Support for Redis AWS IAM auth

[mish-elle]

Closes #8177

Background

Self-hosters running Hive on AWS with AWS ElastiCache Redis currently have no way to use IAM-based authentication for Redis connections, which forces them to use static passwords.

This PR adds opt-in AWS IAM authentication support for ElastiCache Redis across all services that communicate with Redis: api, schema, server, tokens, usage, and workflows. It also adds Redis Cluster mode support.

This PR is part of the following issue. We will have separate PRs for each IAM support to help decrease the scope per PR.

• IAM authentication support for Redis, Kafka, S3 and PG #7780

Description

The ElastiCache IAM token generation logic lives in two new modules inside service-common:

• service-common/src/iam-aws.ts: A generic AWS SigV4 pre-signed token generation and a reusable periodic token refresh timer with retry/backoff logic. This is necessary since Elasticache does not have a dedicated signer like MSK or RDS.
• service-common/src/iam-redis.ts: ElastiCache-specific helpers built on top of iam-aws. Handles token generation (generateIamAuthToken), in-place re-authentication for both standalone and cluster connections (refreshIamAuth), periodic token rotation (startIamTokenRefresh), and credential resolution (resolveRedisCredentials).

When Redis IAM auth is enabled:

1. Generates an initial token at startup using resolveRedisCredentials()
2. Connects to Redis using the token as the password and the configured Redis username
3. Starts a background refresh timer startIamTokenRefresh() that rotates the token every ~12 minutes (15-min SigV4 TTL minus 3-min buffer), with jitter to prevent thundering-herd refreshes across instances
4. On each refresh, issues AUTH commands to re-authenticate active connections (including per-node AUTH for cluster mode)

Redis Cluster mode is added as an opt-in feature REDIS_CLUSTER_MODE_ENABLED=1. When enabled, services connect using Redis.Cluster from ioredis with dnsLookup configured to pass addresses through directly (required for ElastiCache's DNS-based endpoint resolution).

Note that the underlying ioredis library does not support dynamic passwords, so using a token refresh timer is the workaround for now until ioredis supports dynamic passwords.

• feat(auth): add support for function for password redis/ioredis#2039

New environment variables introduced

Variable	Required	Description
AWS_REGION	No	Default AWS region for the service. Used as the fallback for all AWS connections.
REDIS_USERNAME	No	Redis Access Control List username.
REDIS_CLUSTER_MODE_ENABLED	No	Set to 1 to connect using Redis Cluster mode.
REDIS_AWS_IAM_AUTH_ENABLED	No	Set to 1 to enable IAM authentication for Redis.
REDIS_AWS_REGION	No	Optional override for the Redis region (defaults to AWS_REGION).
REDIS_AWS_IAM_CACHE_NAME	No	ElastiCache cache name used as the hostname for the SigV4 signer. Required when IAM is enabled.

Environment Variable Validation

When REDIS_AWS_IAM_AUTH_ENABLED=1, the environment validation enforces:

• REDIS_TLS_ENABLED=1 (ElastiCache IAM requires TLS)
• REDIS_AWS_IAM_CACHE_NAME must be set
• REDIS_AWS_REGION or AWS_REGION must be set

Pnpm-lock file generation

Like MSK, the CI pipelines will fail because of the pnpm-lock file. We're downgrading dependencies and not building a few packages, due to constraints in our environment. Is it possible for a code maintainer to help us generate the pnpm-lock file?

Checklist

• Input validation
• Output encoding
• Authentication management
• Session management
• Access control
• Cryptographic practices
• Error handling and logging
• Data protection
• Communication security
• System configuration
• Database security
• File management
• Memory management
• Testing

[gemini-code-assist]

Code Review

This pull request introduces opt-in AWS IAM authentication for ElastiCache Redis connections and supports Redis Cluster mode across multiple services. The reviewer identified critical issues where the PubSub subscriber Redis clients in both the server and workflows services are not registered for IAM token refresh, which will cause subscription failures after the initial 15-minute token expires. Additionally, the reviewer noted that if the AUTH command fails during a refresh, the password is not updated, potentially leading to permanent authentication failures upon reconnection. Lastly, unreferencing the interval timer in startTokenRefreshTimer was suggested to prevent blocking clean process termination during graceful shutdowns.

[n1ru4l]

Thank you for the contribution, could you please address the comments I pointed out? Things are getting a bit too much duplicated and I would prefer a central place where we manage these.

[mish-elle]

Hey @n1ru4l sorry about the delay,

• All redis client creation is abstracted to service-commons/redis-client.ts createRedisClient() function.
• Redis validations happens on service-commons/redis-config-validation.ts
• Additionally, while I was removing all direct ioredis imports there's a ioredis version mismatch between the ioredis bentocache is expecting, 5.10.1, and the version that the repo uses, 5.8.2, which causes issues during runtime connection timeouts on bentocache falling back to localhost. For now I've added an pnpm override since I wasn't sure if you wanted to handle the ioredis upgrade in another git issue/PR.

[n1ru4l]

@mish-elle Please feel free to bump the ioredis version to 5.10.1 instead of using the override.

[n1ru4l]

Hey @mish-elle, I have some more feedback for you that I would like to see implemented. Aside from these points the implementation looks solid to me. 🙏

[mish-elle]

Hey @mish-elle, I have some more feedback for you that I would like to see implemented. Aside from these points the implementation looks solid to me. 🙏

Thanks for the detailed feedback, @n1ru4l! I believed I addressed everything mentioned, please let me know if we need additional changes.

[n1ru4l]

@mish-elle Thank you, we are close to getting this in! 🥳 Could you please have a stab at the typescript and linting issues?

[n1ru4l]

@mish-elle I added two more comments:

• one for cluster error handling
• one alternative proposal for the abort logic

Once these two are addressed, we are good to merge 👍

[mish-elle]

Actually there seems to be a minor issue with the subscriber reconnecting with a stale token, causing WRONG user/pass pair error and the container crashes, looking into it 🤔

[mish-elle]

Actually there seems to be a minor issue with the subscriber reconnecting with a stale token, causing WRONG user/pass pair error and the container crashes, looking into it 🤔

Cluster.nodes('all') delegates to ConnectionPool.getNodes(), which only returns pool nodes discovered via CLUSTER SLOTS, it never includes the ClusterSubscriber's internal Redis, which is created separately with password: options.password (a value copy) and stored in this.subscriber.

This means refreshIamAuth's loop over nodes('all') never updates the subscriber's password, so after a disconnect it reconnects with the stale startup token -> WRONGPASS -> crash. We'll add getClusterSubscriberInstance() to access the internal subscriber and update its options.password directly (since AUTH can't be sent to a connection in SUBSCRIBE mode).

[dotansimha]

Thanks @mish-elle ! I approved the PR, it seems like it needs a slight rebase and then we can run ci and merge :)

[dotansimha]

Thanks @mish-elle , I ran the full ci checks in #8177 , once cleared, i'll merge this one :)