Last updated 01 October 2015
Amazon RDS is a service that allows you to set up, operate and scale a dedicated MySQL database server on top of EC2. In addition to standard MySQL features, RDS offers the following functionality:
- Automated backups.
- Point-in-time recovery.
- Seamless vertical scaling between instance types.
This article describes how to configure your Heroku app to consume an AWS RDS database provisioned and purchased separately.
Authorizing access to RDS instance
You have to grant Heroku dynos access to your RDS instance. The recommended way to do this is to configure the RDS instance to only accept SSL-encrypted connections from authorized users and configure the security group for your instance to permit ingress from all IPs, eg
Previously, Heroku published its AWS account ID and security group name as a way to grant access to an AWS RDS instance. This is no longer recommended.
Configuring a Heroku Ruby app
Follow these steps to access a MySQL RDS instance from a Heroku Ruby app (adapted from a Stack Overflow response):
First, download the Amazon RDS CA certificate:
$ curl https://s3.amazonaws.com/rds-downloads/mysql-ssl-ca-cert.pem > ./config/amazon-rds-ca-cert.pem
You may also have to download and combine intermediate AWS certificates.
Add the certificate file to your app’s git repository and re-deploy to Heroku.
Set the DATABASE_URL config var to include the sslca parameter pointing to the certificate file in your repository:
heroku config:add DATABASE_URL="mysql2://username:password@hostname/dbname?sslca=config/amazon-rds-ca-cert.pem" -a <app_id>
The relative path to the certificate file is important.
Configure MySQL to require SSL for all connections for the user:
GRANT USAGE ON *.* TO 'username'@'%' REQUIRE SSL;
That’s it! Your Ruby app should now be able to access the RDS MySQL database over SSL.
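The steps above fail quietly when the sslca parameter is missing or its relative path does not resolve on the dyno. The following check is an added example, not code from the original article or from Heroku: `check_database_url` and `sample_ca_pem` are hypothetical helpers, and the expiry check is an extra assumption beyond what the article covers.

```ruby
require "uri"
require "openssl"

# Hypothetical helper, not part of Heroku or the mysql2 gem: lists problems
# with a DATABASE_URL that is expected to carry an sslca parameter.
def check_database_url(url, app_root = Dir.pwd, now = Time.now)
  uri = URI.parse(url)
  problems = []
  problems << "scheme is #{uri.scheme.inspect}, expected mysql2" unless uri.scheme == "mysql2"
  sslca = URI.decode_www_form(uri.query.to_s).to_h["sslca"].to_s
  return problems << "no sslca parameter, so no CA certificate is configured" if sslca.empty?

  # The article uses a path relative to the app root; an absolute workstation
  # path would not exist on the dyno.
  problems << "sslca is an absolute path: #{sslca}" if sslca.start_with?("/")
  path = File.expand_path(sslca, app_root)
  return problems << "CA file not found: #{path}" unless File.file?(path)

  # A CA file may hold several PEM blocks (root plus intermediates).
  pems = File.read(path).scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  problems << "no PEM certificate in #{sslca}" if pems.empty?
  pems.each do |pem|
    begin
      cert = OpenSSL::X509::Certificate.new(pem)
      problems << "certificate expired: #{cert.subject}" if cert.not_after < now
    rescue OpenSSL::X509::CertificateError => e
      problems << "unparseable certificate in #{sslca}: #{e.message}"
    end
  end
  problems
end

# Constructed sample input: a throwaway self-signed certificate standing in
# for the downloaded RDS CA file.
def sample_ca_pem(not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-sample-ca")
  cert.public_key = key.public_key
  cert.not_before = not_after - 86_400
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Run against the app's own setting when DATABASE_URL is present.
puts check_database_url(ENV["DATABASE_URL"]) if __FILE__ == $PROGRAM_NAME && ENV["DATABASE_URL"]
```

Run it from the app root so the relative sslca path resolves the same way it will on the dyno; an empty result means the URL and CA file passed every check.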
Please refer to the relevant AWS and MySQL documentation for additional details on how to use SSL connections with your RDS database and how to authorize access for a DB security group:
- AWS: Using SSL with a MySQL DB Instance
- AWS: Require DB instance only accept encrypted connections
- AWS: Using SSL with a SQL Server DB Instance
- MySQL: Using SSL Connections
- AWS: Authorizing Network Access to a DB Security Group from an IP Range
The ClearDB Dev Center article has additional details on how to use SSL certificates when connecting to a MySQL database.
Please see this Forum discussion for details on how to connect to RDS databases from Java and Play apps.