Creating a user
Yandex Managed Service for Valkey™ can create Valkey™ users and configure their permissions for commands, keys, and Pub/Sub channels in the cluster using Valkey™ access control lists (ACLs).
Valkey™ ACLs address two primary objectives:
- Ensure security by enforcing fine-grained access control to commands and keys.
- Prevent accidental errors caused by user actions or software failures.
Creating a cluster automatically creates a default user. This user has permissions to access all keys and Pub/Sub channels in the cluster and can execute all commands except administrative ones. You can view the user's detailed permissions in the user info.
Creating a user
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
To create a Valkey™ user:
-
View the description of the CLI command to create s user:
yc managed-redis user create --help -
To create a user, run the command below. Note that some flags are omitted:
yc managed-redis user create <username> \ --cluster-id=<cluster_ID> \ --password="<user_password>" \ --disabled \ --raw="<permissions>" \ --categories="<permissions_for_command_categories>" \ --commands="<permissions_for_commands>" \ --patterns="<permissions_for_key_templates>" \ --pub-sub-channels="<permissions_for_channels>" \ --sanitize-payload=<data_cleanup>Where:
-
--cluster-id: Cluster ID.You can get the cluster ID with the list of clusters in the folder.
-
--password: Password. The password must be from 8 to 128 characters long. -
--disabled: Disables the user. The default value isfalse. -
--raw: String of space-separated permissions. Also, the string must set the user status:on: User is enabled.off: User is disabled.
Example:
on ~data:* &* +@set +@hash +get +set.Note
The
--rawflag cannot be used with separate permission flags or with--disabled. -
--categories: String of space-separated permissions for command categories. -
--commands: String of space-separated permissions for commands. -
--patterns: String of space-separated permissions for key templates. -
--pub-sub-channels: String of space-separated permissions for Pub/Sub channels. -
--sanitize-payload: Data cleanup. The possible values are:sanitize-payload: Data cleanup is enabled. This is the default value.skip-sanitize-payload: Data cleanup is disabled.
Note
The user cannot get permissions for administrative commands of the
+@admincategory and some commands.For more information about access control lists, see this Valkey™ ACL guide.
-
-
Open the current Terraform configuration file describing your infrastructure.
For more information about creating this file, see this guide.
-
To create a user, add the
yandex_mdb_redis_userresource:resource "yandex_mdb_redis_user" "<local_resource_name>" { cluster_id = <cluster_ID> name = "<username>" passwords = ["<user_password>"] enabled = <user_status> permissions = { categories = "<permissions_for_command_categories>" commands = "<permissions_for_commands>" patterns = "<permissions_for_key_templates>" pub_sub_channels = "<permissions_for_channels>" sanitize_payload = "<data_cleanup>" } }Where:
-
cluster_id: Cluster ID. -
name: Username. -
passwords: Password. The password must be from 8 to 128 characters long.You can specify only one password.
-
enabled: User status. The possible values are:true: User is enabled.false: User is disabled.
-
permissions: User permission settings:-
categories: String of space-separated permissions for command categories. -
commands: String of space-separated permissions for commands. -
patterns: String of space-separated permissions for key templates. -
pub_sub_channels: String of space-separated permissions for Pub/Sub channels. -
sanitize_payload: Data cleanup. The possible values are:sanitize-payload: Data cleanup is enabled. This is the default value.skip-sanitize-payload: Data cleanup is disabled.
Note
The user cannot get permissions for administrative commands of the
+@admincategory and some commands.For more information about access control lists, see this Valkey™ ACL guide.
-
-
-
Validate your configuration.
-
In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
-
Run this command:
terraform validateTerraform will show any errors found in your configuration files.
-
-
Confirm resource changes.
-
Run this command to view the planned changes:
terraform planIf you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
-
If everything looks correct, apply the changes:
-
Run this command:
terraform apply -
Confirm updating the resources.
-
Wait for the operation to complete.
-
-
-
Make sure the user is created by running this CLI command:
yc managed-redis user get <username> \ --cluster-id=<cluster_ID>Learn more on how to get information about a user here.
Time limits
A Terraform provider sets the timeout for Yandex Managed Service for Valkey™ cluster operations:
- Creating a cluster, including by restoring one from a backup: 15 minutes.
- Editing a cluster: 60 minutes.
- Deleting a cluster: 15 minutes.
Operations exceeding the set timeout are interrupted.
How do I change these limits?
Add the timeouts block to the cluster description, for example:
resource "yandex_mdb_redis_cluster" "<cluster_name>" {
...
timeouts {
create = "1h30m" # 1 hour 30 minutes
update = "2h" # 2 hours
delete = "30m" # 30 minutes
}
}
-
Get an IAM token for API authentication and save it as an environment variable:
export IAM_TOKEN="<IAM_token>" -
Create a file named
body.jsonand paste the following code into it:{ "userSpec": { "name": "<username>", "passwords": [ "<user_password>" ], "permissions": { "patterns": "<permissions_for_key_templates>", "pubSubChannels": "<permissions_for_channels>", "categories": "<permissions_for_command_categories>", "commands": "<permissions_for_commands>", "sanitizePayload": "<data_cleanup>" }, "enabled": <user_status> } }Where
userSpecrepresents the user settings:-
name: Username. -
passwords: Password. The password must be from 8 to 128 characters long.You can specify only one password.
-
permissions: User permission settings:-
patterns: String of space-separated permissions for key templates. -
pubSubChannels: String of space-separated permissions for Pub/Sub channels. -
categories: String of space-separated permissions for command categories. -
commands: String of space-separated permissions for commands. -
sanitizePayload: Data cleanup. The possible values are:sanitize-payload: Data cleanup is enabled. This is the default value.skip-sanitize-payload: Data cleanup is disabled.
Note
The user cannot get permissions for administrative commands of the
+@admincategory and some commands.For more information about access control lists, see this Valkey™ ACL guide.
-
-
enabled: User status. The possible values are:true: User is enabled.false: User is disabled.
-
-
Use the User.Create method and send the following request, e.g., via cURL:
curl \ --request POST \ --header "Authorization: Bearer $IAM_TOKEN" \ --header "Content-Type: application/json" \ --url 'https://mdb.api.cloud.yandex.net/managed-redis/v1/clusters/<cluster_ID>/users' \ --data "@body.json"You can get the cluster ID with the list of clusters in the folder.
-
Check the server response to make sure your request was successful.
-
Get an IAM token for API authentication and save it as an environment variable:
export IAM_TOKEN="<IAM_token>" -
Clone the cloudapi repository:
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapiBelow, we assume the repository contents are stored in the
~/cloudapi/directory. -
Create a file named
body.jsonand paste the following code into it:{ "cluster_id": "<cluster_ID>", "user_spec": { "name": "<username>", "passwords": [ "<user_password>" ], "permissions": { "patterns": "<permissions_for_key_templates>", "pub_sub_channels": "<permissions_for_channels>", "categories": "<permissions_for_command_categories>", "commands": "<permissions_for_commands>", "sanitize_payload": "<data_cleanup>" }, "enabled": <user_status> } }Where:
-
cluster_id: Cluster ID.You can get the cluster ID with the list of clusters in the folder.
-
user_spec: User settings:-
name: Username. -
passwords: Password. The password must be from 8 to 128 characters long.You can specify only one password.
-
permissions: User permission settings:-
patterns: String of space-separated permissions for key templates. -
pub_sub_channels: String of space-separated permissions for Pub/Sub channels. -
categories: String of space-separated permissions for command categories. -
commands: String of space-separated permissions for commands. -
sanitize_payload: Data cleanup. The possible values are:sanitize-payload: Data cleanup is enabled. This is the default value.skip-sanitize-payload: Data cleanup is disabled.
Note
The user cannot get permissions for administrative commands of the
+@admincategory and some commands.For more information about access control lists, see this Valkey™ ACL guide.
-
-
enabled: User status. The possible values are:true: User is enabled.false: User is disabled.
-
-
-
Use the UserService.Create call and send the following request, e.g., via gRPCurl:
grpcurl \ -format json \ -import-path ~/cloudapi/ \ -import-path ~/cloudapi/third_party/googleapis/ \ -proto ~/cloudapi/yandex/cloud/mdb/redis/v1/user_service.proto \ -rpc-header "Authorization: Bearer $IAM_TOKEN" \ -d @ \ mdb.api.cloud.yandex.net:443 \ yandex.cloud.mdb.redis.v1.UserService.Create \ < body.json -
View the server response to make sure your request was successful.