Step 1: Create a serverless cache
To create a serverless cache, follow these steps.
Step 1.1: Create a serverless cache
In this step, you create a serverless cache in the default Amazon VPC in the us-east-1 region of your account using the Amazon Command Line Interface (CLI). For information on creating a serverless cache using the ElastiCache console or API, see Step 1: Create a cache.
aws elasticache create-serverless-cache \
    --serverless-cache-name cache-01 \
    --description "ElastiCache IAM auth application" \
    --engine redis
Note that the value of the Status field is set to CREATING. It can take a minute for ElastiCache to finish creating your cache.
Step 1.2: Copy serverless cache endpoint
Verify that ElastiCache (Redis OSS) has finished creating the cache with the describe-serverless-caches command.
aws elasticache describe-serverless-caches \
    --serverless-cache-name cache-01
Copy the Endpoint Address shown in the output. You'll need this address when you create the deployment package for your Lambda function.
Step 1.3: Create IAM Role
Create an IAM trust policy document, as shown below, for your role that allows your account to assume the new role. Save the policy to a file named trust-policy.json.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Create an IAM policy document, as shown below, that grants elasticache:Connect only on the cache-01 serverless cache and the iam-user-01 user. Save the policy to a file named policy.json.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "elasticache:Connect" ],
      "Resource": [
        "arn:aws:elasticache:us-east-1:123456789012:serverlesscache:cache-01",
        "arn:aws:elasticache:us-east-1:123456789012:user:iam-user-01"
      ]
    }
  ]
}
Create an IAM role.
aws iam create-role \
    --role-name "elasticache-iam-auth-app" \
    --assume-role-policy-document file://trust-policy.json
Create the IAM policy.
aws iam create-policy \
    --policy-name "elasticache-allow-all" \
    --policy-document file://policy.json
Attach the IAM policy to the role.
aws iam attach-role-policy \
    --role-name "elasticache-iam-auth-app" \
    --policy-arn "arn:aws:iam::123456789012:policy/elasticache-allow-all"
Step 1.4: Create a new user and user group
Create a new default user. Its access string begins with off, so this default user is disabled and cannot be used to connect to the cache.
aws elasticache create-user \
    --user-name default \
    --user-id default-user-disabled \
    --engine redis \
    --authentication-mode Type=no-password-required \
    --access-string "off +get ~keys*"
Create a new IAM-enabled user.
aws elasticache create-user \
    --user-name iam-user-01 \
    --user-id iam-user-01 \
    --authentication-mode Type=iam \
    --engine redis \
    --access-string "on ~* +@all"
Create a user group and add both users to it.
aws elasticache create-user-group \
    --user-group-id iam-user-group-01 \
    --engine redis \
    --user-ids default-user-disabled iam-user-01
Then associate the user group with the serverless cache.
aws elasticache modify-serverless-cache \
    --serverless-cache-name cache-01 \
    --user-group-id iam-user-group-01
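The IAM-enabled user created above (iam-user-01) authenticates with a short-lived IAM authentication token rather than a password. The following added example (not code from the AWS page or the Lambda deployment package it refers to) builds such a token with only the standard library; it assumes the documented token format, a SigV4 presigned URL for Action=connect with User and ResourceType=ServerlessCache, signed against the cache name as host and valid for 15 minutes. The access key and secret key shown are constructed placeholders; the Lambda function would take them, plus a session token, from its execution role.

```python
# Added example, not part of the AWS page: build the ElastiCache IAM auth
# token for a serverless cache. Assumption: the token is a SigV4 presigned
# GET of https://<cache-name>/?Action=connect&User=<user-id>&ResourceType=
# ServerlessCache with the scheme removed, and it expires after 15 minutes.
import datetime
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
EMPTY_BODY_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def elasticache_iam_token(cache_name, user_id, access_key, secret_key,
                          region="us-east-1", session_token=None, now=None):
    """Return (username, password) for the Redis AUTH command."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/elasticache/aws4_request"
    params = {
        "Action": "connect",
        "User": user_id,
        "ResourceType": "ServerlessCache",  # required for serverless caches
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": "900",  # token is valid for 15 minutes
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials, e.g. a Lambda execution role
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, keys and values URI-encoded
    canonical_qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                            for k, v in sorted(params.items()))
    # The signed host is the cache name (cache-01), not the endpoint address
    canonical_request = "\n".join(["GET", "/", canonical_qs,
                                   f"host:{cache_name}\n", "host", EMPTY_BODY_SHA256])
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), "elasticache"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return user_id, f"{cache_name}/?{canonical_qs}&X-Amz-Signature={signature}"


if __name__ == "__main__":
    # Constructed placeholder credentials, not real keys
    print(elasticache_iam_token("cache-01", "iam-user-01", "AKIAEXAMPLE", "secretEXAMPLE"))
</test>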