KalpeshClearDu
Regular Visitor

Power BI DirectQuery to AWS RDS PostgreSQL via SSH Tunnel – SSL Certificate Validation Error

Hi all,

I’m working on a project where I need to connect Power BI (DirectQuery mode) to an AWS RDS (PostgreSQL) instance. The RDS is hosted in a private VPC and is only accessible through a VPN and a Bastion Host. I’ve successfully established an SSH tunnel from my local machine to RDS.

What works:

  • I can connect to the RDS instance using pgAdmin via the SSH tunnel.

  • I can connect in Power BI using ODBC in Import mode (data loads fine).

The problem:
We need a DirectQuery connection, but when I try this in Power BI Desktop, I get the following error:

"An error happened while reading data from the provider: 'The remote certificate is invalid according to the validation procedure.'"

What I’ve tried:

  • Downloaded and installed the correct RDS SSL certificate for my region (ap-south-1 / Mumbai) from AWS documentation.

  • Installed the certificate using PowerShell:
    Import-Certificate -FilePath "C:\Users\kalpesh.bhatt.ssh\rds-ca-ap-south-1.cer" -CertStoreLocation Cert:\LocalMachine\Root

  • Verified the certificate is present in Cert:\LocalMachine\Root

  • Tried running Power BI as Administrator

  • Used localhost as the server name to utilize the SSH tunnel

Despite these steps, I’m still getting the same certificate validation error in Power BI when trying to connect using DirectQuery.

Request:
Is there any known fix or configuration required to make DirectQuery work with SSL over an SSH tunnel to AWS RDS PostgreSQL? Any help or insight would be greatly appreciated.

Thanks in advance!

1 ACCEPTED SOLUTION
johnbasha33
Super User

@KalpeshClearDu 

This is a known and painfully tricky issue when trying to use DirectQuery over an SSH tunnel with SSL-enabled PostgreSQL (especially via AWS RDS). You’ve done almost everything right, and it’s clear this isn’t just a standard connectivity problem — it’s certificate validation inside Power BI’s DirectQuery engine, which behaves differently from Import or tools like pgAdmin.

Option 1: Use Server Compatibility Mode in connection string

Power BI allows advanced parameters — try tweaking the SSL behavior directly:

  1. When connecting in Power BI, choose DirectQuery, then select Advanced options.

  2. In Additional settings, add:
    Trust Server Certificate=true;
    Ssl Mode=Require;

Option 2: Modify the hosts file + use actual RDS endpoint

You can trick Power BI into thinking it's talking to the RDS endpoint:

  1. Open your local hosts file (as admin):
    C:\Windows\System32\drivers\etc\hosts

  2. Add a line like:
    127.0.0.1 your-rds-endpoint.rds.amazonaws.com

  3. Then connect in Power BI using:
    your-rds-endpoint.rds.amazonaws.com

This matches the SSL certificate’s hostname, even though the SSH tunnel is to localhost.

⚠️ Be sure that your tunnel is forwarding to localhost:5432 in this case.

Option 3: Use a Power BI Gateway (for scheduled refresh, not desktop)

If your end goal is Power BI Service (not just Desktop), you'd typically need to:

  • Configure the On-premises data gateway to use ODBC + Import (DirectQuery to private RDS is not fully supported out-of-the-box via SSH tunnels)

  • Or host a custom service on EC2/VPN that routes securely

But since you're focused on Desktop testing, this doesn’t help you immediately.


Did I answer your question? Mark my post as a solution! Appreciate your Kudos !!
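
Added example (not part of the original post, and not Power BI or Npgsql code): a small Python check that reads the certificate served through the tunnel and shows why a trusted CA alone does not help when the client connects to `localhost`. The tunnel address `localhost:5432` and the placeholder endpoint name are taken from the thread; the function names are made up for this sketch, and wildcard handling goes slightly beyond the case discussed.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest message: Int32 length (8) + Int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def san_matches(pattern, hostname):
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def explain(sans, name_used):
    """Say whether the server name typed into the client is covered by the certificate."""
    if any(san_matches(s, name_used) for s in sans):
        return f"{name_used}: covered by certificate, validation can succeed"
    return f"{name_used}: not in {sans}, validation fails even with a trusted CA"


def fetch_sans(connect_host, port, cafile=None):
    """Return the DNS names in the certificate reached through the tunnel.

    Hostname checking is switched off only so the names can be read;
    the chain is still verified against cafile or the system store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((connect_host, port), timeout=10) as raw:
        raw.sendall(SSL_REQUEST)
        if raw.recv(1) != b"S":  # 'S' = server agrees to start TLS
            raise RuntimeError("server declined TLS")
        with ctx.wrap_socket(raw) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    # Assumes the SSH tunnel from the thread is listening on localhost:5432.
    names = fetch_sans("localhost", 5432)
    for candidate in ("localhost", "your-rds-endpoint.rds.amazonaws.com"):
        print(explain(names, candidate))
```

Option 2 makes the name the client checks equal to a name in the certificate, so validation stays on. Option 1's `Trust Server Certificate=true` makes the client skip the check instead, so it can no longer tell the intended server from any other endpoint answering on that port.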







3 REPLIES 3






Thanks for sharing your valuable solution. After 10 days of trying to solve this issue, option 2 that you provided solved my problem. Thank you, bro, thank you so much!

Thanks for your valuable suggestion. But I use the latest version of Power BI and it has no provision in the advanced options for SSL Mode. So what should I do to enable that particular SSL Mode? Is there any need to download an older version? Kindly share the link for direct download. Thanks in advance!
