Skip to main content

Requirements

Networking

Certain ports must be accessible to connect to Formal Resources. You can listen on multiple ports simultaneously for various Resources. For accessing Redis, you may assign any port except 8080 (Connector’s health check port). Ensure your security groups are configured to allow traffic on the designated port.

Connect to Redis

redis-cli

To connect using redis-cli, execute the following command:
redis-cli -h CONNECTOR_HOSTNAME -p PORT -a FORMAL_PASSWORD
Make sure to replace CONNECTOR_HOSTNAME, PORT, and FORMAL_PASSWORD with the right values. To learn more about users, check out Native Users.
You can access your Formal Credentials in the Formal console.
You are free to use any preferred client.

Redis Cluster

Formal supports Redis Cluster when clients connect to the Connector over TLS. Cluster nodes often advertise private addresses in redirects and topology replies. The Connector rewrites those addresses to Connector hostnames and routes reconnects to the right node using SNI. The Resource hostname should be the cluster endpoint, or another stable seed endpoint that returns cluster topology. Any cluster-aware Redis client should work.
redis-cli -c cannot be used with Connector-routed Redis Cluster today. It applies one --sni value across cluster-mode reconnects, but the Connector routes each node reconnect using that node’s rewritten hostname. See the related redis-cli cluster redirect issue.

IAM authentication (Amazon ElastiCache)

Formal can authenticate to Amazon ElastiCache (Valkey 7.2+ or Redis OSS 7+) using AWS IAM. The Connector generates a short-lived IAM authentication token and sends it as the password in the upstream AUTH command. Create an ElastiCache user with its authentication mode set to IAM, and set the Formal native user’s username to that ElastiCache user id. Configure the Redis Native User to use IAM authentication:
  • AWS IAM: the Connector signs the token with the IAM role of its running environment. That role is the principal and needs the elasticache:Connect permission below.
  • AWS IAM with a role to assume: provide a role ARN such as arn:aws:iam::123456789012:role/formal-redis-role. The Connector assumes that role before signing, and the assumed role is the principal that needs elasticache:Connect.
Grant the elasticache:Connect action to the IAM principal for both the cache and the user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "elasticache:Connect",
      "Resource": [
        "arn:aws:elasticache:us-east-1:123456789012:serverlesscache:<cache-name>",
        "arn:aws:elasticache:us-east-1:123456789012:user:<user-name>"
      ]
    }
  ]
}
The signing region comes from the Connector’s AWS configuration, so it must match the cache’s region.
ElastiCache requires in-transit encryption (TLS) for IAM authentication.

Policy Evaluation

Formal supports the following policy evaluation stages for Redis:
  • Session: Evaluate and enforce policies at connection time
  • Request: Evaluate and enforce policies at request time before command execution

End-user Identity Propagation

Formal supports end-user identity propagation for Redis commands. To enable this, you can use the CLIENT SETNAME command to set the end-user identity.
CLIENT SETNAME formal_enduser=example@example.com
This will set the end-user identity to example@example.com for the current connection.