About IAM authentication

Memorystore provides the IAM Authentication feature that integrates with Identity and Access Management (IAM) to help you better manage login access for users and service accounts.

Authentication is the process of using IAM to verify the identity of a user who is attempting to access a cluster. Memorystore does the verification using the Redis AUTH command and IAM access tokens.

For instructions on setting up IAM authentication for your Memorystore cluster, see Manage IAM authentication.

IAM authentication for Redis

When using IAM authentication, permission to access a Memorystore cluster isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to principals. For more information, see the IAM overview.

Administrators who authenticate with IAM can use Memorystore IAM authentication to centrally manage access control to their instances using IAM policies. IAM policies involve the following entities:

  • Principals. In Memorystore, you can use two types of principals: a user account, and a service account (for applications). Other principal types, such as Google groups, Google Workspace domains, or Cloud Identity domains, are not yet supported for IAM authentication. For more information, see Concepts related to identity.

  • Roles. For Memorystore IAM authentication, a user requires the redis.clusters.connect permission to authenticate with a cluster. To get this permission, you can bind the user or service account to the predefined Redis Cluster DB Connection User (roles/redis.dbConnectionUser) role. For more information about IAM roles, see Roles.

  • Resources. The resources that principals access are Memorystore clusters. By default, IAM policy bindings are applied at the project level, so that principals receive role permissions for all Memorystore instances in the project. However, IAM policy bindings can be restricted to a particular cluster. For instructions, see Manage permissions for IAM authentication.

Redis AUTH command

The IAM Authentication feature uses the Redis AUTH command to integrate with IAM, allowing clients to provide an IAM access token that will be verified by the Memorystore cluster before allowing access to data.

Like every command, the AUTH command is sent unencrypted unless In Transit Encryption is enabled.

For an example of what the AUTH command can look like, see Connecting to a Redis cluster that uses IAM authentication.

IAM access token time frame

The IAM access token that you retrieve as a part of authentication expires 1 hour after it is retrieved by default. Alternatively, you can define the access token expiration time when Generating the access token. A valid token needs to be presented via the AUTH command when establishing a new Redis connection. If the token has expired, you need to get a new access token before establishing new connections.
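The following is an added example, not code from the Memorystore documentation, serving both the Redis AUTH command section and the token time-frame described above: it caches an IAM access token, refreshes it shortly before the default 1-hour expiry so every new connection is authenticated with a still-valid token, and shows the exact RESP bytes of the AUTH command that leave the client. The gcloud-backed fetcher and the 5-minute refresh margin are assumptions; the real client library and hostnames are left out.

```python
import subprocess
import time
from typing import Callable, Optional, Tuple

DEFAULT_TOKEN_LIFETIME_S = 3600  # IAM access tokens expire 1 hour after retrieval by default
REFRESH_MARGIN_S = 300           # assumption: refresh 5 minutes early to absorb clock skew and connect time

# A fetcher returns (access_token, lifetime_in_seconds).
TokenFetcher = Callable[[], Tuple[str, float]]


def fetch_with_gcloud() -> Tuple[str, float]:
    """Production fetcher: ask gcloud for the caller's IAM access token.
    gcloud prints no expiry, so the default 1-hour lifetime is assumed."""
    out = subprocess.run(["gcloud", "auth", "print-access-token"],
                         check=True, capture_output=True, text=True).stdout
    return out.strip(), DEFAULT_TOKEN_LIFETIME_S


class IamTokenCache:
    """Hands out a token that is still valid, refreshing it shortly before expiry.
    Call token() each time a new Redis connection is opened; never reuse a stale one."""

    def __init__(self, fetch: TokenFetcher, clock: Callable[[], float] = time.monotonic,
                 margin_s: float = REFRESH_MARGIN_S) -> None:
        self._fetch, self._clock, self._margin = fetch, clock, margin_s
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.refreshes = 0  # observability: how often a fresh token had to be fetched

    def token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            self._token, lifetime = self._fetch()
            self._expires_at = now + lifetime
            self.refreshes += 1
        return self._token


def auth_frame(token: str) -> bytes:
    """RESP encoding of 'AUTH <token>' exactly as it travels to the cluster.
    Without In Transit Encryption these bytes, token included, cross the network in clear text."""
    parts = [b"AUTH", token.encode()]
    frame = b"*%d\r\n" % len(parts)
    for p in parts:
        frame += b"$%d\r\n%s\r\n" % (len(p), p)
    return frame
```

In production, pass `fetch_with_gcloud` (or a google-auth based fetcher) to `IamTokenCache` and send `auth_frame(cache.token())` as the first command on each new TLS connection.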

Terminating an authenticated connection

If you want to terminate the connection, you can do so using the Redis CLIENT KILL command. To find the connection you want to terminate, first run CLIENT LIST, which returns client connections in order of age. You can then run CLIENT KILL to terminate your desired connection.

Security and privacy

IAM Authentication helps you ensure that your Redis cluster is only accessible by authorized IAM principals. TLS encryption is not provided unless In Transit Encryption is enabled. For this reason, it is recommended that In Transit Encryption be turned on when using IAM Authentication.

Connecting with a Compute Engine VM

If you are using a Compute Engine VM to connect to an instance that uses IAM authentication, you must enable the following access scopes and APIs for your project: