Add support for AWS IAM #356
Comments
Maybe via a more general approach: #376?
Could you provide a code sample showing how to connect to an AWS ElastiCache Redis server with the IAM module? How do I do it? Thank you
@pmlopes I don't see where you support redis authentication?
Hi, sorry for the late response. I am currently drowning in work, which is also the reason why I could not finish the requested more generic approach. To your question: you do not pass the Credentials Provider from AWS. When you check the example code, they also do not do that. They implement the RedisCredentialsProvider, which is a lettuce interface. They implement this interface in RedisIAMAuthCredentialsProvider. What they do is use the default credentials provider to get the credentials provided by whatever (Static, STSAssumeRoleSessionCredentialsProvider, Web...something :), etc.) and then use it together with IAMAuthTokenRequest to create a username and password, which is then provided to lettuce. Check the resolveCredentials method there. That is exactly the same as what I created here. I do not provide a solution specific to AWS; instead you are able to dynamically exchange the credentials at any time. Where the credentials come from does not matter. You can then implement your own solution for AWS, Azure, etc.
Hi, I still have some trouble establishing a secure connection. So I try with the following URI:
As I understand, this is the same as what the lettuce driver does. I don't have any trouble establishing a connection with lettuce. But with vertx, I got the following error:
{
"name": "Redis connection health check",
"status": "DOWN",
"data": {
"reason": "client [<default>]: Fail to parse connection string authority"
}
},
The password has been generated in the same way as this sample code. I use Quarkus and I follow their documentation: https://quarkus.io/guides/redis-reference#programmatic-redis-hosts I tried to see how lettuce works by cloning the repo, but I don't see exactly which URI syntax is used to establish the connection. Any help? Thank you
Hi @geniusit Regarding the other part: we are using Quarkus as well. We do not set the password in the URL. We use quarkus.redis.password and then set the value via an environment variable from a Kubernetes secret. You also need rediss:// and not redis:// as far as I know. But as said, static credentials, and we also use the default user at the moment.
Hi @holomekc Btw, if I don't set the username I get an authentication error. So I added it like this: rediss://myusername:mypassword@myserver.com:6379/1 The documentation should specify this as well. Now it's working, but my manager doesn't like static credentials. Do you think there is a chance that you implement dynamic credentials as Lettuce does? Thank you!
See #391
Maybe some additional info. Even when the changes are done, I think you will not be able to use them directly. The requested approach is applied at the level of the Redis client creation and is not part of the RedisOptions. So I think Quarkus will need to adjust things as well. Something like this: https://quarkus.io/guides/redis-reference#customize-the-redis-options-programmatically will not work in this case, I guess. Not sure if there would be a different approach to work around the Quarkus config.
The way to handle this is that we need some sort of async supplier in At the https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth-iam.html
I provided exactly that in #376, but an even more general approach was requested.
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth-iam.html
Technically we can use this mechanism as of today, as we support Redis authentication. We could, however, try to simplify the process to generating the v4 signature in a blocking call outside the event loop.
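
The two ideas raised in this thread, credentials that can be exchanged at any time and v4 signing done in a blocking call outside the event loop, can be combined in one small asynchronous supplier. This is an added example in plain Java 16+, not code from vertx-redis-client, lettuce or AWS; the class name `RefreshingTokenSupplier`, the `blockingSigner` parameter (a stand-in for whatever produces the IAM token) and the 10-minute refresh interval are assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.*;
import java.util.concurrent.atomic.*;
import java.util.function.Supplier;

// Added example: caches a short-lived token and re-signs off the caller's thread.
public final class RefreshingTokenSupplier {
  private record Entry(CompletableFuture<String> token, Instant refreshAt) {}

  private final Supplier<String> blockingSigner; // hypothetical: performs the v4 signing
  private final Executor worker;                 // worker pool, never the event loop
  private final Duration refreshAfter;           // keep below the token lifetime
  private final AtomicReference<Entry> current = new AtomicReference<>();

  public RefreshingTokenSupplier(Supplier<String> signer, Executor worker, Duration refreshAfter) {
    this.blockingSigner = signer;
    this.worker = worker;
    this.refreshAfter = refreshAfter;
  }

  public CompletableFuture<String> get() {
    Instant now = Instant.now();
    Entry seen = current.get();
    boolean failed = seen != null && seen.token().isCompletedExceptionally();
    if (seen != null && !failed && now.isBefore(seen.refreshAt())) return seen.token();
    Entry fresh = new Entry(new CompletableFuture<>(), now.plus(refreshAfter));
    // Only one caller wins the swap and signs; the others share the winner's future.
    if (!current.compareAndSet(seen, fresh)) return current.get().token();
    worker.execute(() -> {
      try {
        fresh.token().complete(blockingSigner.get());
      } catch (Throwable t) {
        fresh.token().completeExceptionally(t); // the next get() retries
      }
    });
    return fresh.token();
  }

  public static void main(String[] args) throws Exception {
    ExecutorService pool = Executors.newSingleThreadExecutor();
    AtomicInteger calls = new AtomicInteger();
    // Constructed stand-in for the real signer; returns a fake token.
    RefreshingTokenSupplier tokens = new RefreshingTokenSupplier(
        () -> "constructed-token-" + calls.incrementAndGet(), pool, Duration.ofMinutes(10));
    String first = tokens.get().get();
    String second = tokens.get().get(); // inside the refresh window: same cached future
    System.out.println(first + " " + second + " signerCalls=" + calls.get());
    pool.shutdown();
  }
}
```

Because the token is handed out as a future, a client can ask for it on every (re)connect without the signing work ever running on the calling thread, and a failed signing attempt is not cached.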