Skip to main content
Support Requests Chat with us

Credential Rotation and Secure Access Management in Redis Cloud

Natalie Patterson

0 comments

Redis Cloud provides enterprise-grade security by enforcing strong credentials, access controls, TLS encryption, and robust credential management features. Credential rotation, updating database passwords, certificates, API keys, and cloud provider credentials is a critical part of maintaining a secure and production-ready Redis Cloud environment. This guide outlines best practices, step-by-step instructions for key scenarios, and troubleshooting tips.

Account and Database Credential Rotation

Password-Based Access (Console and Databases)

All Redis Cloud accounts and databases enforce password-based authentication for the default user. For finer-grained security, enable Role-Based Access Control (RBAC) and create custom users with least-privilege roles rather than using the default user.

Rotating a Database Password (Default User)

  1. Log in to your Redis Cloud account.

  2. Open the target database and navigate to the Security tab.

  3. Click the "eye" icon to reveal the existing password.

  4. Click Edit, enter a new password, and Save. This updates the password for all new connections.

  5. Update all client connection strings and secrets managers to use the new password. Old connections will fail authentication after rotation.

Notes & Limitations:

  • Password rotation for the default user is supported via the Console and REST API, but only one password can be active at a time.

  • For seamless rotation without downtime, use custom users with ACLs/RBAC. Rolling updates are supported for ACL users but limited for the default user.

Password Policy Enforcement

  • Minimum complexity: at least 8 characters, must include upper/lowercase, digit, and special character.

  • For SAML SSO logins, password rotation and policies are enforced by your identity provider.

API Key Management and Rotation

API Key Rotation Steps:

  1. Navigate to Account → API Keys in the Redis Cloud Console.

  2. Click Create API Key to generate a new key and secret.

  3. Distribute the new credentials to automation, integration, or CI/CD systems.

  4. Remove or deactivate the old API key after all dependent systems have been updated.

Notes:

  • Store API credentials securely in a secrets manager.

  • Rotate API keys routinely and immediately after any suspected compromise.

  • The Redis Cloud REST API supports key management, rate limits, and revocation.

Cloud Provider Credential Rotation (BYOC/Marketplace)

For Bring Your Own Cloud (BYOC) or marketplace-managed deployments:

  • Redis Cloud stores and rotates cloud provider credentials (e.g., AWS IAM access keys, GCP service accounts) securely in encrypted vaults.

  • As credentials approach expiration, Redis generates new credentials, validates, stores them securely, and updates resource access.

  • Customers providing their own credentials should rotate them regularly according to internal security policies.

Key Steps:

  • Managed rotation: Redis notifies or rotates credentials based on integration method.

  • Manual rotation: Replace credentials via the Cloud Account settings in Redis Cloud.

Certificate Rotation (TLS/mTLS)

All connections to paid Redis Cloud databases use TLS by default. For mutual TLS (mTLS), Redis Cloud Pro lets you manage client certificates per database.

How to Rotate mTLS Client Certificates:

  1. From the Security tab of your Pro database, add a new client certificate while keeping the old one valid.

  2. Update all clients to use the new certificate.

  3. Once all clients are updated, remove the old certificate.

This allows seamless certificate rotation with no downtime.

Best Practices for Secure Credential Management

  • Rotate passwords and API keys regularly, and always after staff turnover or suspected compromise.

  • Do not share credentials between users—use RBAC and per-user credentials.

  • Never store credentials in plaintext; use secrets managers or environment variables with proper permissions.

  • Enforce MFA/SAML SSO for console access.

  • Always use encrypted TLS connections (rediss:// URI) for clients.

  • Review and restrict CIDR/IP allow lists for database access.

  • Audit credential access and rotation events via Redis Cloud audit logs or your central SIEM.

  • Follow least-privilege principles for roles, credentials, and API key scopes.

Troubleshooting Credential Rotation Issues

Symptom

Possible Cause

Recommended Action

Unable to authenticate after rotation

Client still using old credentials

Update all connection strings and secrets.

“Access Denied” via API

Old or invalid API key

Issue a new API key and update all systems.

“No valid credential” for cloud resources

Expired/revoked cloud credentials

Upload refreshed credentials via Cloud Account settings.

Connection drops after password change

Open connections not updated

Clients must re-authenticate; schedule rotations for low-traffic windows.

TLS handshake failure after certificate change

Client not updated with new certificate

Ensure all clients trust the new CA/certificate.

Note: Some connection drops are expected for managed connections to comply with security standards. Invalidated credentials are forcibly disconnected.

Related to

Was this article helpful?

0 out of 1 found this helpful

Related articles

0 comments

Please sign in to leave a comment.