Amazon RDS Connection
Connect ForceCnx to an RDS PostgreSQL instance with IAM authentication and automatic SSL encryption.
Prerequisites
- An AWS account with an RDS PostgreSQL or Aurora PostgreSQL instance
- An IAM user or role with permissions to connect to the RDS instance
- The RDS instance must be publicly accessible, or you must have VPC connectivity
Step 1: Configure IAM Authentication (Recommended)
Recommended: IAM authentication generates short-lived tokens instead of static passwords, improving security and simplifying credential rotation.
Enable IAM authentication on your RDS instance
In the AWS Console, go to RDS → Databases → Your Instance → Modify and enable IAM database authentication.
```bash
# Using AWS CLI
aws rds modify-db-instance \
  --db-instance-identifier your-instance \
  --enable-iam-database-authentication \
  --apply-immediately
```
Create an IAM policy
Create an IAM policy that grants the rds-db:connect permission for your database user.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:REGION:ACCOUNT_ID:dbuser:DBI_RESOURCE_ID/forcecnx_reader"
    }
  ]
}
```
Replace REGION, ACCOUNT_ID, and DBI_RESOURCE_ID with your values. The resource ID is found on the RDS instance's Configuration tab.
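A check to run on the policy document before attaching it, as an added example (not ForceCnx or AWS code): it flags placeholders left unreplaced, wildcards that would let the identity connect as other database users or to other instances, and an instance name used where the resource ID belongs. The function names, sample account number and resource ID are constructed for illustration; the `db-` and `cluster-` prefixes are the form RDS instance and Aurora cluster resource IDs take.

```python
import json
import re

# Resource format used by the policy above:
# arn:aws:rds-db:REGION:ACCOUNT_ID:dbuser:DBI_RESOURCE_ID/DB_USER
ARN_RE = re.compile(r"^arn:[^:]+:rds-db:([^:]*):([^:]*):dbuser:([^/]*)/(.+)$")
PLACEHOLDERS = {"REGION", "ACCOUNT_ID", "DBI_RESOURCE_ID"}


def as_list(value):
    """IAM accepts either a string or a list for Statement, Action, Resource."""
    return value if isinstance(value, list) else [value]


def check_connect_policy(policy_text, expected_user="forcecnx_reader"):
    """Return findings for every Allow statement that grants rds-db:connect."""
    findings = []
    for stmt in as_list(json.loads(policy_text)["Statement"]):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"rds-db:connect", "rds-db:*", "*"}:
            continue
        for res in as_list(stmt.get("Resource", [])):
            match = ARN_RE.match(res)
            if not match:  # includes a bare "*" resource
                findings.append(f"{res}: not a dbuser ARN for rds-db")
                continue
            region, account, dbi, user = match.groups()
            parts = {"region": region, "account": account, "resource id": dbi, "db user": user}
            for name, value in parts.items():
                if value in PLACEHOLDERS:
                    findings.append(f"{res}: placeholder left in {name}")
                elif "*" in value or "?" in value:
                    findings.append(f"{res}: wildcard in {name}")
                elif name == "resource id" and not value.startswith(("db-", "cluster-")):
                    findings.append(f"{res}: '{value}' is not a resource ID (db-... or cluster-...)")
                elif name == "db user" and value != expected_user:
                    findings.append(f"{res}: grants user '{value}', expected '{expected_user}'")
    return findings


# Constructed sample policies (the account number and resource ID are made up).
TEMPLATE = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
            '"Action": "rds-db:connect", "Resource": "%s"}]}')
GOOD = TEMPLATE % "arn:aws:rds-db:us-east-1:123456789012:dbuser:db-EXAMPLE0123456789/forcecnx_reader"
UNEDITED = TEMPLATE % "arn:aws:rds-db:REGION:ACCOUNT_ID:dbuser:DBI_RESOURCE_ID/forcecnx_reader"
TOO_BROAD = TEMPLATE % "arn:aws:rds-db:us-east-1:123456789012:dbuser:*/*"

if __name__ == "__main__":
    print([check_connect_policy(p) for p in (GOOD, UNEDITED, TOO_BROAD)])
```

An empty list means the statement is scoped to one database user on one instance or cluster.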
Create an IAM user and attach the policy
Create a dedicated IAM user for ForceCnx and attach the policy from the previous step. Generate an access key pair.
```bash
aws iam create-user --user-name forcecnx-rds-reader
aws iam attach-user-policy \
  --user-name forcecnx-rds-reader \
  --policy-arn arn:aws:iam::ACCOUNT_ID:policy/ForceCnxRDSConnect
aws iam create-access-key --user-name forcecnx-rds-reader
```
Save the AccessKeyId and SecretAccessKey from the output.
Create the database user
Connect to your RDS instance and create a PostgreSQL user that maps to the IAM identity:
```sql
-- Create an IAM-authenticated database user
CREATE USER forcecnx_reader WITH LOGIN;
GRANT rds_iam TO forcecnx_reader;

-- Grant read access
GRANT USAGE ON SCHEMA public TO forcecnx_reader;
GRANT SELECT ON TABLE customers, orders TO forcecnx_reader;
```
Step 2: Create the Connection in ForceCnx
Open the New Connection form
From your ForceCnx Dashboard, click + New Connection and select the AWS RDS tab.
Enter connection details
Fill in your RDS connection parameters:
| Field | Description | Example |
|---|---|---|
| Endpoint | RDS instance endpoint | my-db.abc123.us-east-1.rds.amazonaws.com |
| Port | PostgreSQL port | 5432 |
| Region | AWS region | us-east-1 |
| Database | Database name | myapp |
| Username | Database user | forcecnx_reader |
| Use IAM Auth | Enable for IAM database authentication | Checked |
| Access Key ID | IAM user access key | — |
| Secret Access Key | IAM user secret key | — |
If not using IAM auth, provide a standard database password instead of access keys.
Test and save
Click Create Connection. ForceCnx will connect to your RDS instance and introspect the schema.
SSL Configuration
SSL is enabled by default for all RDS connections. ForceCnx includes the AWS RDS CA bundle, so certificate verification works automatically.
Note: RDS enforces SSL by default. ForceCnx uses verify-full SSL mode with the RDS root certificate bundle, ensuring encrypted and authenticated connections.
Security Group Configuration
If your RDS instance is publicly accessible, ensure the security group allows inbound connections on the PostgreSQL port (default 5432) from ForceCnx, and limit the rule's source to ForceCnx rather than opening the port to all addresses.
Security: We recommend using IAM authentication instead of static passwords. IAM tokens expire after 15 minutes and are automatically refreshed, eliminating long-lived credentials. Keep your IAM access keys secure — ForceCnx encrypts them at rest.
Aurora PostgreSQL
ForceCnx works with Aurora PostgreSQL the same way as standard RDS PostgreSQL. Use the cluster endpoint for read/write access or a reader endpoint for read-only access.
Next Steps
Once connected, follow the Getting Started guide to map entities, configure field mappings, and set up Salesforce Connect.