How do I connect to an Amazon ElastiCache In-Transit encryption-enabled Redis node using redis-cli?

Last updated: 2020-07-09

The Redis Command Line Interface (redis-cli) does not support SSL-enabled clients. How do I access data from an Amazon ElastiCache In-Transit encryption-enabled Redis node?

Short description

The redis-cli client doesn't support SSL/TLS connections. To use the redis-cli to access an ElastiCache for Redis node (cluster mode disabled) with in-transit encryption, use the stunnel package in your Linux-based clients. The stunnel command creates an SSL tunnel to Redis nodes specified in the stunnel configuration. After establishing the tunnel, you can use the redis-cli to connect an in-transit encryption enabled cluster node.

Note: To connect to Redis nodes (cluster-mode enabled) with in-transit encryption, use Redis clients that natively support SSL and Cluster Mode Enabled Clusters. For more information, see on the Redis website.


1.    Connect to your Linux client instance using SSH and install the stunnel package:

On CentOS-based systems:

$sudo yum install stunnel

On Debian-based systems (Ubuntu 16):

$sudo apt-get install stunnel

2.    In the redis-cli.conf file, add a Redis cluster endpoint to one or more connection parameters:

# cat /etc/stunnel/redis-cli.conf
fips = no
setuid = root
setgid = root
pid = /var/run/
debug = 7
options = NO_SSLv2
options = NO_SSLv3
  client = yes
  accept =
  connect =
  client = yes
  accept =
  connect =

In this example, the config file has two connections, the redis-cli and the redis-cli-replica. The parameters are set as follows:

  • client set to yes, to specify this stunnel instance is a client.
  • accept is set to the client IP. In this example, the primary is set to the Redis default of on port 6379. The replica must call a different port and it is set to 6380. You can use the ephemeral ports 1024 to 65535.
  • connect is set to the Redis server endpoint. For more information, see Finding connection endpoints.

3.    Start stunnel.

$ sudo stunnel /etc/stunnel/redis-cli.conf

Use the netstat command to confirm that the tunnels have started:

# netstat -tulnp | grep -i stunnel
tcp    0      0*        LISTEN      3189/stunnel
tcp    0      0*        LISTEN      3189/stunnel

4.    You can now use the redis-cli to connect to the encrypted Redis node using the local endpoint of the tunnel:

# redis-cli -h localhost -p 6379 -a MySecretPassword
localhost:6379>set foo "bar"
localhost:6379>get foo

Note: If your instance is password-protected, then the -a MySecretPassword option in redis-cli performs the authentication without needing the AUTH command. For more information, see redis-cli, the Redis command line interface on the Redis website.

This example uses telnet to connect to the Redis server:

# telnet localhost 6379
Connected to localhost.
Escape character is '^]'.
auth MySecretPassword
+OKget foo

Run the pkill command to stop and close the SSL tunnels:

$ sudo pkill stunnel

Did this article help?

Need more help?