Memorystore provides the IAM Authentication feature that leverages Identity and Access Management (IAM) to help you better manage login access for users and service accounts. IAM-based authentication integrates with Redis AUTH, letting you seamlessly rotate credentials (IAM tokens) without relying on static passwords.
For instructions on setting up IAM authentication for your Memorystore cluster, see Manage IAM authentication.
IAM authentication for Redis
When using IAM authentication, permission to access a Memorystore cluster isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to principals. For more information, see the IAM overview.
Administrators who authenticate with IAM can use Memorystore IAM authentication to centrally manage access control to their instances using IAM policies. IAM policies involve the following entities:
Principals. In Memorystore, you can use two types of principals: a user account and a service account (for applications). Other principal types, such as Google groups, Google Workspace domains, or Cloud Identity domains, are not yet supported for IAM authentication. For more information, see Concepts related to identity.
Roles. For Memorystore IAM authentication, a user requires the redis.clusters.connect permission to authenticate with a cluster. To get this permission, you can bind the user or service account to the predefined Redis Cluster DB Connection User (roles/redis.dbConnectionUser) role. For more information about IAM roles, see Roles.
Resources. The resources that principals access are Memorystore clusters. By default, IAM policy bindings are applied at the project level, so that principals receive role permissions for all Memorystore instances in the project. However, IAM policy bindings can be restricted to a particular cluster. For instructions, see Manage permissions for IAM authentication.
Redis AUTH command
The IAM Authentication feature uses the Redis AUTH command to integrate with IAM, allowing clients to provide an IAM access token that will be verified by the Memorystore cluster before allowing access to data.
Like every command, the AUTH command is sent unencrypted unless In Transit Encryption is enabled.
For an example of what the AUTH command can look like, see Connecting to a Redis cluster that uses IAM authentication.
IAM access token time frame
By default, the IAM access token that you retrieve as a part of authentication expires one hour after it's retrieved. Alternatively, when you generate the access token, you can define the access token expiration time.
When you establish a new Redis connection, you must present a valid access token by using the AUTH command. If the token expires, then you must get a new token to establish new connections. However, if you already authenticated an existing connection, then it continues to work, even if the token expires.
End an authenticated connection
If you want to end the connection, then use the Redis CLIENT KILL command. To find the connection that you want to end, first run CLIENT LIST, which returns client connections in order of age. You can then run CLIENT KILL to end the connection.
Enable IAM authentication
Enabling IAM authentication doesn't degrade steady-state performance. However, it does affect the rate at which you can establish connections.
Enabling IAM authentication throttles the rate of client connections that are established every second, because Google Cloud's IAM authentication must authenticate each new connection. In steady state, an application uses connection pools, so this impact is negligible. However, when client applications are refreshed through deployments or bounce processing, there might be an influx of connections being established again. If you update your clients gradually and implement exponential backoff, then you can absorb this reduced rate.
To view a code sample of how to use IAM authentication, see Code sample for both IAM auth and in-transit encryption.
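The following is an added example (not Google's code sample and not part of the original page) that puts the two client-side rules above into practice: cache the IAM access token and refetch it before its one-hour default expiry so every new connection presents a valid token to AUTH, and open new connections with jittered exponential backoff so a reconnect burst after a deployment stays within the throttled connection rate. Assumptions: the token fetcher and connection opener are injected (a production caller would wrap google.auth credentials and a redis-py connection), and the ACL user name passed to AUTH is `default`, which the page does not state; already-authenticated connections keep working after the token expires, so the cache matters only for new connections.

```python
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Tokens expire one hour after retrieval by default; refresh this far ahead of
# expiry so AUTH is never sent a token that lapses moments later.
REFRESH_MARGIN_S = 300

@dataclass
class IamTokenCache:
    """Caches an IAM access token and refetches it shortly before it expires.
    fetch_token returns (token, lifetime_seconds); `now` is injectable for tests."""
    fetch_token: Callable[[], tuple[str, int]]
    now: Callable[[], float] = time.time
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def token(self) -> str:
        if self._token is None or self.now() >= self._expires_at - REFRESH_MARGIN_S:
            self._token, ttl = self.fetch_token()
            self._expires_at = self.now() + ttl
        return self._token

    def invalidate(self) -> None:
        """Drop the cached token, e.g. after the cluster rejects it."""
        self._token = None

def auth_args(token: str) -> list:
    """Redis AUTH arguments carrying the IAM token.
    Assumption (not on the page): the cluster ACL user name is `default`."""
    return ["AUTH", "default", token]

def connect_with_backoff(open_conn, cache, attempts=5, base_delay=0.1,
                         sleep=time.sleep, rand=random.random):
    """Open and AUTH one connection, retrying with capped, jittered exponential
    backoff because IAM authentication throttles new connections per second.
    open_conn() returns any object exposing execute_command(*args)."""
    delay, last_err = base_delay, None
    for _ in range(attempts):
        try:
            conn = open_conn()
            conn.execute_command(*auth_args(cache.token()))
            return conn
        except ConnectionError as err:  # refused or throttled: wait, then retry
            last_err = err
            sleep(delay * (1 + rand()))
            delay = min(delay * 2, 5.0)
    raise RuntimeError(f"could not AUTH after {attempts} attempts") from last_err
```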
Security and privacy
IAM Authentication helps you ensure that your Redis cluster is only accessible by authorized IAM principals. TLS encryption is not provided unless In Transit Encryption is enabled. For this reason, it is recommended that you turn on In Transit Encryption when using IAM Authentication.
Connect with a Compute Engine VM
If you are using a Compute Engine VM to connect to an instance that uses IAM authentication, you must enable the following access scopes and APIs for your project:
Cloud Platform API scope. For instructions on enabling this scope, see Attach the service account and update the access scope. For a description of best practices for this access scope, see Scopes best practice.
Memorystore for Redis Cluster API. Enable this API for your project.