---
title: Configuring Trust Framework attribute caching for development
description: While building and testing policies in a development environment, you can define an external attribute cache for the Trust Framework.
component: pingauthorize
version: 11.1
page_id: pingauthorize:pingauthorize_server_administration_guide:paz_tf_attribute_cache_external
canonical_url: https://docs.pingidentity.com/pingauthorize/11.1/pingauthorize_server_administration_guide/paz_tf_attribute_cache_external.html
llms_txt: https://docs.pingidentity.com/pingauthorize/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: June 12, 2026
section_ids:
  aws-iam-authentication-for-elasticache-redis: AWS IAM authentication for ElastiCache Redis
  steps: Steps
  example: Example:
  migrating-from-static-to-iam-authentication: Migrating from static to IAM authentication
---

# Configuring Trust Framework attribute caching for development

While building and testing policies in a development environment, you can define an external attribute cache for the Trust Framework.

When you set the Policy Decision Service to external policy decision point (PDP) mode, the Policy Editor is configured by default to cache attribute values in memory on the PingAuthorize Server (for any attributes with a [defined caching strategy](../pingauthorize_policy_administration_guide/paz_attr_caching.html)). Alternatively, you can define an external attribute cache using Redis by configuring the `options.yml` file. The available Redis modes include:

* Single Redis instance

* Single Redis instance using TLS

* Replicated Redis

* Redis Sentinel

* Amazon Web Services (AWS) ElastiCache Redis

![Screen capture of the Redis mode options for embedded PDP mode with the single Redis instance configuration highlighted](_images/dld1670853034070.png)

## AWS IAM authentication for ElastiCache Redis

When AWS Identity and Access Management (IAM) authentication is configured, the PDP obtains short-lived authentication tokens from AWS through SigV4 signing and uses them as the Redis `AUTH` password on every connection.

* The authentication tokens refresh automatically before they expire.

* TLS is enforced whenever credentials are configured. This is because ElastiCache rejects unencrypted `AUTH` requests.

* AWS credentials are resolved from the standard AWS SDK provider chain, for example: environment variables, a shared credentials file, AWS IAM roles for service accounts (IRSA), or AWS Instance Metadata Service (IMDS).

To configure IAM authentication for ElastiCache, make sure the IAM principal running the PDP has the following permissions:

* `elasticache:Connect` scoped to the user and replication group Amazon Resource Names (ARNs)

* `elasticache:DescribeCacheClusters` to enable node discovery.

  Learn more in [Using identity-based policies for ElastiCache](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/IAM.IdentityBasedPolicies.html) in the AWS documentation.

  > **Collapse: Example IAM policy**
  >
  > ```json
  > {
  >   "Version": "2012-10-17",
  >   "Statement": [
  >     {
  >       "Effect": "Allow",
  >       "Action": "elasticache:Connect",
  >       "Resource": [
  >         "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:my-replication-group-id",
  >         "arn:aws:elasticache:us-east-1:123456789012:user:my-elasticache-iam-user"
  >       ]
  >     },
  >     {
  >       "Effect": "Allow",
  >       "Action": "elasticache:DescribeCacheClusters",
  >       "Resource": "*"
  >     }
  >   ]
  > }
  > ```

|   |                                                                                                                                                                                                                                                        |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | IAM authentication failures can reveal service or attribute cache errors. Learn more about how to resolve these in [Troubleshooting AWS IAM authentication issues](../troubleshooting_pingauthorize_server/paz_troubleshoot_aws_iam_auth_issues.html). |

## Steps

1. Make a copy of the default options file:

   ```shell
   $ cp config/options.yml my-options.yml
   ```

2. In the `cache` section of the new options file, uncomment the line `provider: redis` to enable the Redis caching options.

3. Uncomment the desired Redis `cacheConfig` block, then set `mode` and `nodeAddresses` to reflect your Redis instance settings:

   ```
   cache:
     provider: redis
     cacheConfig:
       mode: single_instance
       nodeAddresses: redis://localhost:6379
   #   username: <optional>
   #   password: <optional>
   ```

4. Choose one of the following methods to authenticate to your Redis instance:

   * **Static password**: Uncomment `username` and `password` and set them to the appropriate values.

   * **IAM authentication (ElastiCache only)**: To configure IAM authentication:

     1. In the copied `options.yml` file, uncomment the `username` field and set it to the ElastiCache User ID. AWS requires an exact match between these values for IAM authentication.

        |   |                                                                                                                                                                                                |
        | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
        |   | Don't set a value for the `password` property. IAM mode replaces the static Redis password with a short-lived SigV4-signed token that is used as the Redis `AUTH` password on each connection. |

     2. Set `useIamAuth` to `true`.

        ### Example:

        ```
        cache:
          provider: redis
          cacheConfig:
            mode: elasticache
            replicationGroupId: <your-replication-group-id>
            username: <your-elasticache-iam-user>
            useIamAuth: true
        ```

5. Stop the Policy Editor:

   ```shell
   $ bin/stop-server
   ```

6. Run `setup` using the `--optionsFile` argument and customize all other options as appropriate for your needs:

   ```shell
   $ bin/setup demo \
     --adminUsername admin \
     --generateSelfSignedCertificate \
     --decisionPointSharedSecret pingauthorize \
     --hostname  <pap-hostname>  \
     --port <pap-port>  \
     --adminPort <admin-port>  \
     --licenseKeyFile <path-to-license>  \
     --optionsFile my-options.yml
   ```

7. Start the Policy Editor:

   ```shell
   $ bin/start-server
   ```

## Migrating from static to IAM authentication

PDPs that target the same replication group can mix static and IAM authentication because each PDP resolves its own configuration independently. This supports a phased migration approach:

1. In AWS, create a new ElastiCache user with authentication type set to **IAM**, and add it to the same user group as the existing static user.

2. Migrate PDPs from static authentication to IAM authentication one at a time.

3. After updating each PDP, confirm it's connecting successfully before migrating the next one. Check for `pdp-unavailable` alerts or `WRONGPASS` errors in the logs. Learn more in [Troubleshooting AWS IAM authentication issues](../troubleshooting_pingauthorize_server/paz_troubleshoot_aws_iam_auth_issues.html).

4. After confirming that all PDPs are using IAM authentication, remove the static user from the user group.
