Memorystore provides the IAM Authentication feature, which uses Identity and Access Management (IAM) to help you manage login access for users and service accounts. IAM-based authentication integrates with the Redis AUTH command, letting you rotate credentials (IAM access tokens) without relying on static passwords.
For instructions on setting up IAM authentication for your Memorystore cluster, see Manage IAM authentication.
IAM authentication for Redis
When using IAM authentication, permission to access a Memorystore cluster isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to principals. For more information, see the IAM overview.
Administrators who authenticate with IAM can use Memorystore IAM authentication to centrally manage access control to their instances using IAM policies. IAM policies involve the following entities:
Principals. In Memorystore, you can use two types of principals: a user account and a service account (for applications). Other principal types, such as Google groups, Google Workspace domains, or Cloud Identity domains, are not yet supported for IAM authentication. For more information, see Concepts related to identity.
Roles. For Memorystore IAM authentication, a user requires the redis.clusters.connect permission to authenticate with a cluster. To get this permission, you can bind the user or service account to the predefined Redis Cluster DB Connection User (roles/redis.dbConnectionUser) role. For more information about IAM roles, see Roles.
Resources. The resources that principals access are Memorystore clusters. By default, IAM policy bindings are applied at the project level, so principals receive the role's permissions for all Memorystore instances in the project. However, IAM policy bindings can be restricted to a particular cluster. For instructions, see Manage permissions for IAM authentication.
Redis AUTH command
The IAM Authentication feature uses the Redis AUTH command to integrate with IAM, allowing clients to provide an IAM access token that will be verified by the Memorystore cluster before allowing access to data.
Like every command, the AUTH command is sent unencrypted unless In Transit Encryption is enabled.
For an example of what the AUTH command can look like, see Connecting to a Redis cluster that uses IAM authentication.
IAM access token time frame
The IAM access token that you retrieve as part of authentication expires 1 hour after it is retrieved by default. Alternatively, you can define the access token expiry time when generating the access token (see Generating the access token). A valid token must be presented via the AUTH command when establishing a new Redis connection. If the token has expired, you need to get a new access token before you can establish new connections.
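The following is an added example, not code from the Memorystore documentation or from Google, showing how a client can keep a valid token ready for AUTH on every new connection: it refreshes the token shortly before the 1-hour default expiry rather than presenting a stale one. It assumes the google-auth library for fetching tokens and redis-py (4.4 or later) for the duck-typed credential-provider hook; the fetcher and clock are injectable so the refresh logic can be exercised without any Google Cloud access.

```python
"""Refreshing IAM access tokens for Memorystore AUTH (added example, not Google's code)."""
import time
from datetime import timezone
from typing import Callable, Optional, Tuple

# Cloud Platform API scope (the scope the page says a Compute Engine VM needs).
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def fetch_iam_token() -> Tuple[str, float]:
    """Fetch a fresh IAM access token with google-auth (assumed library).

    Returns (token, expiry as a Unix timestamp). google-auth reports expiry as a
    naive UTC datetime, so it is tagged as UTC before conversion.
    """
    import google.auth
    import google.auth.transport.requests

    creds, _project = google.auth.default(scopes=[CLOUD_PLATFORM_SCOPE])
    creds.refresh(google.auth.transport.requests.Request())
    return creds.token, creds.expiry.replace(tzinfo=timezone.utc).timestamp()


class IamTokenProvider:
    """Credential provider for redis-py: supplies a valid token to AUTH for each new connection.

    A token is reused until it is within `refresh_margin` seconds of expiring,
    then a new one is fetched, so a pooled client never authenticates with an
    expired token (new connections would otherwise fail once the hour is up).
    """

    def __init__(self, fetch: Callable[[], Tuple[str, float]] = fetch_iam_token,
                 clock: Callable[[], float] = time.time, refresh_margin: float = 300.0):
        self._fetch, self._clock, self._margin = fetch, clock, refresh_margin
        self._token: Optional[str] = None
        self._expiry = 0.0
        self.refresh_count = 0  # how many tokens were fetched (useful for monitoring)

    def get_credentials(self) -> Tuple[str]:
        if self._token is None or self._clock() >= self._expiry - self._margin:
            self._token, self._expiry = self._fetch()
            self.refresh_count += 1
        return (self._token,)  # a 1-tuple makes redis-py send "AUTH <token>"


def connect(host: str, port: int = 6379, provider: Optional[IamTokenProvider] = None):
    """Open a RedisCluster client that authenticates with IAM tokens (assumes redis-py >= 4.4)."""
    import redis

    # ssl=True corresponds to In Transit Encryption; the page recommends enabling it with IAM auth.
    # With a private CA you would also pass ssl_ca_certs=<path to the server CA bundle>.
    return redis.cluster.RedisCluster(host=host, port=port, ssl=True,
                                      credential_provider=provider or IamTokenProvider())
```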
Terminating an authenticated connection
If you want to terminate the connection, you can do so using the Redis CLIENT KILL command. To find the connection you want to terminate, first run CLIENT LIST, which returns client connections in order of age. You can then run CLIENT KILL to terminate your desired connection.
Security and privacy
IAM Authentication helps you ensure that your Redis cluster is only accessible by authorized IAM principals. TLS encryption is not provided unless In Transit Encryption is enabled, so the access token in the AUTH command travels in cleartext otherwise. For this reason, it is recommended that In Transit Encryption be turned on when using IAM Authentication.
Connecting with a Compute Engine VM
If you are using a Compute Engine VM to connect to an instance that uses IAM authentication, you must enable the following access scope and API for your project:
Cloud Platform API scope. For instructions on enabling this scope, see Attach the service account and update the access scope. For a description of best practices for this access scope, see Scopes best practice.
Memorystore for Redis Cluster API. Enable this API for your project.