Passwords, users, and roles
All Redis Cloud databases require either password-based authentication or role-based access control. Role-based access control lets you define multiple users with fine-grained authorization features.
Prerequisites
To use role-based access control, your Redis Cloud database needs to support Redis version 6.0.0 or later.
The Redis version of a database is displayed in the General section of the Configuration tab of the database detail screen.

Password-based authentication
Password-based authentication is a basic but essential Redis security feature. When you create a Redis Cloud database, your database is given a randomly generated password called the Default user password.
This appears in the Security section of the Configuration tab of the database details screen.

Use the copy button to copy the password to the clipboard:

You’ll need to use this password whenever you connect to your database using a Redis client. For example, in the Redis CLI, you use the AUTH command to provide this password:
AUTH 4kTtH2ddXfN2sFmXE6sowOLukxiaJhN8n
See your Redis client’s documentation to learn how to provide your password when connecting.
Change password
To change the default user password for your database:
-
From the database Configuration tab, select Edit database:
-
Under the Security section, enter the new password in the Default user password field.
-
Select Save database to update the password:
Role-based access control
Role-based access control (RBAC) lets you define roles with specific sets of permissions. You can then assign users to these roles to provide appropriate levels of access.
RBAC effectively lets you implement the principle of least privilege. For example, you can provide read-only access to an application whose only job is to display Redis data. Similarly, you can prevent new developers from running dangerous administrative commands.
Set up RBAC
To set up RBAC, first navigate to the Data Access Control screen.
There are three tabs on this screen: Users, Roles, and Redis ACLs.
In the Redis ACLs tab, you define named permissions for specific Redis commands, keys, and pub/sub channels.

In the Roles tab, you create roles. Each role consists of a set of permissions for one or more Redis Cloud databases.

Finally, in the Users tab, you create users and assign each user a role.

OSS Redis ACLs vs. Redis Enterprise Cloud RBAC
In open source Redis, you can create users and assign ACLs to them using the ACL
command. However, open source
Redis does not support generic roles.
In Redis Enterprise Cloud, you configure RBAC using the admin console. As a result, certain open source Redis ACL subcommands are not available in Redis Cloud.
Specifically, Redis Cloud databases block the following ACL subcommands: LOAD
, SAVE
, SETUSER
, DELUSER
, GENPASS
, and LOG
.
Redis Cloud databases allow these ACL subcommands: LIST
, USERS
, GETUSER
, CAT
, WHOAMI
, and HELP
.
In open source Redis, you must explicitly provide access to the MULTI
, EXEC
, and DISCARD
commands.
In Redis Cloud, these commands, which are used in transactions, are always permitted. However, the commands
run within the transaction block are subject to RBAC permissions.
When you run multi-key commands on multi-slot keys, the return value is failure
but the command runs on the keys that are allowed.
Define permissions
To define permissions, go to the Redis ACLs tab of the Data Access Control screen.

You define these named permissions using the Redis ACL syntax. This syntax lets you concisely specify which commands, command categories, keys, and pub/sub channels to allow.
The Redis ACL syntax emphasizes brevity:
+
includes commands or command categories-
excludes commands or command categories@
indicates a command category~
defines a permitted key pattern&
allows access to a pub/sub channel
Command ACL rules
A command can be any Redis command.
For example, this Redis ACL rule indicates that the SET
command is permitted:
+set
Command category ACL rules
A command category is a predefined, named set of commands.
For example, the Redis commands that
read data are available in the read
command category. This Redis ACL rule permits access to all read commands:
To find out which commands are included in the
read
command category, run the following command with redis-cli
:
ACL CAT read
Key ACL rules
There’s also a syntax for specifying which keys are accessible.
The following ACL rule allows access to all keys:
~*
Whereas, this ACL rule only allows access to keys prefixed with cache:
~cache:*
Pub/sub ACL rules
Pub/sub ACL rules determine which pub/sub channels a user can access.
For versions earlier than Redis 7, pub/sub is permissive and allows access to all channels by default.
Redis 7 changes pub/sub to restrictive and blocks access to all channels in open source (OSS) Redis. However, Redis Cloud still defaults to permissive pub/sub even for Redis 7 subscriptions.
Redis version |
OSS Redis pub/sub ACLs |
Redis Cloud pub/sub ACLs |
---|---|---|
6.0 | Not supported | Not supported |
6.2 | Permissive | Permissive |
7.0 | Restrictive | Permissive |
Restrict channel access
To block access to all channels, use the following ACL rule:
resetchannels
If you want to limit access to specific channels, first include resetchannels
. Then use &
syntax to allow access to particular channels:
resetchannels &channel1 &channel2
Allow all channels
To make pub/sub explicitly permissive and allow users to access all channels, set the following rule:
allchannels
Predefined permissions
Redis Cloud includes three, predefined permissions:
-
Full-Access (
[email protected] ~*
) - All commands are allowed for all keys -
Read-Write (
[email protected] [email protected] ~*
) - All commands except for the “dangerous” command category are allowed for all keys -
Read-Only (
[email protected] ~*
) - Only the “read” command category is allowed for all keys
Module command permissions
Note that you can define permissions for the Redis module commands of any modules that are loaded on the subscription; however, these permissions can only be used for databases that support those modules.
To define database access control, you can either:
- Use the predefined data access roles and add Redis ACLs to them for specific databases.
- Create new data access roles and select the management roles and Redis ACLs that apply to the roles for specific databases.
- Assign roles and Redis ACLs to a database in the access control list section of the database configuration.
Configure permissions with Redis ACLs
To configure a Redis ACL that you can assign to a data access role:
-
Go to Data Access Control > ACLs and either:
-
Provide a descriptive name for the Redis ACL.
-
Enter ACL syntax to define the ACL rule or select Rule Builder for help building the ACL rule with correct syntax.
-
To create a Redis ACL rule with the Rule Builder:
-
For Redis commands / categories, enter a command or command category.
-
Select whether to include or exclude the command or category.
-
For Keys, enter the pattern for permitted keys.
-
In Pub/Sub channels, enter a channel pattern to restrict pub/sub so it only allows access to the specified channels.
The rule builder automatically adds
resetchannels
to the ACL rule when you save. This rule changes pub/sub access from permissive (allows access to all channels) to restrictive (blocks access to all channels).Note:- Pub/Sub channels are only available in the Rule Builder for accounts that have Redis version 6.2 or later for all subscriptions.
- If your account contains any Redis 6.0 subscriptions, you can’t use pub/sub ACLs unless you contact support to upgrade the subscriptions to a later version.
-
To add more commands, categories, keys, or pub/sub channels to the ACL rule, select Add:
-
When you finish building the ACL rule, select Save rule:
-
-
Select the check mark to save your changes:
Assign permissions to roles
To assign Redis ACLs to a data access role:
-
Go to Data Access Control > Roles and either:
-
In the Associations section of the Edit role or Create new role screen, you can:
-
Select one or more databases from the Databases list.
-
To set the role’s level of access to the selected databases, select a Redis ACL from the list.
-
Select the check mark to confirm the association:
-
Select Save role:
Users assigned the role can access the databases according to the role’s associated Redis ACLs.
Assign roles to users
To assign a role to a user: