Add IAM authentication support for Valkey-GLIDE (ElastiCache/MemoryDB)

README.md

@@ -13,6 +13,7 @@ This project provides both the [core Spring Data Valkey library](spring-data-val
 * `ValkeyTemplate` that provides a high level abstraction for performing various Valkey operations, exception translation and serialization support.
 * Pubsub support (such as a MessageListenerContainer for message-driven POJOs).
 * OpenTelemetry instrumentation support when using the Valkey GLIDE client for emitting traces and metrics for Valkey operations.
+* AWS IAM authentication support for Valkey GLIDE when connecting to Amazon ElastiCache or MemoryDB, with automatic token generation and refresh.
 * Valkey Sentinel support is currently available in Jedis and Lettuce, while support in Valkey GLIDE is planned for a future release.
 * Reactive API using Lettuce.
 * JDK, String, JSON and Spring Object/XML mapping serializers.
@@ -34,6 +35,7 @@ This project provides both the [core Spring Data Valkey library](spring-data-val
 * SSL/TLS connection support with Spring Boot SSL bundles.
 * Spring Boot Actuator health indicators and metrics for Valkey connections.
 * Property-based OpenTelemetry configuration for Valkey GLIDE, enabling automatic trace and metric export without application code changes.
+* Property-based IAM authentication configuration for Valkey GLIDE when connecting to AWS ElastiCache or MemoryDB, with automatic token generation and refresh.
 * `@DataValkeyTest` slice test annotation for focused Valkey testing.
 * Testcontainers integration with `@ServiceConnection` annotation.
 * Docker Compose support for automatic service detection and startup.

examples/README.md

@@ -41,6 +41,7 @@ Replace `quickstart` with any example name below. To run from project root, use
 | **scripting** | Lua script execution (EVAL, EVALSHA) for atomic operations |
 | **telemetry** | OpenTelemetry instrumentation with manual SDK setup for tracing and metrics |
 | **boot-telemetry** | Spring Boot with OpenTelemetry enabled via configuration properties and Docker Compose |
+| **boot-iam-auth** | Spring Boot using AWS IAM authentication via Valkey-GLIDE to connect to Amazon ElastiCache or Amazon MemoryDB clusters |
 
 ## Notes
 

examples/boot-iam-auth/README.md

@@ -0,0 +1,79 @@
+# Spring Data Valkey – IAM Authentication Example
+
+This example demonstrates how to use **AWS IAM authentication** with Valkey-GLIDE for connecting
+to **Amazon ElastiCache** or **Amazon MemoryDB** clusters.
+
+## Overview
+
+Instead of using static passwords, IAM authentication allows you to authenticate using AWS IAM
+credentials. The GLIDE client automatically generates and refreshes short-lived IAM authentication
+tokens, providing a more secure authentication mechanism.
+
+## Prerequisites
+
+1. **AWS ElastiCache or MemoryDB cluster** with IAM authentication enabled
+2. **AWS credentials** configured in your environment (via environment variables, IAM role, or `~/.aws/credentials`)
+3. **IAM policy** granting `elasticache:Connect` (for ElastiCache) or `memorydb:Connect` (for MemoryDB)
+4. **TLS enabled** on the cluster (required for IAM authentication)
+
+## Configuration
+
+Update `src/main/resources/application.properties` with your cluster details:
+
+```properties
+spring.data.valkey.host=your-cluster-endpoint.cache.amazonaws.com
+spring.data.valkey.port=6379
+spring.data.valkey.username=your-iam-user-id
+spring.data.valkey.ssl.enabled=true
+spring.data.valkey.client-type=valkeyglide
+
+spring.data.valkey.valkey-glide.iam-authentication.cluster-name=your-cluster-name
+spring.data.valkey.valkey-glide.iam-authentication.service=ELASTICACHE
+spring.data.valkey.valkey-glide.iam-authentication.region=us-east-1
+```
+
+### Configuration Properties
+
+| Property | Description | Required |
+|---|---|---|
+| `iam-authentication.cluster-name` | Name of the ElastiCache/MemoryDB cluster | Yes |
+| `iam-authentication.service` | AWS service type: `ELASTICACHE` or `MEMORYDB` | Yes |
+| `iam-authentication.region` | AWS region (e.g., `us-east-1`) | Yes |
+| `iam-authentication.refresh-interval-seconds` | Token refresh interval (default: 300s) | No |
+
+## Programmatic Configuration
+
+You can also configure IAM authentication programmatically:
+
+```java
+@Bean
+public ValkeyGlideConnectionFactory valkeyConnectionFactory() {
+    ValkeyClusterConfiguration clusterConfig = new ValkeyClusterConfiguration();
+    clusterConfig.addClusterNode(new ValkeyClusterNode("your-endpoint", 6379));
+    clusterConfig.setUsername("your-iam-user-id");
+
+    ValkeyGlideClientConfiguration clientConfig = ValkeyGlideClientConfiguration.builder()
+        .useSsl()
+        .useIamAuthentication(new IamAuthenticationForGlide(
+            "your-cluster-name",
+            AwsServiceType.ELASTICACHE,
+            "us-east-1",
+            null  // use default refresh interval
+        ))
+        .build();
+
+    return new ValkeyGlideConnectionFactory(clusterConfig, clientConfig);
+}
+```
+
+## Running
+
+```bash
+mvn exec:java -pl examples/boot-iam-auth
+```
+
+## References
+
+- [Valkey-GLIDE IAM Authentication](https://github.com/valkey-io/valkey-glide/wiki/General-Concepts#aws-iam-authentication-with-glide)
+- [Using IAM with GLIDE for ElastiCache and MemoryDB](https://github.com/valkey-io/valkey-glide/wiki/General-Concepts#using-iam-authentication-with-glide-for-elasticache-and-memorydb)
+- [Java Example](https://github.com/valkey-io/valkey-glide/wiki/Java-Wrapper#example---using-iam-authentication-with-glide-for-elasticache-and-memorydb)

examples/boot-iam-auth/pom.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<parent>
+		<groupId>io.valkey.springframework</groupId>
+		<artifactId>spring-data-valkey-examples</artifactId>
+		<version>0.2.0</version>
+	</parent>
+
+    <artifactId>spring-data-valkey-example-boot-iam-auth</artifactId>
+    <name>Spring Data Valkey - Spring Boot IAM Authentication Example</name>
+
+  	<properties>
+		<exec.mainClass>example.bootiamauth.SpringBootIamAuthExample</exec.mainClass>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>io.valkey.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-data-valkey</artifactId>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<extensions>
+			<extension>
+				<groupId>kr.motd.maven</groupId>
+				<artifactId>os-maven-plugin</artifactId>
+				<version>1.7.1</version>
+			</extension>
+		</extensions>
+		<plugins>
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>exec-maven-plugin</artifactId>
+				<configuration>
+  					<mainClass>example.bootiamauth.SpringBootIamAuthExample</mainClass>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+</project>

examples/boot-iam-auth/src/main/java/example/bootiamauth/SpringBootIamAuthExample.java

@@ -0,0 +1,77 @@
+package example.bootiamauth;
+
+import io.valkey.springframework.data.valkey.core.StringValkeyTemplate;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.CommandLineRunner;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * Minimal Spring Boot example that demonstrates IAM authentication
+ * with Valkey-GLIDE for AWS ElastiCache or MemoryDB.
+ *
+ * <p>This example shows how to use AWS IAM-based authentication instead of
+ * password-based authentication when connecting to an ElastiCache or MemoryDB
+ * cluster via GLIDE.</p>
+ *
+ * <h2>Prerequisites</h2>
+ * <ul>
+ *   <li>An ElastiCache or MemoryDB cluster with IAM authentication enabled</li>
+ *   <li>AWS credentials configured (e.g., via environment variables, IAM role, or ~/.aws/credentials)</li>
+ *   <li>The IAM user/role must have the {@code elasticache:Connect} or {@code memorydb:Connect} permission</li>
+ *   <li>TLS must be enabled (required for IAM authentication)</li>
+ * </ul>
+ *
+ * <h2>Configuration</h2>
+ * <p>Update {@code application.properties} with your cluster details:</p>
+ * <pre>
+ * spring.data.valkey.host=your-cluster-endpoint.cache.amazonaws.com
+ * spring.data.valkey.port=6379
+ * spring.data.valkey.username=your-iam-user-id
+ * spring.data.valkey.ssl.enabled=true
+ * spring.data.valkey.client-type=valkeyglide
+ *
+ * spring.data.valkey.valkey-glide.iam-authentication.cluster-name=your-cluster-name
+ * spring.data.valkey.valkey-glide.iam-authentication.service=ELASTICACHE
+ * spring.data.valkey.valkey-glide.iam-authentication.region=us-east-1
+ * </pre>
+ *
+ * @see <a href="https://github.com/valkey-io/valkey-glide/wiki/General-Concepts#aws-iam-authentication-with-glide">
+ *     Valkey-GLIDE IAM Authentication Documentation</a>
+ */
+@SpringBootApplication
+public class SpringBootIamAuthExample implements CommandLineRunner {
+
+    @Autowired
+    private StringValkeyTemplate valkeyTemplate;
+
+    public static void main(String[] args) {
+        SpringApplication.run(SpringBootIamAuthExample.class, args);
+    }
+
+    @Override
+    public void run(String... args) {
+
+        System.out.println("=== IAM Authentication with Valkey-GLIDE ===");
+        System.out.println("Connected successfully using IAM authentication!");
+
+        // Simple read/write operations
+        int iterations = 5;
+        for (int i = 0; i < iterations; i++) {
+            String key = "iam-test-key-" + i;
+            String value = "iam-test-value-" + i;
+
+            valkeyTemplate.opsForValue().set(key, value);
+            String readBack = valkeyTemplate.opsForValue().get(key);
+            System.out.println("  " + key + " = " + readBack);
+        }
+
+        System.out.println("Completed " + iterations + " iterations of Valkey commands with IAM auth.");
+
+        // Cleanup
+        for (int i = 0; i < iterations; i++) {
+            valkeyTemplate.delete("iam-test-key-" + i);
+        }
+        System.out.println("Cleanup complete.");
+    }
+}

examples/boot-iam-auth/src/main/resources/application.properties

@@ -0,0 +1,28 @@
+# ============================================================
+# IAM Authentication Example for AWS ElastiCache / MemoryDB
+# ============================================================
+#
+# Update these properties with your actual cluster details.
+# AWS credentials must be available in the environment
+# (e.g., via environment variables, IAM role, or ~/.aws/credentials).
+
+# Cluster endpoint
+spring.data.valkey.host=your-cluster-endpoint.cache.amazonaws.com
+spring.data.valkey.port=6379
+
+# The IAM user ID used for authentication
+spring.data.valkey.username=your-iam-user-id
+
+# TLS is required for IAM authentication
+spring.data.valkey.ssl.enabled=true
+
+# Use Valkey-GLIDE as the client driver
+spring.data.valkey.client-type=valkeyglide
+
+# IAM Authentication configuration
+# All three properties (cluster-name, service, region) are required.
+spring.data.valkey.valkey-glide.iam-authentication.cluster-name=your-cluster-name
+spring.data.valkey.valkey-glide.iam-authentication.service=ELASTICACHE
+spring.data.valkey.valkey-glide.iam-authentication.region=us-east-1
+# Optional: refresh interval in seconds (default: 300)
+# spring.data.valkey.valkey-glide.iam-authentication.refresh-interval-seconds=300

examples/boot-iam-auth/src/main/resources/logback.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder>
+            <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
+        </encoder>
+    </appender>
+    <root level="INFO">
+        <appender-ref ref="STDOUT" />
+    </root>
+</configuration>

examples/pom.xml

@@ -18,6 +18,7 @@
 	<description>Example projects demonstrating Spring Data Valkey features</description>
 
 	<modules>
+		<module>boot-iam-auth</module>
 		<module>boot-telemetry</module>
 		<module>cache</module>
 		<module>cluster</module>

spring-boot-starter-data-valkey/src/main/java/io/valkey/springframework/boot/autoconfigure/data/valkey/ValkeyGlideConnectionConfiguration.java

@@ -133,6 +133,30 @@ private ValkeyGlideClientConfiguration getValkeyGlideClientConfiguration(
 			builder.useOpenTelemetry(otelConfig);
 		}
 
+		// Apply IAM authentication configuration if configured
+		ValkeyProperties.ValkeyGlide.IamAuthentication iamProperties = valkeyGlideProperties.getIamAuthentication();
+		if (iamProperties != null) {
+			if (!StringUtils.hasText(iamProperties.getClusterName())
+					|| !StringUtils.hasText(iamProperties.getService())
+					|| !StringUtils.hasText(iamProperties.getRegion())) {
+				throw new IllegalArgumentException(
+					"IAM authentication requires all of: cluster-name, service, and region. "
+					+ "Please set spring.data.valkey.valkey-glide.iam-authentication.cluster-name, "
+					+ "spring.data.valkey.valkey-glide.iam-authentication.service, and "
+					+ "spring.data.valkey.valkey-glide.iam-authentication.region");
+			}
+			ValkeyGlideClientConfiguration.AwsServiceType serviceType =
+				ValkeyGlideClientConfiguration.AwsServiceType.valueOf(iamProperties.getService().toUpperCase());
+			ValkeyGlideClientConfiguration.IamAuthenticationForGlide iamConfig =
+				new ValkeyGlideClientConfiguration.IamAuthenticationForGlide(
+					iamProperties.getClusterName(),
+					serviceType,
+					iamProperties.getRegion(),
+					iamProperties.getRefreshIntervalSeconds()
+				);
+			builder.useIamAuthentication(iamConfig);
+		}
+
 		builderCustomizers.orderedStream().forEach((customizer) -> customizer.customize(builder));
 		return builder.build();
 	}