AWS Elasticache IAM Auth - Connections Fail on Token Expiration

[guilhemferr]

Hello, we are seeking your guidance on the recommended approach for handling expiring credentials, specifically AWS ElastiCache IAM tokens. We have followed the standard practice of using a RedisCredentialsProvider (e.g. spring-projects/spring-data-redis/issues/2769), but the connections in the pool are not re-authenticating before the token expires, leading to WRONGPASS errors.

Environment
Spring Boot Version: 3.5.6
Spring Data Redis Version: 3.5.6
Lettuce-core Version: 6.6.0.RELEASE
Cloud Provider: AWS ElastiCache for Redis (with IAM Authentication enabled)

Current setup

We configure our factory with a connection pool and our custom credentials provider. The pool is configured to evict idle connections.

var poolConfig = new GenericObjectPoolConfig<>();
poolConfig.setMinEvictableIdleDuration(Duration.ofMinutes(10));
poolConfig.setTimeBetweenEvictionRuns(Duration.ofMinutes(5));
poolConfig.setTestWhileIdle(true);

new LettuceConnectionFactory(
    LettuceConnectionFactory.createRedisConfiguration(RedisURI.create(uri)),
    LettucePoolingClientConfiguration.builder()
        .redisCredentialsProviderFactory(new ElastiCacheCredentialsProviderFactory())
        .poolConfig(poolConfig)
        .apply(RedisURI.create(uri))
        .build());

Below is the credentials provider:

public class ElastiCacheCredentialsProviderFactory implements RedisCredentialsProviderFactory {
  @Override
  public RedisCredentialsProvider createCredentialsProvider(RedisConfiguration redisConfiguration) {
    var username = getUsername(redisConfiguration);
    return new ElastiCacheCredentialsProvider(username);
  }
}

public class ElastiCacheCredentialsProvider implements RedisCredentialsProvider {
  @Override
  public Mono<RedisCredentials> resolveCredentials() {
    // getIamAuthTokenMemoized() generates a new token valid for 15min and cache it for 14 min
    return Mono.fromSupplier(() -> RedisCredentials.just(username, getIamAuthTokenMemoized()));
  }
}

Observed Behaviour

On startup, our application connects successfully as resolveCredentials() is called once to get a valid token. However the getIamAuthTokenMemoized() is not called anymore and only after one hour it is called again and we see this log:

Cannot reconnect to [<redis-host>/<unresolved>:6379]: io.lettuce.core.RedisCommandExecutionException: WRONGPASS invalid username-password pair or user is disabled.

We've confirmed that new tokens are generated correctly before they expire, but the active connections in the pool are not using them, causing persistent authentication errors.

What is the recommended pattern to force a connection pool to re-authenticate with a fresh token? Are we missing a simple configuration for this?

We have reviewed spring-projects/spring-data-redis/issues/2930, but the solution involving RedisConnectionStateListener seems quite complex for what we consider a standard use case like rotating credentials. Before we implement it, could you confirm if this is the intended approach? Thanks

[bobymicroby]

@guilhemferr You can try using https://github.com/redis/jvm-redis-authx-entraid and implement the IdentityProvider interface for AWS like this.

[guilhemferr]

Thanks for the quick reply @bobymicroby, your suggestion was spot on!

We initially added that redis-authx-entraid dependency, but in the end we only used the classes from redis-authx-core, which is a transitive dependency of lettuce-core. Just sharing our setup in case it helps other developers facing the same issue:

public class ElastiCacheIdentityProviderConfig implements IdentityProviderConfig {
    @Override
    public IdentityProvider getProvider() {
        return new ElastiCacheIdentityProvider();
    }
}

public class ElastiCacheIdentityProvider implements IdentityProvider {
    @Override
    public Token requestToken() {
        var token = generateSignedToken();
        return new SimpleToken(username, token, ...);
    }
}

// in redis credentials provider factory
public RedisCredentialsProvider createCredentialsProvider(...) {
    return TokenBasedRedisCredentialsProvider.create(
        TokenAuthConfig.builder()
            .identityProviderConfig(new ElastiCacheIdentityProviderConfig())
    );
}

All the heavy lifting — managing token refresh on a schedule and sending auth commands to reauthenticate the connection — is handled by the core library. This was extremely useful and significantly reduced the complexity of implementing this feature.

We just wish AWS offered something similar to what Microsoft Entra ID provides.

Thanks again for your support!

[bobymicroby]

That's fantastic to hear! Really glad the core library worked well for your use case!

Your implementation looks clean and demonstrates exactly what we were aiming for with the design — a generic, extensible solution that handles all the authentication lifecycle complexity while letting developers focus on just the token generation logic specific to their identity provider.