Redis Cloud connections can fail with authentication-related errors even when the database is reachable. These failures commonly appear as WRONGPASS invalid username-password pair, AUTH failed, or generic “Failed to connect” messages. Often, the root cause isn't the password itself, but a mismatch between the database authentication mode, client configuration, and TLS requirements.
This article helps you quickly determine whether the failure is caused by incorrect credentials, ACL usage, passwordless access, TLS enforcement, or endpoint mismatches, and walks through step-by-step validation and fixes.
Covered in this article: Quick Fixes, Symptoms and Common Causes, Step-by-Step Resolution, Client Configuration Examples, and Evidence Collection for Ongoing Issues.
Quick Fix Table
| Issue | Fast check | Action |
|---|---|---|
| WRONGPASS or AUTH failed | Was the database password recently rotated or updated? | Update the password in all secret stores, environment variables, and client configs, then restart clients to pick up the new credentials. |
| WRONGPASS when using ACL users | Is the client authenticating as the default user instead of the intended ACL user? Is the ACL user enabled and assigned to a role under Data Access Control → Users? | Ensure the client sends AUTH <username> <password> or is configured with both username and password. In Redis Cloud, verify the user is enabled and has a role with the required permissions. |
| WRONGPASS on a passwordless database | Was the default user password removed, but the client still sends AUTH? | Remove AUTH configuration from the client. Passwordless databases will reject authentication attempts. |
| Connection timeouts or immediate disconnects | Does the database enforce TLS, but the client connects without TLS? | Use a TLS-enabled client and connect to the TLS port. Verify CA certificates if required. |
| AUTH appears correct, but still fails | Is the client connecting to the correct database endpoint and port? | Verify the host, port, and subscription. Ensure the endpoint was copied from the intended database. |
| All databases suddenly return WRONGPASS or AUTH failed | Can you sign in to Redis Cloud and see a billing, suspension, or account restriction banner? Did you receive account restriction or suspension emails? | Resolve outstanding invoices or payment issues. Authentication will continue to fail until the account or subscription is restored to Active status. |
Symptoms
You may see one or more of the following:
WRONGPASSinvalid username-password pairAUTH failedGeneric “Failed to connect” or timeout errors with little detail
Immediate disconnects after connection attempts
Clients are reporting connection failures while Redis Cloud Console shows the database as healthy
Common Causes
Authentication failures are commonly caused by one or more of the following:
Applications using stale credentials after a password rotation
Using ACL authentication while sending
AUTHas if connecting as the default userDefault user password removed (passwordless access), but clients still send
AUTHConnecting to the wrong endpoint or port
Connecting without TLS to a database that enforces TLS
TLS handshake or certificate issues surfacing as generic connectivity or auth errors
Account or subscription suspended due to billing issues (unpaid invoices) — databases can return
WRONGPASSorAUTHfailed for all connections until the account is unblocked in Redis Cloud.
Step-by-Step Resolution
1. Confirm endpoint and protocol requirements
Verify the database endpoint (host) and port from the Redis Cloud Console.
Also, confirm the account and subscription status in the Redis Cloud console. If the account is suspended, restricted, or blocked due to billing issues, authentication will fail until the block is cleared, regardless of the username and password.
Confirm whether the database requires TLS.
-
If TLS is required:
Use a TLS-enabled client
Use a TLS URI such as
rediss://, or enable TLS options in the client configuration
Ensure you are not connecting to a non-TLS port when TLS is enforced.
2. Validate authentication mode and credentials
Redis Cloud supports multiple authentication modes. Ensure the client configuration matches the database setup.
-
Default user with password
Connect without a username; clients either send
AUTH <password>or use the implicitdefaultuser in their configuration.This is the mode used when Data Access Control is not enabled, or you haven’t created additional ACL users.
-
ACL user authentication
Connect with both username and password.
Client must send
AUTH <username> <password>(or configureusername+passwordin the client’s connection options).-
In Redis Cloud → Data Access Control → Users, confirm that:
The user is enabled (not disabled).
The user is assigned to at least one role that grants access to the target database.
-
Passwordless access
The default user password has been removed
Clients must not send
AUTHat allSee: Passwordless Access to Redis Cloud databases (link to existing article)
3. Test connectivity with redis-cli
Testing directly with redis-cli helps determine whether the issue is related to your application client or the database configuration itself.
TLS-required database
Use these commands when the database enforces TLS.
Default user with password
redis-cli -h <host> -p <port> --tls -a <password>
ACL user
redis-cli -h <host> -p <port> --tls
AUTH <username> <password>Non-TLS database
Use these commands when TLS is not enabled.
redis-cli -h <host> -p <port>
Apply the same authentication rules as above:
Use
-a <password>for the default userUse
AUTH <username> <password>for ACL users
Validate authentication
After connecting and authenticating, run: PING
A PONG response confirms that authentication and connectivity are working.
Advanced: Passwords with special characters
If your password contains special characters (for example @, %, !, or shell metacharacters), avoid embedding it directly in a redis:// URI without encoding.
Recommended approach
redis-cli \
-h <host> -p <port> --tls \
--user <username> \
--pass '<password-with-special-chars>'Alternatively, URL-encode the password portion of the URI.
Several WRONGPASS cases were resolved by switching from -u redis://... to --user and --pass with proper quoting.
4. Synchronize credentials after password rotation
If credentials were recently changed:
-
Update all applications, services, and secret stores:
Kubernetes or OpenShift secrets
Environment variables
Vault or secret management systems
Restart or redeploy workloads that cache credentials at startup
5. Distinguish TLS failures from AUTH failures
TLS and authentication issues often look similar at the client level.
-
Timeouts or immediate disconnects (before any Redis error message)
Often indicates that TLS is required but the client is connecting in plaintext, or that the TLS handshake is failing (for example, because of certificate validation).
Verify TLS settings and trusted CA configuration
-
AUTH errors after successful TLS connection
Re-check username, password, and authentication mode
Confirm the database is not passwordless
6. Collect client-side evidence if the issue persists
If the issue can't be reproduced with redis-cli:
Use
MONITORbriefly during low-traffic windows to observe incoming commands and confirm whether clients sendAUTH-
Capture a short
tcpdumpduring connection attempts to verify:Whether TLS is negotiated
Whether
AUTHis sent (and in which form)
7. Common client configuration fixes
-
redis-py
Redis( host=..., port=..., username=None or "user", password=None or "secret", ssl=True or False ) -
go-redis
Options{ Addr: "host:port", Username: "" or "user", Password: "" or "secret", TLSConfig: <configured if TLS is required> } -
Redis Insight and manual tools
Ensure TLS is enabled if required
Match authentication mode (default user vs ACL user) to the database configuration
If WRONGPASS errors continue, confirm that the password change has fully propagated and that you're connecting to the correct database within the correct subscription.
0 comments
Please sign in to leave a comment.