Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DOC-4819 added Lettuce AMR example #1169

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

DOC-4819 added Lettuce AMR example #1169

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0659ff9
DOC-4819 added Lettuce AMR example
andy-stark-redis Feb 14, 2025
5adcc32
Update content/develop/clients/lettuce/amr.md
andy-stark-redis Feb 14, 2025
241fc32
DOC-4819 implemented feedback
andy-stark-redis Feb 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
171 changes: 171 additions & 0 deletions content/develop/clients/lettuce/amr.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,171 @@
---
categories:
- docs
- develop
- stack
- oss
- rs
- rc
- oss
- kubernetes
- clients
description: Learn how to authenticate to an Azure Managed Redis (AMR) database
linkTitle: Connect to AMR
title: Connect to Azure Managed Redis
weight: 2
---

The [`redis-authx-entraid`](https://github.com/redis/jvm-redis-authx-entraid) package
lets you authenticate your app to
[Azure Managed Redis (AMR)](https://azure.microsoft.com/en-us/products/managed-redis)
using [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/).
You can authenticate using a system-assigned or user-assigned
[managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
or a [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals),
letting `redis-authx-entraid` fetch and renew the authentication tokens for you automatically.

## Install

Install [`Lettuce`]({{< relref "/develop/clients/lettuce" >}}) first,
if you have not already done so.

If you are using Maven, add
the following dependency to your `pom.xml` file:

```xml
<dependency>
<groupId>redis.clients.authentication</groupId>
<artifactId>redis-authx-entraid</artifactId>
<version>0.1.1-beta1</version>
</dependency>
```

If you are using Gradle, add the following dependency to your
`build.gradle` file:

```bash
implementation 'redis.clients.authentication:redis-authx-entraid:0.1.1-beta1'
```

## Create a `TokenAuthConfig` instance

The `TokenAuthConfig` class contains the authentication details that you
must supply when you connect to Redis. Chain the methods of the
`EntraIDTokenAuthConfigBuilder` class together (starting with the `builder()`
method) to include the details you need, as shown in the following example:

```java
TokenAuthConfig authConfig = EntraIDTokenAuthConfigBuilder.builder()
.secret("<secret>")
.authority("<authority>")
// Other options...
.build();
```

Some of the details you can supply are common to different use cases:

- `secret()`: A string containing the [authentication secret](https://learn.microsoft.com/en-us/purview/sit-defn-azure-ad-client-secret).
- `authority()`: A string containing the [authority](https://learn.microsoft.com/en-us/entra/identity-platform/msal-client-application-configuration#authority)
URL.
- `scopes()`: A set of strings defining the [scopes](https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc)
you want to apply.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to "Use Microsoft Entra for cache authentication" expected values for scopes when connecting to Redis are :

Configure your client application to acquire a Microsoft Entra token for scope, https://redis.azure.com/.default or acca5fbb-b7e4-4009-81f1-37e38fd66d78/.default

Probably we can add this as hint to the user so he is not wondering what to provide.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.


You can also add configuration to authenticate with a [service principal](#serv-principal)
or a [managed identity](#mgd-identity) as described in the sections below.

### Configuration for a service principal {#serv-principal}

Add `clientId()` to the `EntraIDTokenAuthConfigBuilder` chain to specify
authentication via a service principal, passing the ID token string as
a parameter. (See the
[Microsoft EntraID docs](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals)
for more information about service principals.)

```java
TokenAuthConfig authConfig = EntraIDTokenAuthConfigBuilder.builder()
.clientId("<CLIENT-ID>")
// ...
.build();
```

### Configuration for a managed identity {#mgd-identity}

You can also authenticate to AMR using a managed identity (see the
[Microsoft documentation](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) to learn more about managed identities).

For a system assigned managed identity, simply add the `systemAssignedManagedIdentity()`
method to the `EntraIDTokenAuthConfigBuilder` chain:

```java
TokenAuthConfig authConfig = EntraIDTokenAuthConfigBuilder.builder()
.systemAssignedManagedIdentity()
// ...
.build();
```

For a user assigned managed identity, add `userAssignedManagedIdentity()`. This
requires a member of the `UserManagedIdentityType` enum (to select a
`CLIENT_ID`, `OBJECT_ID`, or `RESOURCE_ID`) as well as the `id` string itself:

```java
TokenAuthConfig authConfig = EntraIDTokenAuthConfigBuilder.builder()
.userAssignedManagedIdentity(
UserManagedIdentityType.CLIENT_ID,
"<ID>"
)
// ...
.build();

```

## Connect using the `withAuthentication()` option

When you have created your `TokenAuthConfig` instance, you are ready to
connect to AMR.
The example below shows how to include the `TokenAuthConfig` details in a
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the case of Lettuce it is important to point out that lifecycle of TokenBasedRedisCredentialsProvider is not managed by the Lettuce client.

For reference you can check Create Entra ID enabled credentials provider

Create Entra ID enabled credentials provider
The lifecycle of the credentials provider is not managed by the Lettuce client. You can create it once and reuse it across multiple clients\connections. When no longer needed, you should close the provider to release resources TokenBasedRedisCredentialsProvider#close.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it will be also useful to provide example code to verify Credentials provider is properly configured

`You can test the credentials provider by obtaining a token.

// Test Entra ID credentials provider can resolve credentials
credentialsSP.resolveCredentials()
.doOnNext(c-> System.out.println(c.getUsername()))
.block();`

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

`TokenBasedRedisCredentialsProvider` instance and pass it to the `RedisURI.Builder`
using the `withAuthentication()` option.

{{< note >}} Azure requires you to use
[Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)
when you connect, as shown in the example.
{{< /note >}}

```java
TokenAuthConfig authConfig = EntraIDTokenAuthConfigBuilder.builder()
// Chain of options...
.build();

TokenBasedRedisCredentialsProvider credentialsProvider =
TokenBasedRedisCredentialsProvider.create(tokenAuthConfig);

RedisURI uri = RedisURI.Builder.redis("<host>", <port>)
.withAuthentication(credentialsProvider)
.withSsl(true)
.build();

RedisClient client = RedisClient.create(uri);

SslOptions sslOptions = SslOptions.builder().jdkSslProvider()
.truststore(new File(
"<path_to_truststore.jks_file>"),
"<password_for_truststore.jks_file>"
)
.build();

client.setOptions(ClientOptions.builder()
.sslOptions(sslOptions)
.build());

StatefulRedisConnection<String, String> connection = client.connect();
RedisAsyncCommands<String, String> asyncCommands = connection.async();

// Test the connection.
CompletableFuture<Void> testDBSize = asyncCommands.dbsize()
.thenAccept(r -> {
System.out.println(String.format("Database size: %d", r));
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the complete .withSsl(true) should be sufficient and no additional SslOptions should be needed (in straight forward case when hostname is used )

I can suggest something like

        // Entra ID enabled credentials provider for Service Principle Identity with Client Secret
        TokenBasedRedisCredentialsProvider credentialsSP;
        try (EntraIDTokenAuthConfigBuilder builder = EntraIDTokenAuthConfigBuilder.builder()) {
            builder.clientId(CLIENT_ID).secret(CLIENT_SECRET).authority(AUTHORITY) // "https://login.microsoftonline.com/{YOUR_TENANT_ID}";
                    .scopes(SCOPES); // "https://redis.azure.com/.default";
            credentialsSP = TokenBasedRedisCredentialsProvider.create(builder.build());
        }

        // Test Entra ID credentials provider can resolve credentials
        // credentialsSP.resolveCredentials().doOnNext(c -> System.out.println("SPI ID :" + c.getUsername())).block();

        // Enable automatic re-authentication
        ClientOptions clientOptions = ClientOptions.builder()
                .reauthenticateBehavior(ClientOptions.ReauthenticateBehavior.ON_NEW_CREDENTIALS).build();

        // Use Entra ID credentials provider
        RedisURI redisURI = RedisURI.builder()
                .withHost(HOST)
                .withPort(PORT)
                .withAuthentication(credentialsSP)
                .withSsl(true)
                .build();

        // RedisClient
        RedisClient redisClient = RedisClient.create(redisURI);
        redisClient.setOptions(clientOptions);

        try {
            redisClient.setOptions(clientOptions);
            // Connect with Entra ID credentials provider
            try (StatefulRedisConnection<String, String> user1 = redisClient.connect(StringCodec.UTF8)) {
                System.out.println("Connected to redis as :" + user1.sync().aclWhoami());
                System.out.println("Db size :" + user1.sync().dbsize());
            }
        } finally {
            redisClient.shutdown();  // Shutdown Redis client and close connections
            credentialsSP.close(); // Shutdown Entra ID Credentials provider
        }

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

})
.toCompletableFuture();

testDBSize.join();
```