All Redis Cloud databases require either password-based authentication or role-based access control. Role-based access control lets you define multiple users with fine-grained authorization features.

Prerequisites

To use role-based access control, your Redis Cloud database needs to support Redis version 6.0.0 or later.

The Redis version of a database is displayed in the General section of the Configuration tab of the database detail screen.

Password-based authentication

Password-based authentication is a basic but essential Redis security feature. When you create a Redis Cloud database, your database is given a randomly generated password called the Default user password.

This appears in the Security section of the Configuration tab of the database details screen.

Use the copy button to copy the password to the clipboard:

You’ll need to use this password whenever you connect to your database using a Redis client. For example, in the Redis CLI, you use the AUTH command to provide this password:

AUTH 4kTtH2ddXfN2sFmXE6sowOLukxiaJhN8n

See your Redis client’s documentation to learn how to provide your password when connecting.

Change password

To change the default user password for your database:

  1. From the database Configuration tab, select Edit database:

  2. Under the Security section, enter the new password in the Default user password field.

  3. Select Save database to update the password:

Role-based access control

Role-based access control (RBAC) lets you define roles with specific sets of permissions. You can then assign users to these roles to provide appropriate levels of access.

RBAC effectively lets you implement the principle of least privilege. For example, you can provide read-only access to an application whose only job is to display Redis data. Similarly, you can prevent new developers from running dangerous administrative commands.

Set up RBAC

To set up RBAC, first navigate to the Data Access Control screen.

There are three tabs on this screen: Users, Roles, and Redis ACLs.

In the Redis ACLs tab, you define named permissions for specific Redis commands, keys, and pub/sub channels.

In the Roles tab, you create roles. Each role consists of a set of permissions for one or more Redis Cloud databases.

Finally, in the Users tab, you create users and assign each user a role.

OSS Redis ACLs vs. Redis Enterprise Cloud RBAC

In open source Redis, you can create users and assign ACLs to them using the ACL command. However, open source Redis does not support generic roles.

In Redis Enterprise Cloud, you configure RBAC using the admin console. As a result, certain open source Redis ACL subcommands are not available in Redis Cloud.

Specifically, Redis Cloud databases block the following ACL subcommands: LOAD, SAVE, SETUSER, DELUSER, GENPASS, and LOG.

Redis Cloud databases allow these ACL subcommands: LIST, USERS, GETUSER, CAT, WHOAMI, and HELP.

In open source Redis, you must explicitly provide access to the MULTI, EXEC, and DISCARD commands. In Redis Cloud, these commands, which are used in transactions, are always permitted. However, the commands run within the transaction block are subject to RBAC permissions.

When you run a multi-key command on keys that span multiple slots, the command returns a failure, but it still runs on the keys that are allowed.

Define permissions

To define permissions, go to the Redis ACLs tab of the Data Access Control screen.

You define these named permissions using the Redis ACL syntax. This syntax lets you concisely specify which commands, command categories, keys, and pub/sub channels to allow.

The Redis ACL syntax emphasizes brevity:

  • + includes commands or command categories
  • - excludes commands or command categories
  • @ indicates a command category
  • ~ defines a permitted key pattern
  • & allows access to a pub/sub channel

Command ACL rules

A command can be any Redis command.

For example, this Redis ACL rule indicates that the SET command is permitted:

+set

Command category ACL rules

A command category is a predefined, named set of commands.

For example, the Redis commands that read data are available in the read command category. This Redis ACL rule permits access to all read commands:

+@read

To find out which commands are included in the read command category, run the following command with redis-cli:

ACL CAT read

Key ACL rules

There’s also a syntax for specifying which keys are accessible.

The following ACL rule allows access to all keys:

~*

By contrast, this ACL rule allows access only to keys that start with the prefix cache: (colon included):

~cache:*

Pub/sub ACL rules

Pub/sub ACL rules determine which pub/sub channels a user can access.

For versions earlier than Redis 7, pub/sub is permissive and allows access to all channels by default.

Redis 7 changes pub/sub to restrictive and blocks access to all channels in open source (OSS) Redis. However, Redis Cloud still defaults to permissive pub/sub even for Redis 7 subscriptions.

Redis version    OSS Redis pub/sub ACLs    Redis Cloud pub/sub ACLs
6.0              Not supported             Not supported
6.2              Permissive                Permissive
7.0              Restrictive               Permissive

Restrict channel access

To block access to all channels, use the following ACL rule:

resetchannels

If you want to limit access to specific channels, first include resetchannels. Then use & syntax to allow access to particular channels:

resetchannels &channel1 &channel2

Allow all channels

To make pub/sub explicitly permissive and allow users to access all channels, set the following rule:

allchannels
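
The following added example (not part of the original documentation and not Redis's own implementation) models how the +, -, @, ~, & tokens and the resetchannels/allchannels rules combine, including the permissive versus restrictive pub/sub default from the table above. The function names, the `pubsub_default` parameter, and the abbreviated `SAMPLE_CATEGORIES` map are assumptions made for illustration, and Python's fnmatch only approximates Redis glob matching.

```python
import fnmatch

# Constructed, abbreviated category contents for this demo only; on a real
# database, `ACL CAT <category>` returns the authoritative list.
SAMPLE_CATEGORIES = {"read": {"get", "mget", "hget"},
                     "write": {"set", "del", "hset"}}

def parse_acl(rule, pubsub_default="permissive"):
    """Simplified model: turn a rule string into the sets it allows."""
    commands, keys = set(), []
    # A permissive default means every channel is allowed until resetchannels.
    channels = ["*"] if pubsub_default == "permissive" else []
    for token in rule.split():
        low = token.lower()
        if low == "resetchannels":
            channels = []
        elif low == "allchannels":
            channels = ["*"]
        elif token.startswith("&"):
            channels.append(token[1:])
        elif token.startswith("~"):
            keys.append(token[1:])
        elif token[0] in "+-":
            name = low[1:]
            if name.startswith("@"):
                members = SAMPLE_CATEGORIES[name[1:]]  # KeyError if unknown
            else:
                members = {name}
            commands = commands | members if token[0] == "+" else commands - members
        else:
            raise ValueError(f"unsupported ACL token: {token!r}")
    return {"commands": commands, "keys": keys, "channels": channels}

def can_run(acl, command, key):
    """True if the command is allowed and the key matches a ~pattern."""
    return command.lower() in acl["commands"] and any(
        fnmatch.fnmatchcase(key, p) for p in acl["keys"])

def can_use_channel(acl, channel):
    """True if the channel matches an allowed channel pattern."""
    return any(fnmatch.fnmatchcase(channel, p) for p in acl["channels"])

if __name__ == "__main__":
    reader = parse_acl("+@read ~cache:* resetchannels &channel1")
    print(can_run(reader, "GET", "cache:user:1"))   # allowed
    print(can_run(reader, "SET", "cache:user:1"))   # write command, denied
    print(can_use_channel(reader, "channel2"))      # not listed, denied
    # Without resetchannels, a permissive default leaves "*" in place.
    print(can_use_channel(parse_acl("&channel1"), "channel2"))
```

The last call shows why the page says to include resetchannels first: under a permissive default, listing a channel with & on its own does not narrow access.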

Predefined permissions

Redis Cloud includes three predefined permissions:

Module command permissions

Note that you can define permissions for the Redis module commands of any modules that are loaded on the subscription; however, these permissions can only be used for databases that support those modules.

To define database access control, you can do any of the following:

  • Use the predefined data access roles and add Redis ACLs to them for specific databases.
  • Create new data access roles and select the management roles and Redis ACLs that apply to the roles for specific databases.
  • Assign roles and Redis ACLs to a database in the access control list section of the database configuration.

Configure permissions with Redis ACLs

To configure a Redis ACL that you can assign to a data access role:

  1. Go to Data Access Control > ACLs and either:

    • Create a new Redis ACL:

    • Point to an existing ACL and select Edit:

  2. Provide a descriptive name for the Redis ACL.

  3. Enter ACL syntax to define the ACL rule or select Rule Builder for help building the ACL rule with correct syntax.

  4. To create a Redis ACL rule with the Rule Builder:

    1. For Redis commands / categories, enter a command or command category.

    2. Select whether to include or exclude the command or category.

    3. For Keys, enter the pattern for permitted keys.

    4. In Pub/Sub channels, enter a channel pattern to restrict pub/sub so it only allows access to the specified channels.

      The rule builder automatically adds resetchannels to the ACL rule when you save. This rule changes pub/sub access from permissive (allows access to all channels) to restrictive (blocks access to all channels).

      Note:
      • Pub/Sub channels are only available in the Rule Builder for accounts that have Redis version 6.2 or later for all subscriptions.
      • If your account contains any Redis 6.0 subscriptions, you can’t use pub/sub ACLs unless you contact support to upgrade the subscriptions to a later version.
    5. To add more commands, categories, keys, or pub/sub channels to the ACL rule, select Add:

    6. When you finish building the ACL rule, select Save rule:

  5. Select the check mark to save your changes:

Assign permissions to roles

To assign Redis ACLs to a data access role:

  1. Go to Data Access Control > Roles and either:

    • Point to an existing role and select the Edit button:

    • Select the Add button to create a new role:

  2. In the Associations section of the Edit role or Create new role screen, you can:

    • Point to an existing association and select the Edit button:

    • Select the Add button to create a new association:

  3. Select one or more databases from the Databases list.

  4. To set the role’s level of access to the selected databases, select a Redis ACL from the list.

  5. Select the check mark to confirm the association:

  6. Select Save role:

Users assigned the role can access the databases according to the role’s associated Redis ACLs.

Assign roles to users

To assign a role to a user:

  1. Go to Data Access Control > Users.

  2. Point to the user and select the Edit button when it appears:

  3. Select a Role from the list.

  4. Select the check mark to assign the role to the user:
