Password Authentication for Amazon RDS and S3

Using Amazon RDS

Use an Amazon RDS PostgreSQL instance as your Develocity database.

Obtain the Required Permissions

You need permission to create and manage Amazon RDS instances and security groups.

The necessary permissions are granted using the AmazonRDSFullAccess AWS managed policy.

Set Up an RDS Instance

Develocity is compatible with PostgreSQL versions 14 through 18. The minimum storage space required is 250 GB with 3,000 or more IOPS.

Create a Root Username and Password

Create a root username and password for the database instance — «db-root-username» and «db-root-password». These are the credentials you use for your database setup; save them somewhere secure.

Create a Security Group

Before creating the database, you have to create a security group in the VPC you want to use.

In this tutorial you use the eksctl created VPC used by your cluster.

You can use a different VPC, but you need to make the RDS instance accessible from your cluster (for example, by peering the VPCs).

To create the Security Group, run:

CLUSTER_VPC_ID=$(
  aws ec2 describe-vpcs \
    --filters Name=tag:aws:cloudformation:stack-name,Values=eksctl-develocity-cluster \
    --query 'Vpcs[0].VpcId' \
    --output text
)
aws ec2 create-security-group --group-name develocity-database \
  --description "Develocity DB security group" \
  --vpc-id ${CLUSTER_VPC_ID}

Enable Ingress

Then enable ingress to the RDS instance from your cluster for port 5432 by running:

CLUSTER_SECURITY_GROUP_ID=$(
  aws eks describe-cluster --name develocity \
  --query cluster.resourcesVpcConfig.clusterSecurityGroupId \
  --output text
)
RDS_SECURITY_GROUP_ID=$(
  aws ec2 describe-security-groups \
  --filters Name=group-name,Values=develocity-database \
  --query 'SecurityGroups[0].GroupId' \
  --output text
)
aws ec2 authorize-security-group-ingress \
  --protocol tcp --port 5432 \
  --source-group ${CLUSTER_SECURITY_GROUP_ID} \
  --group-id ${RDS_SECURITY_GROUP_ID}

Create a Subnet Group

Before creating the database, you need to create a subnet group to specify how the RDS instance will be networked.

This subnet group must have subnets in two availability zones, and typically should use private subnets.

eksctl has already created private subnets you can use.

Create a subnet group containing them by running:

CLUSTER_VPC_ID=$(
  aws ec2 describe-vpcs \
    --filters Name=tag:aws:cloudformation:stack-name,Values=eksctl-develocity-cluster \
    --query 'Vpcs[0].VpcId' \
    --output text
)
SUBNET_IDS=$(
  aws ec2 describe-subnets \
    --query 'Subnets[?!MapPublicIpOnLaunch].SubnetId' \
    --filters Name=vpc-id,Values=${CLUSTER_VPC_ID} \
    --output json
)
aws rds create-db-subnet-group --db-subnet-group-name develocity-database \
  --db-subnet-group-description "Develocity DB subnet group" \
  --subnet-ids ${SUBNET_IDS}
 Consult RDS’s subnet group documentation for more details on subnet groups and their requirements.

Create the RDS Instance

Create the RDS instance:

RDS_SECURITY_GROUP_ID=$(
  aws ec2 describe-security-groups \
    --filters Name=group-name,Values=develocity-database \
    --query 'SecurityGroups[0].GroupId' \
    --output text
)
RDS_POSTGRES_VERSION=$(
  aws rds describe-db-engine-versions \
    --engine postgres \
    --engine-version 17 \(1)
    --default-only \
    --query 'DBEngineVersions[0].EngineVersion' \
    --output text
)
1 The latest major version of PostgreSQL that Develocity supports. 
aws rds create-db-instance \
  --engine postgres \
  --engine-version ${RDS_POSTGRES_VERSION} \
  --db-instance-identifier develocity-database \
  --db-name gradle_enterprise \
  --allocated-storage 250 \(1)
  --iops 3000 \(2)
  --db-instance-class db.m5.large \
  --db-subnet-group-name develocity-database \
  --backup-retention-period 3 \(3)
  --no-publicly-accessible \
  --vpc-security-group-ids ${RDS_SECURITY_GROUP_ID} \
  --master-username «db-root-username» \
  --master-user-password «db-root-password»
1 Develocity should be installed with 250GB of database storage to start with.
2 Develocity’s data volumes and database should support at least 3,000 IOPS.
3 The backup retention period, in days.

While you don’t configure it here, RDS supports storage autoscaling.

 Consult AWS’s database creation guide and the CLI command reference for more details on RDS instance creation.

You can view the status of your instance with:

aws rds describe-db-instances --db-instance-identifier develocity-database

Wait until the DBInstanceStatus is available.

Once available, you can see the hostname of the instance under Endpoint > Address. This is the hostname you use to connect to the instance, referred to as «database-hostname».

Configure Develocity with RDS

Add the following configuration snippet to your Helm values file:

values.yaml
database:
  location: user-managed
  provider: aws-rds
  connection:
    host: «database-hostname»
    databaseName: gradle_enterprise
  credentials:
    superuser:
      username: «db-root-username» (1)
      password: «db-root-password» (1)
1 The RDS root credentials you chose earlier.

Using Amazon S3

Develocity can use a user-managed Object Storage instead of its own embedded version. Benefits include scalable storage, reduced operational overhead, and improved backup and failover management. This page covers using an Amazon S3 bucket to store Build Scan® data and monitoring data such as metrics.

Obtain the Required Permissions

Ensure you have permission to create and manage Amazon S3 buckets. You also need to create IAM policies and roles, but you already have permission to do that from the eksctl policies.

The necessary permissions can be granted by using the AmazonS3FullAccess AWS managed policy.

Set Up S3 Buckets

To create the S3 buckets, run:

ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) \
  aws s3 mb s3://develocity-application-data-${ACCOUNT_ID} && \(1)
  aws s3 mb s3://develocity-monitoring-data-${ACCOUNT_ID} (2)
1 The name of the bucket meant to store application data, like Build Scan data or Build Cache entries
2 The name of the bucket meant to store monitoring data, like metrics collected during application lifetime

Storing data in different buckets allows you to apply various strategies, such as access control, replication, soft-delete, backup, and more. However, you can use only one bucket for both application and monitoring data; this is an operational decision based on your practices.

Update Your Installation’s Resource Requirements

When using S3 Build Scan storage, Develocity uses more memory.

To update Develocity’s memory usage specification, update your Helm values file with the following values:

values.yaml
enterprise:
  resources:
    requests:
      memory: 6Gi (1)
    limits:
      memory: 6Gi (1)
1 If you have already set a custom value here, instead increase it by 2Gi.
When adding items to your Helm values file, merge any duplicate blocks. Alternatively, you can use separate files and pass all of them with --values «file» when running Helm commands.

If you are additionally using the background processor component, also update its values:

values.yaml
enterpriseBackgroundProcessor:
  resources:
    requests:
      memory: 6Gi (1)
    limits:
      memory: 6Gi (1)
1 If you have already set a custom value here, instead increase it by 2Gi.

Configure Develocity with S3

Develocity must now be configured to use S3. To do this, you must use the unattended configuration mechanism.

Develocity can store Build Scan data in either the configured database or in the configured object store.

The unattended configuration mechanism lets you configure which of these is used to store Build Scan data as part of a configuration file, which can be embedded in your Helm values file as described in the unattended configuration guide.

This section describes how to extend your Helm values file to include the correct unattended configuration block for S3 Build Scan storage.

First, create a minimal unattended configuration file. This requires you to choose a password for the system user and hash it. To do this, install Develocityctl.

The following command prompts you to enter a password and writes the hash to secret.txt. The output is referred to below as «hashed-system-password».

develocityctl config-file hash -o secret.txt

To use your S3 bucket, add the following to your Helm values file:

values.yaml
global:
  unattended:
    configuration:
      version: 14 (1)
      systemPassword: "«hashed-system-password»" (2)
      buildScans:
        incomingStorageType: objectStorage

enterprise:
  resources:
    requests:
      memory: 8Gi (3)
    limits:
      memory: 8Gi (3)

objectStorage:
  type: s3
  s3:
    bucket: develocity-application-data-«account-id» (4)
    region: «region» (5)
    credentials:
      type: keys (6)
      keys:
        accessKey: "«aws-access-key-id»"
        secretKey: "«aws-secret-key-id»"
    monitoring:
      bucket: develocity-monitoring-data-«account-id» (4)
      region: «region» (5)
      credentials:
        type: keys (6)
        keys:
          accessKey: "«aws-access-key-id»" (7)
          secretKey: "«aws-secret-key-id»" (7)
1 The version of the unattended configuration.
2 The hashed system password.
3 If you have already set a custom value here, instead increase it by 2Gi.
4 «account-id» is the ID of your AWS account
5 The region where your S3 bucket resides, which should be your current region.
6 The type of AWS credentials, in this example, access/secret keys.
7 The access key ID and secret key ID of the AWS user that has permissions to access the S3 bucket.

Once you have updated your Helm values file as described above, reapply it using the method described in Changing Configuration Values. This updates your Develocity installation to use the unattended configuration you created above, and Develocity restarts.

 Switching between embedded Object Storage and user-managed Object Storage is not supported, starting with S3 is recommended as a more scalable solution, as data migration will not be possible later on.

Verify S3 Storage Is Used

 Develocity will start even if your S3 configuration is incorrect.

To confirm that Develocity stores incoming Build Scans in S3 and can read Build Scan data from S3:

  1. Upload a new Build Scan to your Develocity instance.

  2. Confirm that you can view the Build Scan.

  3. Confirm that the Build Scan is stored in your S3 bucket by running:

ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
aws s3 ls s3://develocity-application-data-${ACCOUNT_ID}/build-scans/ \(1)
  --recursive --human-readable --summarize
1 If you used a custom prefix, use it here instead of build-scans.
Output
2025-05-27 19:11:06    6.6 KiB build-scans/2025/05/27/aprvi3bnnxyzm

Total Objects: 1
   Total Size: 6.6 KiB