PlainID supports secure integration with AWS ElastiCache for Redis by using AWS Secrets Manager (SM) to manage authentication credentials. This setup allows PAA services—such as PDP, PIP, and Agent—to retrieve Redis passwords dynamically, avoiding hardcoded secrets and enabling seamless secret rotation without requiring service restarts.
The following sections outline how to configure AWS Secrets Manager as a secret store, define Redis credentials using secret references, and apply these settings in various deployment scenarios, including support for custom Kubernetes environments and advanced logging for troubleshooting.
PlainID PAA services use Redis as a data store for various purposes, such as PIP settings, policy metadata, and PDP caching. If you are using an AWS-managed Redis, you can leverage PlainID's integration with AWS Secrets Manager to obtain the Redis passwords and serve them to the different services. This integration also supports seamless secret rotation, with no downtime and no need to restart the PAA pods, based on the AWS SM secret rotation and the password update in ElastiCache.
To use this integration pattern you are required to:
- Set up an AWS SM integration
- Define an AWS Role that allows the Secrets Management Service to access AWS SM
- Define the Redis passwords in the different services to use the secret key from the Secrets Management Service
Configuring AWS SM as a Store
Follow the configuration steps detailed under AWS Secret Manager Store.
AWS SM Preparations
To access AWS Secrets Manager, IAM credentials with permissions are required. There are two available methods to grant these permissions:
- Grant the Secrets Management Service an IAM role directly via EKS, as detailed here (recommended).
- Configure an AWS Key ID and Secret access key in the Secrets Management service's configuration file.
Make sure the permission that grants access to the Redis secret is scoped to the specific Secret ARNs.
PAA Configurations
Make sure to add the externalRedis section to your values-custom.yaml and define the connection parameters to use Secrets Management Service with the proper details, such as storeID and secret key. See example below:
Redis Configuration with secret
| Parameter | Description | Example Values |
|---|---|---|
| externalRedis | This configuration is not under secretStore but in the general Redis config section. | |
| .host | Host for the external Redis. | master.redis-pw-rotation1.0wgi71l.use2.cache.amazonaws.com |
| .username | The Redis connection username, retrieved from AWS Secrets Manager via a secret reference. | {{store=AWS_SECRETS_MANAGER_STORE,key=redis-rotated-pw,jsonpath=$.username}} |
| .password | The Redis connection password, retrieved from AWS Secrets Manager via a secret reference. | {{store=AWS_SECRETS_MANAGER_STORE,key=redis-rotated-pw,jsonpath=$.password}} |
PAA services that use Redis get the credentials from the Secrets Management (SM) service and do not require special configuration. Once an SM store is configured and the externalRedis parameter is defined, all other services seamlessly use this configuration.
Sample Configuration
```yaml
secretsMgmt:
  enabled: true
  ...
  secretStore:
    - id: AWS_SECRETS_MANAGER_STORE
      type: AWSSecretsManager
      isDefault: false
      details:
        auth:
          region: ${AWS_AUTH_REGION}
          accessKeyId: ${AWS_AUTH_ACCESS_KEY_ID}
          secretAccessKey: ${AWS_AUTH_SECRET_ACCESS_KEY}
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::xxx:role/redis-rotating-pw-fetch
redis:
  enabled: false # this capability is supported for external Redis in AWS, so the internal Redis needs to be disabled
externalRedis:
  port: 6379
  tls: true
  host: "master.redis-pw-rotation1.0wgi71l.use2.cache.amazonaws.com"
  username: |
    "{{store=AWS_SECRETS_MANAGER_STORE,key=redis-rotated-pw,jsonpath=$.username}}"
  password: |
    "{{store=AWS_SECRETS_MANAGER_STORE,key=redis-rotated-pw,jsonpath=$.password}}"
```
Additional Optional Configurations in PDP, PIP and Agent Services
Secret Caching Duration & Refresh
In the PAA services (PDP, PIP, Agent) that use Redis connections, you can define the cache duration for the Redis secret retrieved from SM. Configure it with the following optional environment variable (it applies to all cached secrets, not only Redis):
SECRET_MGMT_CLIENT_CACHE_MANAGER_DURATION_SECONDS (default: 3600 seconds).
Troubleshooting SM Integration
Each PAA service connecting to Redis for key retrieval uses the password provided by the SM service. To enable detailed logging for troubleshooting, configure the following settings and set the log level to TRACE:
- For the agent and pip-operator: SECRETMGMTCLIENT_LOGGING_DETAILED_ENABLED: "true"
- For the runtime, use the environment variable: RTCONF_SECRETS_PROVIDER__LOGGING__DETAILED__ENABLED: "true"
This logging configuration enables either of the following logs in PAA services:
Success message:
logger.detailed("Successfully parsed input: store=" + store);
Error message:
logger.detailed("identified as not a pattern, treating as password...");
This guide helps you configure and troubleshoot Redis connections for PAA services, whether you use PlainID's Helm deployment or a custom Kubernetes setup. Leveraging the integration with the Secrets Management Service ensures secure and streamlined access to Redis credentials, while the optional configurations and logging give your deployment additional flexibility and visibility.
Customers Managing Their Own K8s Deployment
If you are not using the PlainID Helm deployment and instead opt to build your own Kubernetes deployment procedures, you are required to configure the Redis user and password keys in the PAA services under the relevant Redis configuration entries.
Use the following key pattern to integrate with the SM service and obtain the credentials:
{{store=<store name>,key=<AWS SM key>,jsonpath=<AWS SM value jpath>}}
Example:
- Redis Connection Username: {{store=AWS_SECRETS_MANAGER_STORE,key=redis-rotated-pw,jsonpath=$.username}}
- Redis Connection Password: {{store=AWS_SECRETS_MANAGER_STORE,key=redis-rotated-pw,jsonpath=$.password}}
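The example below is added here to illustrate the key pattern above together with the caching behaviour described under "Secret Caching Duration & Refresh" and the "not a pattern" fallback from the troubleshooting section; it is not PlainID's code. It assumes a constructed in-memory stand-in for the AWS Secrets Manager store, supports only the top-level `$.field` jsonpath form used in the examples, and simulates a rotation to show that the new password is picked up once the cache duration expires.

```python
import os
import re
import time

# Constructed stand-in for the AWS Secrets Manager API (store id -> secret key -> JSON
# payload). A real client calls AWS; rotation is simulated by changing the password below.
FAKE_SM = {"AWS_SECRETS_MANAGER_STORE": {"redis-rotated-pw": {"username": "paa", "password": "pw-v1"}}}

# Reference pattern documented on this page: {{store=<store>,key=<key>,jsonpath=<path>}}
REF_RE = re.compile(r"^\{\{store=([^,}]+),key=([^,}]+),jsonpath=([^}]+)\}\}$")
# Assumption: only the top-level $.field form used in the examples ($.username, $.password).
PATH_RE = re.compile(r"^\$\.([A-Za-z0-9_-]+)$")


def parse_ref(value):
    """Return (store, key, field) for a secret reference, or None for a literal password."""
    m = REF_RE.match(value.strip().strip('"'))  # the YAML sample wraps the reference in quotes
    if not m:
        return None  # mirrors "identified as not a pattern, treating as password..."
    store, key, path = m.groups()
    p = PATH_RE.match(path)
    if not p:
        raise ValueError(f"unsupported jsonpath {path!r}; this example handles $.<field> only")
    return store, key, p.group(1)


class SecretCache:
    """Caches a fetched secret for the configured duration, so a rotated password is
    picked up at the next refresh without restarting the service."""

    def __init__(self, ttl=None, clock=time.monotonic):
        env = os.environ.get("SECRET_MGMT_CLIENT_CACHE_MANAGER_DURATION_SECONDS", "3600")
        self.ttl = int(env) if ttl is None else ttl
        self.clock, self._cache = clock, {}

    def resolve(self, value, sm=FAKE_SM):
        ref = parse_ref(value)
        if ref is None:
            return value  # literal password, used as-is
        store, key, field = ref
        hit = self._cache.get((store, key))
        if hit is None or self.clock() - hit[0] >= self.ttl:
            payload = sm[store][key]  # fetch from the (mocked) store
            hit = (self.clock(), dict(payload))
            self._cache[(store, key)] = hit
        return hit[1][field]


if __name__ == "__main__":
    cache = SecretCache(ttl=60)
    ref = "{{store=AWS_SECRETS_MANAGER_STORE,key=redis-rotated-pw,jsonpath=$.password}}"
    print("resolved:", cache.resolve(ref), "literal:", cache.resolve("plain-pw"))
```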
AWS Secrets Manager Secret Rotation
AWS SM supports rotating ElastiCache for Redis secrets via Lambda, a service provided by Amazon. PlainID supports this password rotation, assuming that the AWS SM password rotation is implemented in the manner recommended by Amazon. See this guide for more information.