Step 1: Create a cluster - Amazon MemoryDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 1: Create a cluster

To create a cluster, follow these steps.

Step 1.1: Create a cluster

In this step, you create a cluster in the default Amazon VPC in the us-east-1 region in your account using the Amazon Command Line Interface (CLI). For information on creating a cluster using the MemoryDB console or API, see Step 1: Create a cluster.

aws memorydb create-cluster \
  --cluster-name cluster-01 \
  --engine-version 7.0 \
  --acl-name open-access \
  --description "MemoryDB IAM auth application" \
  --node-type db.r6g.large

In the command output, the value of the Status field is CREATING. It can take a few minutes for MemoryDB to finish creating your cluster.

Step 1.2: Copy the cluster endpoint

Verify that MemoryDB has finished creating the cluster with the describe-clusters command.

aws memorydb describe-clusters \
  --cluster-name cluster-01

Copy the Cluster Endpoint Address shown in the output. You'll need this address when you create the deployment package for your Lambda function.

Step 1.3: Create IAM Role

  1. Create an IAM trust policy document for your role, as shown below, that allows your account and the Lambda service to assume the new role. Save the policy to a file named trust-policy.json. Be sure to replace the account ID 123456789012 in this policy with your own account ID.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Principal": { "Service": "lambda.amazonaws.com" },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  2. Create an IAM policy document, as shown below, that allows memorydb:Connect only on the cluster and the IAM-enabled user. Save the policy to a file named policy.json. Be sure to replace the account ID 123456789012 in this policy with your own account ID.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "memorydb:Connect" ],
          "Resource": [
            "arn:aws:memorydb:us-east-1:123456789012:cluster/cluster-01",
            "arn:aws:memorydb:us-east-1:123456789012:user/iam-user-01"
          ]
        }
      ]
    }
  3. Create an IAM role.

    aws iam create-role \
      --role-name "memorydb-iam-auth-app" \
      --assume-role-policy-document file://trust-policy.json
  4. Create the IAM policy.

    aws iam create-policy \
      --policy-name "memorydb-allow-all" \
      --policy-document file://policy.json
  5. Attach the IAM policy to the role. Be sure to replace the account ID 123456789012 in this policy ARN with your own account ID.

    aws iam attach-role-policy \
      --role-name "memorydb-iam-auth-app" \
      --policy-arn "arn:aws:iam::123456789012:policy/memorydb-allow-all"

Step 1.4: Create an Access Control List (ACL)

  1. Create a new IAM-enabled user.

    aws memorydb create-user \
      --user-name iam-user-01 \
      --authentication-mode Type=iam \
      --access-string "on ~* +@all"
  2. Create an ACL and attach it to the cluster.

    aws memorydb create-acl \
      --acl-name iam-acl-01 \
      --user-names iam-user-01

    aws memorydb update-cluster \
      --cluster-name cluster-01 \
      --acl-name iam-acl-01
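The procedure above, automated as an added example that is not part of the MemoryDB documentation: two shell functions render the trust and permission policy documents from parameters so the account ID, region, cluster name and user name are substituted once instead of hand-edited, and a third polls describe-clusters until the cluster leaves CREATING and prints the endpoint address from Step 1.2. It assumes the AWS CLI is installed and configured; the function names are my own.

```shell
set -eu

# Trust policy for Step 1.3: the account root and the Lambda service may assume the role.
render_trust_policy() {
  account_id=$1
  cat <<EOF
{ "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": "sts:AssumeRole" },
    { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole" } ] }
EOF
}

# Permission policy for Step 1.3: memorydb:Connect only, scoped to one cluster and one user.
render_connect_policy() {
  account_id=$1; region=$2; cluster=$3; user=$4
  cat <<EOF
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": [ "memorydb:Connect" ],
    "Resource": [ "arn:aws:memorydb:${region}:${account_id}:cluster/${cluster}",
                  "arn:aws:memorydb:${region}:${account_id}:user/${user}" ] } ] }
EOF
}

# Poll until the cluster is no longer CREATING, then print the endpoint address
# from Step 1.2. Requires the AWS CLI; status is compared case-insensitively.
wait_for_cluster() {
  cluster=$1
  while :; do
    status=$(aws memorydb describe-clusters --cluster-name "$cluster" \
      --query 'Clusters[0].Status' --output text)
    case "$status" in
      [Cc]reating) sleep 30 ;;
      [Aa]vailable) break ;;
      *) echo "cluster $cluster is in status $status" >&2; return 1 ;;
    esac
  done
  aws memorydb describe-clusters --cluster-name "$cluster" \
    --query 'Clusters[0].ClusterEndpoint.Address' --output text
}
```

Typical use is `render_trust_policy 123456789012 > trust-policy.json`, `render_connect_policy 123456789012 us-east-1 cluster-01 iam-user-01 > policy.json`, then `wait_for_cluster cluster-01` after create-cluster.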