Configure Dynamic Password
Valkey GLIDE introduces the ability to dynamically update the connection-configured password at runtime. This enhancement facilitates seamless password rotations, ensuring uninterrupted access and improved security for your applications.
Configuration
Below are examples demonstrating how to utilize the dynamic password update feature in different programming languages using GLIDE.
```java
import com.valkey.glide.GlideClusterClient;
import com.valkey.glide.GlideClusterClientConfiguration;
import com.valkey.glide.ServerCredentials;
import com.valkey.glide.NodeAddress;

import java.util.Arrays;
import java.util.List;

public class Main {
    public static void main(String[] args) throws Exception {
        // Define the list of node addresses
        List<NodeAddress> nodeList = Arrays.asList(
            new NodeAddress("localhost", 6379),
            new NodeAddress("localhost", 6380),
            new NodeAddress("localhost", 6381)
        );

        // Define your server credentials
        ServerCredentials credentials = ServerCredentials.builder()
            .username("your-username")
            .password("your-password-or-token")
            .build();

        // Create a configuration for the GlideClusterClient
        GlideClusterClientConfiguration config = new GlideClusterClientConfiguration.Builder()
            .addresses(nodeList)
            .credentials(credentials)
            .requestTimeout(5000)
            .clientName("my-client")
            .build();

        // Create the GlideClusterClient instance
        GlideClusterClient client = GlideClusterClient.createClient(config);

        // Update password dynamically
        client.updateConnectionPassword("your-new-password");
        // To perform immediate re-authentication, set the second parameter to true
        client.updateConnectionPassword("your-new-password", true);

        // Resetting password by passing null
        // Note: This will clear the password from the connection configuration.
        client.updateConnectionPassword(null);

        System.out.println("GlideClusterClient created and password updated.");
    }
}
```

```typescript
import { GlideClusterClient, GlideClusterClientConfiguration, ServerCredentials } from '@valkey/valkey-glide';

async function main() {
    // Define your server credentials
    const credentials: ServerCredentials = {
        username: 'your-username',
        password: 'your-password-or-token'
    };

    // Create a configuration for the GlideClusterClient
    const config: GlideClusterClientConfiguration = {
        addresses: [
            { host: 'sample-address-0001.use1.cache.amazonaws.com', port: 6379 }
        ],
        credentials: credentials,
        requestTimeout: 5000,
        clientName: 'my-client'
    };

    // Create the GlideClusterClient instance
    const client = await GlideClusterClient.createClient(config);

    // Update password dynamically
    await client.updateConnectionPassword('your-new-password');
    // To perform immediate re-authentication, set the second parameter to true
    await client.updateConnectionPassword('your-new-password', true);

    // Resetting password by passing null
    // Note: This will clear the password from the connection configuration.
    await client.updateConnectionPassword(null);
}

main();
```

```python
import asyncio
from glide import (
    GlideClusterClient,
    GlideClusterClientConfiguration,
    NodeAddress,
    ServerCredentials,
)


async def main():
    # Define your server credentials
    credentials = ServerCredentials(
        username='your-username',
        password='your-password-or-token'
    )
    # Define the list of node addresses
    addresses = [
        NodeAddress("my-instance.valkey.us-central1.gcp.cloud", 6379),
    ]
    # Create a configuration for the GlideClusterClient
    config = GlideClusterClientConfiguration(
        addresses=addresses,
        credentials=credentials,
        request_timeout=250,
        client_name='my-client'
    )

    # Create the GlideClusterClient instance
    client = await GlideClusterClient.create_client(config)

    # Update password dynamically
    await client.update_connection_password('your-new-password')
    # To perform immediate re-authentication, set the second parameter to true
    await client.update_connection_password('your-new-password', True)
    # Resetting password by passing None
    # Note: This will clear the password from the connection configuration.
    await client.update_connection_password(None)


asyncio.run(main())
```

Optional Username
In scenarios where a username is not required (e.g., IAM authentication), you can omit it or set it to null.
```java
ServerCredentials credentials = ServerCredentials.builder()
    .password("your-password-or-token")
    .build();
```

```typescript
const credentials: ServerCredentials = {
    password: 'your-password-or-token'
};
```

```python
credentials = ServerCredentials(
    password='your-password-or-token'
)
```

Immediate Re-Auth
For most scenarios, you can update the password without immediate re-authentication. However, for cases like IAM authentication where tokens need to be refreshed periodically (e.g., every 12 hours), you can utilize the immediateAuth/immediate_auth option to re-authenticate immediately.
Integration with AWS and GCP Services
GLIDE’s dynamic password update feature supports integration with cloud services like Amazon ElastiCache, MemoryDB, and Google Cloud Memorystore.
- AWS ElastiCache: Supports password-based and IAM authentication. AWS recommends regular password rotations.
- Amazon MemoryDB: Uses IAM authentication with short-lived tokens that need regular renewal.
- Google Cloud Memorystore: Offers IAM authentication with ephemeral tokens requiring periodic renewal.
In all these scenarios, frequently updating passwords or tokens is essential to maintain secure connections and handle fail-overs effectively.
Best Practices
- Regular Credential Rotation: Frequently update passwords and tokens using the dynamic password update feature to maintain secure connections.
- Automate Token Refreshing: Implement automated mechanisms to refresh IAM tokens before they expire.
- Secure Credential Storage: Store passwords and tokens securely using environment variables or secret management tools.
- Principle of Least Privilege: Use ACLs to assign minimal necessary permissions to users.
- Monitor Authentication Events: Track authentication attempts and token renewals to detect and respond to potential security threats promptly.
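
The refresh pattern described under Immediate Re-Auth and in the "Automate Token Refreshing" practice, as an added Python example (not GLIDE's own code): it fetches a token before the current one expires, applies it with `update_connection_password(token, True)`, retries with backoff, and logs rotation events without the secret. `Token`, `refresh_delay`, `rotate_once`, `rotation_loop` and the logger name are hypothetical; `client` is any object exposing the `update_connection_password` method shown above, and `fetch_token` stands in for your IAM token provider.

```python
import asyncio
import logging
import time
from dataclasses import dataclass

log = logging.getLogger("glide.rotation")  # hypothetical logger name


@dataclass(frozen=True)
class Token:  # hypothetical container for an IAM token
    value: str         # secret, never logged
    expires_at: float  # epoch seconds


def refresh_delay(token, now, margin=0.25, floor=1.0):
    """Seconds to sleep so the refresh runs with `margin` of the lifetime left."""
    return max(floor, (token.expires_at - now) * (1.0 - margin))


async def rotate_once(client, fetch_token, retries=3, backoff=0.5, sleep=asyncio.sleep):
    """Fetch a token and apply it with immediate re-auth, retrying with backoff."""
    for attempt in range(1, retries + 1):
        try:
            token = await fetch_token()  # assumed: your IAM token provider
            await client.update_connection_password(token.value, True)
            log.info("credential rotated, expires_at=%d", token.expires_at)
            return token
        except Exception as err:
            # Log the error type only: messages may echo the credential.
            log.warning("rotation attempt %d/%d failed: %s",
                        attempt, retries, type(err).__name__)
            if attempt == retries:
                raise  # surface the failure so the caller can alert
            await sleep(backoff * 2 ** (attempt - 1))


async def rotation_loop(client, fetch_token, rounds=None, now=time.time, sleep=asyncio.sleep):
    """Rotate, sleep until shortly before expiry, repeat. rounds=None runs forever."""
    done = 0
    while rounds is None or done < rounds:
        token = await rotate_once(client, fetch_token, sleep=sleep)
        done += 1
        await sleep(refresh_delay(token, now()))
    return done
```

Run `rotation_loop` as a background task next to the client; with a 12-hour token and the default margin it refreshes after 9 hours.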