The Need to Move to Passwordless Redis Authentication
Previously, Terraform Enterprise (TFE) relied on a static Redis password stored in configuration.
This model creates several operational and security challenges:
| Challenge | Impact |
|---|---|
| Manual rotation required | Downtime and reconfiguration effort |
| Password must be shared across systems | Violates least-privilege & credential minimization |
| Connections often used port 6379 without TLS | Password travels in plaintext if TLS is not enforced |
With AWS IAM-based Redis authentication, no Redis credential is stored or distributed.
Instead, Terraform Enterprise signs a short-lived IAM authentication token (a SigV4-presigned `elasticache:Connect` request, valid for 15 minutes) with the credentials of its IAM role at connection time and presents it as the AUTH password for the IAM-enabled Redis user. The only secret involved is the IAM signing key, which the instance profile already manages; an authenticated connection must re-authenticate after 12 hours, so clients need to handle reconnection.
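To make the "token instead of password" mechanism concrete, the following added example (not Terraform Enterprise or AWS code) builds the ElastiCache IAM auth token with only the Python standard library. It reproduces the SigV4 query-string signing steps as an illustration; in production you would let the AWS SDK presign the request. The host name, Redis user, region, clock and key pair are constructed placeholders (the key pair is AWS's documented example pair), and the assumption that the canonical request uses the empty-body hash and the replication group id as host mirrors the SDK behaviour described in the AWS documentation.

```python
"""Added example: build an ElastiCache IAM auth token (a SigV4-presigned
`connect` request) with the standard library only. Not TFE or AWS code."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote

ALGORITHM = "AWS4-HMAC-SHA256"
TOKEN_TTL_SECONDS = 900  # ElastiCache IAM tokens expire 15 minutes after X-Amz-Date
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()  # GET with no body


def _uri_encode(value: str) -> str:
    # SigV4 canonical encoding: only RFC 3986 unreserved characters stay bare
    return quote(value, safe="-_.~")


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_query(params: dict) -> str:
    """Query parameters sorted by name, each name and value URI-encoded."""
    return "&".join(f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(params.items()))


def build_iam_auth_token(host, user, region, access_key, secret_key,
                         session_token=None, service="elasticache", now=None):
    """Return the string a client sends as the Redis AUTH password for `user`.

    `host` is the replication group id (assumed here to be what
    TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME carries), not the DNS endpoint.
    `session_token` is set when the caller holds temporary role credentials.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    params = {
        "Action": "connect",
        "User": user,
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:
        params["X-Amz-Security-Token"] = session_token
    query = canonical_query(params)
    # Canonical request for a presigned GET: method, path, query, headers, payload hash
    canonical_request = "\n".join(
        ["GET", "/", query, f"host:{host}", "", "host", EMPTY_PAYLOAD_SHA256])
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    # The token is the presigned URL with its "https://" prefix removed
    return f"{host}/?{query}&X-Amz-Signature={signature}"


def token_expiry(token: str) -> dt.datetime:
    """Instant after which the cache rejects this token and a fresh one is needed."""
    qs = parse_qs(token.split("?", 1)[1])
    issued = dt.datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc)
    return issued + dt.timedelta(seconds=int(qs["X-Amz-Expires"][0]))


def demo_token() -> str:
    # Constructed inputs: placeholder ids from the page, AWS's example key pair, fixed clock
    return build_iam_auth_token(
        host="instance-name", user="iam-redis", region="us-west-1",
        access_key="AKIAIOSFODNN7EXAMPLE",
        secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        now=dt.datetime(2025, 1, 1, tzinfo=dt.timezone.utc))


if __name__ == "__main__":
    token = demo_token()
    print(token)
    print("expires at", token_expiry(token).isoformat())
```

Two properties are worth noticing in the output: the secret access key never appears in the token (only a signature derived from it), and the token is bound to the cache name, the Redis user and a 15-minute window, so a captured token is far less useful than a captured static password.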
YAML Configuration Changes (TFE Side)
Before (password-based Redis)
```yaml
TFE_REDIS_HOST: "redis_hostname:6379"
TFE_REDIS_USER: "redis"
TFE_REDIS_PASSWORD: "plaintext-password"
TFE_REDIS_USE_AUTH: "true"
```
After (passwordless IAM-based Redis)
No Redis password is stored, injected, or rotated.
```yaml
TFE_REDIS_HOST: "redis_hostname:6379"
TFE_REDIS_USER: "iam-redis"
TFE_REDIS_USE_TLS: "true"
# Passwordless IAM configuration
TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE: "true"
TFE_REDIS_PASSWORDLESS_AWS_REGION: "us-west-1"
TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME: "instance-name"
TFE_REDIS_PASSWORDLESS_AWS_SERVICE_NAME: "elasticache"
# Passwordless Auth for Sidekiq
TFE_REDIS_SIDEKIQ_HOST: "redis_hostname"
TFE_REDIS_SIDEKIQ_USE_AUTH: "true"
TFE_REDIS_SIDEKIQ_USE_TLS: "true"
```
All values are quoted strings: an unquoted `true` is a YAML boolean, which environment-variable maps (for example a Kubernetes `env` block) reject.
- TFE now uses IAM auth instead of password auth
- TLS must be enabled to support IAM token authentication
AWS Configuration Required
Step 1: Create an IAM-Enabled Redis User
```shell
aws elasticache create-user \
  --user-name iam-redis \
  --user-id iam-redis \
  --authentication-mode Type=iam \
  --engine redis \
  --access-string "on ~* +@all"
```
The access string above grants every command on every key; once the cut-over works, tighten it to the commands and key patterns TFE actually needs.
Step 2: Attach the User to a Redis User Group
```shell
aws elasticache create-user-group \
  --user-group-id tfe-redis-ug \
  --engine redis \
  --user-ids default iam-redis
```
Every ElastiCache user group must contain a user named `default`. The built-in `default` user requires no password, so in production create your own user named `default` (with a different user id) whose access is disabled or password-protected, and put that one in the group instead.
Step 3: Attach the User Group to the Redis Replication Group
```shell
aws elasticache modify-replication-group \
  --replication-group-id instance-name \
  --user-group-ids-to-add tfe-redis-ug \
  --apply-immediately
```
The replication group must already have in-transit encryption enabled and run Redis OSS 7.0 or later, otherwise the IAM-enabled user cannot authenticate.
On EKS, attach the following policy to the IAM role that Terraform Enterprise's pods assume. Attaching it to the node group role (the simplest match for `TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE: "true"`) grants every pod on those nodes the right to connect; a role scoped to the TFE service account is the tighter option where your credential setup allows it.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "elasticache:Connect",
      "Resource": [
        "arn:aws:elasticache:us-west-1:186XXXXXXXXX:replicationgroup:instance-name",
        "arn:aws:elasticache:us-west-1:186XXXXXXXXX:user:iam-redis"
      ]
    }
  ]
}
```
The first ARN is the Redis replication group, the second is the Redis user. The region, account id, replication group id and user id must match the values used in the TFE configuration and in the CLI steps above; `elasticache:Connect` on only these two resources is the least privilege the client needs.
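Since the CLI steps, the policy and the TFE environment all have to agree on the same identifiers, a pre-flight check is worth running before the cut-over. The following added example (not TFE or AWS code) checks the JSON that `aws elasticache describe-replication-groups`, `describe-users` and `describe-user-groups` return, plus the TFE environment, against the requirements above, and renders the `elasticache:Connect` policy for the same identifiers. The responses below are constructed and trimmed to the fields checked; the ids, region and masked account number are the placeholders from this page, and the check that `TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME` equals the replication group id assumes what the page's values imply.

```python
"""Added example: pre-flight checks and least-privilege policy for the
TFE -> ElastiCache IAM-auth cut-over. Not TFE or AWS code."""
import json

REGION, ACCOUNT = "us-west-1", "186XXXXXXXXX"  # placeholders; account id masked
RG_ID, USER_ID, GROUP_ID = "instance-name", "iam-redis", "tfe-redis-ug"

# Constructed responses, shaped like the fields the three describe-* calls return
REPLICATION_GROUP = {"ReplicationGroupId": RG_ID, "TransitEncryptionEnabled": True,
                     "AtRestEncryptionEnabled": True, "UserGroupIds": [GROUP_ID]}
USER = {"UserId": USER_ID, "UserName": USER_ID, "Engine": "redis",
        "AccessString": "on ~* +@all", "Authentication": {"Type": "iam"}}
USER_GROUP = {"UserGroupId": GROUP_ID, "Engine": "redis", "UserIds": ["default", USER_ID]}
TFE_ENV = {  # the "after" configuration from this page
    "TFE_REDIS_HOST": "redis_hostname:6379",
    "TFE_REDIS_USER": USER_ID,
    "TFE_REDIS_USE_TLS": "true",
    "TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE": "true",
    "TFE_REDIS_PASSWORDLESS_AWS_REGION": REGION,
    "TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME": RG_ID,
    "TFE_REDIS_PASSWORDLESS_AWS_SERVICE_NAME": "elasticache",
}


def connect_policy(region, account, replication_group, user_id):
    """Least-privilege policy: Connect only as this user, only to this cache."""
    arn = f"arn:aws:elasticache:{region}:{account}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "elasticache:Connect",
        "Resource": [f"{arn}:replicationgroup:{replication_group}",
                     f"{arn}:user:{user_id}"]}]}


def preflight(rg, user, group, env, region):
    """Return findings ('FAIL: ...' blocks the cut-over, 'WARN: ...' does not)."""
    findings = []
    if not rg.get("TransitEncryptionEnabled"):
        findings.append("FAIL: in-transit encryption is off; IAM tokens are only accepted over TLS")
    if user.get("Authentication", {}).get("Type") != "iam":
        findings.append(f"FAIL: user {user['UserId']} is not IAM-authenticated")
    if group["UserGroupId"] not in rg.get("UserGroupIds", []):
        findings.append(f"FAIL: user group {group['UserGroupId']} is not attached to {rg['ReplicationGroupId']}")
    if user["UserId"] not in group.get("UserIds", []):
        findings.append(f"FAIL: user {user['UserId']} is not in group {group['UserGroupId']}")
    if "default" not in group.get("UserIds", []):
        findings.append("FAIL: every ElastiCache user group must contain a user named default")
    if "+@all" in user.get("AccessString", ""):
        findings.append("WARN: access string grants +@all; scope the ACL to what TFE needs")
    if env.get("TFE_REDIS_PASSWORD"):
        findings.append("FAIL: TFE_REDIS_PASSWORD is still set; remove the static secret")
    if env.get("TFE_REDIS_USE_TLS") != "true":
        findings.append('FAIL: TFE_REDIS_USE_TLS must be "true"')
    if env.get("TFE_REDIS_PASSWORDLESS_AWS_REGION") != region:
        findings.append("FAIL: TFE region differs from the region in the Connect policy ARNs")
    # Assumption: HOST_NAME carries the replication group id the token is signed for
    if env.get("TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME") != rg["ReplicationGroupId"]:
        findings.append("FAIL: TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME differs from the replication group id")
    if env.get("TFE_REDIS_USER") != user["UserName"]:
        findings.append("FAIL: TFE_REDIS_USER does not match the IAM-enabled Redis user")
    return findings


if __name__ == "__main__":
    print(json.dumps(connect_policy(REGION, ACCOUNT, RG_ID, USER_ID), indent=2))
    for finding in preflight(REPLICATION_GROUP, USER, USER_GROUP, TFE_ENV, REGION):
        print(finding)
```

Run against the page's own values the only finding is the `+@all` warning; feeding it a replication group without in-transit encryption, or an environment that still carries `TFE_REDIS_PASSWORD` or a different region than the policy, produces blocking failures, which is exactly the class of mismatch that otherwise surfaces as an opaque AUTH error at the first TFE start.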
IAM authentication requires:
- Redis OSS engine 7.0 or later
- Redis in-transit encryption (TLS) enabled, since the token is only accepted over an encrypted connection
- Redis at-rest encryption enabled
Terraform Enterprise now connects to Redis:
- without storing credentials
- without manual password rotation
- without exposing secrets in configuration or on the wire
- with short-lived IAM auth tokens signed by its own IAM role
This approach aligns with zero-trust and secretless architectures and removes the administrative and security burden of static credential management.
Reference Links
AWS Documentation
- ElastiCache IAM Authentication Overview: https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/IAM.auth.html
- ElastiCache Identity-Based Policies (elasticache:Connect): https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/IAM.IdentityBasedPolicies.html
HashiCorp Documentation
- TFE Configuration Reference (Environment Variables): https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/reference-architecture#configuration