get authentication token / password for IAM secured elasticache (Redis OSS) #8814
Labels
feature-request: A feature should be added or improved.
needs-triage: This issue or PR still needs to be triaged.
Describe the feature
AWS supports IAM authentication at the ElastiCache service (see https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth-iam.html ). However, getting a valid login token in this configuration is extremely nontrivial; the linked page only demonstrates how to get a token with the Java SDK, and there is no dedicated method to do exactly this (even in the SDK).
One of the comments in the sample code notes that "The pre-signed request URL is used as an IAM authentication token for ElastiCache (Redis OSS)." In other words, retrieving an authentication token requires us to generate a pre-signed request URL, which is a feature that aws-cli does not expose because we do not need it (usually).
This feature request would add the ability to generate an authentication token / Redis password (which is non-standard, unfortunately) for a secured Redis without having to "reinvent the wheel", i.e. without reimplementing the signing process.
Use Case
I am working in a big project where Security is a very major issue, and where we are required to use IAM role authentication whenever possible. This introduces major
In order to connect to the cache, the only option we have is redis-cli, and we need to pass it a valid authentication token. Due to the sheer complexity of generating the token (i.e. generating a signed request) with just a bash shell, we have failed to do this, and considering that aws-cli does encapsulate most of these technical processes when talking to AWS, we should be able to generate tokens for this use case (Redis OSS with IAM authentication) as well.
Proposed Solution
There should be a new command, such as
"aws elasticache generate-iam-access-token --cluster-host --cluster-username --iam-role "
I am not sure which other parameters this feature would need, especially with respect to the different AWS credential providers that exist (our use case uses assume-role-with-web-identity, but there may be other variants).
Other Information
No response
Acknowledgements
CLI version used
aws-cli/2.15.30 Python/3.9.16 Linux/5.10.219-208.866.amzn2.x86_64 source/x86_64.amzn.2023 prompt/off
Environment details (OS name and version, etc.)
Amazon Linux 2023.5.20240722