{"id":46897349,"url":"https://github.com/ecliptical/tokio-postgres-rustls-rds-demo","last_synced_at":"2026-03-10T23:33:47.116Z","repository":{"id":70969702,"uuid":"284392351","full_name":"ecliptical/tokio-postgres-rustls-rds-demo","owner":"ecliptical","description":"Project demonstrating how to connect securely to Amazon RDS for PostgreSQL","archived":false,"fork":false,"pushed_at":"2026-02-03T19:46:34.000Z","size":280,"stargazers_count":16,"open_issues_count":3,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-04T08:45:40.362Z","etag":null,"topics":["amazon-rds","rustls","tokio-postgres"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ecliptical.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-08-02T04:45:30.000Z","updated_at":"2026-02-03T19:46:35.000Z","dependencies_parsed_at":"2024-04-26T23:23:52.100Z","dependency_job_id":"5e34894a-7763-40de-b7c2-0028a26dd4c7","html_url":"https://github.com/ecliptical/tokio-postgres-rustls-rds-demo","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ecliptical/tokio-postgres-rustls-rds-demo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecliptical%2Ftokio-postgres-rustls-rds-demo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecliptical%2Ftokio-postgres-rustls-rds-demo/tags","rel
eases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecliptical%2Ftokio-postgres-rustls-rds-demo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecliptical%2Ftokio-postgres-rustls-rds-demo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ecliptical","download_url":"https://codeload.github.com/ecliptical/tokio-postgres-rustls-rds-demo/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecliptical%2Ftokio-postgres-rustls-rds-demo/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30362120,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-10T21:41:54.280Z","status":"ssl_error","status_checked_at":"2026-03-10T21:40:59.357Z","response_time":106,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["amazon-rds","rustls","tokio-postgres"],"created_at":"2026-03-10T23:33:46.937Z","updated_at":"2026-03-10T23:33:47.100Z","avatar_url":"https://github.com/ecliptical.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Connecting Securely to Amazon RDS for PostgreSQL\n\nThis project demonstrates how to use [Tokio Postgres](https://crates.io/crates/tokio-postgres) with [Rustls](https://crates.io/crates/rustls) to connect to [Amazon RDS for 
PostgreSQL](https://aws.amazon.com/rds/postgresql/) over TLS.\n\nThe trick? Configure your Rustls-backed Tokio Postgres client to use the AWS-issued RDS CA certificate, which can be downloaded [directly from Amazon](https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem). See [Using SSL/TLS to Encrypt a Connection to a DB Instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) for additional details.\n\n## RDS Setup\n\nEnsure you have access to an _RDS for Postgres_ database. If not, you may be able to create one for free in the AWS Console.\n\n### Database Instance\n\nNow for the actual database instance:\n\n1. In the _Databases_ tab, click _Create database_\n2. Choose _Standard Create_ and pick the _PostgreSQL_ engine type\n3. Pick the latest _Version_ (e.g., PostgreSQL 16.1-R2)\n4. If available, pick the _Free tier_ template\n5. Fill out _Credentials Settings_ (i.e., Master username and password)\n6. Under _Connectivity_, check _Yes_ under _Public access_. This will allow you to connect to your instance remotely from your computer.\n7. Scroll down to the last top-level section named _Additional configuration_ and enter `postgres` in the _Initial database name_ field right under _Database options_.\n8. Click _Create database_\n\n### Security Group\n\nUnless you previously set up and configured your Security Group, the default one that was created for your database instance won't let you connect remotely. To address this:\n\n1. Open the details of your newly created database instance\n2. In the _Connectivity and security_ tab, _Security_ section, click the first (active) security group under _VPC security groups_ (it should be named something like `default (sg-0123abcd)`).\n3. Open its _Inbound rules_ tab and click _Edit inbound rules_\n4. Ensure your development machine has access to TCP port 5432; e.g., add your public IP address as the _Source_ for a _PostgreSQL_ type rule. 
*BE CAUTIOUS* -- this has implications on the security of your newly created database instance and any other AWS assets that may be protected by this security group!\n\n## Testing Connectivity\n\nOnce your new database instance becomes available, find its public hostname:\n\n1. Open its details\n2. In the _Connectivity and security_ tab, _Endpoint \u0026 port_ section, copy the _Endpoint_ value (i.e., its fully-qualified domain name). It should look something like `database-1.xq7f5vzbpq1x.ca-central-1.rds.amazonaws.com`.\n\n\u003e In the examples that follow, please substitute the PG.HOST parameter value with your own database instance hostname.\n\nBy default, the RDS instance you created requires secure connections (i.e., its default parameter group's `rds.force_ssl` parameter is set to `1`). To connect using TLS, add the `DB_CA_CERT` parameter with the path to the RDS CA certificate:\n\n```bash\nenv PG.DBNAME=postgres PG.HOST=database-1.xq7f5vzbpq1x.ca-central-1.rds.amazonaws.com PG.USER=postgres PG.PASSWORD=xxxxxxxx DB_CA_CERT=ca-certificates/global-bundle.pem RUST_LOG=debug cargo run\n```\n\nYou should see output similar to:\n\n```\n    Finished dev [unoptimized + debuginfo] target(s) in 0.08s\n     Running `target/debug/tokio-postgres-rustls-rds-demo`\n DEBUG tokio_postgres_rustls_rds_demo \u003e settings: Settings { pg: Config { url: None, user: Some(\"postgres\"), password: Some(\"xxxxxxxx\"), dbname: Some(\"postgres\"), options: None, application_name: None, ssl_mode: None, host: Some(\"database-1.xq7f5vzbpq1x.ca-central-1.rds.amazonaws.com\"), hosts: None, hostaddr: None, hostaddrs: None, port: None, ports: None, connect_timeout: None, keepalives: None, keepalives_idle: None, target_session_attrs: None, channel_binding: None, load_balance_hosts: None, manager: None, pool: None }, db_ca_cert: Some(\"ca-certificates/global-bundle.pem\") }\n DEBUG rustls::client::hs             \u003e No cached session for 
DnsName(\"database-1.xq7f5vzbpq1x.ca-central-1.rds.amazonaws.com\")\n DEBUG rustls::client::hs             \u003e Not resuming any session\n DEBUG rustls::client::hs             \u003e Using ciphersuite TLS13_AES_256_GCM_SHA384\n DEBUG rustls::client::tls13          \u003e Not resuming\n DEBUG rustls::client::tls13          \u003e TLS1.3 encrypted extensions: []\n DEBUG rustls::client::hs             \u003e ALPN protocol is None\n DEBUG rustls::client::tls13          \u003e Got CertificateRequest CertificateRequestPayloadTls13 { context: , extensions: [SignatureAlgorithms([ECDSA_NISTP256_SHA256, RSA_PSS_SHA256, RSA_PKCS1_SHA256, ECDSA_NISTP384_SHA384, RSA_PSS_SHA384, RSA_PKCS1_SHA384, RSA_PSS_SHA512, RSA_PKCS1_SHA512, RSA_PKCS1_SHA1]), AuthorityNames([DistinguishedName(3081a5310b300906035504061302555331223020060355040a0c19416d617a6f6e205765622053657276696365732c20496e632e31133011060355040b0c0a416d617a6f6e20524453310b300906035504080c025741313e303c06035504030c35416d617a6f6e205244532063612d63656e7472616c2d31205375626f7264696e61746520434120525341323034382047312e412e353110300e06035504070c0753656174746c65)])] }\n DEBUG rustls::client::common         \u003e Client auth requested but no cert/sigscheme available\n DEBUG tokio_postgres::prepare        \u003e preparing query s0: SELECT * FROM information_schema.information_schema_catalog_name\n DEBUG tokio_postgres::query          \u003e executing statement s0 with parameters: []\n INFO  tokio_postgres_rustls_rds_demo \u003e postgres\n```\n\n## Connecting Without the RDS CA Certificate\n\nUsing TLS without Amazon's RDS CA certificate, you would see an error similar to:\n\n```\n    Finished dev [unoptimized + debuginfo] target(s) in 1.28s\n     Running `target/debug/tokio-postgres-rustls-rds-demo`\n DEBUG tokio_postgres_rustls_rds_demo \u003e settings: Settings { pg: Config { url: None, user: Some(\"postgres\"), password: Some(\"xxxxxxxx\"), dbname: Some(\"postgres\"), options: None, application_name: None, ssl_mode: None, host: 
Some(\"database-1.xq7f5vzbpq1x.ca-central-1.rds.amazonaws.com\"), hosts: None, hostaddr: None, hostaddrs: None, port: None, ports: None, connect_timeout: None, keepalives: None, keepalives_idle: None, target_session_attrs: None, channel_binding: None, load_balance_hosts: None, manager: None, pool: None }, db_ca_cert: None }\nError: Error occurred while creating a new object: db error: FATAL: no pg_hba.conf entry for host \"12.34.56.78\", user \"postgres\", database \"postgres\", no encryption\n\nCaused by:\n    0: db error: FATAL: no pg_hba.conf entry for host \"12.34.56.78\", user \"postgres\", database \"postgres\", no encryption\n    1: FATAL: no pg_hba.conf entry for host \"12.34.56.78\", user \"postgres\", database \"postgres\", no encryption\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fecliptical%2Ftokio-postgres-rustls-rds-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fecliptical%2Ftokio-postgres-rustls-rds-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fecliptical%2Ftokio-postgres-rustls-rds-demo/lists"}