
Aurora PostgreSQL

Aurora PostgreSQL with the pgvector extension is the recommended AWS-native backend for memledger. The adapter authenticates to the cluster with IAM database auth (rds-db:connect) — no password ever touches the agent pod, the Helm values, the build script, or any secret store.

The backend resolves the host from your DSN, mints a short-lived (15-minute) token via the local boto3 session, and substitutes it for the password just before connecting. Connection pools pick up fresh tokens naturally: each new connection the pool opens fetches its own token, so an expired token never has to be rotated by hand.

Validated end-to-end against a real Aurora cluster — see Backend Validation.

Connection string

memledger accepts a standard Postgres DSN; the password slot is filled in at connect time when iam_auth: true.

postgresql://<db-user>@<your-aurora-cluster-endpoint>:5432/<database>

For IAM auth, do not put a password in the DSN. memledger's connector reads the host/port/user from the DSN and fetches a fresh token on each new connection.

IAM database user setup

Run once against your Aurora cluster (with a master credential):

-- Create the database role memledger will connect as.
CREATE USER memledger;

-- Grant the rds_iam role so this user authenticates by IAM token.
GRANT rds_iam TO memledger;

-- Give it the schema permissions memledger needs.
CREATE DATABASE memledger;
GRANT ALL PRIVILEGES ON DATABASE memledger TO memledger;

-- Enable pgvector once.
\c memledger
CREATE EXTENSION IF NOT EXISTS vector;

IRSA policy

The agent's IRSA role needs rds-db:connect on the cluster's DbiResourceId for the memledger user:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["rds-db:connect"],
    "Resource": [
      "arn:aws:rds-db:<region>:<account-id>:dbuser:<DbiResourceId>/memledger"
    ]
  }]
}

<DbiResourceId> is the cluster's resource ID (looks like cluster-ABCDEFGH...), not the cluster name. Find it under "Configuration" in the RDS console or via:

aws rds describe-db-clusters --db-cluster-identifier <your-aurora-cluster> \
    --query 'DBClusters[0].DbClusterResourceId' --output text
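
A preflight check for the two pieces above, the password-free DSN and the IRSA policy, written as an added example (it is not memledger's own code). The function name, sample endpoint, account ID and resource ID are assumptions constructed for illustration, and only the literal rds-db:connect action is matched.

```python
import json
from urllib.parse import urlsplit

def _as_list(value):
    # IAM policy fields may hold a single item or a list of them.
    return value if isinstance(value, list) else [value]

def check_iam_setup(dsn: str, policy_json: str) -> list[str]:
    """Return findings; an empty list means DSN and policy are consistent."""
    findings = []
    url = urlsplit(dsn)
    if url.password:
        findings.append("DSN carries a password; leave the slot empty for IAM auth")
    if not url.username:
        findings.append("DSN has no user; the token is minted for one db user")
    covered = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "rds-db:connect" not in _as_list(stmt.get("Action", [])):
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            # arn:aws:rds-db:<region>:<account-id>:dbuser:<DbiResourceId>/<user>
            parts = arn.split(":", 6)
            if len(parts) != 7 or parts[5] != "dbuser" or "/" not in parts[6]:
                findings.append(f"not a scoped rds-db dbuser ARN: {arn}")
                continue
            resource_id, db_user = parts[6].split("/", 1)
            if "*" in resource_id or "*" in db_user:
                findings.append(f"wildcard in rds-db:connect resource: {arn}")
                continue
            if not resource_id.startswith("cluster-"):
                # The policy needs the resource ID, not the cluster name.
                findings.append(f"{resource_id!r} is not a cluster resource ID")
            covered = covered or db_user == url.username
    if url.username and not covered:
        findings.append(f"no scoped rds-db:connect resource for {url.username!r}")
    return findings

# Constructed sample values (placeholder endpoint, account and resource ID).
SAMPLE_DSN = "postgresql://memledger@db.example.internal:5432/memledger"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["rds-db:connect"], "Resource": [
        "arn:aws:rds-db:us-east-1:123456789012:dbuser:cluster-EXAMPLE0000/memledger"]}]})

if __name__ == "__main__":
    print(check_iam_setup(SAMPLE_DSN, SAMPLE_POLICY) or "OK")
```
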

SDK configuration

import asyncio

from memledger import Memledger
from memledger.models import EmbeddingConfig


async def main():
    # No password key: with iam_auth enabled the adapter mints a token at connect time.
    ml = await Memledger.create(
        backend_name="pgvector",
        backend_config={
            "host": "<your-aurora-cluster-endpoint>",
            "port": 5432,
            "database": "memledger",
            "user": "memledger",
            "iam_auth": True,
            "region": "<your-region>",
        },
        embedding_config=EmbeddingConfig(
            provider="bedrock",
            model="amazon.titan-embed-text-v2:0",
            dimensions=1024,  # must match the vector(1024) column
        ),
    )
    return ml


asyncio.run(main())

Connection pool tuning

memledger's pgvector adapter uses an asyncpg pool with conservative defaults:

| Setting | Default | When to raise |
|---|---|---|
| min_size | 2 | Steady-state agent count |
| max_size | 10 | Peak concurrent operations across all agents on the pod |

For multi-agent pods or high-concurrency search workloads, raise both. Aurora's per-instance connection ceiling is your real cap — confirm max_connections on the cluster parameter group before pushing max_size past 50.

Embedding-dim alignment

The embedding column is sized at table-create time, and pgvector columns are fixed-dimension. The migration job creates a vector(1024) column to match Bedrock Titan v2.

If you switch embedding providers, the dimension must match:

| Provider | Dim |
|---|---|
| Bedrock Titan v2 | 1024 |
| OpenAI text-embedding-3-small | 1024 (configurable, but 1024 is the default we ship for) |
| fastembed BAAI/bge-small | 384 |

Switching providers across a dim boundary requires migrating the agent_memory table or creating a new one. There is no live re-embedding path today.

Choosing Aurora vs. OpenSearch

| Pick Aurora when… | Pick OpenSearch when… |
|---|---|
| You want pure semantic similarity | You need hybrid search (BM25 + vector) |
| You're already running RDS / Aurora | You're already running OpenSearch |
| You prefer SQL for ad-hoc audit queries | You prefer Lucene queries / Kibana |
| Your team owns Postgres tooling | Your team owns OpenSearch tooling |

Both are fully supported and validated end-to-end. The trust layer is identical across them.
