gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0
17.52k stars 1.75k forks

AWS ElastiCache IAM Auth support #18550

Closed smallinsky closed 1 year ago

smallinsky commented 1 year ago

What:

According to https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth-iam.html, ElastiCache now supports IAM auth, whereas the current Teleport AWS ElastiCache integration uses the AWS KMS and password rotation approach.

There are some limitations listed for the IAM auth approach:

Limitations: When using IAM authentication, the following limitations apply:

  • IAM authentication is available when using ElastiCache for Redis version 7.0 or above.
  • For IAM-enabled ElastiCache users the username and user id properties must be identical. The IAM authentication token is valid for 15 minutes. For long-lived connections, we recommend using a Redis client that supports a credentials provider interface.
  • An IAM authenticated connection to ElastiCache for Redis will automatically be disconnected after 12 hours. The connection can be prolonged for 12 hours by sending an AUTH or HELLO command with a new IAM authentication token.
  • IAM authentication is not supported in MULTI EXEC commands.

Teleport can leverage the IAM Auth for Redis 7.0 or above and simplify the integration.

Probably to support long-lived connections:

The IAM authentication token is valid for 15 minutes. For long-lived connections, we recommend using a Redis client that supports a credentials provider interface.

Teleport needs to implement an internal mechanism for refreshing the IAM token.
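As an added illustration (not Teleport's code and not part of this issue), the following standard-library Go sketch shows the two pieces the comment above asks for: minting the SigV4-presigned ElastiCache IAM token in the format the linked AWS docs describe (a GET to `http://<cluster>/?Action=connect&User=<user>`, service `elasticache`, 900-second expiry, scheme stripped), and a small credentials provider that re-mints a token before the 15-minute validity ends, plus a check for re-sending AUTH/HELLO ahead of the 12-hour forced disconnect. The cluster name, user, region and access keys are constructed placeholders, and `ElastiCacheIAMToken`, `TokenProvider` and `NeedsReauth` are hypothetical names chosen here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Limits quoted from the AWS ElastiCache IAM auth docs cited in the issue.
const (
	tokenTTL   = 15 * time.Minute // an IAM auth token is accepted for 15 minutes
	sessionMax = 12 * time.Hour   // an IAM-authenticated connection is cut after 12 hours
)

// emptyPayloadHash is hex(SHA-256("")), the payload hash of a bodiless GET.
const emptyPayloadHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

func hmacSHA256(key []byte, msg string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msg))
	return mac.Sum(nil)
}

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// ElastiCacheIAMToken builds the SigV4-presigned "connect" request that ElastiCache
// accepts as the password in a Redis AUTH/HELLO. Assumption (from the AWS docs):
// GET http://<cluster>/?Action=connect&User=<user>, service "elasticache", 900 s
// expiry, host as the only signed header, returned without the "http://" scheme.
func ElastiCacheIAMToken(cluster, user, region, accessKey, secretKey string, now time.Time) string {
	amzDate := now.UTC().Format("20060102T150405Z")
	dateStamp := amzDate[:8]
	scope := dateStamp + "/" + region + "/elasticache/aws4_request"

	q := url.Values{}
	q.Set("Action", "connect")
	q.Set("User", user)
	q.Set("X-Amz-Algorithm", "AWS4-HMAC-SHA256")
	q.Set("X-Amz-Credential", accessKey+"/"+scope)
	q.Set("X-Amz-Date", amzDate)
	q.Set("X-Amz-Expires", "900")
	q.Set("X-Amz-SignedHeaders", "host")
	// Encode() sorts keys and percent-encodes values; SigV4 wants RFC 3986 form,
	// so a space must become %20 rather than the '+' Go emits.
	canonicalQuery := strings.ReplaceAll(q.Encode(), "+", "%20")

	canonicalRequest := strings.Join([]string{
		"GET", "/", canonicalQuery,
		"host:" + strings.ToLower(cluster) + "\n", // canonical headers block
		"host",                                     // signed headers list
		emptyPayloadHash,
	}, "\n")
	stringToSign := strings.Join([]string{
		"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest),
	}, "\n")

	// Derive the signing key: date -> region -> service -> "aws4_request".
	kDate := hmacSHA256([]byte("AWS4"+secretKey), dateStamp)
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, "elasticache")
	kSigning := hmacSHA256(kService, "aws4_request")
	signature := hex.EncodeToString(hmacSHA256(kSigning, stringToSign))

	return cluster + "/?" + canonicalQuery + "&X-Amz-Signature=" + signature
}

// TokenProvider is the "credentials provider" the AWS docs recommend for long-lived
// connections: it hands out a cached token and mints a new one shortly before the
// 15-minute validity runs out. The clock is passed in so the logic is testable.
type TokenProvider struct {
	Mint     func(now time.Time) string
	Margin   time.Duration // refresh this long before expiry
	token    string
	issuedAt time.Time
}

// Token returns the current token and whether it was freshly minted on this call.
func (p *TokenProvider) Token(now time.Time) (string, bool) {
	if p.token == "" || now.Sub(p.issuedAt) >= tokenTTL-p.Margin {
		p.token = p.Mint(now)
		p.issuedAt = now
		return p.token, true
	}
	return p.token, false
}

// NeedsReauth reports whether a connection authenticated at authedAt should send
// AUTH/HELLO with a new token now, ahead of the 12-hour forced disconnect.
func NeedsReauth(authedAt, now time.Time, margin time.Duration) bool {
	return now.Sub(authedAt) >= sessionMax-margin
}

func main() {
	// Constructed cluster name and credentials; not real values.
	p := &TokenProvider{Margin: time.Minute, Mint: func(now time.Time) string {
		return ElastiCacheIAMToken("demo-cluster", "app-user", "us-east-1", "AKIAEXAMPLE", "example-secret", now)
	}}
	tok, fresh := p.Token(time.Now())
	fmt.Printf("fresh=%v token=%s\n", fresh, tok)
}
```

The returned string is what a proxy would send as the password in `AUTH <user> <token>` (or `HELLO 3 AUTH <user> <token>`); a long-lived proxied session would call `Token` on each reconnect and `NeedsReauth` on a timer so the re-AUTH happens before the server cuts the connection. The canonical-request layout here is taken from the documented presigned-URL format and should be cross-checked against an SDK presigner for the exact target cluster before relying on it.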

prullanferragut commented 1 year ago

Related feature: support for Redis7: https://github.com/gravitational/teleport/issues/13202