Pivotal Knowledge Base


How to Re-Construct an AWS RDS PostgreSQL Instance’s Master Username Password


  • Pivotal Cloud Foundry® (PCF) all versions
  • PCF Service Broker for AWS 1.4 and above


The master username password credential provided by Operations Manager does not allow you to connect to your AWS PostgreSQL service instance; the attempt fails with an access denied or invalid credentials error message.


The "Password" listed at Pivotal Operations Manager > AWS Service Broker Tile > Credentials > RDS Master Credentials fails because it is not the password itself: it is only a "Salt" supplied when the instance is initially created. The high-level algorithm for generating the master username password is:

masterusername password = sha3-Hash( "Salt" + "New-PCF-Service-instance-GUID" )

Thus, the Password listed in RDS Master Credentials will fail when you attempt to connect to the database outside of Operations Manager. This design also means that each newly created service instance has a different master username password.


To get the actual master username password for your desired instance, you will need to regenerate it manually with the steps below and the passGen tool attached to this article. Download the build that matches your system's architecture from: https://github.com/pivotal-gss/AWS-RDS-master-user-passgen/releases

1) Take note of the Salt value from Pivotal Operations Manager > AWS Service Broker Tile > Credentials > "Rds Master Credentials".

2) Create a new PostgreSQL service instance:

$ cf create-service aws-rds-postgres basic postgres-db-1
Creating service instance postgres-db-1 in org jhairston / space aws-tests as admin...

3) Collect the GUID of the Service instance:

$ cf service postgres-db-1 --guid

4) Regenerate the master username password via the passGen tool:
Usage: passGen -i [identity] -s [salt]

$ ./passGen -i 883439ba-5494-407a-acc0-2ba10d6cdafb -s H6WdmhsMyv-scNNP_EIGVqB6AavFWcKcg
Generated password:

5) Use this generated password output as your actual masterusername password and you will be able to connect to the DB with Super User permissions. You can connect to either the database provided by RDS or to the database "postgres".


