---
layout: docs
page_title: Redis ElastiCache - Database - Secrets Engines
description: |-
  Redis ElastiCache is one of the supported plugins for the database secrets engine.
  This plugin generates static credentials for existing managed roles.
---

# Redis ElastiCache Database Secrets Engine

Redis ElastiCache is one of the supported plugins for the database secrets engine.
This plugin generates static credentials for existing managed roles.

See the [database secrets engine](/docs/secrets/databases) docs for
more information about setting up the database secrets engine.

## Capabilities

| Plugin Name                             | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization |
| --------------------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |
| `redis-elasticache-database-plugin`     | No                       | No            | Yes          | No                     |

## Setup

1.  Enable the database secrets engine if it is not already enabled:

  ```shell-session
  $ vault secrets enable database
  Success! Enabled the database secrets engine at: database/
  ```

  By default, the secrets engine will enable at the name of the engine. To
  enable the secrets engine at a different path, use the `-path` argument.

1.  Configure Vault with the proper plugin and connection configuration:

  ```shell-session
  $ vault write database/config/my-redis-elasticache-cluster \
    plugin_name="redis-elasticache-database-plugin" \
    url="primary-endpoint.my-cluster.xxx.yyy.cache.amazonaws.com:6379" \
    username="AKI***" \
    password="ktriNYvULAWLzUmTGb***" \
    allowed_roles="*"
  ```

~> **Note**: The username and password parameters are optional. If omitted, authentication falls back on the AWS credentials provider chain.
  Using a [temporary credential](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) stored in the proper environment
  variable is the preferred configuration method.

## Usage

After the secrets engine is configured, write static roles to enable generating credentials.

### Static roles

1.  Configure a static role that maps a name in Vault to an existing Redis ElastiCache user.

  ```shell-session
  $ vault write database/static-roles/my-static-role \
      db_name="my-redis-elasticache-cluster" \
      username="my-existing-redis-user" \
      rotation_period=5m
  Success! Data written to: database/static-roles/my-static-role
  ```

1.  Retrieve the credentials from the `/static-creds` endpoint:

  ```shell-session
  $ vault read database/static-creds/my-static-role
  Key                    Value
  ---                    -----
  last_vault_rotation    2022-09-14T11:45:57.24715105-04:00
  password               GKdS6qY-UtVAMpcD9iuu
  rotation_period        5m
  ttl                    4m48s
  username               my-existing-redis-user
  ```

~> **Note**: New passwords may take up-to a couple of minutes before ElastiCache has the chance to complete their configuration.
  It is recommended to use a retry strategy when establishing new Redis ElastiCache connections. This may prevent errors when
  trying to use a password that isn't yet live on the targeted ElastiCache cluster.

## API

The full list of configurable options can be seen in the [Redis ElastiCache Database Plugin API](/api-docs/secret/databases/rediselasticache) page.

For more information on the database secrets engine's HTTP API please see the [Database Secrets Engine API](/api-docs/secret/databases) page.