This page gives an overview of AUTH on Memorystore for Redis.
For instructions on managing AUTH for your Redis instance, see Managing Redis AUTH.
AUTH behavior
Using AUTH is optional for Memorystore for Redis.
A connecting client starts by sending the AUTH command followed by the Redis instance's AUTH string. Every AUTH string is a Universally Unique Identifier (UUID). Each Redis instance with AUTH enabled has a unique AUTH string.
If you enable the AUTH feature on your Memorystore instance, incoming client connections must authenticate in order to connect. Existing connections that had not previously authenticated need to properly authenticate before they can continue issuing commands. Once a client authenticates with an AUTH string, it remains authenticated for the lifetime of that connection, even if you change the AUTH string.
For Memorystore for Redis, the AUTH string is automatically generated after AUTH is enabled on the instance. The AUTH string is a randomly generated string of 36 characters that is exclusive to each Memorystore instance. The AUTH string is uniquely generated each time that AUTH is enabled. Therefore, the AUTH string can be changed if necessary by toggling AUTH from off to on.
Like every command, if in-transit encryption is not enabled, there is no guarantee that the command is encrypted in-transit end to end. This is because there is no guarantee that the client traffic is meeting the VPC network level based encryption on Google Cloud encryption standards.
Security and privacy
AUTH helps you ensure that known entities in your organization do not unintentionally access and modify your Redis instance. AUTH does not provide security during data transportation. Also, AUTH does not protect your instance against any malicious entities that have access to your VPC network.
Make sure to limit access to your VPC network to known users and clients. See Redis security for additional details.
Using AUTH with read replica enabled instances
If AUTH is enabled on an instance that also has read replicas enabled, any connection to the Redis instance requires initial authentication using the AUTH string.
What's next
- Perform common tasks associated with Redis AUTH
- See the permissions required to perform Redis AUTH tasks.