Updated on 2024-10-14 GMT+08:00

Modifying pg_hba.conf

Scenarios

You can modify the rules in the pg_hba.conf file of your DB instance to control which clients can access your database and how they authenticate.

Constraints

  • This operation is not allowed when another operation is being performed on the DB instance.
  • Restored DB instances do not inherit the pg_hba.conf file of the original instance. You need to reconfigure the pg_hba.conf file after a restore.
  • Only the md5, reject, and scram-sha-256 authentication methods are supported.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select a region.
  3. Click in the upper left corner of the page and choose Databases > Relational Database Service.
  4. On the Instances page, click the instance name.
  5. In the navigation pane, choose Accounts and click pg_hba Modifications.

    There are four default rules.
    Figure 1 pg_hba Modifications

  6. To modify or delete a default rule or add a new rule, locate the rule and click Modify, Delete, or Add in the Operation column. Then click Submit above the list. In the displayed dialog box, click OK. For the description of each parameter, see Table 1.

    Figure 2 Submit Modifications

    After the modification is submitted, the new configuration takes effect only for new connections. Existing connections are not affected; disconnect and reconnect them for the modification to take effect.

    Table 1 Parameter description

    Parameter: Priority
    Example value: 0
    Description: Priority of the record. The value 0 indicates the highest priority.

    Parameter: TYPE
    Example value: host
    Description: Type of the record. Valid values:
    • host: The record matches connection attempts made using TCP/IP. host records match either SSL or non-SSL connection attempts.
    • hostssl: The record matches connection attempts made using TCP/IP, but only when the connection is made with SSL encryption.
    • hostnossl: The record only matches connection attempts made over TCP/IP that do not use SSL.

    Parameter: DATABASE
    Example value: all
    Description: Database that can be accessed by the user. The value all indicates that the user can access all databases. If multiple databases are specified, separate them with commas (,). The specified databases must already exist and cannot be template0 or template1.

    Parameter: USER
    Example value: user0
    Description: User who is allowed to access the database. Set this parameter to the username created in Creating a Database Account. If multiple usernames are configured, separate them with commas (,). The specified users must already exist and cannot be built-in users such as rdsAdmin, rdsMetric, rdsBackup, rdsRepl, and rdsProxy.

    Parameter: ADDRESS
    Example value: 0.0.0.0/0 or ::0/0
    Description: IP address range that the user can access the database from. 0.0.0.0/0 (IPv4) or ::0/0 (IPv6) indicates that the user can access the database from any IP address.
    NOTE: Clients whose IP addresses are not in this CIDR block cannot access the database. Exercise caution when modifying this parameter.

    Parameter: MASK
    Example value: Empty
    Description: Subnet mask. If ADDRESS is set to a single IP address, you can use this parameter to specify the subnet mask of the IP address.

    Parameter: METHOD
    Example value: md5
    Description: Authentication method. Valid values:
    • reject
    • scram-sha-256
    • md5

  7. To import rules in batches, click Create Custom Record above the list. In the displayed dialog box, configure new rules and click OK.

    • Append records with lowest priorities: The new rules are added below the existing rules and have the lowest priorities.
    • Append records with highest priorities: The new rules are added above the existing rules and have the highest priorities.
    • Overwrite existing records: The new rules replace all existing rules.

  8. To restore the default pg_hba.conf configurations, click Restore to Default above the list.
  9. Run the psql command to connect to the database and verify that the access rules you configured in pg_hba.conf work as intended (replace the values in angle brackets with your own).

    psql -h <instance_connection_address> -U <specified_username> -p 5432 -d <specified_database_name>
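The following Python script is an added example (it is not part of this page and not code from the RDS service) that models how PostgreSQL evaluates the pg_hba.conf records described in Table 1: records are tried in priority order (0 first) and the first record whose TYPE, DATABASE, USER and ADDRESS/MASK all match decides the METHOD, which is why a broad record placed at a high priority shadows every narrower record below it. The rule set, client addresses, database and user names are constructed for illustration; the audit helper flags any non-reject record that allows every IPv4 or IPv6 address, the case the NOTE under ADDRESS warns about.

```python
"""Model of pg_hba.conf rule evaluation as described in Table 1 (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HbaRule:
    priority: int          # 0 = highest priority, evaluated first
    type: str              # host | hostssl | hostnossl
    database: str          # "all" or a comma-separated list of databases
    user: str              # "all" or a comma-separated list of users
    address: str           # CIDR block (0.0.0.0/0, ::0/0, 10.0.1.0/24) or a bare IP when MASK is set
    mask: str = ""         # optional subnet mask used when ADDRESS is a bare IP
    method: str = "md5"    # reject | scram-sha-256 | md5


def _network(rule: HbaRule) -> ipaddress._BaseNetwork:
    """Combine ADDRESS and the optional MASK column into one network object."""
    if rule.mask:
        return ipaddress.ip_network(f"{rule.address}/{rule.mask}", strict=False)
    return ipaddress.ip_network(rule.address, strict=False)


def _in_list(value: str, spec: str) -> bool:
    """DATABASE/USER columns: 'all' matches everything, otherwise a comma-separated list."""
    return spec == "all" or value in {item.strip() for item in spec.split(",")}


def matching_rule(rules, database, user, client_ip, use_ssl):
    """Return the first rule (by priority) that matches the connection attempt, or None."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.type == "hostssl" and not use_ssl:
            continue                      # hostssl only matches SSL connections
        if rule.type == "hostnossl" and use_ssl:
            continue                      # hostnossl only matches non-SSL connections
        if not _in_list(database, rule.database) or not _in_list(user, rule.user):
            continue
        net = _network(rule)
        if ip.version != net.version or ip not in net:
            continue                      # IPv4 rules never match IPv6 clients and vice versa
        return rule
    return None


def authentication_method(rules, database, user, client_ip, use_ssl):
    """METHOD applied to the attempt; with no matching record PostgreSQL refuses the connection."""
    rule = matching_rule(rules, database, user, client_ip, use_ssl)
    return rule.method if rule else "no matching rule (connection refused)"


def overly_broad_rules(rules):
    """Audit helper: non-reject records that admit every IPv4 or IPv6 address."""
    return [r for r in rules
            if r.method != "reject" and _network(r).prefixlen == 0]


# Constructed sample rule set (not the console's default rules): two narrow
# allow records followed by catch-all reject records for IPv4 and IPv6.
SAMPLE_RULES = [
    HbaRule(0, "hostssl", "appdb", "app_user", "10.0.1.0/24", method="scram-sha-256"),
    HbaRule(1, "host", "appdb,reportdb", "report_user", "10.0.2.15",
            mask="255.255.255.0", method="md5"),
    HbaRule(2, "host", "all", "all", "0.0.0.0/0", method="reject"),
    HbaRule(3, "host", "all", "all", "::0/0", method="reject"),
]

# Constructed rule set where a broad md5 record at priority 0 shadows the
# narrower scram-sha-256 record placed below it.
SHADOWED_RULES = [
    HbaRule(0, "host", "all", "all", "0.0.0.0/0", method="md5"),
    HbaRule(1, "hostssl", "appdb", "app_user", "10.0.1.0/24", method="scram-sha-256"),
]


if __name__ == "__main__":
    for db, usr, ip, ssl in [("appdb", "app_user", "10.0.1.7", True),
                             ("appdb", "app_user", "10.0.1.7", False),
                             ("reportdb", "report_user", "10.0.2.200", False),
                             ("appdb", "app_user", "2001:db8::1", True)]:
        print(db, usr, ip, "ssl" if ssl else "nossl", "->",
              authentication_method(SAMPLE_RULES, db, usr, ip, ssl))
    print("broad allow records in SHADOWED_RULES:", overly_broad_rules(SHADOWED_RULES))
```

Running the script shows that app_user from 10.0.1.7 is authenticated with scram-sha-256 only over SSL; without SSL the hostssl record is skipped and the catch-all reject applies. In SHADOWED_RULES the same client gets md5 because the priority-0 record matches first, and overly_broad_rules reports that record, which is the kind of check worth running before clicking Submit.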