When using @prisma/adapter-pg, are additional options required for DATABASE_URL?
When using @prisma/adapter-pg, are additional options required for DATABASE_URL?
error: User was denied access on the database
db-name
version 6.16
db: aws-rds postgres17.4
3 Replies
You opted for speed from this bot. Let's conjure up an answer right now!
When using
Add
@prisma/adapter-pg with AWS RDS Postgres, you generally do not need special options in your DATABASE_URL beyond the standard PostgreSQL connection string format. However, AWS RDS enforces SSL connections by default. If SSL is not configured properly, you may encounter the error:
To resolve this, you should add the sslmode=no-verify option to your DATABASE_URL to bypass strict SSL certificate verification (especially useful for development or if you haven't set up a trusted certificate):
This tells Prisma (and the underlying pg driver) not to require a valid SSL certificate, which is often necessary for AWS RDS connections unless you have configured certificates correctly. Note that for production, you should ideally use a valid SSL certificate and not rely on no-verify for security reasons see docs.
No other special options are required for @prisma/adapter-pg—the connection string format remains the same as for the standard Prisma ORM PostgreSQL connector see docs.
If you still get access denied errors, double-check:
- The username and password are correct.
- The user has the necessary privileges on the database.
- The RDS instance allows connections from your application’s IP.
If you need to specify a schema, you can use the schema query parameter as you have done.
Summary:Add
sslmode=no-verify to your DATABASE_URL for AWS RDS if you see access denied errors due to SSL. No other special options are required for @prisma/adapter-pg beyond the standard connection string format.
🤔 Alright, thanks for letting us know that there's still some help needed. A team member will reply to you shortly.
In the meantime, please let us know any additional info, questions, or which parts of the answer may need clarification.I resolved it by setting the
sslmode=no-verify option. But is this the correct approach? The migration command executed normally without that option. prisma migrate deploy
https://github.com/prisma/prisma/pull/27639
Has this issue not been addressed yet?GitHub
fix(adapter-pg): get correct database name from error code 28000 by...
Error code 28000 is returned from a Postgres server when client authentication fails and turns into Prisma error P1010. This is often the result of the server forcing SSL while the client cannot v...
When you change from using Prisma’s Rust engine to adapter-pg, the default behavior when connecting to the database is different. The Rust engine defaults to
prefer, so it will connect over SSL without certificate verification. When you use adapter-pg, the pg driver requires you to explicitly configure your SSL connection settings - by default it is off causing the error message you received since the server is requiring SSL and your pg client did not attempt SSL. I believe the prisma migrate commands are still using the Rust engine.
There is no equivalent behavior in pg for prefer as the author decided this is not worth implementing. The official PostgreSQL documentation even throws shade on prefer by stating that it is the equivalent of saying “I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it”.
So the correct way if you want to ensure a secure connection is to set ssl=true and then likely configure your Node process to trust the RDS CA cert by setting NODE_EXTRA_CA_CERTS or a similar method.
Using sslmode=no-verify is an escape hatch that will use SSL, but ignore the verification of the server’s certificate. This of course means you are vulnerable to MITM attacks.