Configuring Access Control and RBAC in Redis Cloud – Redis Knowledge Base

Redis Cloud provides Role-Based Access Control (RBAC) and Access Control Lists (ACLs) to enforce fine-grained, database-level security. RBAC assigns users to roles, and each role maps to Redis ACLs, controlling which commands and keys are accessible.

This guide covers Setting Up RBAC, Configuring Permissions with ACLs, Managing ACLs via the REST API, and Common Troubleshooting Scenarios, with practical examples and security best practices.

Introduction to Access Control in Redis Cloud

Access control in Redis Cloud helps enforce the principle of least privilege by restricting what each user can access or execute within a database.

Key points:

Separation of account-level and database-level access
Support for predefined and custom command-level restrictions
Flexible enforcement via UI or REST API automation

Setting Up Role-Based Access Control (RBAC)

RBAC decouples user identities from database privileges using intermediary roles.

Steps to Configure RBAC:

Log in to your Redis Cloud console.
Navigate to Data Access Control in the left navigation.
Use the Users, Roles, and Redis ACLs tabs:
- Redis ACLs: Define allowed/denied commands and key patterns.
- Roles: Assign ACLs and set database scope.
- Users: Assign roles to database users.

Configuring Permissions with Redis ACLs

ACLs define which commands or operations a user can perform. Redis Cloud supports:

Predefined ACLs:
- Full‑Access
- Read‑Write
- Read‑Only
Custom ACLs: Created via the console or REST API

Syntax Elements:

+COMMAND – Allow a specific command
-COMMAND – Block a specific command
+@category – Allow command category (e.g., @read)
~pattern – Restrict access to key patterns
&channel – Specify Pub/Sub access

Example: Custom Read-Only ACL with Redis Search Access

# Example ACL
+get
+@read
+FT.SEARCH
+FT.INFO
~index:*

# Notes:
# +COMMAND     = Allow specific command
# -COMMAND     = Deny specific command
# +@category   = Allow command category (e.g., @read)
# ~pattern     = Restrict to key patterns
# &channel     = Specify Pub/Sub channel access

High-Risk Categories

Use caution with:

Category/Command	Why Avoid	Typical Usage Allowed For
`@dangerous`	Data loss, config	Admin users only
`@admin`	Infra disruption	Admin users only
`@connection`	Connection abuse	Ops / Monitoring
`@scripting`	Code execution	Controlled automation
`@all`, `~*`	Unrestricted access	Never for non‑admins

Managing ACLs via REST API

Use the Redis Cloud REST API to automate ACL creation and updates.

Endpoints:

GET    /v1/redis_acls        # List all ACLs
GET    /v1/redis_acls/{uid}  # Retrieve ACL details
POST   /v1/redis_acls        # Create new ACL
PUT    /v1/redis_acls/{uid}  # Update ACL
DELETE /v1/redis_acls/{uid}  # Remove ACL

Example Request:

curl -u "username:password" -X POST \
  -H 'Content-Type: application/json' \
  --data-raw '{ "name": "Geo", "acl": "~* +@geo" }' \
  https://api.redislabs.com/v1/redis_acls

Note: The cluster must support Redis ACLs, or the API will return 501 Not Implemented.

Common Troubleshooting Scenarios

Scenario	Solution
Default user is still active	Disable the default user in database settings and use custom RBAC roles.
`Access Denied` errors	Check ACL syntax, key patterns, and assigned role permissions.
Can’t modify Full‑Access ACL	Predefined ACLs are immutable. Create a custom ACL instead.
501 error from API	Your database or cluster may not support Redis ACLs.
Multi‑key commands partially fail	Some keys may not match allowed patterns—revise the `~` pattern in the ACL.
Pub/Sub rules ignored	Redis Cloud allows broad Pub/Sub by default; explicitly set channel access using `&` rules.

Additional Resources

RBAC in Redis Cloud

Configuring ACLs in Redis Cloud

Recommended Security Practices

Related to