@affonsov affonsov commented Oct 17, 2025

Overview

This PR adds support for AWS IAM authentication to the Java client, enabling secure connections to ElastiCache and MemoryDB clusters without managing passwords.

Changes

New Classes

  • IamAuthConfig: Configuration for IAM authentication with cluster name, service type, region, and optional refresh interval
  • ServiceType: Enum for ElastiCache and MemoryDB service types

Modified Classes

ServerCredentials

  • Now supports two mutually exclusive authentication modes:
    • Password-based: Uses password field (and optional username)
    • IAM-based: Uses username (required) and iamConfig
  • Added validation in constructor to enforce mutual exclusivity
  • password field is no longer @NonNull to support IAM mode

BaseClient

  • Added refreshIamToken() method for manual IAM token refresh
  • Updated updateConnectionPassword() methods to throw ConfigurationError when IAM auth is enabled
  • Added credential checks to prevent password operations with IAM

ConnectionManager

  • Updated to serialize IAM credentials to protobuf format
  • Modified updatePassword() to skip updates when using IAM authentication
  • Added getCredentials() accessor for credential validation

Native Bridge

  • Added refreshIamToken() JNI method in GlideNativeBridge
  • Implemented in GlideCoreClient with proper error handling

CommandManager

  • Added submitRefreshIamToken() method to handle IAM token refresh requests

Breaking changes:

  • ServerCredentials.password is no longer @NonNull (supports IAM mode)
  • Password and IAM config are mutually exclusive

Integration tests

  • IAM integration was manually verified in an AWS environment using an EC2 instance connected to an ElastiCache cluster with proper IAM authentication configured.

Issue link

This Pull Request is linked to issue (URL): #4498

Checklist

Before submitting the PR make sure the following are checked:

  • This Pull Request is related to one issue.
  • Commit message has a detailed description of what changed and why.
  • Tests are added or updated.
  • CHANGELOG.md and documentation files are updated.
  • Destination branch is correct - main or release
  • Create merge commit if merging release branch into main, squash otherwise.
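
An added sketch, not part of the PR or the project's code, of the credential rules listed in the description above: password and IAM config are mutually exclusive, IAM mode requires a username, and password updates are refused under IAM. The record field names, the exception types, the rule that one mode must be chosen, and all sample values are assumptions made for illustration.

```java
public class CredentialModesSketch {
    enum ServiceType { ELASTICACHE, MEMORYDB }

    // Hypothetical stand-in for the PR's IamAuthConfig; field names are assumed.
    record IamAuthConfig(String clusterName, ServiceType service, String region,
                         Integer refreshIntervalSeconds) {
        IamAuthConfig {
            if (clusterName == null || clusterName.isBlank() || service == null
                    || region == null || region.isBlank())
                throw new IllegalArgumentException("clusterName, service and region are required");
            if (refreshIntervalSeconds != null && refreshIntervalSeconds <= 0)
                throw new IllegalArgumentException("refresh interval must be positive");
        }
    }

    // Exactly one of password / iamConfig; IAM mode also needs a username.
    record ServerCredentials(String username, String password, IamAuthConfig iamConfig) {
        ServerCredentials {
            if (password != null && iamConfig != null)
                throw new IllegalArgumentException("password and iamConfig are mutually exclusive");
            if (password == null && iamConfig == null) // assumption: one mode must be chosen
                throw new IllegalArgumentException("set either password or iamConfig");
            if (iamConfig != null && (username == null || username.isBlank()))
                throw new IllegalArgumentException("IAM authentication requires a username");
        }
        boolean usesIam() { return iamConfig != null; }
    }

    // Guard described for updateConnectionPassword(): refuse password changes in IAM mode.
    // IllegalStateException stands in for the client's ConfigurationError.
    static void updateConnectionPassword(ServerCredentials creds, String newPassword) {
        if (creds.usesIam())
            throw new IllegalStateException("password update not allowed with IAM authentication");
        System.out.println("password update accepted for password-based credentials");
    }

    static boolean rejected(Runnable action) {
        try { action.run(); return false; } catch (RuntimeException e) { return true; }
    }

    public static void main(String[] args) {
        // Constructed sample values.
        IamAuthConfig iam = new IamAuthConfig("example-cluster", ServiceType.ELASTICACHE, "us-east-1", null);
        ServerCredentials iamCreds = new ServerCredentials("example-user", null, iam);
        System.out.println("both modes rejected: " + rejected(() -> new ServerCredentials("example-user", "pw", iam)));
        System.out.println("IAM without username rejected: " + rejected(() -> new ServerCredentials(null, null, iam)));
        System.out.println("password update under IAM rejected: " + rejected(() -> updateConnectionPassword(iamCreds, "pw")));
        updateConnectionPassword(new ServerCredentials(null, "pw", null), "new-pw");
    }
}
```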

- Add IamAuthConfig and ServiceType for IAM configuration
- Update ServerCredentials to support both password and IAM auth modes
- Add refreshIamToken() method to BaseClient for manual token refresh
- Prevent updateConnectionPassword() when using IAM authentication
- Add native bridge method for IAM token refresh
- Update ConnectionManager to handle IAM credentials in protobuf
- Add unit tests for ServerCredentials validation

Breaking changes:
- ServerCredentials.password is no longer @NonNull (supports IAM mode)
- Password and IAM config are mutually exclusive

Signed-off-by: affonsov <[email protected]>
@affonsov affonsov requested a review from a team as a code owner October 17, 2025 18:28
@affonsov affonsov changed the title from "feat(java): Add IAM authentication support for ElastiCache/MemoryDB" to "JAVA: Add IAM authentication support for ElastiCache/MemoryDB" Oct 17, 2025
fixed documentation
refactored refreshItervalSeconds to be similar to the other clients

Signed-off-by: affonsov <[email protected]>
@currantw currantw left a comment

Looks good to me! 🎉
Thanks for addressing my comments.
