
The Infisical AWS MemoryDB dynamic secret generates short-lived MemoryDB users (Valkey or Redis OSS engine) and attaches them to the ACL already associated with your target cluster. Each lease creates a new MemoryDB user with a fresh password; revocation deletes the user.

Prerequisites

  1. A MemoryDB cluster with an ACL attached. If your cluster is still on the default open-access ACL, attach a real ACL before configuring the dynamic secret — Infisical will refuse to add users to a cluster with no ACL.
  2. An AWS IAM user for Infisical to use, with an access key ID and secret access key. Attach the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "memorydb:DescribeClusters",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "memorydb:CreateUser",
        "memorydb:DeleteUser",
        "memorydb:UpdateACL"
      ],
      "Resource": "arn:aws:memorydb:*:*:user/inf-*"
    },
    {
      "Effect": "Allow",
      "Action": "memorydb:UpdateACL",
      "Resource": "arn:aws:memorydb:*:*:acl/*"
    }
  ]
}
A few notes on the policy:
  • memorydb:DescribeClusters doesn’t support resource-level scoping, so it must be "Resource": "*".
  • The user/inf-* pattern matches the inf- username prefix Infisical applies to every generated user.
  • memorydb:UpdateACL is granted on both the user ARN and the ACL ARN because AWS evaluates the action against every resource it touches in a single call (the ACL plus each user being added or removed).
  • If you’d like to pin the ACL more tightly, replace acl/* with acl/<your-acl-name>.
New leases may take a short while to become usable while MemoryDB propagates the user across the cluster’s shards. We recommend a retry strategy when first connecting with newly-issued credentials.
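The retry strategy recommended above, as an added example that is not part of the original page or of Infisical's own code. It treats an AUTH failure that reads like a not-yet-propagated user (WRONGPASS/NOAUTH) as transient and backs off exponentially, while a connection refusal or any other error fails immediately. The `FakeLeaseTarget` is a constructed stand-in for a cluster whose new user only becomes visible after a few attempts; the username and password in `demo` are constructed values.

```python
import time


def _looks_unpropagated(exc):
    """Default transient check: an AUTH failure that reads like a user the
    cluster does not know yet. Anything else (ECONNREFUSED, TLS errors,
    timeouts) is not retried by default."""
    return any(tok in str(exc) for tok in ("WRONGPASS", "NOAUTH"))


def connect_with_retry(connect, attempts=6, base_delay=0.5, max_delay=8.0,
                       sleep=time.sleep, is_transient=_looks_unpropagated):
    """Call connect() until it succeeds or `attempts` is exhausted.

    connect      zero-argument callable that opens a connection, AUTHs with the
                 lease's username/password and returns the connection object
    is_transient predicate: True for errors worth another try
    Returns (connection, attempts_used). The delay doubles from base_delay up
    to max_delay between tries; the final failure is re-raised unchanged.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    delay = base_delay
    for attempt in range(1, attempts + 1):
        try:
            return connect(), attempt
        except Exception as exc:
            if attempt == attempts or not is_transient(exc):
                raise
            sleep(delay)
            delay = min(delay * 2, max_delay)
    raise AssertionError("unreachable")


class FakeLeaseTarget:
    """Constructed stand-in for a cluster whose freshly created user becomes
    usable only after `ready_after` AUTH attempts."""

    def __init__(self, ready_after):
        self.ready_after = ready_after
        self.auth_calls = 0

    def auth(self, username, password):
        self.auth_calls += 1
        if self.auth_calls < self.ready_after:
            # What a not-yet-propagated user looks like from the client side.
            raise RuntimeError("WRONGPASS invalid username-password pair or user is disabled.")
        return f"session:{username}"


def demo(ready_after=3):
    """Connect to a FakeLeaseTarget with a constructed, freshly issued lease.
    Returns (connection, attempts_used, delays_slept)."""
    target = FakeLeaseTarget(ready_after)
    delays = []
    conn, used = connect_with_retry(
        lambda: target.auth("inf-3POnzeFyK9gW2nio", "constructed-example-password"),
        sleep=delays.append,
    )
    return conn, used, delays
```

With redis-py the `connect` argument would be a function that builds `redis.Redis(host=..., port=6379, ssl=True, username=..., password=...)`, calls `.ping()` and returns the client, with `is_transient=lambda e: isinstance(e, redis.exceptions.AuthenticationError)`; keep `attempts * max_delay` well inside the lease TTL so a lease that never propagates is reported as a failure rather than retried until it expires.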

Set up Dynamic Secrets with AWS MemoryDB

1. Open the Secret Overview dashboard

Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
2. Click the 'Add Dynamic Secret' button
3. Select AWS MemoryDB
4. Provide the inputs for the dynamic secret parameters

  • Secret Name (string, required): Name by which you want the secret to be referenced.
  • Default TTL (string, required): Default time-to-live for a generated secret (this can be changed after the secret is created).
  • Max TTL (string, required): Maximum time-to-live for a generated secret.
  • Cluster name (string, required): The name of the MemoryDB cluster Infisical should provision users for.
  • Region (string, required): The AWS region the MemoryDB cluster lives in (e.g. us-east-1).
  • Access Key ID (string, required): Access key ID of the AWS IAM user from the prerequisites.
  • Secret Access Key (string, required): Secret access key of the AWS IAM user from the prerequisites.
5. (Optional) Modify MemoryDB Statements

Username Template (string, default: "{{randomUsername}}")
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created. Allowed template variables are:
  • {{randomUsername}}: Random username string.
  • {{unixTimestamp}}: Current Unix timestamp at the time of lease creation.
  • {{identity.name}}: Name of the identity that is generating the lease.
  • {{dynamicSecret.name}}: Name of the associated dynamic secret.
  • {{dynamicSecret.type}}: Type of the associated dynamic secret.
  • {{random N}}: Random string of N characters.
Allowed template functions are:
  • truncate: Truncates a string to a specified length.
  • replace: Replaces a substring with another value.
  • uppercase: Converts a string to uppercase.
  • lowercase: Converts a string to lowercase.
Examples:
{{ randomUsername }}                                            // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
{{ unixTimestamp }}                                             // 17490641580
{{ identity.name }}                                             // <identity-name>
{{ random 5 }}                                                  // x9K2m
{{ truncate identity.name 4 }}                                  // test
{{ replace identity.name '<identity-name>' 'new-value' }}       // new-value
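A renderer for the template syntax listed above, as an added example rather than Infisical's own implementation. It expands the six variables and four functions with the `{{ ... }}` tag form shown in the examples, accepts single- or double-quoted string arguments, and rejects unknown variables instead of silently emitting them. The `now` and `rand` parameters are assumptions added so the output can be made deterministic; the `ctx` values in the usage are constructed.

```python
import re
import secrets
import string
import time

_ALNUM = string.ascii_letters + string.digits
_TAG = re.compile(r"\{\{\s*(.*?)\s*\}\}")
# One argument: 'single-quoted', "double-quoted" or a bare token.
_ARG = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")


def random_string(n):
    """Cryptographically random alphanumeric string of length n."""
    return "".join(secrets.choice(_ALNUM) for _ in range(n))


def render_username_template(template, ctx, *, now=None, rand=random_string):
    """Expand the {{ ... }} tags documented for the Username Template field.

    ctx holds the lease-time values under the keys identity.name,
    dynamicSecret.name and dynamicSecret.type. `now` (Unix seconds) and `rand`
    (callable n -> str) are injectable so tests can pin the output.
    """
    variables = {
        "randomUsername": lambda: rand(32),
        "unixTimestamp": lambda: str(int(time.time() if now is None else now)),
        "identity.name": lambda: ctx["identity.name"],
        "dynamicSecret.name": lambda: ctx["dynamicSecret.name"],
        "dynamicSecret.type": lambda: ctx["dynamicSecret.type"],
    }

    def resolve(tok):
        text, quoted = tok
        if quoted or text.isdigit():
            return text                       # string or numeric literal
        if text in variables:
            return variables[text]()
        raise ValueError(f"unknown template variable {text!r}")

    def expand(match):
        toks = []
        for m in _ARG.finditer(match.group(1)):
            sq, dq, bare = m.groups()
            toks.append((bare, False) if bare is not None
                        else (sq if sq is not None else dq, True))
        if not toks:
            raise ValueError("empty template tag")
        head, _ = toks[0]
        args = [resolve(t) for t in toks[1:]]
        if head == "random":
            return rand(int(args[0]))
        if head == "truncate":
            return args[0][: int(args[1])]
        if head == "replace":
            return args[0].replace(args[1], args[2])
        if head == "uppercase":
            return args[0].upper()
        if head == "lowercase":
            return args[0].lower()
        if args:
            raise ValueError(f"unknown template function {head!r}")
        return resolve(toks[0])               # a bare variable such as {{ identity.name }}

    return _TAG.sub(expand, template)
```

Whatever template you choose, keep the rendered name unique per lease (a random component or the timestamp) so two concurrent leases cannot collide on the same MemoryDB user, and remember that the IAM policy above only permits users whose final name starts with `inf-`.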
Creation Statement (string)
A JSON payload passed to MemoryDB's CreateUser API. {{username}} and {{password}} are substituted with Infisical-generated values at lease time. Use the AccessString field to scope each lease's permissions: the default below ("on ~* +@all") allows every command on every key, so restrict the key pattern and command categories to what the consuming workload actually needs. Default:
{
  "UserName": "{{username}}",
  "AccessString": "on ~* +@all",
  "AuthenticationMode": { "Type": "password", "Passwords": ["{{password}}"] }
}
Revocation Statement (string)
A JSON payload passed to MemoryDB's DeleteUser API. {{username}} is substituted at revoke time. Default:
{ "UserName": "{{username}}" }
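The lease lifecycle the creation and revocation statements drive, as an added example rather than Infisical's code. It renders the two statements by JSON-encoding the generated values before substitution (so a password containing a quote cannot break the payload), refuses a cluster still on the default open-access ACL, creates the user, attaches it to the cluster's ACL, and on revocation detaches it before deleting. `FakeMemoryDB` is a constructed in-memory stand-in for the boto3 `memorydb` client that mirrors the real call signatures (`describe_clusters`, `create_user`, `update_acl`, `delete_user`) and enforces the `inf-` prefix from the IAM policy above. The `inf-` plus random-hex username shape, the detach-before-delete ordering, and `SCOPED_CREATION` (a read-only AccessString for keys under `app:`) are assumptions made for the example.

```python
import json
import secrets

# Defaults shown on this page.
DEFAULT_CREATION = """{
  "UserName": "{{username}}",
  "AccessString": "on ~* +@all",
  "AuthenticationMode": { "Type": "password", "Passwords": ["{{password}}"] }
}"""
DEFAULT_REVOCATION = '{ "UserName": "{{username}}" }'

# Least-privilege alternative (assumed workload: read-only on keys under app:).
SCOPED_CREATION = DEFAULT_CREATION.replace('"on ~* +@all"', '"on ~app:* -@all +@read"')


def render_statement(template, username, password=None):
    """Fill {{username}}/{{password}} and parse the result as JSON.

    Values are JSON-encoded before substitution so a generated password that
    contains a quote or backslash cannot corrupt the payload.
    """
    out = template.replace('"{{username}}"', json.dumps(username))
    if password is not None:
        out = out.replace('"{{password}}"', json.dumps(password))
    if "{{" in out:
        raise ValueError("statement still contains an unfilled placeholder")
    return json.loads(out)


class FakeMemoryDB:
    """Constructed in-memory stand-in for the boto3 'memorydb' client, covering
    only the calls the IAM policy allows and the failure modes that matter here
    (open-access ACL, users outside inf-*, deleting a user still in an ACL)."""

    def __init__(self, cluster_name, acl_name):
        self.cluster_name, self.acl_name = cluster_name, acl_name
        self.users = {}          # username -> (access_string, password)
        self.acl_members = set()

    def describe_clusters(self, ClusterName):
        if ClusterName != self.cluster_name:
            raise KeyError("ClusterNotFoundFault")
        return {"Clusters": [{"Name": ClusterName, "ACLName": self.acl_name}]}

    def create_user(self, UserName, AccessString, AuthenticationMode):
        if not UserName.startswith("inf-"):   # the user/inf-* resource condition
            raise PermissionError("AccessDeniedException: memorydb:CreateUser")
        if UserName in self.users:
            raise ValueError("UserAlreadyExistsFault")
        self.users[UserName] = (AccessString, AuthenticationMode["Passwords"][0])
        return {"User": {"Name": UserName, "Status": "modifying"}}

    def update_acl(self, ACLName, UserNamesToAdd=(), UserNamesToRemove=()):
        if ACLName != self.acl_name:
            raise KeyError("ACLNotFoundFault")
        for name in UserNamesToAdd:
            if name not in self.users:
                raise KeyError("UserNotFoundFault")
            self.acl_members.add(name)
        for name in UserNamesToRemove:
            self.acl_members.discard(name)
        return {"ACL": {"Name": ACLName, "UserNames": sorted(self.acl_members)}}

    def delete_user(self, UserName):
        if UserName in self.acl_members:
            raise ValueError("InvalidUserStateFault: user is still a member of an ACL")
        del self.users[UserName]
        return {"User": {"Name": UserName, "Status": "deleting"}}


def issue_lease(client, cluster_name, creation_stmt=DEFAULT_CREATION):
    """Create one lease: refuse open-access clusters, create the user from the
    rendered creation statement, then attach it to the cluster's ACL."""
    acl = client.describe_clusters(ClusterName=cluster_name)["Clusters"][0]["ACLName"]
    if acl == "open-access":
        raise RuntimeError("cluster uses the default open-access ACL; attach a real ACL first")
    username = "inf-" + secrets.token_hex(8)        # assumed shape: inf- prefix + random suffix
    password = secrets.token_urlsafe(24)            # 32 chars, inside MemoryDB's 16-128 limit
    client.create_user(**render_statement(creation_stmt, username, password))
    client.update_acl(ACLName=acl, UserNamesToAdd=[username])
    return {"username": username, "password": password, "acl": acl}


def revoke_lease(client, lease, revocation_stmt=DEFAULT_REVOCATION):
    """Tear the lease down. The user is detached from the ACL first because
    MemoryDB will not delete a user that is still an ACL member (assumed
    ordering; the page only states that revocation deletes the user)."""
    payload = render_statement(revocation_stmt, lease["username"])
    client.update_acl(ACLName=lease["acl"], UserNamesToRemove=[payload["UserName"]])
    client.delete_user(**payload)
    return payload["UserName"]
```

Against a real account the same functions run unchanged with `boto3.client("memorydb", region_name=...)` in place of `FakeMemoryDB`; the real service returns the user in a `modifying` state, which is the propagation window the retry note in the prerequisites refers to.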
6. Click `Submit`

Infisical will verify that it can reach the cluster with the provided credentials and validate the statements.
7. Generate dynamic secrets

Once configured, click Generate on the dynamic secret row (or New Lease in the lease list) to provision a lease. Specify a TTL within the configured Max TTL. The generated username and password are shown once, on lease creation.

Audit or Revoke Leases

Click any dynamic secret on the dashboard to see active leases, their expiration times, and revoke them early if needed.

Renew Leases

Click Renew on an active lease to extend its TTL.
Renewals cannot exceed the Max TTL set when the dynamic secret was configured.