PlainID supports secure integration with Azure Cache for Redis using Microsoft Entra ID authentication and the Secrets Manager (SM) service. This integration enables PAA services, including the PDP, PIP, and Agent, to retrieve Redis access tokens dynamically, removing the need for hardcoded credentials and allowing token refresh without service restarts.
Redis is used by PAA services for Policy metadata, PIP configuration, and PDP caching. When using Azure Managed Redis with Microsoft Entra authentication, clients authenticate using an Entra-issued access token instead of a static password. PlainID leverages the Secrets Manager service to securely retrieve and distribute these tokens across all Redis-consuming services, with optional logging available for troubleshooting.
This integration supports token refresh with no downtime, provided that the access token stored in the Secrets Manager service is refreshed before expiration.
To use this integration pattern, you must:
- Set up a Secrets Manager integration.
- Configure access to Microsoft Entra tokens by using a managed identity or service principal.
- Define Redis authentication parameters using secret references in PAA services.
Configuring the Secrets Manager as a Store
Follow the configuration steps described in the Secrets Manager documentation relevant to your deployment.
Ensure that the Secrets Manager store is configured to retrieve secrets populated by a process capable of acquiring Microsoft Entra access tokens. Examples include an external token-fetching job, an Azure Function, or an identity-aware service.
Azure Entra Prerequisites
To authenticate against Azure Cache for Redis using Microsoft Entra, the following prerequisites apply:
- An Azure Managed Identity or Service Principal enabled for Redis access.
- Appropriate role assignments on the Azure Cache for Redis instance.
- A mechanism to acquire, refresh, and store Entra access tokens in the Secrets Manager.
The Redis credentials are defined as follows:
- Redis Username: The Object ID of the managed identity or service principal.
- Redis Password: A valid Microsoft Entra access token for Azure Cache for Redis.
Ensure that the Secrets Manager store has permission to retrieve the secret containing these values.
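The "mechanism to acquire, refresh, and store" the token is left to the deployment. The following is an added example of the decision logic such a job needs, written for this page and not part of PlainID's product: it builds the username/access_token/expires_on secret that this page defines, refreshes it a safety margin before expiry so PAA services never read an expired token, and refuses to store a token that is already expired. It assumes `expires_on` is a Unix epoch timestamp in seconds (the page only says "token-expiration-timestamp"); the token acquirer and the store writer are injected callables, since in a real job they would be, for example, azure-identity's `DefaultAzureCredential().get_token(...)` and a call to your Secrets Manager's API.

```python
"""Token-refresh job logic for the Secrets Manager-backed Redis credential.

Added example, not PlainID's code. Assumptions:
- expires_on is a Unix epoch timestamp in seconds (as azure-identity's
  AccessToken.expires_on returns; the page does not fix the format).
- acquire_token() returns (access_token, expires_on_epoch); in production this
  would wrap DefaultAzureCredential().get_token("https://redis.azure.com/.default").
- write_secret(json_text) stores the value under the key the PAA services read.
"""
import json
import time
from typing import Callable, Optional, Tuple

# Refresh this many seconds before expiry so the store never hands out an
# expired token (the page requires refresh before expiration).
DEFAULT_MARGIN_SECONDS = 5 * 60


def build_redis_secret(object_id: str, access_token: str, expires_on: int) -> dict:
    """Return the JSON structure the Secrets Manager store must expose."""
    return {
        "username": object_id,          # Object ID of the managed identity / service principal
        "access_token": access_token,   # Entra access token used as the Redis password
        "expires_on": str(expires_on),  # stored as a string, matching the page's structure
    }


def needs_refresh(secret: Optional[dict], now: float,
                  margin: int = DEFAULT_MARGIN_SECONDS) -> bool:
    """True if no secret exists, expires_on is unparsable, or expiry is within the margin."""
    if not secret:
        return True
    try:
        expires_on = int(secret["expires_on"])
    except (KeyError, ValueError, TypeError):
        return True  # malformed secret: refresh rather than serve garbage
    return now + margin >= expires_on


def refresh_if_needed(
    current: Optional[dict],
    object_id: str,
    acquire_token: Callable[[], Tuple[str, int]],
    write_secret: Callable[[str], None],
    now: Optional[float] = None,
    margin: int = DEFAULT_MARGIN_SECONDS,
) -> Tuple[dict, bool]:
    """Acquire a fresh token and write the secret only when needed.

    Returns (secret, refreshed). Raises if the acquired token is already expired,
    because storing it would break every PAA service on its next refresh.
    """
    now = time.time() if now is None else now
    if not needs_refresh(current, now, margin):
        return current, False
    token, expires_on = acquire_token()
    if expires_on <= now:
        raise RuntimeError("acquired token is already expired; refusing to store it")
    secret = build_redis_secret(object_id, token, expires_on)
    write_secret(json.dumps(secret))
    return secret, True


if __name__ == "__main__":
    # Constructed stand-in for the real acquirer and store writer (placeholder values).
    fake_acquire = lambda: ("eyJ.placeholder.token", int(time.time()) + 3600)
    written = []
    secret, refreshed = refresh_if_needed(
        None, "00000000-0000-0000-0000-000000000001", fake_acquire, written.append)
    print("refreshed:", refreshed, "stored:", written[-1])
    # Second pass with a still-valid token performs no write.
    _, refreshed = refresh_if_needed(
        secret, "00000000-0000-0000-0000-000000000001", fake_acquire, written.append)
    print("refreshed again:", refreshed)
```

Run the job on a schedule shorter than the margin (for example every minute with a five-minute margin); the store is only rewritten when the stored token is about to expire, which keeps the detailed refresh logging described later on this page from flooding the service logs.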
PAA Configurations
If you are not using the PlainID Helm deployment and instead manage your own Kubernetes deployment, configure the Redis authentication parameters directly in the Redis configuration sections of the relevant PAA services.
Use the following secret reference pattern:
`{{store=<store name>,key=<secret key>,jsonpath=<value jsonpath>}}`
Redis Configuration with Entra Token Secret
| Parameter | Description | Example Value |
|---|---|---|
| `redis.username` | Object ID used for Entra authentication | `{{store=AZURE_ENTRA_TOKEN_STORE,key=redis-entra-token,jsonpath=$.username}}` |
| `redis.password` | Microsoft Entra access token | `{{store=AZURE_ENTRA_TOKEN_STORE,key=redis-entra-token,jsonpath=$.access_token}}` |
Secret Structure
The secret returned by the Secrets Manager store must use the following JSON structure:
```json
{
  "username": "<object-id-of-managed-identity-or-service-principal>",
  "access_token": "<entra-access-token>",
  "expires_on": "<token-expiration-timestamp>"
}
```
All PAA services that connect to Redis automatically consume these credentials through the Secrets Manager service once configured. No additional service-specific Redis configuration is required beyond defining the secret references.
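To make the reference pattern and the secret structure concrete, here is an added example resolver, written for this page and not PlainID's own implementation. It parses `{{store=...,key=...,jsonpath=...}}`, looks the key up in an in-memory stand-in for a store, applies a minimal JSONPath subset (`$.field`, `$.a.b`, `$.list[0]`, which is all the table above needs), and returns any value that is not a reference unchanged, which is the behaviour the "identified as not a pattern, treating as password" log line in the troubleshooting section describes. The sample secret is constructed with placeholder values.

```python
"""Resolve Secrets Manager references of the form {{store=...,key=...,jsonpath=...}}.

Added example, not PlainID's resolver. Supports only the simple JSONPath
subset needed for the secret structure on this page.
"""
import json
import re
from typing import Any, Dict, Mapping, Optional

# One named group per component; component values cannot contain ',' or '}'.
REFERENCE_RE = re.compile(
    r"^\{\{store=(?P<store>[^,}]+),key=(?P<key>[^,}]+),jsonpath=(?P<jsonpath>[^}]+)\}\}$"
)
# JSONPath segments: .name  or  [index]
PATH_TOKEN_RE = re.compile(r"\.([A-Za-z_][A-Za-z0-9_-]*)|\[(\d+)\]")


def parse_reference(value: str) -> Optional[Dict[str, str]]:
    """Return the store/key/jsonpath components, or None if value is not a reference."""
    m = REFERENCE_RE.match(value.strip())
    return m.groupdict() if m else None


def eval_jsonpath(doc: Any, path: str) -> Any:
    """Walk a minimal JSONPath ($.a.b[0]) over parsed JSON; KeyError/IndexError on a miss."""
    if not path.startswith("$"):
        raise ValueError(f"jsonpath must start with '$': {path!r}")
    pos, node = 1, doc
    while pos < len(path):
        m = PATH_TOKEN_RE.match(path, pos)
        if not m:
            raise ValueError(f"unsupported jsonpath segment at offset {pos}: {path!r}")
        node = node[m.group(1)] if m.group(1) is not None else node[int(m.group(2))]
        pos = m.end()
    return node


def resolve(value: str, stores: Mapping[str, Mapping[str, str]]) -> str:
    """Resolve a Redis setting value.

    A reference is looked up and the JSONPath applied; anything else is a
    literal and is returned as-is (treated as a plain password).
    `stores` maps store name -> secret key -> raw secret JSON text.
    """
    ref = parse_reference(value)
    if ref is None:
        return value
    try:
        raw = stores[ref["store"]][ref["key"]]
    except KeyError as e:
        raise KeyError(f"secret {ref['store']}/{ref['key']} not found") from e
    result = eval_jsonpath(json.loads(raw), ref["jsonpath"])
    if not isinstance(result, str):
        raise TypeError(f"{ref['jsonpath']} did not select a string in {ref['key']}")
    return result


# Constructed sample secret in the structure defined on this page (placeholder values).
SAMPLE_STORES = {
    "AZURE_ENTRA_TOKEN_STORE": {
        "redis-entra-token": json.dumps({
            "username": "00000000-0000-0000-0000-000000000001",
            "access_token": "eyJ.placeholder.token",
            "expires_on": "1700000000",
        })
    }
}

USERNAME_REF = "{{store=AZURE_ENTRA_TOKEN_STORE,key=redis-entra-token,jsonpath=$.username}}"
PASSWORD_REF = "{{store=AZURE_ENTRA_TOKEN_STORE,key=redis-entra-token,jsonpath=$.access_token}}"

if __name__ == "__main__":
    print("username:", resolve(USERNAME_REF, SAMPLE_STORES))
    print("password:", resolve(PASSWORD_REF, SAMPLE_STORES)[:6] + "...")
    print("literal :", resolve("static-password", SAMPLE_STORES))
```

Because a non-matching value silently becomes a literal password, a typo in a reference (a missing `}` or a misspelled `jsonpath=`) shows up as an authentication failure against Redis rather than as a resolution error; the detailed logging described in the troubleshooting section is the quickest way to confirm which branch a given value took.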
Troubleshooting Secrets Manager Integration
Each PAA service that connects to Redis retrieves the Entra token through the Secrets Manager. To enable detailed logging for troubleshooting, configure the following settings and set the service log level to TRACE.
Note: Enabling detailed Secrets Manager logging may generate a high volume of log entries, as a log message is printed on each refresh operation.
For the Agent and PIP Operator:
```yaml
SECRETMGMTCLIENT_LOGGING_DETAILED_ENABLED: "true"
```
For the Runtime:
```yaml
RTCONF_SECRETS_PROVIDER__LOGGING__DETAILED__ENABLED: "true"
```
When enabled, the following detailed log messages may appear.
Success message:
```java
logger.detailed("Successfully parsed input: store=" + store);
```
Error message:
```java
logger.detailed("identified as not a pattern, treating as password...");
```
Customers Managing Their Own Kubernetes Deployment
For customers managing custom Kubernetes deployments, Redis credentials must be explicitly defined in the PAA services' Redis configuration by using Secrets Manager references.
Example:
- Redis connection username: `{{store=AZURE_ENTRA_TOKEN_STORE,key=redis-entra-token,jsonpath=$.username}}`
- Redis connection password: `{{store=AZURE_ENTRA_TOKEN_STORE,key=redis-entra-token,jsonpath=$.access_token}}`
This configuration enables secure, identity-based authentication to Azure Cache for Redis by using Microsoft Entra access tokens, removes the need for static secrets, and allows seamless credential refresh without restarting PAA services.