Elasticache with IAM Authentication authenticate Faild

[mappei]

Background

We have enabled IAM authentication for our Replication Group, but now we need to connect to it using a Ruby script. According to the documentation, we need to generate a signature. However, when I tried implementing the same method in Ruby, the authentication failed and returned an error.

Details about generating the token

the following code to generate a token:

def generate_token(elasticache_name, connect_user, credentials, region)
  signer = Aws::Sigv4::Signer.new(
    service: 'elasticache',
    region: "#{region}",
    credentials_provider: credentials
  )
  query_params = {
    "Action" => "connect",
    "User" => connect_user
  }
  uri = URI("http://#{elasticache_name}/")
  uri.query = URI.encode_www_form(query_params)

  signer.presign_url(
    http_method: 'GET',
    url: uri.to_s,
    expires_in: 3600,
    headers: {
      "host" => elasticache_name,
    }
  ).to_s.sub('http://', '')
end

The result has the following approximate structure:

replication_group_name/?Action=connect&User=elastcache_user&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA3......&X-Amz-Date=20250120T033239Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEKT%2.....&X-Amz-SignedHeaders=host&X-Amz-Signature=b34575843caf15f8b9.....

Connect to replication group use redis-rb client

redis = Redis.new(
        host: redis_host,
        port: redis_port,
        ssl: true,
        password: token,
        username: elasticache_user
      )
redis.ping

What happened

However, after running the code, I encountered an error with the following message:

WRONGPASS invalid username-password pair or user is disabled.

Some additional tests

When I generate a token using Java code and use it in the redis-rb client to connect, the connection is successful. Therefore, it can be inferred that the issue lies with the token generated by Ruby.

There might be something wrong with how I'm using it, but I'm not sure how to fix it. Could you please review my approach and point out any issues?

Best wishes~~

[alextwoods]

Have you tried using a shorter expires in, like 900 instead of the 3600?
Additionally, you may want to try not adding the host header.

Whats the structure of the token generated by java and is there anything different about it?

[mullermp]

Yes, if you are able to post both strings, it would be easier to debug.

[mappei]

I tried changing the expiration time from 3600 seconds to 900 seconds, and I’m very happy that it is now working properly and successfully connecting to ElastiCache!

This is a very detailed modification. The Java implementation was generated by referring to the AWS official sample, this made me overlook this detail.

Previously, I also tried printing the token and comparing the results generated by Java and Ruby. The query parameters in the final URL were the same, but the values were different. This caused me to overlook the potential impact of the expiration time.

I have another question. The documentation states that the maximum expiration time is one week (604800 seconds). In theory, setting it to 3600 seconds should also work, but the authentication still fails.

Or there might be some other restrictions causing the authentication failure. Could you provide some guidance or assistance?

Thank you all again for your help! This issue had been troubling me for a long time, and it's finally resolved! 😊

[mappei]

Additionally, I want to mention that when I changed the expiration time to 3600 seconds in the Java code, I encountered the same issue. The url was successfully generated, but authentication failed.

[alextwoods]

Glad that suggestion worked!

Expiration time on presigned URLs is a bit tricky and usually needs to consider both the expiration time of the credentials and the security posture of the service. Our utilities to generate presigned URLs are fairly permissive and I think one week may be the absolute maximum time accepted anywhere, but individual services may enforce lower limits. I'll look at updating our documentation to make that more clear.