I recently worked on a project that required creating and attaching an RDS Proxy to an already existing RDS instance running PostgreSQL. It seems easy enough, but I kept getting a validation error that took some time to resolve.
What I Was Doing (This Doesn’t Work)
My first attempt used the standard fromLookup function to reference an existing database:
...
const coolDatabase = rds.DatabaseInstance.fromLookup(this, 'coolDB', {
instanceIdentifier: props.databaseInstanceId,
})
const dbProxy = coolDatabase.addProxy('coolDBProxy', {
secrets: [<relevant_secrets>],
vpc: <relevant_vpc>,
securityGroups: [<relevant_security_groups>],
});
...
This code retrieves information from an RDS instance using the fromLookup function with a database identifier passed through props, then calls addProxy to create and attach an RDS proxy.
Easy enough, right? When I attempted to deploy my stack I kept getting this validation error:
Could not determine engine for proxy target 'coolStack/coolDB'.
Please provide it explicitly when importing the resource at path
[coolStack/coolDB/coolProxy] in aws-cdk-lib.aws_rds.DatabaseProxy
The problem
The gist of it is that the function fromLookup does not populate the engine field used by the database. Internally, this value is important for the code that creates and wires the RDS Proxy, so understandably it presents you with a validation error.
The Solution
Use fromDatabaseInstanceAttributes instead of fromLookup. This function allows you to explicitly specify the database engine, solving our problem. The downside is that the call requires additional information about the database:
- Instance identifier
- Instance endpoint address
- Port number
- Security groups (can be left empty if needed)
The corrected code looks like :
const coolDatabase = rds.DatabaseInstance.fromDatabaseInstanceAttributes(this,'coolDB',
{
instanceIdentifier: props.databaseInstanceId,
instanceEndpointAddress: props.databaseInstanceEndpoint,
port: 5432, // because Postgres
securityGroups: [<relevant_security_groups>], // This can be left empty in a pinch
engine: rds.DatabaseInstanceEngine.POSTGRES, // <- Magic happening right there
}
);
const dbProxy = coolDatabase.addProxy('coolDBProxy', {
secrets: [<relevant_secrets>],
vpc: <relevant_secrets>,
securityGroups: [<relevant_security_groups>],
});
By explicitly setting the engine field, CDK has all the information it needs to properly configure the RDS Proxy. The addProxy call will now succeed without validation errors.
While this solution works, it’s not ideal. I’d prefer to pass the engine directly to the fromLookup function, but as of July 2025, using fromDatabaseInstanceAttributes is probably the most straightforward way to solve this problem.
If you’ve encountered this specific issue, welcome to our very exclusive club! There are probably only a handful of people who have run into this exact scenario, but I hope this guide saves you some debugging/fixing time.
I hope you find this useful!