|
| 1 | +--- |
| 2 | +categories: |
| 3 | +- docs |
| 4 | +- develop |
| 5 | +- stack |
| 6 | +- oss |
| 7 | +- rs |
| 8 | +- rc |
| 9 | +- oss |
| 10 | +- kubernetes |
| 11 | +- clients |
| 12 | +description: Learn how to authenticate to an Azure Managed Redis (AMR) database |
| 13 | +linkTitle: Connect to AMR |
| 14 | +title: Connect to Azure Managed Redis |
| 15 | +weight: 2 |
| 16 | +--- |
| 17 | + |
| 18 | +The [`redis-authx-entraid`](https://github.com/redis/jvm-redis-authx-entraid) package |
| 19 | +lets you authenticate your app to |
| 20 | +[Azure Managed Redis (AMR)](https://azure.microsoft.com/en-us/products/managed-redis) |
| 21 | +using [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/). |
| 22 | +You can authenticate using a system-assigned or user-assigned |
| 23 | +[managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) |
| 24 | +or a [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals), |
| 25 | +letting `redis-authx-entraid` fetch and renew the authentication tokens for you automatically. |
| 26 | + |
| 27 | +## Install |
| 28 | + |
| 29 | +Install [`lettuce`]({{< relref "/develop/clients/lettuce" >}}) first, |
| 30 | +if you have not already done so. |
| 31 | + |
| 32 | +If you are using Maven, add |
| 33 | +the following dependency to your `pom.xml` file: |
| 34 | + |
| 35 | +```xml |
| 36 | +<dependency> |
| 37 | + <groupId>redis.clients.authentication</groupId> |
| 38 | + <artifactId>redis-authx-entraid</artifactId> |
| 39 | + <version>0.1.1-beta1</version> |
| 40 | +</dependency> |
| 41 | +``` |
| 42 | + |
| 43 | +If you are using Gradle, add the following dependency to your |
| 44 | +`build.gradle` file: |
| 45 | + |
| 46 | +```bash |
| 47 | +implementation 'redis.clients.authentication:redis-authx-entraid:0.1.1-beta1' |
| 48 | +``` |
| 49 | + |
| 50 | +## Create a `TokenAuthConfig` instance |
| 51 | + |
| 52 | +The `TokenAuthConfig` class contains the authentication details that you |
| 53 | +must supply when you connect to Redis. Chain the methods of the |
| 54 | +`EntraIDTokenAuthConfigBuilder` class together (starting with the `builder()` |
| 55 | +method) to include the details you need, as shown in the following example: |
| 56 | + |
| 57 | +```java |
| 58 | +TokenAuthConfig authConfig = EntraIDTokenAuthConfigBuilder.builder() |
| 59 | + .secret("<secret>") |
| 60 | + .authority("<authority>") |
| 61 | + // Other options... |
| 62 | + .build(); |
| 63 | +``` |
| 64 | + |
| 65 | +Some of the details you can supply are common to different use cases: |
| 66 | + |
| 67 | +- `secret()`: A string containing the [authentication secret](https://learn.microsoft.com/en-us/purview/sit-defn-azure-ad-client-secret). |
| 68 | +- `authority()`: A string containing the [authority](https://learn.microsoft.com/en-us/entra/identity-platform/msal-client-application-configuration#authority) |
| 69 | + URL. |
| 70 | +- `scopes()`: A set of strings defining the [scopes](https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc) |
| 71 | + you want to apply. |
| 72 | + |
| 73 | +You can also add configuration to authenticate with a [service principal](#serv-principal) |
| 74 | +or a [managed identity](#mgd-identity) as described in the sections below. |
| 75 | + |
| 76 | +### Configuration for a service principal {#serv-principal} |
| 77 | + |
| 78 | +Add `clientId()` to the `EntraIDTokenAuthConfigBuilder` chain to specify |
| 79 | +authentication via a service principal, passing the ID token string as |
| 80 | +a parameter. (See the |
| 81 | +[Microsoft EntraID docs](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals) |
| 82 | +for more information about service principals.) |
| 83 | + |
| 84 | +```java |
| 85 | +TokenAuthConfig authConfig = EntraIDTokenAuthConfigBuilder.builder() |
| 86 | + .clientId("<CLIENT-ID>") |
| 87 | + // ... |
| 88 | + .build(); |
| 89 | +``` |
| 90 | + |
| 91 | +### Configuration for a managed identity {#mgd-identity} |
| 92 | + |
| 93 | +You can also authenticate to AMR using a managed identity (see the |
| 94 | +[Microsoft documentation](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) to learn more about managed identities). |
| 95 | + |
| 96 | +For a system assigned managed identity, simply add the `systemAssignedManagedIdentity()` |
| 97 | +method to the `EntraIDTokenAuthConfigBuilder` chain: |
| 98 | + |
| 99 | +```java |
| 100 | +TokenAuthConfig authConfig = EntraIDTokenAuthConfigBuilder.builder() |
| 101 | + .systemAssignedManagedIdentity() |
| 102 | + // ... |
| 103 | + .build(); |
| 104 | +``` |
| 105 | + |
| 106 | +For a user assigned managed identity, add `userAssignedManagedIdentity()`. This |
| 107 | +requires a member of the `UserManagedIdentityType` enum (to select a |
| 108 | +`CLIENT_ID`, `OBJECT_ID`, or `RESOURCE_ID`) as well as the `id` string itself: |
| 109 | + |
| 110 | +```java |
| 111 | +TokenAuthConfig authConfig = EntraIDTokenAuthConfigBuilder.builder() |
| 112 | + .userAssignedManagedIdentity( |
| 113 | + UserManagedIdentityType.CLIENT_ID, |
| 114 | + "<ID>" |
| 115 | + ) |
| 116 | + // ... |
| 117 | + .build(); |
| 118 | + |
| 119 | +``` |
| 120 | + |
| 121 | +## Connect using the `withAuthentication()` option |
| 122 | + |
| 123 | +When you have created your `TokenAuthConfig` instance, you are ready to |
| 124 | +connect to AMR. |
| 125 | +The example below shows how to include the `TokenAuthConfig` details in a |
| 126 | +`TokenBasedRedisCredentialsProvider` instance and pass it to the `RedisURI.Builder` |
| 127 | +using the `withAuthentication()` option. |
| 128 | + |
| 129 | +{{< note >}} Azure requires you to use |
| 130 | +[Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security) |
| 131 | +when you connect, as shown in the example. |
| 132 | +{{< /note >}} |
| 133 | + |
| 134 | +```java |
| 135 | +TokenAuthConfig authConfig = EntraIDTokenAuthConfigBuilder.builder() |
| 136 | + // Chain of options... |
| 137 | + .build(); |
| 138 | + |
| 139 | +TokenBasedRedisCredentialsProvider credentialsProvider = |
| 140 | + TokenBasedRedisCredentialsProvider.create(tokenAuthConfig); |
| 141 | + |
| 142 | +RedisURI uri = RedisURI.Builder.redis("<host>", <port>) |
| 143 | + .withAuthentication(credentialsProvider) |
| 144 | + .withSsl(true) |
| 145 | + .build(); |
| 146 | + |
| 147 | +RedisClient client = RedisClient.create(uri); |
| 148 | + |
| 149 | +SslOptions sslOptions = SslOptions.builder().jdkSslProvider() |
| 150 | + .truststore(new File( |
| 151 | + "<path_to_truststore.jks_file>"), |
| 152 | + "<password_for_truststore.jks_file>" |
| 153 | + ) |
| 154 | + .build(); |
| 155 | + |
| 156 | +client.setOptions(ClientOptions.builder() |
| 157 | + .sslOptions(sslOptions) |
| 158 | + .build()); |
| 159 | + |
| 160 | +StatefulRedisConnection<String, String> connection = client.connect(); |
| 161 | +RedisAsyncCommands<String, String> asyncCommands = connection.async(); |
| 162 | + |
| 163 | +// Test the connection. |
| 164 | +CompletableFuture<Void> testDBSize = asyncCommands.dbsize() |
| 165 | + .thenAccept(r -> { |
| 166 | + System.out.println(String.format("Database size: %d", r)); |
| 167 | + }) |
| 168 | + .toCompletableFuture(); |
| 169 | + |
| 170 | +testDBSize.join(); |
| 171 | +``` |
0 commit comments