Skip to content

feat(infra): Add IAM support for Redis #5265

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

feat(infra): Add IAM support for Redis #5265

wants to merge 1 commit into from

Conversation

justin-tahara
Copy link
Contributor

@justin-tahara justin-tahara commented Aug 26, 2025
edited
Loading

Description

[Provide a brief description of the changes in this PR]
Adding in IAM support for Redis to match Postgresql

How Has This Been Tested?

[Describe the tests you ran to verify your changes]
Still working on testing this.

Backporting (check the box to trigger backport action)

Note: You have to check that the action passes, otherwise resolve the conflicts manually and tag the patches.

  • This PR should be backported (make sure to check that the backport attempt succeeds)
  • [Optional] Override Linear Check

@justin-tahara justin-tahara requested a review from a team as a code owner August 26, 2025 21:06
@vercel Vercel
Copy link

vercel bot commented Aug 26, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
internal-search Ready Ready Preview Comment Aug 26, 2025 9:27pm

greptile-apps[bot]
greptile-apps bot reviewed Aug 26, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Greptile Summary

This PR introduces IAM authentication support for Redis ElastiCache to complement the existing PostgreSQL IAM authentication pattern in the codebase. The implementation adds a new configuration flag USE_REDIS_IAM_AUTH that allows Redis connections to use AWS IAM roles instead of password-based authentication.

The changes span four key areas:

  1. Configuration: Adds the USE_REDIS_IAM_AUTH environment variable flag in app_configs.py
  2. Redis Connection Handling: Updates redis_pool.py to create IAM-aware connection pools that disable password auth and enforce SSL when IAM is enabled
  3. IAM Authentication Module: Introduces iam_auth.py containing functions for token generation, SSL configuration, and credential management
  4. Celery Integration: Modifies base.py to exclude passwords from broker URLs when IAM authentication is active

The implementation follows the same architectural pattern as the existing PostgreSQL IAM authentication (USE_IAM_AUTH), maintaining consistency across the codebase. When USE_REDIS_IAM_AUTH is enabled, Redis connections are configured to use SSL and IAM credentials from AWS, while traditional password authentication is bypassed. This enables secure integration with AWS ElastiCache clusters that are configured for IAM authentication, eliminating the need for hardcoded Redis passwords and leveraging AWS IAM policies for access control.

Confidence score: 1/5

  • This PR has critical implementation flaws that will cause authentication failures in production
  • Score reflects fundamental issues with the IAM token generation logic that doesn't align with AWS ElastiCache IAM authentication mechanisms
  • Pay close attention to backend/onyx/redis/iam_auth.py - the core authentication logic needs complete revision as it attempts to use cluster names as tokens rather than generating proper IAM auth tokens

4 files reviewed, 6 comments

Edit Code Review Bot Settings | Greptile

@justin-tahara justin-tahara force-pushed the jtahara/redis-iam-workflow branch from d71014e to e9f1d3f Compare August 26, 2025 21:12
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Aug 26, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

6 issues found across 4 files

React with 👍 or 👎 to teach cubic. You can also tag @cubic-dev-ai to give feedback, ask questions, or re-run the review.

backend/onyx/redis/redis_pool.py
host=host,
port=port,
db=db,
password=None, # No password with IAM auth
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IAM auth requires an AUTH token (SigV4) and username; setting password=None means no authentication will be performed, causing connection failures with ElastiCache Redis IAM.

Prompt for AI agents 
Address the following comment on backend/onyx/redis/redis_pool.py at line 209:

<comment>IAM auth requires an AUTH token (SigV4) and username; setting password=None means no authentication will be performed, causing connection failures with ElastiCache Redis IAM.</comment>

<file context>
@@ -192,6 +196,28 @@ def create_pool(
 
         # Using ConnectionPool is not well documented.
         # Useful examples: https://github.com/redis/redis-py/issues/780
+
+        # Handle IAM authentication
+        if USE_REDIS_IAM_AUTH:
+            # For IAM authentication, we don&#39;t use password
+            # and ensure SSL is enabled
+            ssl_context = create_redis_ssl_context_if_iam()
</file context>

@justin-tahara justin-tahara force-pushed the jtahara/redis-iam-workflow branch from e9f1d3f to 8dd7f31 Compare August 26, 2025 21:21
@justin-tahara
Copy link
Contributor Author

@greptileai

greptile-apps[bot]
greptile-apps bot reviewed Aug 26, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Greptile Summary

This PR adds IAM authentication support for Redis ElastiCache to match the existing PostgreSQL IAM authentication capabilities in the codebase. The changes introduce a new configuration variable USE_REDIS_IAM_AUTH that enables IAM-based authentication for Redis connections.

The implementation adds four key components:

  1. Configuration: A new USE_REDIS_IAM_AUTH environment variable in app_configs.py that follows the same pattern as the existing USE_IAM_AUTH for PostgreSQL

  2. IAM Authentication Module: A new iam_auth.py file in the Redis directory that provides functions for configuring IAM authentication parameters and creating SSL contexts

  3. Celery Integration: Updates to the Celery broker configuration to conditionally exclude password authentication when IAM auth is enabled

  4. Redis Pool Integration: Modifications to both synchronous and asynchronous Redis connection creation to support IAM authentication by removing password-based auth and enabling SSL

The approach mirrors the existing PostgreSQL IAM authentication pattern by creating separate configuration paths for IAM versus traditional authentication methods. When IAM authentication is enabled, the system removes password-based authentication and ensures SSL is properly configured for secure connections to AWS ElastiCache.

Confidence score: 1/5

  • This PR is not safe to merge and will cause Redis connection failures in production
  • Score reflects fundamental flaws in IAM authentication implementation - the code only removes passwords and enables SSL but doesn't implement actual AWS Signature V4 authentication tokens required by ElastiCache IAM
  • Pay close attention to backend/onyx/redis/iam_auth.py and backend/onyx/redis/redis_pool.py as they contain incomplete IAM authentication logic that will fail silently

4 files reviewed, no comments

Edit Code Review Bot Settings | Greptile

@justin-tahara
--amend
966ddbc 
"""
Manual approach: Generate URLs for all your projects to check OAuth clients.
Requires no additional installations - just built-in Python libraries.
"""

def main():
    print("Since we can't easily list projects without gcloud,")
    print("let's generate URLs manually.")
    print()

    # Ask user for project IDs
    print("Enter your GCP project IDs (one per line, press Enter twice when done):")
    projects = []

    while True:
        project = input().strip()
        if not project:
            if projects:  # If we have at least one project and get empty line
                break
            else:
                continue
        projects.append(project)

    if not projects:
        print("No projects entered.")
        return

    print(f"\nFound {len(projects)} projects.")
    print("Here are the direct URLs to check for OAuth 2.0 Client IDs:")
    print()

    # Generate URLs for each project
    for project in projects:
        url = f"https://console.cloud.google.com/apis/credentials?project={project}"
        print(f"Project: {project}")
        print(f"URL: {url}")
        print()

    # Save to file
    with open('oauth_check_urls.txt', 'w') as f:
        f.write("OAuth Client Check URLs\n")
        f.write("=" * 30 + "\n\n")
        for project in projects:
            url = f"https://console.cloud.google.com/apis/credentials?project={project}"
            f.write(f"Project: {project}\n")
            f.write(f"URL: {url}\n\n")

    print(f"URLs also saved to: oauth_check_urls.txt")
    print("\nInstructions:")
@justin-tahara justin-tahara force-pushed the jtahara/redis-iam-workflow branch from 8dd7f31 to 966ddbc Compare August 26, 2025 21:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@justin-tahara