Kong · cloudjumpercat · Dec 15, 2025 · Nov 26, 2025 · Nov 26, 2025 · Nov 26, 2025
diff --git a/.github/styles/base/Dictionary.txt b/.github/styles/base/Dictionary.txt
@@ -935,6 +935,7 @@ Valero
 Valero
 validator
 validators
+Valkey
 vararg
 vc
 viewport

diff --git a/app/_includes/plugins/redis-cloud-auth.md b/app/_includes/plugins/redis-cloud-auth.md
@@ -0,0 +1,224 @@
+## Using cloud authentication with Redis {% new_in 3.13 %}
+
+Starting in {{site.base_gateway}} 3.13, you can authenticate with a cloud Redis provider for your Redis strategy. This allows you to seamlessly rotate credentials without relying on static passwords. 
+
+The following providers are supported:
+* AWS ElastiCache
+* Azure Managed Redis
+* Google Cloud Memorystore (with or without Valkey)
+
+Each provider also supports an instance and cluster configuration.
+
+{:.warning}
+> **Important:** {{site.base_gateway}} open source plugins do not support any Redis cloud provider cluster configurations.
+
+To configure cloud authentication with Redis, add the following parameters to your plugin configuration:
+
+{% navtabs "providers" %}
+{% navtab "AWS instance" %}
+
+You need:
+* A running Redis instance on an [AWS ElastiCache instance](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html) for Valkey 7.2 or later or ElastiCache for Redis OSS version 7.0 or later
+* The [ElastiCache user needs to set "Authentication mode" to "IAM"](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup)
+* The following policy assigned to the IAM user/IAM role that is used to connect to the ElastiCache:
+  ```json
+  {
+      "Version": "2012-10-17",
+      "Statement": [
+          {
+              "Effect": "Allow",
+              "Action": [
+                  "elasticache:Connect"
+              ],
+              "Resource": [
+                  "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE",
+                  "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE_USER"
+              ]
+          }
+      ]
+  }
+  ```
+
+```yaml
+config:
+  storage: redis
+  storage_config:
+    redis:
+      host: $INSTANCE_ADDRESS
+      username: $INSTANCE_USERNAME
+      port: 6379
+      cloud_authentication:
+        auth_provider: aws
+        aws_cache_name: $AWS_CACHE_NAME
+        aws_is_serverless: false
+        aws_region: $AWS_REGION
+        aws_access_key_id: $AWS_ACCESS_KEY_ID
+        aws_secret_access_key: $AWS_ACCESS_SECRET_KEY
+```
+
+Replace the following with your actual values:
+* `$INSTANCE_ADDRESS`: The ElastiCache instance address.
+* `$INSTANCE_USERNAME`: The ElastiCache username with [IAM Auth mode configured](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup).
+* `$AWS_CACHE_NAME`: Name of your AWS ElastiCache instance.
+* `$AWS_REGION`: Your AWS ElastiCache instance region.
+* `$AWS_ACCESS_KEY_ID`: (Optional) Your AWS access key ID. 
+* `$AWS_ACCESS_SECRET_KEY`: (Optional) Your AWS secret access key.
+{% endnavtab %}
+{% navtab "AWS cluster" %}
+
+You need:
+* A running Redis instance on an [AWS ElastiCache cluster](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html) for Valkey 7.2 or later or ElastiCache for Redis OSS version 7.0 or later
+* The [ElastiCache user needs to set "Authentication mode" to "IAM"](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup)
+* The following policy assigned to the IAM user/IAM role that is used to connect to the ElastiCache:
+  ```json
+  {
+      "Version": "2012-10-17",
+      "Statement": [
+          {
+              "Effect": "Allow",
+              "Action": [
+                  "elasticache:Connect"
+              ],
+              "Resource": [
+                  "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE",
+                  "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE_USER"
+              ]
+          }
+      ]
+  }
+  ```
+
+```yaml
+config:
+  storage: redis
+  storage_config:
+    redis:
+      cluster_nodes:
+      - ip: $CLUSTER_ADDRESS
+        port: 6379
+      username: $CLUSTER_USERNAME
+      port: 6379
+      cloud_authentication:
+        auth_provider: aws
+        aws_cache_name: $AWS_CACHE_NAME
+        aws_is_serverless: false
+        aws_region: $AWS_REGION 
+        aws_access_key_id: $AWS_ACCESS_KEY_ID
+        aws_secret_access_key: $AWS_ACCESS_SECRET_KEY 
+```
+
+Replace the following with your actual values:
+* `$CLUSTER_ADDRESS`: The ElastiCache cluster address.
+* `$CLUSTER_USERNAME`: The ElastiCache username with [IAM Auth mode configured](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup).
+* `$AWS_CACHE_NAME`: Name of your AWS ElastiCache cluster.
+* `$AWS_REGION`: Your AWS ElastiCache cluster region.
+* `$AWS_ACCESS_KEY_ID`: (Optional) Your AWS access key ID. 
+* `$AWS_ACCESS_SECRET_KEY`: (Optional) Your AWS secret access key.
+{% endnavtab %}
+{% navtab "Azure instance" %}
+
+You need:
+* A running Redis instance on an [Azure Managed Redis instance](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication) with Entra authentication configured
+* Add the [user/service principal/identity to the "Microsoft Entra Authentication Redis user" list](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication#add-users-or-system-principal-to-your-cache) for the Azure Managed Redis instance
+
+```yaml
+config:
+  storage: redis
+  storage_config:
+    redis:
+      host: $INSTANCE_ADDRESS
+      username: $INSTANCE_USERNAME
+      port: 6379
+      cloud_authentication:
+        auth_provider: azure
+        azure_client_id: $AZURE_CLIENT_ID
+        azure_client_secret: $AZURE_CLIENT_SECRET
+        azure_tenant_id: $AZURE_TENANT_ID
+```
+Replace the following with your actual values:
+* `$INSTANCE_ADDRESS`: The Azure Managed Redis instance address.
+* `$INSTANCE_USERNAME`: The object (principal) ID of the Principal/Identity with essential access.
+* `$AZURE_CLIENT_ID`: The client ID of the Principal/Identity.
+* `$AZURE_CLIENT_SECRET`: (Optional) The client secret of the Principal/Identity. 
+* `$AZURE_TENANT_ID`: (Optional) The tenant ID of the Principal/Identity.
+
+{% endnavtab %}
+{% navtab "Azure cluster" %}
+
+You need:
+* A running Redis instance on an [Azure Managed Redis cluster](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication) with Entra authentication configured
+* Add the [user/service principal/identity to the "Microsoft Entra Authentication Redis user" list](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication#add-users-or-system-principal-to-your-cache) for the Azure Managed Redis instance
+
+```yaml
+config:
+  storage: redis
+  storage_config:
+    redis:
+      cluster_nodes:
+      - ip: $CLUSTER_ADDRESS
+        port: 6379
+      username: $CLUSTER_USERNAME
+      port: 6379
+      cloud_authentication:
+        auth_provider: azure
+        azure_client_id: $AZURE_CLIENT_ID
+        azure_client_secret: $AZURE_CLIENT_SECRET
+        azure_tenant_id: $AZURE_TENANT_ID
+```
+Replace the following with your actual values:
+* `$CLUSTER_ADDRESS`: The Azure Managed Redis cluster address.
+* `$CLUSTER_USERNAME`: The object (principal) ID of the Principal/Identity with essential access.
+* `$AZURE_CLIENT_ID`: The client ID of the Principal/Identity.
+* `$AZURE_CLIENT_SECRET`: (Optional) The client secret of the Principal/Identity. 
+* `$AZURE_TENANT_ID`: (Optional) The tenant ID of the Principal/Identity.
+
+{% endnavtab %}
+{% navtab "GCP instance" %}
+
+You need:
+* A running Redis instance on an [Google Cloud Memorystore instance](https://cloud.google.com/memorystore/docs/cluster/about-iam-auth)
+* Assign the principal to the corresponding role: 
+    * [Cloud Memorystore Redis DB Connection User(`roles/redis.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/cluster/about-iam-auth) for Memorystore for Redis Cluster
+    * [Memorystore DB Connector User (`roles/memorystore.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/valkey/about-iam-auth) for Memorystore for Valkey
+
+```yaml
+config:
+  storage: redis
+  storage_config:
+    redis:
+      host: $INSTANCE_ADDRESS
+      port: 6379
+      cloud_authentication:
+        auth_provider: gcp
+        gcp_service_account_json: $GCP_SERVICE_ACCOUNT
+```
+Replace the following with your actual values:
+* `$INSTANCE_ADDRESS`: The Memorystore instance address.
+* `$GCP_SERVICE_ACCOUNT`: (Optional) The GCP service account JSON.
+{% endnavtab %}
+{% navtab "GCP cluster" %}
+
+You need:
+* A running Redis instance on an [Google Cloud Memorystore cluster](https://cloud.google.com/memorystore/docs/cluster/about-iam-auth)
+* Assign the principal to the corresponding role: 
+    * [Cloud Memorystore Redis DB Connection User(`roles/redis.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/cluster/about-iam-auth) for Memorystore for Redis Cluster
+    * [Memorystore DB Connector User (`roles/memorystore.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/valkey/about-iam-auth) for Memorystore for Valkey
+
+```yaml
+config:
+  storage: redis
+  storage_config:
+    redis:
+      cluster_nodes:
+      - ip: $CLUSTER_ADDRESS
+        port: 6379 
+      port: 6379
+      cloud_authentication:
+        auth_provider: gcp
+        gcp_service_account_json: $GCP_SERVICE_ACCOUNT
+```
+Replace the following with your actual values:
+* `$CLUSTER_ADDRESS`: The Memorystore cluster address.
+* `$GCP_SERVICE_ACCOUNT`: The GCP service account JSON.
+{% endnavtab %}
+{% endnavtabs %}
diff --git a/app/_kong_plugins/acme/examples/redis-aws-instance.yaml b/app/_kong_plugins/acme/examples/redis-aws-instance.yaml
@@ -0,0 +1,91 @@
+title: ACME with Redis storage and AWS ElastiCache instance auth
+description: |
+  Configure the ACME plugin with Redis as a storage backend using AWS ElastiCache instance auth
+
+weight: 860
+
+requirements:
+- A public IP and a resolvable DNS
+- '{{site.base_gateway}} accepts proxy traffic on port 80'
+- A running Redis instance on an [AWS ElastiCache instance](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html) for Valkey 7.2 or later or ElastiCache for Redis OSS version 7.0 or later
+- The [ElastiCache user needs to set "Authentication mode" to "IAM"](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup)
+- |
+  The following policy assigned to the IAM user/IAM role that is used to connect to the ElastiCache:
+  ```json
+  {
+      "Version": "2012-10-17",
+      "Statement": [
+          {
+              "Effect": "Allow",
+              "Action": [
+                  "elasticache:Connect"
+              ],
+              "Resource": [
+                  "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE",
+                  "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE_USER"
+              ]
+          }
+      ]
+  }
+  ```
+
+config:
+  account_email: ${email}
+  account_key:
+    key_id: ${key_id}
+    key_set: ${key_set}
+  domains:
+    - ${domain}
+  tos_accepted: true
+  storage: redis
+  storage_config:
+    redis:
+      host: ${instance_address}
+      username: ${instance_username}
+      port: 6379
+      cloud_authentication:
+        auth_provider: aws
+        aws_cache_name: ${aws_cache}
+        aws_is_serverless: false
+        aws_region: ${aws_region}
+        aws_access_key_id: ${aws_key_id}
+        aws_secret_access_key: ${aws_secret_key}
+
+variables:
+  email:
+    value: $EMAIL
+    description: The account identifier.
+  key_id:
+    value: $KEY_ID
+    description: The kid of a [Key](/gateway/entities/key/).
+  key_set:
+    value: $KEY_SET
+    description: The name of a [Key Set](/gateway/entities/key-set/) to associate the Key ID with.
+  domain:
+    value: $DOMAIN
+    description: An array of strings representing hosts.
+  instance_address:
+    value: $INSTANCE_ADDRESS
+    description: The ElastiCache instance address.
+  instance_username:
+    value: $INSTANCE_USERNAME
+    description: The ElastiCache username with [IAM Auth mode configured](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup).
+  aws_cache:
+    value: $AWS_CACHE_NAME
+    description: Name of your AWS ElastiCache instance.
+  aws_region:
+    value: $AWS_REGION 
+    description: Your AWS ElastiCache instance region.
+  aws_key_id:
+    value: $AWS_ACCESS_KEY_ID 
+    description: (Optional) Your AWS access key ID. 
+  aws_secret_key:
+    value: $AWS_ACCESS_SECRET_KEY 
+    description: (Optional) Your AWS secret access key.
+
+tools:
+  - deck
+  - admin-api
+  - konnect-api
+  - kic
+  - terraform
diff --git a/app/_kong_plugins/acme/examples/redis-azure-instance.yaml b/app/_kong_plugins/acme/examples/redis-azure-instance.yaml
@@ -0,0 +1,67 @@
+title: ACME with Redis storage and Azure Managed Redis instance auth
+description: |
+  Configure the ACME plugin with Redis as a storage backend using Azure Managed Redis instance auth
+
+weight: 860
+
+requirements:
+- A public IP and a resolvable DNS
+- '{{site.base_gateway}} accepts proxy traffic on port 80'
+- A running Redis instance on an [Azure Managed Redis instance](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication) with Entra authentication configured
+- Add the [user/service principal/identity to the "Microsoft Entra Authentication Redis user" list](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication#add-users-or-system-principal-to-your-cache) for the Azure Managed Redis instance
+
+config:
+  account_email: ${email}
+  account_key:
+    key_id: ${key_id}
+    key_set: ${key_set}
+  domains:
+    - ${domain}
+  tos_accepted: true
+  storage: redis
+  storage_config:
+    redis:
+      host: ${instance_address}
+      username: ${instance_username}
+      port: 6379
+      cloud_authentication:
+        auth_provider: azure
+        azure_client_id: ${azure_client_id}
+        azure_client_secret: ${azure_client_secret}
+        azure_tenant_id: ${azure_tenant_id}
+
+variables:
+  email:
+    value: $EMAIL
+    description: The account identifier.
+  key_id:
+    value: $KEY_ID
+    description: The kid of a [Key](/gateway/entities/key/).
+  key_set:
+    value: $KEY_SET
+    description: The name of a [Key Set](/gateway/entities/key-set/) to associate the Key ID with.
+  domain:
+    value: $DOMAIN
+    description: An array of strings representing hosts.
+  instance_address:
+    value: $INSTANCE_ADDRESS
+    description: The Azure Managed Redis instance address.
+  instance_username:
+    value: $INSTANCE_USERNAME
+    description: The object (principal) ID of the Principal/Identity with essential access.
+  azure_client_id:
+    value: $AZURE_CLIENT_ID
+    description: The client ID of the Principal/Identity. 
+  azure_client_secret:
+    value: $AZURE_CLIENT_SECRET
+    description: (Optional) The client secret of the Principal/Identity.
+  azure_tenant_id:
+    value: $AZURE_TENANT_ID
+    description: (Optional) The tenant ID of the Principal/Identity.
+
+tools:
+  - deck
+  - admin-api
+  - konnect-api
+  - kic
+  - terraform
-Original file line number
+Diff line change
@@ Expand Up / @@ -935,6 +935,7 @@ Valero @@
     Valero
     validator
     validators
+    Valkey
     vararg
     vc
     viewport
@@ Expand Down @@