Is it possible for an external server application (outside of AWS) to authenticate to ElastiCache for Redis using a method that is more secure than the Redis AUTH token? If so, what would be the steps required?
Question posted in Amazon Web Services
The official Amazon Web Services documentation can be found here.
2 Answers
AWS ElastiCache and MemoryDB Redis instances are only accessible from within the VPC.
Technically, AUTH (or HELLO with an AUTH argument) is the only way you can authenticate on Redis, so your Redis client will have to issue this command anyway. I assume you wanted to ask if there was an option to authenticate with something more secure than a permanent password.
If your cluster is set to Redis 7, instead of the permanent password, you can use short-lived tokens signed by your IAM role credentials.
Here's what you need to do:
1. Create an ElastiCache user and attach it to your cache.
2. Create an IAM role and grant it elasticache:Connect on the user and the cache (specify the ARNs of both in the Resources section).
3. Generate a URL-like string which would look like this:
4. Sign this request using the IAM credentials of your role and the service name elasticache.
5. Strip the leading http://.
6. Pass the resulting string as your AUTH password.
You will have to reconnect to Redis once the signed request expires.
Unfortunately, current versions of the client libraries lack the functionality to sign the requests out of the box.
There is an example for Java, and someone ported it to Go, but I couldn’t find existing libraries for the other languages, so if you’re not using these two, you’ll have to roll your own.
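The signing procedure described in the answer above, as an added worked example that is not part of the original answer nor of the AWS Java/Go samples it mentions: a standard-library-only Python implementation of SigV4 query-string presigning for the connect request, plus a local verifier that mirrors the signature and 15-minute expiry check so the output can be sanity-checked offline. The cache name my-cache, the user app-user, the region us-east-1 and the access keys are assumed placeholder values; the request shape (GET http://<cache-name>/?Action=connect&User=<user-id>, only the Host header signed, empty body) follows the AWS documentation's samples.

```python
# Added example (not from the original answer): build the SigV4-presigned
# "connect" request that ElastiCache for Redis accepts as an IAM auth token,
# and verify such a token locally the way the service would.
# Assumed values: cache "my-cache", user "app-user", region "us-east-1" and
# the AWS documentation's placeholder access keys. Standard library only.
import datetime as dt
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote

ALGORITHM = "AWS4-HMAC-SHA256"
TOKEN_TTL_SECONDS = 900  # ElastiCache IAM auth tokens are valid for 15 minutes


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # Standard SigV4 derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Parameters sorted by name and RFC 3986 percent-encoded, so the slashes in
    # the credential scope become %2F. Joined with '&'.
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in sorted(params.items()))


def build_canonical_request(cache_name: str, params: dict) -> str:
    # GET http://<cache-name>/?...  Only the Host header is signed and the
    # body is empty (hash of ""), matching the AWS samples this mirrors.
    return "\n".join(["GET", "/", _canonical_query(params),
                      f"host:{cache_name}\n", "host", _sha256_hex(b"")])


def _signature(secret_key, region, service, amz_date, date_stamp, canonical_request):
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    key = _signing_key(secret_key, date_stamp, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def generate_iam_auth_token(cache_name, user_id, region, access_key, secret_key,
                            session_token=None, service="elasticache", now=None):
    """Return the string to pass as the AUTH password for ElastiCache user `user_id`.
    `now` is epoch seconds (injectable for deterministic tests)."""
    when = dt.datetime.fromtimestamp(time.time() if now is None else now, dt.timezone.utc)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    params = {
        "Action": "connect",
        "User": user_id,
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{date_stamp}/{region}/{service}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary (STS / assumed-role) credentials carry a session token
        params["X-Amz-Security-Token"] = session_token
    params["X-Amz-Signature"] = _signature(
        secret_key, region, service, amz_date, date_stamp,
        build_canonical_request(cache_name, params))
    # The presigned URL is "http://" + this string; the scheme is stripped for AUTH.
    return f"{cache_name}/?{_canonical_query(params)}"


def verify_iam_auth_token(token, cache_name, secret_key, now=None):
    """Local self-check mirroring what the service verifies: the signature over the
    canonical request (scope taken from X-Amz-Credential) and the X-Amz-Expires
    window. Clients never do this themselves; it exists to test the generator."""
    now = time.time() if now is None else now
    if token.startswith("http://"):
        token = token[len("http://"):]
    host, sep, query = token.partition("/?")
    if not sep or host != cache_name:
        return False
    params = dict(parse_qsl(query, keep_blank_values=True))  # decodes %2F back to '/'
    try:
        presented = params.pop("X-Amz-Signature")
        _access_key, date_stamp, region, service, _ = params["X-Amz-Credential"].split("/")
        signed_at = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        signed_at = signed_at.replace(tzinfo=dt.timezone.utc).timestamp()
        ttl = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if now < signed_at or now > signed_at + ttl:
        return False
    expected = _signature(secret_key, region, service, params["X-Amz-Date"], date_stamp,
                          build_canonical_request(host, params))
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed placeholder credentials from the AWS docs, never real ones.
    token = generate_iam_auth_token("my-cache", "app-user", "us-east-1",
                                    "AKIAIOSFODNN7EXAMPLE",
                                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
    print(token)
    # With redis-py (not imported here):
    #   redis.Redis(host=<cluster endpoint>, port=6379, ssl=True,
    #               username="app-user", password=token)
```

Generate the token immediately before each connection attempt rather than caching it: the service only accepts it inside the X-Amz-Expires window (900 seconds), so a reconnect after that needs a fresh signature. Use the ElastiCache user id as the AUTH username and the token as the password, and pass the STS session token when the role's credentials are temporary so X-Amz-Security-Token is part of the signed query. IAM authentication on ElastiCache requires in-transit encryption, so the client must connect over TLS.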