Memorystore provides the IAM Authentication feature, which uses Identity and Access Management (IAM) to help you manage login access for users and service accounts. IAM-based authentication integrates with the Valkey AUTH command, letting you rotate credentials (short-lived IAM access tokens) without relying on static passwords.
For instructions on setting up IAM authentication for your Memorystore instance, see Manage IAM authentication.
IAM authentication for Valkey
When using IAM authentication, permission to access a Memorystore instance isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to principals. For more information, see the IAM overview.
Administrators who authenticate with IAM can use Memorystore IAM authentication to centrally manage access control to their instances using IAM policies. IAM policies involve the following entities:
Principals. In Memorystore, you can use two types of principals: A user account, and a service account (for applications). Other principal types, such as Google groups, Google Workspace domains, or Cloud Identity domains are not yet supported for IAM authentication. For more information, see Concepts related to identity.
Roles. For Memorystore IAM authentication, a user requires the memorystore.instances.connect permission to authenticate with an instance. To get this permission, you can bind the user or service account to the predefined Memorystore DB Connection User (roles/memorystore.dbConnectionUser) role. For more information about IAM roles, see Roles.
Resources. The resources that principals access are Memorystore instances. By default, IAM policy bindings are applied at the project-level, such that principals receive role permissions for all Memorystore instances in the project. However, IAM policy bindings can be restricted to a particular instance. For instructions, see Manage permissions for IAM authentication.
Valkey AUTH command
The IAM Authentication feature uses the Valkey AUTH command to integrate with IAM. Instead of a password, the client supplies an IAM access token, which the Valkey instance verifies before allowing access to data.
Like every command, the AUTH command is sent unencrypted unless In Transit Encryption is enabled.
For an example of what the AUTH command can look like, see Connecting to a Valkey instance that uses IAM authentication.
IAM access token time frame
The IAM access token that you retrieve as part of authentication expires 1 hour after it is retrieved by default. Alternatively, you can set the token's expiration time when generating the access token. A valid token must be presented with the AUTH command when establishing a new Valkey connection. If the token has expired, you need to get a new access token before you can establish new connections.
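The following added example (not code from the original page or from Memorystore) shows the two points above together: new connections authenticate with AUTH using an IAM access token, and the token is refreshed ahead of its default one-hour lifetime so that a connection opened late in the hour never presents an expired token. It assumes redis-py (`redis`) as the Valkey client, google-auth Application Default Credentials as the token source, placeholder host, port and CA-certificate values, and a single-argument `AUTH <token>` form (which is what redis-py sends for a one-element credential tuple); the exact AUTH format to use is the one documented on the connection page linked above.

```python
"""Added example: IAM-token AUTH for new Valkey connections with ahead-of-expiry refresh.

Assumptions (not from the original page): redis-py is the client, google-auth mints
the token, host/port/CA path are placeholders, and AUTH takes the token as its only
argument.
"""
import time
from typing import Callable, Optional, Tuple

try:  # both libraries are optional so the token logic can be exercised offline
    import redis
    from redis.credentials import CredentialProvider
except ImportError:  # pragma: no cover
    redis = None
    CredentialProvider = object

# A token source returns (access_token, expiry as Unix seconds).
TokenSource = Callable[[], Tuple[str, float]]


def adc_token_source() -> Tuple[str, float]:
    """Mint an IAM access token with Application Default Credentials."""
    import datetime as dt
    import google.auth
    import google.auth.transport.requests

    creds, _ = google.auth.default(
        scopes=["https://www.googleapis.com/auth/cloud-platform"])
    creds.refresh(google.auth.transport.requests.Request())
    if creds.expiry is not None:  # google-auth reports expiry as naive UTC
        expiry = creds.expiry.replace(tzinfo=dt.timezone.utc).timestamp()
    else:
        expiry = time.time() + 3600  # default lifetime stated on the page: 1 hour
    return creds.token, expiry


class IamTokenCache:
    """Hands out a token that is valid now, refreshing it before it expires.

    The token only has to be valid at the moment AUTH is sent on a new connection,
    so refreshing `refresh_margin_s` early avoids racing expiry near the end of the hour.
    """

    def __init__(self, source: TokenSource, refresh_margin_s: float = 300,
                 now: Callable[[], float] = time.time) -> None:
        self._source = source
        self._margin = refresh_margin_s
        self._now = now
        self._token: Optional[str] = None
        self._expiry = 0.0
        self.fetch_count = 0  # number of tokens minted so far (for observability)

    def token(self) -> str:
        if self._token is None or self._now() >= self._expiry - self._margin:
            self._token, self._expiry = self._source()
            self.fetch_count += 1
        return self._token


class IamCredentialProvider(CredentialProvider):
    """redis-py asks the provider for credentials each time the pool opens a
    connection, so every new connection AUTHs with a currently valid token."""

    def __init__(self, cache: IamTokenCache) -> None:
        self._cache = cache

    def get_credentials(self) -> Tuple[str]:
        # One-element tuple: redis-py sends `AUTH <token>` with no username.
        return (self._cache.token(),)


def connect(host: str, port: int = 6379, ca_cert_path: Optional[str] = None,
            source: TokenSource = adc_token_source):
    """Open a TLS client whose connection pool re-authenticates with IAM tokens."""
    if redis is None:
        raise RuntimeError("install redis-py to connect to the instance")
    client = redis.Redis(
        host=host, port=port,
        credential_provider=IamCredentialProvider(IamTokenCache(source)),
        # TLS matches In Transit Encryption on the instance; without it the AUTH
        # command, and so the access token, crosses the network in plaintext.
        ssl=True, ssl_cert_reqs="required", ssl_ca_certs=ca_cert_path)
    client.ping()  # forces the first connection and therefore the first AUTH
    return client


if __name__ == "__main__":
    # Placeholder address; use the instance's endpoint and server CA in practice.
    print(connect("10.0.0.3", ca_cert_path="server-ca.pem").ping())
```

The refresh margin is the design point: an application that caches a token for exactly one hour will eventually hand an already-expired token to a connection opened a few seconds before the boundary, and that connection's AUTH fails.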
Terminating an authenticated connection
If you want to terminate a connection, you can do so using the Valkey CLIENT KILL command. To find the connection you want to terminate, first run CLIENT LIST, which returns client connections in order of age. You can then run CLIENT KILL to terminate the desired connection.
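The procedure above, as an added example that is not part of the original page: parse the space-separated key=value lines that CLIENT LIST returns, narrow them by peer address, client name or minimum age, and issue CLIENT KILL ID for each match. The sample CLIENT LIST output is constructed for illustration, and the `kill_on` helper assumes an already authenticated redis-py client.

```python
"""Added example: find connections in CLIENT LIST output and build CLIENT KILL commands.

SAMPLE_CLIENT_LIST is constructed for illustration; it follows the one-client-per-line,
space-separated key=value format that CLIENT LIST emits.
"""
from typing import Dict, List, Optional

SAMPLE_CLIENT_LIST = """\
id=7 addr=10.0.0.5:41234 laddr=10.128.0.3:6379 fd=12 name= age=3600 idle=3500 flags=N db=0 cmd=get
id=9 addr=10.0.0.6:51001 laddr=10.128.0.3:6379 fd=13 name=batch-worker age=420 idle=2 flags=N db=0 cmd=set
id=12 addr=10.0.0.7:60222 laddr=10.128.0.3:6379 fd=14 name= age=42 idle=0 flags=N db=0 cmd=client|list
"""

INT_FIELDS = {"id", "fd", "age", "idle", "db"}


def parse_client_list(text: str) -> List[Dict[str, object]]:
    """Parse CLIENT LIST output into one dict per connection, preserving order
    (the server lists older connections first)."""
    clients: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry: Dict[str, object] = {}
        for field in line.split():
            key, _, value = field.partition("=")  # values may be empty, e.g. name=
            entry[key] = int(value) if key in INT_FIELDS else value
        clients.append(entry)
    return clients


def select_clients(clients: List[Dict[str, object]], addr: Optional[str] = None,
                   name: Optional[str] = None, min_age: Optional[int] = None
                   ) -> List[Dict[str, object]]:
    """Keep only connections matching every criterion that was given."""
    selected = []
    for c in clients:
        if addr is not None and c.get("addr") != addr:
            continue
        if name is not None and c.get("name") != name:
            continue
        if min_age is not None and int(c.get("age", 0)) < min_age:
            continue
        selected.append(c)
    return selected


def kill_commands(clients: List[Dict[str, object]]) -> List[List[str]]:
    """CLIENT KILL ID <id> arguments, one command per selected connection."""
    return [["CLIENT", "KILL", "ID", str(c["id"])] for c in clients]


def kill_on(client, selected: List[Dict[str, object]]) -> int:
    """Send the kills over an authenticated client (assumed redis-py API);
    returns how many commands were issued."""
    for args in kill_commands(selected):
        client.execute_command(*args)
    return len(selected)


if __name__ == "__main__":
    stale = select_clients(parse_client_list(SAMPLE_CLIENT_LIST), min_age=600)
    for cmd in kill_commands(stale):
        print(" ".join(cmd))
```

Selecting by `addr` is the reliable way to pick out your own connection when several clients share a service account; `age` alone only tells you which connections are oldest.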
Security and privacy
IAM Authentication helps you ensure that your Valkey instance is only accessible by authorized IAM principals. TLS encryption is not provided unless In Transit Encryption is enabled; without it, the AUTH command, and therefore the IAM access token it carries, crosses the network in plaintext. For this reason, turn on In Transit Encryption when using IAM Authentication.
Connecting with a Compute Engine VM
If you are using a Compute Engine VM to connect to an instance that uses IAM authentication, you must enable the following access scope and API for your project:
Cloud Platform API scope. For instructions on enabling this scope, see Attach the service account and update the access scope. For a description of best practices for this access scope, see Scopes best practice.
Memorystore for Valkey API. Enable the Memorystore for Valkey API for your project.