Authentication methods for instances


Tair (Redis OSS-compatible) instances provide three authentication methods: password-only login (compatible with native Redis), username and password login (recommended for production environments), and password-free access in a Virtual Private Cloud (VPC). This topic describes the usage and limitations of each method. They apply to any connection tool, such as redis-cli, Data Management (DMS), or a software development kit (SDK).

Prerequisites

Add the client's IP address to the instance's whitelist. For more information, see Configure a whitelist.

Note

Regardless of the authentication method, you must add the client's IP address or CIDR block to the instance whitelist. If you cannot connect to the instance, use the connection diagnostics feature to verify the client's IP address.

Comparison of authentication methods

An instance supports the following three authentication methods. Choose a method based on your business scenario.

| Authentication method | Applicable network | Applicable account | Recommended scenario | Security level |
| --- | --- | --- | --- | --- |
| Password-only login | VPC/public network | Default account only | For users accustomed to native Redis or for single-application access. | Medium |
| Username and password login (Recommended) | VPC/public network | Default and custom accounts | Multi-account isolation, production environments | High |
| VPC password-free access | VPC only | Default account only | Simple tests within the same VPC | Low (a strict whitelist is required) |

Password-only login

  • How to log in: Enter only the password. A username is not required.

  • Limits: This method works only for the instance's default account. The name of the default account is the instance ID, such as r-bp1jpghfglv6******, or default. You can view the name of the default account on the Account Management page in the console.

    You cannot use this method to log in to other custom accounts.

  • Features: This method is identical to the native Redis login method, making it familiar to many users. However, because each instance has only one default account, you may need to share this account across multiple applications.

  • redis-cli connection example:

    # The default account is r-bp1jpghfglv6******, and the password is Rp829dlwa.
    redis-cli -h r-bp1zx****.redis.rds.aliyuncs.com -p 6379 -a Rp829dlwa

Username and password login (recommended)

  • How to log in: Enter the username and password in the user:password format, separated by a colon (:).

    Note
    • When using a third-party management tool such as RDM, enter user:password in the password field.

    • When using Data Management (DMS), enter the username and password in the Database Account and Database Password fields, respectively.

    • Instances compatible with Redis 6.0 or later also support the native AUTH user password command.

  • Limits: None. This method can be used to log in to both default and custom accounts.

  • Features: You can create multiple accounts for an instance and assign a different account to each application. This improves data security. For more information about how to create a database account, see Create and manage accounts.

  • redis-cli connection example:

    # The custom account is testaccount, and the password is Rp829dlwa.
    
    # Format 1: user:password.
    # This format is applicable to all Tair and open source Redis instances.
    redis-cli -h r-bp1zx****.redis.rds.aliyuncs.com -p 6379 -a testaccount:Rp829dlwa
    
    # Format 2: user password.
    # This format is applicable to Tair or open source Redis instances that are compatible with Redis 6.0 or later.
    redis-cli -h r-bp1zx****.redis.rds.aliyuncs.com -p 6379
    # Then run the AUTH command at the redis-cli prompt:
    AUTH testaccount Rp829dlwa

Password-free access

Warning

With password-free access, any client in the same VPC that can reach the instance can log in by using the default account. In production environments, we recommend that you use this feature with a minimal whitelist and audit logs. Do not set the whitelist to 0.0.0.0/0.

  • How to log in: No username or password is required.

  • Limits:

    • Client: The client must be deployed in the same VPC as the instance.

    • Instance: The password-free access feature must be enabled for the instance. For more information, see Enable password-free access over VPC.

    This method allows you to connect only to the instance's default account and only over an internal endpoint. After you log in to the instance, you can perform read and write operations.

  • Features: This method provides password-free login. By default, it allows access from any client in the same VPC. To enhance security, you can use the #no_loose_check-whitelist-always parameter to enforce whitelist checks. For more information, see Tair Enterprise Edition instance parameters and Open source Redis-compatible instance parameters.

  • redis-cli connection example:

    # Log in to the instance without a password.
    redis-cli -h r-bp1zx****.redis.rds.aliyuncs.com -p 6379
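
The warning above calls for a minimal whitelist and rules out 0.0.0.0/0. The following added example (not part of the original documentation) audits a whitelist string for entries that are too broad. The VPC CIDR block, the sample whitelist, and the `max_addresses` threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the page).
VPC_CIDR = "192.168.0.0/16"
SAMPLE_WHITELIST = ("192.168.10.15, 192.168.10.0/24, 192.168.0.0/16, "
                    "10.0.0.0/8, 0.0.0.0/0, app-server")


def audit_whitelist(whitelist: str, vpc_cidr: str, max_addresses: int = 256):
    """Return (entry, finding) pairs for entries too broad for password-free access.

    max_addresses is a hypothetical policy threshold, not a product limit.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for raw in whitelist.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False accepts entries with host bits set, such as 192.168.10.15/24.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "not an IP address or CIDR block"))
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 (or ::/0): the setting the warning forbids.
            findings.append((entry, "open to every address"))
        elif net.version == vpc.version and vpc.subnet_of(net):
            # Every client in the VPC matches, so the whitelist filters nothing.
            findings.append((entry, "covers the whole VPC"))
        elif net.num_addresses > max_addresses:
            findings.append((entry, f"wider than {max_addresses} addresses"))
    return findings


if __name__ == "__main__":
    for entry, finding in audit_whitelist(SAMPLE_WHITELIST, VPC_CIDR):
        print(f"{entry:18} {finding}")
```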

Common errors

If you forget your password or have not set one, you can reset it. For more information, see Change or reset the password.

| Error message | Cause and solution |
| --- | --- |
| (error) ERR invalid password; (error) WRONGPASS invalid username-password pair | The password is invalid. Ensure you enter the username and password in the correct format. For more details, see the "Username and password login (recommended)" section. |
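
The following added example (not part of the original documentation) shows what each login format from the sections above sends on the wire as a RESP-encoded AUTH command, and maps the replies listed under Common errors to an outcome. The function names and the guard against a colon in the username are assumptions made for this example. The credentials are the sample values used on this page.

```python
from typing import Optional


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (the Redis wire format)."""
    frame = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode("utf-8")
        frame.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(frame)


def auth_frame(password: str, username: Optional[str] = None,
               redis6_or_later: bool = False) -> bytes:
    """Build the AUTH command for the login formats this page describes."""
    if username is None:
        # Password-only login: works for the default account only.
        return resp_command("AUTH", password)
    if ":" in username:
        # Guard added for this example: the colon is the Format 1 separator.
        raise ValueError("username must not contain ':'")
    if redis6_or_later:
        # Format 2: native AUTH user password (Redis 6.0 or later).
        return resp_command("AUTH", username, password)
    # Format 1: user:password sent as a single argument.
    return resp_command("AUTH", f"{username}:{password}")


def triage_reply(reply: bytes) -> str:
    """Map a server reply line to the outcome listed under Common errors."""
    line = reply.rstrip(b"\r\n").decode("utf-8", "replace")
    if line == "+OK":
        return "authenticated"
    if line.startswith(("-ERR invalid password", "-WRONGPASS")):
        return "invalid credentials: check the user:password format or reset the password"
    return "unrecognized reply: " + line


if __name__ == "__main__":
    print(auth_frame("Rp829dlwa"))
    print(auth_frame("Rp829dlwa", "testaccount"))
    print(auth_frame("Rp829dlwa", "testaccount", redis6_or_later=True))
    print(triage_reply(b"-WRONGPASS invalid username-password pair\r\n"))
```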