> ## Documentation Index
> Fetch the complete documentation index at: https://docs.formal.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Redis

> How to connect to a Redis Resource using the Formal Connector

## Requirements

### Networking

Certain ports must be accessible to connect to Formal Resources. You can listen on multiple ports simultaneously for various Resources.

For accessing Redis, you may assign any port except 8080 (Connector's health check port). Ensure your security groups are configured to allow traffic on the designated port.

## Connect to Redis

### redis-cli

To connect using redis-cli, execute the following command:

```bash theme={null}
redis-cli -h CONNECTOR_HOSTNAME -p PORT -a FORMAL_PASSWORD
```

Make sure to replace `CONNECTOR_HOSTNAME`, `PORT`, and `FORMAL_PASSWORD` with the right values. To learn more about users, check out [Native Users](/docs/guides/core-concepts/resources/native_users).

<Note>
  You can access your Formal Credentials in the [Formal
  console](https://app.formal.ai).
</Note>

<Note>You are free to use any preferred client.</Note>

### Redis Cluster

Formal supports Redis Cluster when clients connect to the Connector over TLS. Cluster nodes often advertise private addresses in redirects and topology replies. The Connector rewrites those addresses to Connector hostnames and routes reconnects to the right node using SNI.

The Resource hostname should be the cluster endpoint, or another stable seed endpoint that returns cluster topology. Any cluster-aware Redis client should work.

<Warning>
  `redis-cli -c` cannot be used with Connector-routed Redis Cluster today. It applies one `--sni` value across cluster-mode reconnects, but the Connector routes each node reconnect using that node's rewritten hostname. See the related [redis-cli cluster redirect issue](https://github.com/redis/redis/issues/12266).
</Warning>

### IAM authentication (Amazon ElastiCache)

Formal can authenticate to Amazon ElastiCache (Valkey 7.2+ or Redis OSS 7+) using AWS IAM. The Connector generates a short-lived IAM authentication token and sends it as the password in the upstream `AUTH` command.

Create an ElastiCache user with its authentication mode set to IAM, and set the Formal native user's username to that ElastiCache user id.

Configure the Redis [Native User](/docs/guides/core-concepts/resources/native_users) to use IAM authentication:

* **AWS IAM**: the Connector signs the token with the IAM role of its running environment. That role is the principal and needs the `elasticache:Connect` permission below.
* **AWS IAM with a role to assume**: provide a role ARN such as `arn:aws:iam::123456789012:role/formal-redis-role`. The Connector assumes that role before signing, and the assumed role is the principal that needs `elasticache:Connect`.

Grant the `elasticache:Connect` action to the IAM principal for both the cache and the user:

```json theme={null}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "elasticache:Connect",
      "Resource": [
        "arn:aws:elasticache:us-east-1:123456789012:serverlesscache:<cache-name>",
        "arn:aws:elasticache:us-east-1:123456789012:user:<user-name>"
      ]
    }
  ]
}
```

The signing region comes from the Connector's AWS configuration, so it must match the cache's region.

<Note>ElastiCache requires in-transit encryption (TLS) for IAM authentication.</Note>

## Policy Evaluation

Formal supports the following policy evaluation stages for Redis:

* **Session**: Evaluate and enforce policies at connection time
* **Request**: Evaluate and enforce policies at request time before command execution

## End-user Identity Propagation

Formal supports end-user identity propagation for Redis commands. To enable this, you can use the `CLIENT SETNAME` command to set the end-user identity.

```
CLIENT SETNAME formal_enduser=example@example.com
```

This will set the end-user identity to `example@example.com` for the current connection.
