Creating a user
Yandex Managed Service for Valkey™ can create Valkey™ users and configure their permissions for commands, keys, and Pub/Sub channels in the cluster using Valkey™ access control lists (ACLs).
Valkey™ ACLs address two primary objectives:
- Ensure security by enforcing fine-grained access to commands and keys.
- Prevent accidental errors caused by user actions or software failures.
Creating a cluster automatically creates a default user. This user can access all keys and Pub/Sub channels in the cluster and can run all commands except administrative ones. You can view the user’s detailed permissions in the user info.
Creating a user
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
To create a Valkey™ user:
-
See the description of the CLI command for creating a user:
yc managed-redis user create --help -
Run this command to create a user (our example lists only some flags):
yc managed-redis user create <username> \ --cluster-id=<cluster_ID> \ --password="<user_password>" \ --disabled \ --raw="<permissions>" \ --categories="<permissions_for_command_categories>" \ --commands="<permissions_for_commands>" \ --patterns="<permissions_for_key_patterns>" \ --pub-sub-channels="<permissions_for_channels>" \ --sanitize-payload=<data_cleanup>Where:
-
--cluster-id: Cluster ID.You can get the cluster ID with the list of clusters in the folder.
-
--password: User password. It must be from 8 to 128 characters long. -
--disabled: Disables the user. The default value isfalse. -
--raw: String of space-separated permissions. Also, the string must set the user status:on: User is enabled.off: User is disabled.
Example:
on ~data:* &* +@set +@hash +get +set.Note
The
--rawflag cannot be used with separate permission flags or with--disabled. -
--categories: String of space-separated permissions for command categories. -
--commands: String of space-separated permissions for commands. -
--patterns: String of space-separated permissions for key patterns. -
--pub-sub-channels: String of space-separated permissions for Pub/Sub channels. -
--sanitize-payload: Data cleanup. The possible values are:sanitize-payload: Data cleanup is enabled. This is the default value.skip-sanitize-payload: Data cleanup is disabled.
Note
The user cannot get permissions for administrative commands of the
+@admincategory and certain commands.For more information about access control lists, see this Valkey™ ACL guide.
-
-
Open the current Terraform configuration file describing your infrastructure.
To learn how to create this file, see Creating a cluster.
-
To create a user, add the
yandex_mdb_redis_userresource:resource "yandex_mdb_redis_user" "<local_resource_name>" { cluster_id = <cluster_ID> name = "<username>" passwords = ["<user_password>"] enabled = <user_status> permissions = { categories = "<permissions_for_command_categories>" commands = "<permissions_for_commands>" patterns = "<permissions_for_key_patterns>" pub_sub_channels = "<permissions_for_channels>" sanitize_payload = "<data_cleanup>" } }Where:
-
cluster_id: Cluster ID. -
name: Username. -
passwords: Password. It must be from 8 to 128 characters long.You can specify only one password.
-
enabled: User status. The possible values are:true: User is enabled.false: User is disabled.
-
permissions: User permission settings:-
categories: String of space-separated permissions for command categories. -
commands: String of space-separated permissions for commands. -
patterns: String of space-separated permissions for key patterns. -
pub_sub_channels: String of space-separated permissions for Pub/Sub channels. -
sanitize_payload: Data cleanup. The possible values are:sanitize-payload: Data cleanup is enabled. This is the default value.skip-sanitize-payload: Data cleanup is disabled.
Note
The user cannot get permissions for administrative commands of the
+@admincategory and certain commands.For more information about access control lists, see this Valkey™ ACL guide.
-
-
-
Validate your configuration.
-
In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
-
Run this command:
terraform validateTerraform will show any errors found in your configuration files.
-
-
Confirm resource changes.
-
Run this command to view the planned changes:
terraform planIf you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
-
If everything looks correct, apply the changes:
-
Run this command:
terraform apply -
Confirm updating the resources.
-
Wait for the operation to complete.
-
-
-
Make sure the user is created by running this CLI command:
yc managed-redis user get <username> \ --cluster-id=<cluster_ID>Learn more on how to get information about a user here.
Timeouts
The Terraform provider sets the following timeouts for Yandex Managed Service for Valkey™ cluster operations:
- Creating a cluster, including by restoring it from a backup: 15 minutes.
- Editing a cluster: 60 minutes.
- Deleting a cluster: 15 minutes.
Operations exceeding the timeout are aborted.
How do I change these limits?
Add the timeouts section to your cluster description, such as the following:
resource "yandex_mdb_redis_cluster_v2" "<cluster_name>" {
...
timeouts {
create = "1h30m" # 1 hour 30 minutes
update = "2h" # 2 hours
delete = "30m" # 30 minutes
}
}
-
Get an IAM token for API authentication and place it in an environment variable:
export IAM_TOKEN="<IAM_token>" -
Create a file named
body.jsonand paste the following code into it:{ "userSpec": { "name": "<username>", "passwords": [ "<user_password>" ], "permissions": { "patterns": "<permissions_for_key_patterns>", "pubSubChannels": "<permissions_for_channels>", "categories": "<permissions_for_command_categories>", "commands": "<permissions_for_commands>", "sanitizePayload": "<data_cleanup>" }, "enabled": <user_status> } }Where
userSpecstands for the user settings:-
name: Username. -
passwords: Password. It must be from 8 to 128 characters long.You can specify only one password.
-
permissions: User permission settings:-
patterns: String of space-separated permissions for key patterns. -
pubSubChannels: String of space-separated permissions for Pub/Sub channels. -
categories: String of space-separated permissions for command categories. -
commands: String of space-separated permissions for commands. -
sanitizePayload: Data cleanup. The possible values are:sanitize-payload: Data cleanup is enabled. This is the default value.skip-sanitize-payload: Data cleanup is disabled.
Note
The user cannot get permissions for administrative commands of the
+@admincategory and certain commands.For more information about access control lists, see this Valkey™ ACL guide.
-
-
enabled: User status. The possible values are:true: User is enabled.false: User is disabled.
-
-
Call the User.Create method, e.g., via the following cURL request:
curl \ --request POST \ --header "Authorization: Bearer $IAM_TOKEN" \ --header "Content-Type: application/json" \ --url 'https://mdb.api.cloud.yandex.net/managed-redis/v1/clusters/<cluster_ID>/users' \ --data "@body.json"You can get the cluster ID with the list of clusters in the folder.
-
Check the server response to make sure your request was successful.
-
Get an IAM token for API authentication and place it in an environment variable:
export IAM_TOKEN="<IAM_token>" -
Clone the cloudapi repository:
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapiBelow, we assume that the repository contents reside in the
~/cloudapi/directory. -
Create a file named
body.jsonand paste the following code into it:{ "cluster_id": "<cluster_ID>", "user_spec": { "name": "<username>", "passwords": [ "<user_password>" ], "permissions": { "patterns": "<permissions_for_key_patterns>", "pub_sub_channels": "<permissions_for_channels>", "categories": "<permissions_for_command_categories>", "commands": "<permissions_for_commands>", "sanitize_payload": "<data_cleanup>" }, "enabled": <user_status> } }Where:
-
cluster_id: Cluster ID.You can get the cluster ID with the list of clusters in the folder.
-
user_spec: User settings:-
name: Username. -
passwords: Password. It must be from 8 to 128 characters long.You can specify only one password.
-
permissions: User permission settings:-
patterns: String of space-separated permissions for key patterns. -
pub_sub_channels: String of space-separated permissions for Pub/Sub channels. -
categories: String of space-separated permissions for command categories. -
commands: String of space-separated permissions for commands. -
sanitize_payload: Data cleanup. The possible values are:sanitize-payload: Data cleanup is enabled. This is the default value.skip-sanitize-payload: Data cleanup is disabled.
Note
The user cannot get permissions for administrative commands of the
+@admincategory and certain commands.For more information about access control lists, see this Valkey™ ACL guide.
-
-
enabled: User status. The possible values are:true: User is enabled.false: User is disabled.
-
-
-
Call the UserService.Create method, e.g., via the following gRPCurl request:
grpcurl \ -format json \ -import-path ~/cloudapi/ \ -import-path ~/cloudapi/third_party/googleapis/ \ -proto ~/cloudapi/yandex/cloud/mdb/redis/v1/user_service.proto \ -rpc-header "Authorization: Bearer $IAM_TOKEN" \ -d @ \ mdb.api.cloud.yandex.net:443 \ yandex.cloud.mdb.redis.v1.UserService.Create \ < body.json -
Check the server response to make sure your request was successful.