Configure AWS IAM Authentication

GLIDE 2.2+ provides built-in support for AWS Identity and Access Management (IAM) authentication when connecting to Amazon ElastiCache and MemoryDB clusters. This feature automatically handles token generation and rotation, making it simple to maintain secure connections.

GLIDE 2.2+ Required

For GLIDE versions below 2.2, see the guide on how to configure IAM authentication using the AWS SDK.

How It Works

• GLIDE automatically generates temporary authentication tokens that are valid for 15 minutes
• GLIDE refreshes the token every 5 minutes. On failure, it retries with exponential backoff and keeps using the last valid token until refreshed
• Each connection remains valid for up to 12 hours before requiring re-authentication
• GLIDE handles all token management and refresh operations behind the scenes
• Manual option available via refreshIamToken

Required Setup

1. AWS Credentials: Your application must run in an environment with AWS credentials available (such as an EC2 instance with an IAM role, or ECS task with a task role).

2. Required Information:

• username: Your ElastiCache/MemoryDB username
• cluster_name: Your cluster’s name
• service: Either ElastiCache or MemoryDB
• region: The AWS region where your cluster runs
• refreshIntervalSeconds (Optional): How often to refresh the token. Default is 300 seconds (5 minutes)

Examples

Python

from glide import (
    GlideClusterClient,
    GlideClusterClientConfiguration,
    IamAuthConfig,
    NodeAddress,
    ServerCredentials,
    ServiceType,
)
...
addresses = [NodeAddress("endpoint.example.com", 6379)]

# Configure IAM authentication
# Automatically regenerates the token every 5 mins (default: 300 seconds)
iam_config = IamAuthConfig(
    cluster_name="clustername",
    service=ServiceType.ELASTICACHE,  # or ServiceType.MEMORYDB
    region="us-east-1",
    # refresh_interval_seconds=100,  # Optional, default is 300 seconds
)

credentials = ServerCredentials(username="username", iam_config=iam_config)

config = GlideClusterClientConfiguration(
    addresses=addresses,
    credentials=credentials,
)
# for async mode
client = await GlideClusterClient.create(config)

# for sync mode
client = GlideClusterClient.create_sync(config)
...

Java

  import java.util.Collections;
  import java.util.List;

  import glide.api.GlideClusterClient;
  import glide.api.models.configuration.AwsIamConfig;
  import glide.api.models.configuration.AwsIamConfig.ServiceType;
  import glide.api.models.configuration.GlideClusterClientConfiguration;
  import glide.api.models.configuration.NodeAddress;
  ...

  List<NodeAddress> nodeList =
              Collections.singletonList(
                      NodeAddress.builder().host("endpoint.example.com").port(6379).build());

  // Configure IAM authentication
  // Automatically regenerates the token every 5 mins (default: 300 seconds)
  AwsIamConfig iamConfig =
          AwsIamConfig.builder()
                  .clusterName("clustername")
                  .service(ServiceType.ELASTICACHE) // or ServiceType.MEMORYDB
                  .region("us-east-1")
                  // .refreshIntervalSeconds(100) // Optional, default is 300 seconds
                  .build();

  GlideClusterClientConfiguration config =
          GlideClusterClientConfiguration.builder()
                  .addresses(nodeList)
                  .credentials("username", iamConfig)
                  .build();

  GlideClusterClient client = GlideClusterClient.createClient(config).get();
...

Node

// Automatically regenerates the token every 5 mins
const client = await GlideClusterClient.createClient({
  addresses: [{ host: "endpoint.example.com", port: 6379 }],
  credentials: {
    username: "username",
    iamConfig: {
      cluster_name: "clustername",
      service: ServiceType.Elasticache, // or ServiceType.MemoryDB
      region: "us-east-1",
      // refreshIntervalSeconds: 100, // Optional, default is 300 seconds
    }
  }
});

// You can manually refresh the token too
await client.refreshIamToken();

Go

import (

  "github.com/valkey-io/valkey-glide/go/glide/api"
  "github.com/valkey-io/valkey-glide/go/glide/config"
)
...

// Configure IAM authentication
// Automatically regenerates the token every 5 mins (default: 300 seconds)
iamConfig := config.NewIamAuthConfig("clustername", config.ElastiCache, "us-east-1")
// Optional: Set custom refresh interval
// iamConfig.WithRefreshIntervalSeconds(100)

credentials, err := config.NewServerCredentialsWithIam("username", iamConfig)
if err != nil {
  return nil, fmt.Errorf("failed to create credentials: %w", err)
}

clientConfig := config.GlideClusterClientConfiguration{
  Addresses: []config.NodeAddress{
    {Host: "endpoint.example.com", Port: 6379},
  },
  Credentials: credentials,
}

client, err := api.NewGlideClusterClient(&clientConfig)
...

Php

// Create ValkeyGlide client with IAM authentication
// Automatically regenerates the token every 5 mins (default: 300 seconds)
$client = new ValkeyGlide();
$client->connect(
    addresses: [['host' => 'endpoint.example.com', 'port' => 6379]],
    use_tls: true,  // REQUIRED for IAM authentication
    credentials: [
        'username' => 'username',  // REQUIRED for IAM
        'iamConfig' => [
            ValkeyGlide::IAM_CONFIG_CLUSTER_NAME => 'clustername',
            ValkeyGlide::IAM_CONFIG_REGION => 'us-east-1',
            ValkeyGlide::IAM_CONFIG_SERVICE => ValkeyGlide::IAM_SERVICE_ELASTICACHE,
            // ValkeyGlide::IAM_CONFIG_REFRESH_INTERVAL => 100,  // Optional, default is 300 seconds
        ]
    ]
);

// Use the client normally - IAM tokens are managed automatically
$client->set('key', 'value');
$value = $client->get('key');

$client->close();
...