get authentication token / password for IAM secured elasticache (Redis OSS) #8814

Open
2 tasks
mark76 opened this issue Jul 23, 2024 · 0 comments
Labels
feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged.

mark76 commented Jul 23, 2024

Describe the feature

AWS supports IAM authentication at the ElastiCache service (see https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth-iam.html ). However, getting a valid login token in this configuration is extremely nontrivial; the linked page only demonstrates how to get a token with the Java SDK, and there is no dedicated method to do exactly this (even in the SDK).

One of the comments in the sample code notes that "The pre-signed request URL is used as an IAM authentication token for ElastiCache (Redis OSS)." In other words, retrieving an authentication token requires us to generate a pre-signed request URL, which is a feature that aws-cli does not expose because we do not need it (usually).

This feature request would add the ability to generate an authentication token / Redis password (which is non-standard, unfortunately) for a secured Redis without having to "reinvent the wheel", i.e. without reimplementing the signing process.

Use Case

I am working on a big project where security is a very major issue, and where we are required to use IAM role authentication whenever possible. This introduces major

In order to connect to the cache, the only option we have is redis-cli, and we need to pass it a valid authentication token. Due to the sheer complexity of generating the token (i.e. generating a signed request) with just a bash shell, we have failed to do this - and considering that aws-cli does encapsulate most of these technical processes when talking to AWS, we should be able to generate tokens for this use case (Redis OSS with IAM authentication) as well.

Proposed Solution

There should be a new command, such as
"aws elasticache generate-iam-access-token --cluster-host --cluster-username --iam-role "

I am not sure which other parameters this feature would need, especially with respect to the different AWS credential providers that exist (our use case uses assume-role-with-web-identity, but there may be other variants).

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

aws-cli/2.15.30 Python/3.9.16 Linux/5.10.219-208.866.amzn2.x86_64 source/x86_64.amzn.2023 prompt/off

Environment details (OS name and version, etc.)

Amazon Linux 2023.5.20240722

@mark76 mark76 added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jul 23, 2024