Redis Standalone Credentials
For standalone Redis instances, the collector uses redis_url only for the host, port, and TLS scheme. Authentication comes from credentials.password or the REDIS_PASSWORD environment variable.
Standalone deployments do not currently support configuring a Redis ACL username. When a password is provided, the collector authenticates as the default ACL user.
Method 1: credentials.password
Use the credentials section to configure authentication:
```yaml
deployments:
  - id: "redis-prod"
    name: "Production Redis"
    type: "standalone"
    redis_url: "redis://localhost:6379"
    credentials:
      password: "${REDIS_PASSWORD}"
```
Method 2: REDIS_PASSWORD Environment Variable
If credentials.password is omitted, the collector falls back to REDIS_PASSWORD:
```yaml
deployments:
  - id: "redis-prod"
    name: "Production Redis"
    type: "standalone"
    redis_url: "redis://localhost:6379"
```
```bash
export REDIS_PASSWORD="your-secure-password"
```
Method 3: TLS Endpoint Configuration
Use rediss:// in redis_url for secure connections and keep the password in credentials.password:
```yaml
deployments:
  - id: "redis-tls"
    name: "Redis with TLS"
    type: "standalone"
    redis_url: "rediss://localhost:6380"
    credentials:
      password: "${REDIS_PASSWORD}"
```
Redis ACL Limitations
Standalone deployments currently authenticate as the default ACL user only. If your Redis instance requires a non-default ACL username, standalone monitoring is not supported yet.
Default User Permissions
For Redis instances with ACL support (Redis 6+), grant the default user the minimum commands required by the collector:
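```bash
# Connect to Redis
redis-cli
# Configure the default user with the required permissions.
# ${SECURE_PASSWORD} is a placeholder: redis-cli does not expand shell variables.
# The rule is wrapped here for readability; enter it as a single command.
ACL SETUSER default on >${SECURE_PASSWORD} \
+info +ping +config|get +client|list +memory|usage +latency \
+@read ~* &*
# Verify the user. SETUSER adds rules to those the user already has,
# so check which rules are actually in effect.
ACL LIST
```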
Or without a password (not recommended for production):
```bash
ACL SETUSER default on nopass \
+info +ping +config|get +client|list +memory|usage +latency \
+@read ~* &*
```
Required Permissions
The default ACL user needs these Redis permissions:
| Command Category | Commands | Purpose |
|---|---|---|
| Server Info | `+info`, `+ping` | Basic server information and health |
| Configuration | `+config\|get` | Redis configuration settings |
| Client Info | `+client\|list` | Active connection information |
| Memory | `+memory\|usage` | Memory usage statistics |
| Performance | `+latency` | Latency monitoring data |
| Data Access | `+@read`, `~*` | Read access to all keys for sampling |
| Pub/Sub | `&*` | Access to all pub/sub channels |
Minimal ACL Rule
For the most restrictive setup:
```bash
ACL SETUSER default on >${PASSWORD} \
+info +ping +config|get +client|list +memory|usage +latency \
+@read ~* &*
```
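An added example, not part of the collector or its documentation: ACL SETUSER applies rules on top of those the user already has, and Redis creates the default user with +@all, so this Python script reads ACL LIST output and reports where the default user differs from the grants in the table above. The sample lines and the `<hash>` placeholder are constructed, and categories are compared by name rather than expanded into commands.

```python
# Grants listed in the page's Required Permissions table.
DOCUMENTED = {"+info", "+ping", "+config|get", "+client|list",
              "+memory|usage", "+latency", "+@read"}

def effective_grants(rules):
    """Apply command rules left to right, as Redis does (simplified:
    categories are compared by name, not expanded into commands)."""
    grants, all_commands = set(), False
    for rule in rules:
        if rule in ("+@all", "allcommands"):
            all_commands = True
        elif rule in ("-@all", "nocommands"):
            grants, all_commands = set(), False
        elif rule.startswith("+"):
            grants.add(rule)
        elif rule.startswith("-"):
            grants.discard("+" + rule[1:])
    return grants, all_commands

def audit_default_user(acl_list_lines):
    """Return findings for the 'default' user in ACL LIST output lines."""
    for line in acl_list_lines:
        tokens = line.split()
        if tokens[:2] == ["user", "default"]:
            break
    else:
        return ["default user not found"]
    rules = tokens[2:]
    findings = []
    if "off" in rules:
        findings.append("user is off: the collector cannot authenticate")
    if "nopass" in rules:
        findings.append("nopass: any password is accepted")
    grants, all_commands = effective_grants(rules)
    if all_commands:
        findings.append("+@all in effect: every command is allowed")
    else:
        findings += [f"missing documented grant {g}" for g in sorted(DOCUMENTED - grants)]
    findings += [f"grant outside documented set {g}" for g in sorted(grants - DOCUMENTED)]
    return findings

# Constructed sample lines (the hash is a placeholder, not real output).
OPEN = ["user default on nopass ~* &* +@all"]
ADDITIVE = ["user default on #<hash> ~* &* +@all +info +ping +@read"]
SCOPED = ["user default on #<hash> ~* &* -@all +info +ping +config|get "
          "+client|list +memory|usage +latency +@read"]

if __name__ == "__main__":
    for name, sample in (("open", OPEN), ("additive", ADDITIVE), ("scoped", SCOPED)):
        print(name, audit_default_user(sample) or "matches documented set")
```
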
TLS/SSL Configuration
For secure connections, use rediss:// URLs:
```yaml
deployments:
  - id: "redis-tls"
    name: "Redis with TLS"
    type: "standalone"
    redis_url: "rediss://localhost:6380"
    credentials:
      password: "${REDIS_PASSWORD}"
```
Environment Variables
Store sensitive information in environment variables:
```bash
# Set environment variables
export REDIS_PASSWORD="your-secure-password"
export REDIS_HOST="redis.example.com"
export REDIS_PORT="6379"
```
Reference them in configuration:
```yaml
deployments:
  - id: "redis-prod"
    name: "Production Redis"
    type: "standalone"
    redis_url: "redis://${REDIS_HOST}:${REDIS_PORT}"
    credentials:
      password: "${REDIS_PASSWORD}"
  - id: "redis-replica"
    name: "Redis Replica"
    type: "standalone"
    redis_url: "redis://${REDIS_HOST_REPLICA}:6379"
    credentials:
      password: "${REDIS_REPLICA_PASSWORD}"
```
Testing Credentials
Validate your credentials using the validation command:
```bash
# Validate all deployments
radar-collector --validate
# Validate specific deployment connectivity
radar-collector validate --deployment redis-prod
# Test collection from a specific deployment
radar-collector test --deployment redis-prod
```
Security Best Practices
- Avoid admin credentials - Use a dedicated password with least-privilege ACLs on the default user
- Apply least privilege - Only grant necessary permissions
- Use environment variables - Don’t hardcode credentials in config files
- Enable TLS - Use rediss:// URLs for encrypted connections
- Rotate credentials - Regularly update passwords and API keys
- Monitor access - Review Redis logs for authentication events