PingAuthorize

Configuring Trust Framework attribute caching for production

For higher environments, including testing and production, you can define an external attribute cache for the Trust Framework.

With the Policy Decision Service set to embedded policy decision point (PDP) mode, the PingAuthorize Server is configured by default to cache attribute values in memory (for any attributes with a defined caching strategy). Alternatively, you can define an external attribute cache using the following Redis modes:

  • Single Redis instance

  • Single Redis instance using TLS

  • Replicated Redis

  • Redis Sentinel

  • Amazon Web Services (AWS) ElastiCache Redis

AWS IAM authentication for ElastiCache Redis

When AWS Identity and Access Management (IAM) authentication is configured, the PDP obtains short-lived authentication tokens from AWS through SigV4 signing and uses them as the Redis AUTH password on every connection.

  • The authentication tokens refresh automatically before they expire.

  • TLS is enforced whenever IAM authentication is configured, because ElastiCache requires in-transit encryption for IAM-authenticated connections and rejects unencrypted AUTH requests.

  • AWS credentials are resolved from the standard AWS SDK provider chain, for example: environment variables, a shared credentials file, AWS IAM roles for service accounts (IRSA), or AWS Instance Metadata Service (IMDS).
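The token construction and refresh behaviour described above, as an added Python example (not PingAuthorize code): it presigns the ElastiCache connect request with SigV4 query-string authentication using only the standard library, strips the scheme to obtain the string used as the Redis AUTH password, and decides when a cached token should be re-signed. The replication group ID, user ID, region, access key and secret key are constructed dummy values, the clock is fixed so the output is reproducible, and the request shape (GET http://<replication-group-id>/?Action=connect&User=<user-id>, service name elasticache, 900-second lifetime) follows the AWS ElastiCache IAM documentation rather than anything on this page; validate a generated token against a real cluster before relying on it.

```python
# Added example, not PingAuthorize code. Stdlib-only SigV4 presigning of the
# ElastiCache "connect" action, plus the refresh decision a client must make.
# Assumed (not from the page): request shape per AWS ElastiCache IAM docs,
# dummy credentials and a fixed clock below.
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote

SERVICE = "elasticache"
ALGORITHM = "AWS4-HMAC-SHA256"
TOKEN_TTL_SECONDS = 900  # ElastiCache IAM tokens are valid for at most 15 minutes

# Constructed inputs: dummy IAM credentials and a fixed clock so output is reproducible.
EXAMPLE_NOW = dt.datetime(2024, 1, 2, 3, 4, 5, tzinfo=dt.timezone.utc)
DUMMY_ACCESS_KEY = "AKIAEXAMPLE"
DUMMY_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret_key: str, date: str, region: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac_sha256(("AWS4" + secret_key).encode(), date)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, SERVICE)
    return _hmac_sha256(k, "aws4_request")


def build_auth_token(replication_group_id, user_id, region, access_key, secret_key,
                     now, session_token=None):
    """Presign GET http://<replication-group-id>/?Action=connect&User=<user-id> with
    SigV4 query-string auth and return the URL without its scheme: that string is
    what gets sent as the Redis AUTH password."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    params = {
        "Action": "connect",
        "User": user_id,
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials (IRSA, instance roles) carry a session token
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, RFC 3986 encoding ('/' in the credential becomes %2F)
    canonical_qs = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    host = replication_group_id
    canonical_request = "\n".join([
        "GET",
        "/",
        canonical_qs,
        f"host:{host}\n",                  # canonical headers, terminated by a blank line
        "host",                            # signed headers
        hashlib.sha256(b"").hexdigest(),   # hash of the empty payload
    ])
    string_to_sign = "\n".join([
        ALGORITHM,
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}/?{canonical_qs}&X-Amz-Signature={signature}"


def needs_refresh(token: str, now, margin_seconds: int = 60) -> bool:
    """True when the token expires within margin_seconds: re-sign before the next
    (re)connect instead of risking a WRONGPASS on an expired token."""
    qs = parse_qs(token.split("?", 1)[1])
    issued = dt.datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(
        tzinfo=dt.timezone.utc)
    expires_at = issued + dt.timedelta(seconds=int(qs["X-Amz-Expires"][0]))
    return (expires_at - now).total_seconds() <= margin_seconds


def demo():
    """Walk through one token's life with the constructed inputs above."""
    token = build_auth_token("my-replication-group-id", "my-elasticache-iam-user",
                             "us-east-1", DUMMY_ACCESS_KEY, DUMMY_SECRET_KEY, EXAMPLE_NOW)
    return {
        "token": token,
        "fresh_after_800s": not needs_refresh(token, EXAMPLE_NOW + dt.timedelta(seconds=800)),
        "stale_after_850s": needs_refresh(token, EXAMPLE_NOW + dt.timedelta(seconds=850)),
    }


if __name__ == "__main__":
    print(demo())
```

The signed part covers only the host (the replication group ID) and the query string, so a token for one replication group or user cannot be replayed against another, and the X-Amz-Date/X-Amz-Expires pair bounds its lifetime; a 60-second refresh margin keeps reconnects from racing the expiry.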

To configure IAM authentication for ElastiCache, make sure the IAM principal running the PDP has the following permissions:

  • elasticache:Connect scoped to the user and replication group Amazon Resource Names (ARNs).

  • elasticache:DescribeCacheClusters to enable node discovery.

    Learn more in Using identity-based policies for ElastiCache in the AWS documentation.

    Example IAM policy
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "elasticache:Connect",
          "Resource": [
            "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:my-replication-group-id",
            "arn:aws:elasticache:us-east-1:123456789012:user:my-elasticache-iam-user"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "elasticache:DescribeCacheClusters",
          "Resource": "*"
        }
      ]
    }

IAM authentication failures surface as Policy Decision Service or attribute cache errors rather than as an explicit IAM error. Learn more about how to diagnose and resolve them in Troubleshooting AWS IAM authentication issues.

You can configure the external attribute cache using the admin console or dsconfig.

Admin console

Before you begin

To successfully assign an external Redis attribute cache to the Policy Decision Service, you must set PDP Mode to Embedded.

Steps

  1. In the PingAuthorize admin console, go to Configuration > Authorization and Policies > External Attribute Caches.

  2. Click New External Attribute Cache and select your desired Redis mode from the list.

  3. Enter the required values, as indicated by a red asterisk. Hover over the question mark icon next to a field for more information about it.

  4. (Optional) To configure IAM authentication for Redis ElastiCache, select the Use Iam Auth checkbox, and then, in the Username field, enter the ElastiCache user ID. AWS requires an exact match between these values when IAM authentication is enabled.

    Leave the Password field empty. IAM mode replaces the static Redis password with a short-lived SigV4-signed token that is used as the Redis AUTH password on each connection.

  5. Click Save.
  6. Go to Configuration > Authorization and Policies > Policy Decision Service.

  7. In the Trust Framework Attribute Cache Configuration section, in the External Attribute Cache list, select the Redis cache you saved in step 5.

  8. Click Save.

Result

The external attribute cache is now configured and attached to the Policy Decision Service. No server restart is required.

dsconfig

To create a Redis external attribute cache using dsconfig, run the dsconfig create-external-attribute-cache command with the --type flag to specify the cache type:

  • redis-single-instance

  • redis-replicated

  • redis-elasticache

  • redis-sentinel

The following --set properties are available. Required properties vary by cache type.

Available --set properties
Option Required Description

redis-node-addresses

Required when --type is redis-single-instance or redis-replicated.

A comma-separated list of Redis node addresses.

redis-sentinel-addresses

Required when --type is redis-sentinel.

A comma-separated list of Redis sentinel node addresses.

redis-replication-group-id

Required when --type is redis-elasticache.

The AWS ElastiCache replication group ID.

redis-master-name

Required when --type is redis-sentinel.

The name of the master node.

redis-database-index

Optional when --type is redis-sentinel.

The database index for the Redis connection. Default value is 0.

redis-scan-interval

Optional when --type is redis-sentinel.

The Redis cluster scan interval in milliseconds. Default value is 1000.

check-sentinel-list

Optional when --type is redis-sentinel.

Enables the sentinels list check during startup. Default value is false.

username

Optional

The username for AUTH token authentication. Only applicable when AUTH token authentication is enabled in the Redis provider.

When use-iam-auth is true, username must match the ElastiCache user ID exactly.

password

Optional

The password for AUTH token authentication. Only applicable when AUTH token authentication is enabled in the Redis provider.

Don’t set a password when use-iam-auth is true.

use-iam-auth

Optional when --type is redis-elasticache.

Set to true to use AWS IAM authentication (SigV4-signed tokens) instead of a static password. Default value is false.

Before you begin

Before assigning the cache to the Policy Decision Service in step 2, make sure that:

  • The pdp-mode property is set to embedded.

  • The deployment-package-source-type property is set to store or static-file.

    • If the deployment-package-source-type property is set to store, the deployment-package-store property must resolve to a valid deployment package store.

    • If the deployment-package-source-type property is set to static-file, the deployment-package-store property must resolve to a valid deployment package.

Steps

  1. Create the external attribute cache with the dsconfig create-external-attribute-cache command, using one of the following authentication methods:

    • Static password: Set the username and password properties to the appropriate values.

      $ dsconfig create-external-attribute-cache \
        --cache-name 'Single Instance' \
        --type redis-single-instance \
        --set redis-node-addresses:redis://localhost:6379 \
        --set username:<your-redis-username> \
        --set password:<your-redis-password>
    • IAM authentication (ElastiCache only):

      1. Set the username property to the ElastiCache User ID. AWS requires an exact match between these values when IAM authentication is enabled.

        Don’t set a value for the password property. IAM mode replaces the static Redis password with a short-lived SigV4-signed token that is used as the Redis AUTH password on each connection.

      2. Set the use-iam-auth property to true.

        $ dsconfig create-external-attribute-cache \
          --cache-name 'ElastiCache IAM' \
          --type redis-elasticache \
          --set redis-replication-group-id:<your-replication-group-id> \
          --set username:<your-elasticache-iam-user> \
          --set use-iam-auth:true
  2. Assign the defined external attribute cache to the Policy Decision Service:

    $ dsconfig set-policy-decision-service-prop \
      --set 'external-attribute-cache:<cache-name>'

Result

The external attribute cache is now configured and attached to the Policy Decision Service. No server restart is required.

Migrating from static to IAM authentication

PDPs that target the same replication group can mix static and IAM authentication because each PDP resolves its own configuration independently. This supports a phased migration approach:

  1. In AWS, create a new ElastiCache user with authentication type set to IAM, and add it to the same user group as the existing static user.

  2. Migrate PDPs from static authentication to IAM authentication one at a time.

  3. After updating each PDP, confirm it’s connecting successfully before migrating the next one. Check for pdp-unavailable alerts or WRONGPASS errors in the logs. Learn more in Troubleshooting AWS IAM authentication issues.

  4. After confirming that all PDPs are using IAM authentication, remove the static user from the user group.
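The phased migration above, as an added Python example (not PingAuthorize code): it lays out the AWS-side user and user-group changes, switches one PDP's cache definition at a time, and gates each step on the WRONGPASS / pdp-unavailable check before touching the next PDP. Assumptions that are not on this page: the dsconfig subcommand name set-external-attribute-cache-prop and its --reset flag (Ping's usual naming for modifying an object created with create-external-attribute-cache), the aws CLI flags shown, and the log lines, which are constructed to resemble PingAuthorize output; commands are recorded in a dry run rather than executed.

```python
# Added example, not PingAuthorize code. Phased static-to-IAM rollout with a
# per-PDP health gate. Assumed (not from the page): the dsconfig subcommand
# set-external-attribute-cache-prop and --reset, the aws CLI flags, and the
# constructed log lines in SAMPLE_LOGS.
from typing import Callable, Iterable, List, Optional, Tuple

# Symptoms the page tells you to watch for after switching a PDP
AUTH_FAILURE_MARKERS = ("WRONGPASS", "pdp-unavailable")


def aws_commands(user_id, user_name, user_group_id, static_user_id):
    """Steps 1 and 4 on the AWS side: create the IAM-authenticated user, add it to
    the user group shared with the static user, and (only at the end) remove the
    static user from that group."""
    create = ["aws", "elasticache", "create-user", "--user-id", user_id,
              "--user-name", user_name, "--engine", "redis",
              "--access-string", "on ~* +@all", "--authentication-mode", "Type=iam"]
    add = ["aws", "elasticache", "modify-user-group", "--user-group-id", user_group_id,
           "--user-ids-to-add", user_id]
    remove_static = ["aws", "elasticache", "modify-user-group", "--user-group-id",
                     user_group_id, "--user-ids-to-remove", static_user_id]
    return create, add, remove_static


def pdp_switch_command(cache_name, iam_user_id):
    """Flip one PDP's ElastiCache cache to IAM auth: username must equal the
    ElastiCache user ID, the static password must be cleared, use-iam-auth set."""
    return ["dsconfig", "set-external-attribute-cache-prop", "--cache-name", cache_name,
            "--set", f"username:{iam_user_id}", "--set", "use-iam-auth:true",
            "--reset", "password"]


def auth_problems(log_lines: Iterable[str]) -> List[str]:
    """Lines showing the PDP failed Redis AUTH or declared itself unavailable."""
    return [line for line in log_lines if any(m in line for m in AUTH_FAILURE_MARKERS)]


def phased_migration(pdps: List[Tuple[str, str]], iam_user_id: str,
                     run: Callable, fetch_logs: Callable
                     ) -> Tuple[List[str], Optional[Tuple[str, List[str]]]]:
    """pdps: [(host, cache_name)]. run(host, cmd) applies the dsconfig change;
    fetch_logs(host) returns lines written since. Stops at the first PDP that
    shows auth problems so a broken IAM setup never takes down more than one PDP."""
    migrated: List[str] = []
    for host, cache_name in pdps:
        run(host, pdp_switch_command(cache_name, iam_user_id))
        problems = auth_problems(fetch_logs(host))
        if problems:
            return migrated, (host, problems)
        migrated.append(host)
    return migrated, None


# Constructed logs: pdp-b's IAM principal lacks elasticache:Connect, so AUTH fails.
SAMPLE_LOGS = {
    "pdp-a": ['[12/Feb/2025:10:00:01 +0000] category=REDIS severity=NOTICE '
              'msg="Connected to my-replication-group-id with IAM auth"'],
    "pdp-b": ['[12/Feb/2025:10:05:02 +0000] category=REDIS severity=SEVERE '
              'msg="WRONGPASS invalid username-password pair or user is disabled."',
              '[12/Feb/2025:10:05:03 +0000] alert-type=pdp-unavailable '
              'msg="Policy Decision Service is unavailable"'],
    "pdp-c": ['[12/Feb/2025:10:10:04 +0000] category=REDIS severity=NOTICE '
              'msg="Connected to my-replication-group-id with IAM auth"'],
}


def demo():
    """Dry run over three PDPs: commands are recorded, not executed."""
    applied = []
    return phased_migration(
        [("pdp-a", "ElastiCache IAM"), ("pdp-b", "ElastiCache IAM"), ("pdp-c", "ElastiCache IAM")],
        "my-elasticache-iam-user",
        run=lambda host, cmd: applied.append((host, cmd)),
        fetch_logs=lambda host: SAMPLE_LOGS[host],
    )


if __name__ == "__main__":
    migrated, failed = demo()
    print("migrated:", migrated)
    print("stopped at:", failed[0] if failed else None)
```

Because the static and IAM users share a user group, pdp-a and pdp-c keep serving while pdp-b is rolled back or its IAM policy fixed; the static user is removed from the group only after every PDP has passed the gate.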