---
title: Configuring Trust Framework attribute caching for production
description: For higher environments, including testing and production, you can define an external attribute cache for the Trust Framework.
component: pingauthorize
version: 11.1
page_id: pingauthorize:pingauthorize_server_administration_guide:paz_tf_attribute_cache_embedded
canonical_url: https://docs.pingidentity.com/pingauthorize/11.1/pingauthorize_server_administration_guide/paz_tf_attribute_cache_embedded.html
llms_txt: https://docs.pingidentity.com/pingauthorize/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: June 12, 2026
section_ids:
  aws-iam-authentication-for-elasticache-redis: AWS IAM authentication for ElastiCache Redis
  before-you-begin: Before you begin
  steps: Steps
  result: Result
  before-you-begin-2: Before you begin
  steps-2: Steps
  result-2: Result
  migrating-from-static-to-iam-authentication: Migrating from static to IAM authentication
---

# Configuring Trust Framework attribute caching for production

For higher environments, including testing and production, you can define an external attribute cache for the Trust Framework.

With the Policy Decision Service set to embedded policy decision point (PDP) mode, the PingAuthorize Server is configured by default to cache attribute values in memory (for any attributes with a [defined caching strategy](../pingauthorize_policy_administration_guide/paz_attr_caching.html)). Alternatively, you can define an external attribute cache using the following Redis modes:

* Single Redis instance

* Single Redis instance using TLS

* Replicated Redis

* Redis Sentinel

* Amazon Web Services (AWS) ElastiCache Redis

## AWS IAM authentication for ElastiCache Redis

When AWS Identity and Access Management (IAM) authentication is configured, the PDP obtains short-lived authentication tokens from AWS through SigV4 signing and uses them as the Redis `AUTH` password on every connection.

* The authentication tokens refresh automatically before they expire.

* TLS is enforced whenever credentials are configured. This is because ElastiCache rejects unencrypted `AUTH` requests.

* AWS credentials are resolved from the standard AWS SDK provider chain, for example: environment variables, a shared credentials file, AWS IAM roles for service accounts (IRSA), or AWS Instance Metadata Service (IMDS).

To configure IAM authentication for ElastiCache, make sure the IAM principal running the PDP has the following permissions:

* `elasticache:Connect` scoped to the user and replication group Amazon Resource Names (ARNs)

* `elasticache:DescribeCacheClusters` to enable node discovery.

  Learn more in [Using identity-based policies for ElastiCache](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/IAM.IdentityBasedPolicies.html) in the AWS documentation.

  > **Example IAM policy**
  >
  > ```json
  > {
  >   "Version": "2012-10-17",
  >   "Statement": [
  >     {
  >       "Effect": "Allow",
  >       "Action": "elasticache:Connect",
  >       "Resource": [
  >         "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:my-replication-group-id",
  >         "arn:aws:elasticache:us-east-1:123456789012:user:my-elasticache-iam-user"
  >       ]
  >     },
  >     {
  >       "Effect": "Allow",
  >       "Action": "elasticache:DescribeCacheClusters",
  >       "Resource": "*"
  >     }
  >   ]
  > }
  > ```
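As an added example (not part of this page's or PingIdentity's tooling), the following Python checks an IAM policy document for the two permissions listed above and flags the common least-privilege mistakes: `elasticache:Connect` granted on `*` instead of the user and replication group ARNs, a missing `user` or `replicationgroup` ARN, and a missing `elasticache:DescribeCacheClusters`. The embedded sample policy is constructed from the page's example with placeholder account and resource names.

```python
import json

# Constructed sample modelled on the page's example policy (placeholder account/names).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "elasticache:Connect",
         "Resource": ["arn:aws:elasticache:us-east-1:123456789012:replicationgroup:my-replication-group-id",
                      "arn:aws:elasticache:us-east-1:123456789012:user:my-elasticache-iam-user"]},
        {"Effect": "Allow", "Action": "elasticache:DescribeCacheClusters", "Resource": "*"},
    ],
})

def _as_list(value):
    """IAM allows a single string/object or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def check_elasticache_policy(policy_json: str) -> list:
    """Return findings; an empty list means the policy grants exactly what the PDP needs."""
    findings, connect_resources, describe_allowed = [], [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            if action.lower() == "elasticache:connect":
                connect_resources += resources
            elif action.lower() == "elasticache:describecacheclusters":
                describe_allowed = True
            elif action in ("*", "elasticache:*"):
                findings.append(f"wildcard action {action!r} grants far more than the PDP needs")
    if not connect_resources:
        findings.append("missing elasticache:Connect")
    elif "*" in connect_resources:
        findings.append("elasticache:Connect should be scoped to the user and replication group ARNs, not '*'")
    else:
        # ARN layout: arn:partition:service:region:account:resourcetype:resource
        kinds = {arn.split(":")[5] for arn in connect_resources if arn.count(":") >= 6}
        for needed in ("replicationgroup", "user"):
            if needed not in kinds:
                findings.append(f"elasticache:Connect lacks a {needed} ARN")
    if not describe_allowed:
        findings.append("missing elasticache:DescribeCacheClusters (needed for node discovery)")
    return findings
```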

> **Note:** IAM authentication failures can reveal service or attribute cache errors. Learn more about how to resolve these in [Troubleshooting AWS IAM authentication issues](../troubleshooting_pingauthorize_server/paz_troubleshoot_aws_iam_auth_issues.html).

You can configure the external attribute cache using either the admin console or `dsconfig`. The admin console procedure is described first, followed by the `dsconfig` procedure.

### Before you begin

To successfully assign an external Redis attribute cache to the Policy Decision Service, you must set **PDP Mode** to **Embedded**.

### Steps

1. In the PingAuthorize admin console, go to **Configuration > Authorization and Policies > External Attribute Caches**.

2. Click **New External Attribute Cache** and select your desired Redis mode from the list.

   ![Screen capture of the options in the New External Attribute Cache list, with arrows pointing to the button and a selected option](_images/paz_new_external_attribute_cache.png)

3. Enter the required values, as indicated by a red asterisk.

4. (Optional) To configure IAM authentication for Redis ElastiCache, select the **Use Iam Auth** checkbox.

   ![Screen capture of the Redis ElastiCache configuration with the Use Iam Auth checkbox selected](_images/paz_elasticache_iam.png)

   1. In the **Username** field, enter the ElastiCache User ID. AWS requires an exact match between these values when IAM authentication is enabled.

      > **Note:** Don't enter a value in the **Password** field. IAM mode replaces the static Redis password with a short-lived SigV4-signed token that is used as the Redis `AUTH` password on each connection.

5. Click **Save**.

   > **Note:** Hover over the question mark icon for more information on a field.

   ![Screen capture of defining Redis configuration values for a new Redis cache, with arrows pointing to the required fields and the save button](_images/paz_external_redis_cache_config.png)

6. Go to **Configuration > Authorization and Policies > Policy Decision Service**.

7. In the **Trust Framework Attribute Cache Configuration** section, in the **External Attribute Cache** list, select the Redis cache you created in step 3.

   ![Screen capture of the External Attribute Cache list with arrows pointing to the list and the save button](_images/paz_policy_decision_srvc_redis_cache.png)

8. Click **Save**.

### Result

The external attribute cache is now configured and attached to the Policy Decision Service. No server restart is required.

To create a Redis external attribute cache using `dsconfig`, run the `dsconfig create-external-attribute-cache` command with the `--type` flag to specify the cache type:

* `redis-single-instance`

* `redis-replicated`

* `redis-elasticache`

* `redis-sentinel`

The following `--set` properties are available. Required properties vary by cache type.

> **Available --set properties**
>
> | Option                       | Required                                                                 | Description                                                                                                                                                                                                           |
> | ---------------------------- | ------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
> | `redis-node-addresses`       | Required when `--type` is `redis-single-instance` or `redis-replicated`. | A comma-separated list of Redis node addresses.                                                                                                                                                                       |
> | `redis-sentinel-addresses`   | Required when `--type` is `redis-sentinel`.                              | A comma-separated list of Redis sentinel node addresses.                                                                                                                                                              |
> | `redis-replication-group-id` | Required when `--type` is `redis-elasticache`.                           | The AWS ElastiCache replication group ID.                                                                                                                                                                             |
> | `redis-master-name`          | Required when `--type` is `redis-sentinel`.                              | The name of the master node.                                                                                                                                                                                          |
> | `redis-database-index`       | Optional when `--type` is `redis-sentinel`.                              | The database index for the Redis connection. Default value is `0`.                                                                                                                                                    |
> | `redis-scan-interval`        | Optional when `--type` is `redis-sentinel`.                              | The Redis cluster scan interval in milliseconds. Default value is `1000`.                                                                                                                                             |
> | `check-sentinel-list`        | Optional when `--type` is `redis-sentinel`.                              | Enables the sentinels list check during startup. Default value is `false`.                                                                                                                                            |
> | `username`                   | Optional                                                                 | The username for AUTH token authentication. Only applicable when AUTH token authentication is enabled in the Redis provider. When `use-iam-auth` is `true`, `username` must match the ElastiCache user ID exactly. |
> | `password`                   | Optional                                                                 | The password for AUTH token authentication. Only applicable when AUTH token authentication is enabled in the Redis provider. Don't set a password when `use-iam-auth` is `true`.                                 |
> | `use-iam-auth`               | Optional when `--type` is `redis-elasticache`.                           | Set to `true` to use AWS IAM authentication (SigV4-signed tokens) instead of a static password. Default value is `false`.                                                                                             |

### Before you begin

Before assigning the cache to the Policy Decision Service in step 2, make sure that:

* The `pdp-mode` property is set to `embedded`.

* The `deployment-package-source-type` property is set to `store` or `static-file`.

  * If the `deployment-package-source-type` property is set to `store`, the `deployment-package-store` property must resolve to a valid deployment package store.

  * If the `deployment-package-source-type` property is set to `static-file`, the `deployment-package-store` property must resolve to a valid deployment package.

### Steps

1. Create the external attribute cache with the `dsconfig create-external-attribute-cache` command, using one of the following authentication methods:

   * **Static password**: Set the `username` and `password` properties to the appropriate values.

     ```shell
     $ dsconfig create-external-attribute-cache \
       --cache-name 'Single Instance' \
       --type redis-single-instance \
       --set redis-node-addresses:redis://localhost:6379 \
       --set username:<your-redis-username> \
       --set password:<your-redis-password>
     ```

   * **IAM authentication (ElastiCache only)**: To configure IAM authentication:

     1. Set the `username` property to the ElastiCache User ID. AWS requires an exact match between these values when IAM authentication is enabled.

        > **Note:** Don't set a value for the `password` property. IAM mode replaces the static Redis password with a short-lived SigV4-signed token that is used as the Redis `AUTH` password on each connection.

     2. Set the `use-iam-auth` property to `true`.

        ```shell
        $ dsconfig create-external-attribute-cache \
          --cache-name 'ElastiCache IAM' \
          --type redis-elasticache \
          --set redis-replication-group-id:<your-replication-group-id> \
          --set username:<your-elasticache-iam-user> \
          --set use-iam-auth:true
        ```

2. Assign the defined external attribute cache to the Policy Decision Service:

   ```shell
   $ dsconfig set-policy-decision-service-prop \
     --set 'external-attribute-cache:<cache-name>'
   ```
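The following Python is an added helper, not part of PingAuthorize or `dsconfig`, that encodes the per-type required properties from the `--set` table above and the IAM rules from the steps above (no `password` with `use-iam-auth:true`, `username` required in IAM mode, IAM only for `redis-elasticache`), then renders a shell-safe `dsconfig create-external-attribute-cache` command line. The cache names and property values in the usage block are constructed placeholders.

```python
import shlex

# Required --set properties per --type, transcribed from the page's table.
REQUIRED_PROPS = {
    "redis-single-instance": {"redis-node-addresses"},
    "redis-replicated": {"redis-node-addresses"},
    "redis-sentinel": {"redis-sentinel-addresses", "redis-master-name"},
    "redis-elasticache": {"redis-replication-group-id"},
}

def validate_cache_props(cache_type: str, props: dict) -> list:
    """Return a list of problems; an empty list means the property set is consistent."""
    if cache_type not in REQUIRED_PROPS:
        return [f"unknown --type {cache_type!r}"]
    problems = [f"{p} is required for {cache_type}"
                for p in sorted(REQUIRED_PROPS[cache_type] - set(props))]
    iam = str(props.get("use-iam-auth", "false")).lower() == "true"
    if iam and cache_type != "redis-elasticache":
        problems.append("use-iam-auth applies only to redis-elasticache")
    if iam and "password" in props:
        problems.append("do not set password with use-iam-auth:true; the SigV4 token is the AUTH password")
    if iam and not props.get("username"):
        problems.append("username must be the ElastiCache user ID when use-iam-auth is true")
    return problems

def build_create_command(cache_name: str, cache_type: str, props: dict) -> str:
    """Render a shell-safe dsconfig command, refusing inconsistent property sets."""
    problems = validate_cache_props(cache_type, props)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["dsconfig", "create-external-attribute-cache",
            "--cache-name", cache_name, "--type", cache_type]
    for key, value in sorted(props.items()):
        argv += ["--set", f"{key}:{value}"]
    return shlex.join(argv)

if __name__ == "__main__":
    # Constructed values for the IAM variant shown in the steps above.
    print(build_create_command("ElastiCache IAM", "redis-elasticache", {
        "redis-replication-group-id": "my-replication-group-id",
        "username": "my-elasticache-iam-user",
        "use-iam-auth": "true",
    }))
```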

### Result

The external attribute cache is now configured and attached to the Policy Decision Service. No server restart is required.

## Migrating from static to IAM authentication

PDPs that target the same replication group can mix static and IAM authentication because each PDP resolves its own configuration independently. This supports a phased migration approach:

1. In AWS, create a new ElastiCache user with authentication type set to **IAM**, and add it to the same user group as the existing static user.

2. Migrate PDPs from static authentication to IAM authentication one at a time.

3. After updating each PDP, confirm it's connecting successfully before migrating the next one. Check for `pdp-unavailable` alerts or `WRONGPASS` errors in the logs. Learn more in [Troubleshooting AWS IAM authentication issues](../troubleshooting_pingauthorize_server/paz_troubleshoot_aws_iam_auth_issues.html).

4. After confirming that all PDPs are using IAM authentication, remove the static user from the user group.
