aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

get authentication token / password for IAM secured elasticache (Redis OSS) #791

Closed mark76 closed 2 months ago

mark76 commented 3 months ago

Describe the feature

AWS supports IAM authentication at the ElastiCache service (see https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth-iam.html). However, getting a valid login token in this configuration is extremely nontrivial; the linked page only demonstrates how to get a token with the Java SDK, and there is no dedicated method to do exactly this (even in the SDK).

One of the comments in the sample code notes that "The pre-signed request URL is used as an IAM authentication token for ElastiCache (Redis OSS)." In other words, retrieving an authentication token requires us to generate a pre-signed request URL, which is a feature that aws-cli does not expose because we do not need it (usually).

This feature request would add the ability to generate an Authentication token / Redis password (which is non-standard, unfortunately) for a secured Redis without having to "reinvent the wheel", i.e. without reimplementing the signing process.

Use Case

I am working in a big project where Security is a very major issue, and where we are required to use IAM role authentication whenever possible. This introduces major

In order to connect to the cache, the only option we have is redis-cli, and we need to pass it a valid authentication token. Due to the sheer complexity of generating the token (i.e. generating a signed request) with just a bash shell, we have failed to do this - and considering that aws-cli does encapsulate most of these technical processes when talking to AWS, we should be able to generate tokens for this use case (Redis OSS with IAM authentication) as well.

Proposed Solution

There should be a new Command, such as "aws elasticache generate-iam-access-token --cluster-host --cluster-username --iam-role "

I am not sure which other parameters this feature would need, especially with respect to the different AWS credential providers that exist (our use case uses assume-role-with-web-identity, but there may be other variants).

Other Information

No response

Acknowledgements

CLI version used

aws-cli/2.15.30 Python/3.9.16 Linux/5.10.219-208.866.amzn2.x86_64 source/x86_64.amzn.2023 prompt/off

Environment details (OS name and version, etc.)

Amazon Linux 2023.5.20240722

tim-finnigan commented 2 months ago

Thanks for reaching out. It looks like the request here is for a new ElastiCache API, as the service APIs (https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_Operations.html) correspond directly to the available CLI commands: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/index.html.

I'll transfer this to our cross-SDK repository for further review, since service APIs are used across AWS SDKs.

tim-finnigan commented 2 months ago

After searching internally, I found a feature request is already being tracked for this. I'll go ahead and add your "+1", and share your use case information there. If there are any other details you'd like to add, please let me know. We can't guarantee if or when service teams like ElastiCache would consider API feature requests such as these, but please refer to the blog and CLI CHANGELOG for related updates.

github-actions[bot] commented 2 months ago

This issue is now closed.

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.