Trying to connect to AWS ElastiCache (Valkey engine, serverless, version 8.0) from my Java Spring Boot application. JDK 17 and Spring Boot version 3.2.5.
Using the Lettuce client to connect to the Valkey cache (https://docs.aws.amazon.com/pdfs/AmazonElastiCache/latest/dg/redis-ug.pdf#BestPractices.Clients-lettuce).
Below is the code snippet I am using, which fails at the line "client.connect()":
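    import com.amazonaws.auth.AWSCredentialsProvider;
    import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
    import io.lettuce.core.RedisClient;
    import io.lettuce.core.RedisURI;
    import io.lettuce.core.api.StatefulRedisConnection;
    import io.lettuce.core.api.sync.RedisStringCommands;
    // IAMAuthTokenRequest: token-signing helper class, not shown in the question.

    public void readLettuceCacheAuth() {
        try {
            // Sign a short-lived IAM auth token with the credentials of the running task.
            AWSCredentialsProvider awsCredentialsProvider = new DefaultAWSCredentialsProviderChain();
            IAMAuthTokenRequest iamAuthTokenRequest = new IAMAuthTokenRequest("iam-user-valkey-01", "my-cache", "us-east-1", true);
            String iamAuthToken = iamAuthTokenRequest.toSignedRequestUri(awsCredentialsProvider.getCredentials());
            // This writes the signed token, including the session token, to the log.
            log.info("iamAuthToken: " + iamAuthToken);
            // TLS connection; the IAM token is sent as the password for the cache user.
            RedisURI redisURI = RedisURI.builder()
                    .withHost(VALKEY_CACHE_HOST)
                    .withPort(VALKEY_CACHE_PORT)
                    .withSsl(true)
                    .withAuthentication("iam-user-valkey-01", iamAuthToken)
                    .build();
            RedisClient client = RedisClient.create(redisURI);
            log.info("client => " + client);
            StatefulRedisConnection<String, String> connection = client.connect(); // <== exception at this line
            log.info("connection => " + connection);
            RedisStringCommands<String, String> syncCommands = connection.sync();
            syncCommands.set("key", "value");
            String value = syncCommands.get("key");
        } catch (Exception e) {
            log.error("Lettuce error: " + e);
        }
    }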
Below are the logs:
iamAuthToken: my-cache/?Action=connect&User=iam-user-valkey-01&ResourceType=ServerlessCache&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEOv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDmFwLXNvdXRoZWFzdC0yIkcwRQIhAO9SJdccIXP2Y2VDj0WxEqdCLQDLMUTbH8IRnbAS11QmAiAOjS
client => io.lettuce.core.RedisClient@504021e
Lettuce error: io.lettuce.core.RedisConnectionException: Unable to connect to my-cache-fpheum.serverless.apse2.cache.amazonaws.com/<unresolved>:6379
Both the cache and the Spring Boot application are in the same VPC.
Updated the cache's security group inbound rules to allow the Java application on port 6379.
Can someone please help with what is going wrong here?
- I mean the error you posted says <unresolved>. So check the hostname is correct? – Winson Tanputraman, Jan 23, 2025 at 6:43
- I copied the host name (ElastiCache Endpoint) from AWS, which is => "my-cache-fpheum.serverless.apse2.cache.amazonaws.com". I don't know why it says 'Unresolved'. – alex, Jan 23, 2025 at 21:50
- Yup, can you double triple check this? Because I tried nslookup on your domain on my end and I also got unresolved (and just to clarify, I know your Redis is probably not open to the internet, but usually the ElastiCache domain is resolvable by anyone on the internet--even my customer's production private ElastiCache cluster has DNS that is resolvable by anyone). – Winson Tanputraman, Jan 24, 2025 at 1:32
- Is the user name the same as the user id? – avifen, Jan 28, 2025 at 23:54
- @avifen yes same. – alex, Jan 29, 2025 at 9:11
1 Answer
I got it working after correcting the below:
- Adding the below policies to the ECS task role:

      // Named policy document granting elasticache:Connect on both the cache and the cache user
      AllowElasticacheConnect: new iam.PolicyDocument({
        statements: [
          new iam.PolicyStatement({
            actions: ['elasticache:Connect'],
            effect: iam.Effect.ALLOW,
            resources: [
              `arn:aws:elasticache:ap-southeast-2:${this.account}:serverlesscache:my-cache`,
              `arn:aws:elasticache:ap-southeast-2:${this.account}:user:iam-user-valkey-01`,
            ]
          }),
        ],
      })

- Updating the security group of the Valkey cache and adding inbound rules to allow the Java app
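
An added troubleshooting sketch, not code from the question or the answer: using only the JDK, it checks the layers this thread touches one at a time (name resolution, the security-group path to port 6379, TLS) and shows how to surface the innermost cause that `"Lettuce error: " + e` leaves out. The class name, method names and the default host are assumptions; the `elasticache:Connect` permission from the answer is only exercised at the later AUTH step, which this check does not reach.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
// Added example; CachePreflight and its method names are hypothetical.
public class CachePreflight {
    /** Returns the first layer that fails ("DNS", "TCP", "TLS") or "OK" if all three pass. */
    static String firstFailingLayer(String host, int port, int timeoutMs) {
        try {
            InetAddress.getByName(host);              // 1. does the endpoint name resolve from here?
        } catch (UnknownHostException e) {
            return "DNS";
        }
        try (Socket tcp = new Socket()) {
            // 2. security group / routing: a blocked port typically shows up as a timeout here
            tcp.connect(new InetSocketAddress(host, port), timeoutMs);
            tcp.setSoTimeout(timeoutMs);              // bound the handshake reads as well
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            try (SSLSocket tls = (SSLSocket) factory.createSocket(tcp, host, port, true)) {
                tls.startHandshake();                 // 3. TLS, matching withSsl(true) in the client
            } catch (IOException e) {
                return "TLS";
            }
        } catch (IOException e) {
            return "TCP";
        }
        return "OK";
    }

    /** Innermost cause of an exception chain; concatenating the exception logs only the outermost. */
    static String rootCause(Throwable t) {
        Throwable cur = t;
        while (cur.getCause() != null && cur.getCause() != cur) {
            cur = cur.getCause();
        }
        return cur.getClass().getName() + ": " + cur.getMessage();
    }
    public static void main(String[] args) {
        // Constructed inputs: placeholder host (pass the real endpoint and port as arguments)
        // and a sample exception chain standing in for a wrapped connection failure.
        String host = args.length > 0 ? args[0] : "cache.example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 6379;
        System.out.println("first failing layer: " + firstFailingLayer(host, port, 3000));
        Exception wrapped = new RuntimeException("Unable to connect", new IOException("constructed inner cause"));
        System.out.println("root cause: " + rootCause(wrapped));
    }
}
```

Run it from the same task or host as the application, since DNS and security-group results depend on where the check originates. Lettuce hands the address to its transport unresolved, so `<unresolved>` in the exception text does not by itself show a DNS failure; the exception's cause chain carries the actual reason.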