DEV Community

Cover image for Locking It Down with Redis ACLs: A Dev's Guide to Secure Access
Athreya aka Maneshwar
Athreya aka Maneshwar

Posted on • Edited on

Locking It Down with Redis ACLs: A Dev's Guide to Secure Access

Hello, I'm Maneshwar. I'm working on FreeDevTools online currently building **one place for all dev tools, cheat codes, and TLDRs* — a free, open-source hub where developers can quickly find and use tools without any hassle of searching all over the internet.


Redis has long been the go-to for fast in-memory d
ata, whether it's caching, job queues, pub/sub, or real-time analytics.

But with great power comes the need for great control.

If you've ever worried about giving too much access to too many Redis clients, it's time you got familiar with Redis ACLs (Access Control Lists).

Whether you're a backend dev, a DevOps engineer, or just someone who’s tired of redis-cli users running KEYS * in production — this blog is for you.

Why Redis ACLs?

Prior to Redis 6, Redis had only one global password. Anyone with access to Redis could do anything — flush databases, delete keys, rewrite config, and more.

That’s not ideal when you're scaling up with multiple services, teams, or environments.

Enter ACLs: user-based access control introduced in Redis 6.

With Redis ACLs, you can:

Create named users
Assign specific permissions (read-only, streams-only, pub/sub, etc.)
Control what commands and keys each user can access
Use hashed passwords and role-based restrictions

Redis ACL Essentials

Redis ACLs work by defining users in either the redis.conf or a dedicated ACL file.

Let’s break down a typical ACL entry:

user runner-8 on >mySecretPass +xadd +xread ~logs_stream
Enter fullscreen mode Exit fullscreen mode

This means:

  • runner-8 is the username
  • on → user is enabled
  • > mySecretPass → password (in plaintext)
  • +xadd +xread → only allowed to run XADD and XREAD (Redis Streams)
  • ~logs_stream → can only access key logs_stream

You can also hash passwords with SHA256:

user runner-8 on sanitize-payload #<sha256-hash> +xadd ~logs_stream
Enter fullscreen mode Exit fullscreen mode

Creating ACL Users: Manual & Automated

Option 1: Manually via redis-cli

Connect to your Redis server and run:

ACL SETUSER runner-8 on >mySecretPass +xadd +xread ~logs_stream
Enter fullscreen mode Exit fullscreen mode

To verify:

ACL LIST
Enter fullscreen mode Exit fullscreen mode

To see current user:

ACL WHOAMI
Enter fullscreen mode Exit fullscreen mode

To delete a user:

ACL DELUSER runner-8
Enter fullscreen mode Exit fullscreen mode

But this won't persist across restarts unless saved to an ACL file.


Option 2: Define ACLs in users.acl file

Create (or edit) your ACL file:

sudo nano /etc/redis/users.acl
Enter fullscreen mode Exit fullscreen mode

Add:

user default on >supersecret +@all ~*
user runner-8 on >mySecretPass +xadd +xread ~logs_stream
Enter fullscreen mode Exit fullscreen mode

Then make sure your redis.conf has this line:

aclfile /etc/redis/users.acl
Enter fullscreen mode Exit fullscreen mode

Restart Redis:

sudo systemctl restart redis
Enter fullscreen mode Exit fullscreen mode

Example: Isolating Access for Asynq Workers

Let’s say you have a Go service using Asynq for background jobs. You don’t want it touching anything except:

  • A stream named logs_stream
  • Heartbeat keys like runners:heartbeat
  • Pub/Sub channels used by Asynq

You’d write:

user runner-8 on >Masd2dnnsd +xadd +xread +xrange +xrevrange +subscribe +psubscribe +publish +unsubscribe ~logs_stream ~runners:heartbeat ~__asynq* ~asynq*
Enter fullscreen mode Exit fullscreen mode

In ACL terms:

  • +xadd/xread/... → Redis Stream commands
  • +subscribe/... → Pub/Sub permissions
  • ~key → key patterns the user can access

And then use in code:

asynq.RedisClientOpt{
  Addr: "localhost:6379",
  Username: "runner-8",
  Password: "Masd2dnnsd",
}
Enter fullscreen mode Exit fullscreen mode

Testing Access

Try running:

redis-cli -u redis://runner-8:Masd2dnnsd@localhost:6379
Enter fullscreen mode Exit fullscreen mode

Inside:

SET foo bar
# → (error) NOPERM this user has no permissions to run the 'SET' command

XADD logs_stream * message "hello"
# → OK
Enter fullscreen mode Exit fullscreen mode

Bonus: Use Ansible to Manage Redis ACLs

An example Ansible task:

- name: Configure Redis ACL file
  copy:
    dest: /etc/redis/users.acl
    content: |
      user default on >supersecret +@all ~*
      user runner-8 on >Masd2dnnsd +xadd +xread +xrange +xrevrange +subscribe +psubscribe +publish +unsubscribe ~logs_stream ~runners:heartbeat ~__asynq* ~asynq*
    owner: redis
    group: redis
    mode: "0644"

- name: Ensure Redis uses ACL file
  lineinfile:
    path: /etc/redis/redis.conf
    regexp: '^aclfile '
    line: 'aclfile /etc/redis/users.acl'

- name: Restart Redis
  systemd:
    name: redis-server
    state: restarted
Enter fullscreen mode Exit fullscreen mode

Summary

Redis ACLs give you powerful, fine-grained access control. Whether you're running job queues, microservices, or multi-tenant systems, ACLs help you enforce the principle of least privilege.

No more all-or-nothing access. Just clean, secure, permission-scoped access — Redis style.

Got Redis ACL horror stories or wins? Drop them in the comments. Or let me know if you want aprebuilt ACL policy template for your app or worker.

FreeDevTools

I’ve been building FreeDevTools.

A collection of UI/UX-focused tools crafted to simplify workflows, save time, and reduce friction in searching tools/materials.

Any feedback or contributors are welcome!

It’s online, open-source, and ready for anyone to use.

👉 Check it out: FreeDevTools
⭐ Star it on GitHub: freedevtools

Let’s make it even better together.

Top comments (0)