Redis Standalone Credentials
For standalone Redis instances, you can configure authentication in several ways.
Method 1: URL-based Authentication
Include credentials directly in the Redis URL:
deployments:
- id: "redis-prod"
name: "Production Redis"
deployment_type: "standalone"
redis_url: "redis://username:password@localhost:6379"
Method 2: Separate Credentials
Use the credentials section for better security:
deployments:
- id: "redis-prod"
name: "Production Redis"
deployment_type: "standalone"
redis_url: "redis://localhost:6379"
credentials:
username: "radar-collector"
password: "${REDIS_PASSWORD}"
Method 3: Environment Variables in URL
Combine URL format with environment variable expansion:
deployments:
- id: "redis-prod"
name: "Production Redis"
deployment_type: "standalone"
redis_url: "redis://${REDIS_USER}:${REDIS_PASSWORD}@${REDIS_HOST}:6379"
Redis ACL Setup
Creating a Monitoring User
For Redis instances with ACL support (Redis 6+), create a dedicated monitoring user:
# Connect to Redis
redis-cli
# Create user with read-only permissions
ACL SETUSER radar-collector on >${SECURE_PASSWORD} \
+info +ping +config|get +client|list +memory|usage +latency \
+@read ~* &*
# Verify the user
ACL LIST
Or without a password (not recommended for production):
ACL SETUSER radar-collector on nopass \
+info +ping +config|get +client|list +memory|usage +latency \
+@read ~* &*
Required Permissions
The radar-collector user needs these Redis permissions:
| Command Category | Commands | Purpose |
|---|---|---|
| Server Info | +info, +ping | Basic server information and health |
| Configuration | +config|get | Redis configuration settings |
| Client Info | +client|list | Active connection information |
| Memory | +memory|usage | Memory usage statistics |
| Performance | +latency | Latency monitoring data |
| Data Access | +@read, ~* | Read access to all keys for sampling |
| Pub/Sub | &* | Access to all pub/sub channels |
Minimal ACL Rule
For the most restrictive setup:
ACL SETUSER radar-collector on >${PASSWORD} \
+info +ping +config|get +client|list +memory|usage +latency \
+@read ~* &*
TLS/SSL Configuration
For secure connections, use rediss:// URLs:
deployments:
- id: "redis-tls"
name: "Redis with TLS"
deployment_type: "standalone"
redis_url: "rediss://username:password@localhost:6380"
Environment Variables
Store sensitive information in environment variables:
# Set environment variables
export REDIS_PASSWORD="your-secure-password"
export REDIS_HOST="redis.example.com"
export REDIS_PORT="6379"
Reference them in configuration:
deployments:
- id: "redis-prod"
name: "Production Redis"
deployment_type: "standalone"
redis_url: "redis://radar-collector:${REDIS_PASSWORD}@${REDIS_HOST}:${REDIS_PORT}"
- id: "redis-replica"
name: "Redis Replica"
deployment_type: "standalone"
redis_url: "redis://${REDIS_HOST_REPLICA}:6379"
credentials:
username: "radar-collector"
password: "${REDIS_REPLICA_PASSWORD}"
Testing Credentials
Validate your credentials using the validation command:
# Test all deployments
radar-collector validate
# Test specific deployment
radar-collector validate --deployment-id redis-prod
# Test with connection attempts
radar-collector validate --test-connections
Security Best Practices
- Use dedicated monitoring users - Don't use admin credentials
- Apply least privilege - Only grant necessary permissions
- Use environment variables - Don't hardcode credentials in config files
- Enable TLS - Use
rediss://URLs for encrypted connections - Rotate credentials - Regularly update passwords and API keys
- Monitor access - Review Redis logs for authentication events