Redis
Learn how to configure Redis access through KMS PAM for secure, audited, and just-in-time access to your Redis instances.
KMS PAM supports secure, just-in-time access to Redis instances. This allows your team to access Redis databases without sharing long-lived credentials, while maintaining a complete audit trail of who accessed what and when. Hanzo KMS supports all major Redis server versions since Redis 1.0 that use the RESP protocol. Redis server forks and variants based on the RESP protocol such as Valkey are also supported by KMS PAM.
How It Works
Redis access in KMS PAM uses a KMS Gateway to securely proxy connections to your Redis server. When a user requests access, Hanzo KMS establishes a secure tunnel through the Gateway, enabling secure access without exposing your Redis instance directly.
sequenceDiagram
participant User
participant CLI as KMS CLI
participant Hanzo KMS
participant Gateway as KMS Gateway
participant Redis as Redis Server
User->>CLI: Request Redis access
CLI->>Hanzo KMS: Authenticate & request session
Hanzo KMS-->>CLI: Session credentials & Gateway info
CLI->>CLI: Start local proxy
CLI->>Gateway: Establish secure tunnel
Gateway->>Redis: Establish connection
alt Credentials provided
Gateway->>Redis: Send AUTH command
end
User->>CLI: Redis commands
CLI->>Gateway: Proxy Redis requests
Gateway->>Redis: Forward commands
Redis-->>Gateway: Response
Gateway-->>CLI: Return response
CLI-->>User: Redis output
Key Concepts
- Gateway: A KMS Gateway deployed in your network that can reach the Redis server. The Gateway handles secure communication between users and your Redis instance.
- Authentication: Redis supports username/password authentication (ACL). Credentials are stored securely in Hanzo KMS and used by the Gateway to authenticate with Redis.
- Local Proxy: The KMS CLI starts a local proxy on your machine that intercepts Redis commands and routes them securely through the Gateway to your Redis instance.
- Session Tracking: All access sessions are logged, including when the session was created, who accessed the Redis instance, session duration, and when it ended.
Session Tracking
Hanzo KMS tracks:
- When the session was created
- Who accessed which Redis instance
- Session duration
- All Redis commands executed during the session
- When the session ended
Session Logs: After ending a session (by stopping the proxy), you can view detailed session logs in the Sessions page, including all commands executed during the session.
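To show what command-level session logging involves for a RESP proxy, here is an added example (not Hanzo KMS code, and not a description of how the Gateway is implemented) that turns a client's raw byte stream into audit lines. Redacting the AUTH password and escaping control bytes are assumptions about what a careful audit log would do; the function names and the sample stream are constructed.

```python
# Added example (not Hanzo KMS code): turn a client's RESP byte stream into audit lines.
class Incomplete(Exception):
    """The buffer ends in the middle of a request; wait for more bytes."""

def _line(buf, pos):
    end = buf.find(b"\r\n", pos)
    if end == -1:
        raise Incomplete
    return buf[pos:end], end + 2

def parse_request(buf, pos=0):
    """Parse one request at pos; return (list of argument bytes, next position)."""
    head, pos = _line(buf, pos)
    if not head.startswith(b"*"):
        return head.split(), pos  # inline command: space-separated words
    args = []
    for _ in range(int(head[1:])):
        size, pos = _line(buf, pos)
        if not size.startswith(b"$"):
            raise ValueError("request arrays must contain bulk strings")
        n = int(size[1:])
        if len(buf) < pos + n + 2:
            raise Incomplete
        args.append(buf[pos:pos + n])  # length-prefixed, so CRLF inside is data
        pos += n + 2
    return args, pos

def audit_lines(stream):
    """Return (audit lines, unparsed tail) for every complete request in stream."""
    lines, pos = [], 0
    while pos < len(stream):
        try:
            args, pos = parse_request(stream, pos)
        except Incomplete:
            break
        if not args:
            continue
        # repr() escapes control bytes so a stored value cannot forge extra log lines.
        words = [repr(a)[2:-1] for a in args]
        name = words[0].upper()
        if name == "AUTH" and len(words) > 1:
            words[-1] = "<redacted>"  # AUTH [username] password
        lines.append(" ".join([name] + words[1:]))
    return lines, stream[pos:]

# Constructed sample: AUTH, a SET whose value contains CRLF, and a truncated GET.
SAMPLE = (b"*3\r\n$4\r\nAUTH\r\n$8\r\nreadonly\r\n$6\r\ns3cret\r\n"
          b"*3\r\n$3\r\nSET\r\n$1\r\nk\r\n$4\r\na\r\nb\r\n"
          b"*2\r\n$3\r\nGET\r\n$1\r")
```

The unparsed tail is returned so a caller can prepend it to the next chunk read from the socket; a request split across TCP segments is then logged once, when it is complete.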
Prerequisites
Before configuring Redis access in KMS PAM, you need:
- KMS Gateway - A Gateway deployed in your network with access to the Redis server
- Redis Credentials - Username and password (if Redis ACL is enabled) or access to an unauthenticated Redis instance
- KMS CLI - The KMS CLI installed on user machines
Gateway Required: Redis access requires a KMS Gateway to be deployed and registered with your Hanzo KMS instance. The Gateway must have network connectivity to your Redis server.
Create the PAM Resource
The PAM Resource represents the connection between Hanzo KMS and your Redis instance.
Before creating the resource, ensure you have a KMS Gateway running and registered with your Hanzo KMS instance. The Gateway must have network access to your Redis server.
- Navigate to your PAM project and go to the Resources tab
- Click Add Resource and select Redis
- Enter a name for the resource (e.g., production-redis, staging-cache)
- Enter the Host - the hostname or IP address of your Redis server (e.g., redis.example.com or 192.168.1.100)
- Enter the Port - the Redis port (default: 6379)
- Select the Gateway that has access to this Redis instance
- Configure SSL/TLS options if needed:
  - SSL Enabled: Enable if your Redis instance uses TLS/SSL
  - SSL Reject Unauthorized: Enable to verify SSL certificates (recommended for production)
  - SSL Certificate: Optional CA certificate for custom certificate authorities
SSL Configuration: If your Redis instance uses TLS/SSL, enable SSL and configure certificate validation. For self-signed certificates, you may need to provide the CA certificate or disable certificate validation (not recommended for production).
Create PAM Accounts
Once you have configured the PAM resource, you'll need to configure a PAM account for your Redis resource. A PAM Account represents a specific set of credentials that users can request access to. You can create multiple accounts per resource, each with different permission levels.
Go to the Resources tab in your PAM project and open the Redis resource you created.
Click Add Account.
Fill in the account details:
A friendly name for this account (e.g., readonly-user, admin-access)
Toggle this on if your Redis instance requires authentication. When enabled, you'll need to provide a username and password. Leave it as disabled if your Redis instance doesn't require authentication.
The Redis username (required if Use Credentials is enabled).
The Redis password (required if Use Credentials is enabled).
Security Best Practice: For production environments, always use Redis ACL (Access Control List) with strong passwords. Unauthenticated Redis instances should only be used in isolated, trusted networks.
Access Redis Instance
Once your resource and accounts are configured, users can request access through the KMS CLI:
- Navigate to the Resources tab in your PAM project and open the Redis resource
- In the resource’s accounts section, find the account you want to access
- Click the Access button for that account
- Copy the provided CLI command
Run the copied command in your terminal.
The CLI will:
- Authenticate with Hanzo KMS
- Establish a secure connection through the Gateway
- Start a local proxy on your machine
- Provide connection details for your Redis client
Once the proxy is running, you can connect to Redis using your preferred Redis client. The proxy will be available on localhost with the URL shown in the CLI output.
Using redis-cli:
redis-cli -u <redis-url>
All commands are routed securely through the KMS Gateway to your Redis instance.
When you're done, stop the proxy by pressing Ctrl+C in the terminal where it's running. This will:
- Close the secure tunnel
- End the session
- Log the session details to Hanzo KMS
You can view session logs in the Sessions page of your PAM project.