The ultimate Fabric, Power BI, SQL, and AI community-led learning event. Save €200 with code FABCOMM.
Get registeredCompete to become Power BI Data Viz World Champion! First round ends August 18th. Get started.
Hi all,
I’m working on a project where I need to connect Power BI (DirectQuery mode) to an AWS RDS (PostgreSQL) instance. The RDS is hosted in a private VPC and is only accessible through a VPN and a Bastion Host. I’ve successfully established an SSH tunnel from my local machine to RDS.
What works:
I can connect to the RDS instance using pgAdmin via the SSH tunnel.
I can connect in Power BI using ODBC in Import mode (data loads fine).
The problem:
We need a DirectQuery connection, but when I try this in Power BI Desktop, I get the following error:
"An error happened while reading data from the provider: 'The remote certificate is invalid according to the validation procedure.'"
What I’ve tried:
Downloaded and installed the correct RDS SSL certificate for my region (ap-south-1 / Mumbai) from AWS documentation.
Installed the certificate using PowerShell:
Import-Certificate -FilePath "C:\Users\kalpesh.bhatt.ssh\rds-ca-ap-south-1.cer" -CertStoreLocation Cert:\LocalMachine\Root
Verified the certificate is present in Cert:\LocalMachine\Root
Tried running Power BI as Administrator
Used localhost as the server name to utilize the SSH tunnel
Despite these steps, I’m still getting the same certificate validation error in Power BI when trying to connect using DirectQuery.
Request:
Is there any known fix or configuration required to make DirectQuery work with SSL over an SSH tunnel to AWS RDS PostgreSQL? Any help or insight would be greatly appreciated.
Thanks in advance!
Solved! Go to Solution.
@KalpeshClearDu
This is a known and painfully tricky issue when trying to use DirectQuery over an SSH tunnel with SSL-enabled PostgreSQL (especially via AWS RDS). You’ve done almost everything right, and it’s clear this isn’t just a standard connectivity problem — it’s certificate validation inside Power BI’s DirectQuery engine, which behaves differently from Import or tools like pgAdmin.
Server Compatibility Mode
in connection stringPower BI allows advanced parameters — try tweaking the SSL behavior directly:
When connecting in Power BI, choose DirectQuery, then select Advanced options.
In Additional settings, add:
Trust Server Certificate=true;
Ssl Mode=Require;
You can trick Power BI into thinking it's talking to the RDS endpoint:
Open your local hosts
file (as admin):C:\Windows\System32\drivers\etc\hosts
Add a line like:
127.0.0.1 your-rds-endpoint.rds.amazonaws.com
Then connect in Power BI using:
your-rds-endpoint.rds.amazonaws.com
This matches the SSL certificate’s hostname, even though the SSH tunnel is to localhost
.
⚠️ Be sure that your tunnel is forwarding to localhost:5432
in this case.
If your end goal is Power BI Service (not just Desktop), you'd typically need to:
Configure the On-premises data gateway to use ODBC + Import (DirectQuery to private RDS is not fully supported out-of-the-box via SSH tunnels)
Or host a custom service on EC2/VPN that routes securely
But since you're focused on Desktop testing, this doesn’t help you immediately.
Did I answer your question? Mark my post as a solution! Appreciate your Kudos !!
@KalpeshClearDu
This is a known and painfully tricky issue when trying to use DirectQuery over an SSH tunnel with SSL-enabled PostgreSQL (especially via AWS RDS). You’ve done almost everything right, and it’s clear this isn’t just a standard connectivity problem — it’s certificate validation inside Power BI’s DirectQuery engine, which behaves differently from Import or tools like pgAdmin.
Server Compatibility Mode
in connection stringPower BI allows advanced parameters — try tweaking the SSL behavior directly:
When connecting in Power BI, choose DirectQuery, then select Advanced options.
In Additional settings, add:
Trust Server Certificate=true;
Ssl Mode=Require;
You can trick Power BI into thinking it's talking to the RDS endpoint:
Open your local hosts
file (as admin):C:\Windows\System32\drivers\etc\hosts
Add a line like:
127.0.0.1 your-rds-endpoint.rds.amazonaws.com
Then connect in Power BI using:
your-rds-endpoint.rds.amazonaws.com
This matches the SSL certificate’s hostname, even though the SSH tunnel is to localhost
.
⚠️ Be sure that your tunnel is forwarding to localhost:5432
in this case.
If your end goal is Power BI Service (not just Desktop), you'd typically need to:
Configure the On-premises data gateway to use ODBC + Import (DirectQuery to private RDS is not fully supported out-of-the-box via SSH tunnels)
Or host a custom service on EC2/VPN that routes securely
But since you're focused on Desktop testing, this doesn’t help you immediately.
Did I answer your question? Mark my post as a solution! Appreciate your Kudos !!
Thanks For sharing you valuable solution. After 10 Days duration of solving this issue,option 2 that you have provided could solve my problem. Thank you Bro Thank you so much!
Thanks for your valuable suggestion. But I use latest version of power bi and it has no any provision in advance option for SSL Mode. So what should i do to enabling that perticular SSL Mode?Is there any need to download older vesrion kindly share me the link to direct download.Thanks in advance!