Accessing Redis on Localhost with SSM

Redis TLS with SSM

What's up Builders! This Friday a friend of mine asked me for help with his work on Redis. I was happy to help, because it would sharpen my problem-solving skills. The goal was to access Redis locally from his machine. Their RDS database was beyond a terabyte and they needed a cache for performance.

Infrastructure provisioning was a no-brainer with Redis Serverless: a few clicks in the UI and we had our Redis cluster, which gave us an endpoint. We then installed the redis-cli tool and Redis Insight for a graphical view.

We tried to reach it with everything we had, and a day later, after checking its DNS records, we realised it was a VPC endpoint that resolves to a private IP. Facepalm!

So we set up port forwarding, first with SSH and then with SSM.

ssh -i <key-file> -NL <local port to expose redis to>:<redis url>:<redis port> <user>@<bastion ip> -v
ssh -i "mykey.pem" -NL 6379:prod-redis-txtayy.serverless.use1.cache.amazonaws.com:6379 ubuntu@ec2-52-4x-2x-x183.compute-1.amazonaws.com

This exposes Redis on port 6379 of our localhost.

However, it took me another 15 minutes to realise that AWS encrypts the traffic in transit, so even though the private resource was port forwarded we had to pass --tls to redis-cli in order to connect.

Port forwarding can also be done with AWS SSM, in three steps.

  1. Configure your identity
# on your shell, configure aws credentials

aws configure

# then enter your keys, region and output format at the prompt.


aws sts get-caller-identity
{
    "UserId": "AIDAFFQ3DTT7UHP",
    "Account": "65465498400",
    "Arn": "arn:aws:iam::65465498400:user/someuserxx"
}
# if you get a response like this you are logged in; otherwise run aws configure again.
  2. Download the Session Manager plugin
curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac_arm64/sessionmanager-bundle.zip" -o "sessionmanager-bundle.zip"

unzip sessionmanager-bundle.zip

sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin
  3. Connect to Redis via SSM
aws ssm start-session \
    --target i-02f2fc3e98400f \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters host="prod-redis-txtayy.serverless.use1.cache.amazonaws.com",portNumber="6379",localPortNumber="6379"

The SSM document we are using here is

AWS-StartPortForwardingSessionToRemoteHost

If the session prints that it is waiting for connections, the port has been forwarded. Let's verify with

lsof -i tcp:6379

So far so good. Congratulations, you have forwarded AWS private infrastructure into your local machine's network, on localhost.

Now my friend told me that the lazy developer isn't happy with the CLI. He needs a graphical tool, which is Redis Insight. It wasn't connecting at all; it was timing out.

Thank god it is an open source tool. I cloned Redis Insight and installed the dependencies, ran the Electron app and it was running fine. It has two applications: a backend for the connection and a frontend (a Vite app) for rendering the UI. I switched to debug mode and started stepping through to see what was happening. Alas, it was the

rejectUnauthorized: true

parameter that was causing the error. The bug was trapped.

I set all the instances to false (which turns off certificate verification) and it connected. It works by hook or by crook at my end, after taking help from my cousin (Prabhat). But there must be a proper solution. I refreshed my knowledge of certificates and certificate authorities, and of the Diffie-Hellman key exchange algorithm.

Now here comes the trick. Let's go to the bastion with SSH and run this command to get our server certificate:

openssl s_client -connect prod-redis-txtayy.serverless.use1.cache.amazonaws.com:6379 -showcerts

With openssl you get the details of the certificate that AWS presents for your Redis server. Copy the server certificate (the block between BEGIN CERTIFICATE and END CERTIFICATE) and use it.

This still does not solve the problem unless you fix your DNS. Let's do it.

This is needed because the certificate says it is valid for prod-redis-txtayy.serverless.use1.cache.amazonaws.com, and the client checks that name against the host it connected to.

Wait a minute, the traffic was coming from localhost, or 127.0.0.1, right?

Let's change our hosts file, /etc/hosts.

What we're saying is that prod-redis-txtayy.serverless.use1.cache.amazonaws.com is localhost.

Now the name in the certificate matches the domain name we connect to, and we can actually connect with the certificate.

Select "Use TLS" and add a new certificate. I named it *.serverless.use1.cache.amazonaws.com and pasted in the certificate. Now we are connected via Redis Insight.
