Integrate Azure Cache for Redis with Service Connector

Article
2025-03-14

This article covers supported authentication methods, clients, and sample code you can use to connect your apps to Azure Cache for Redis using Service Connector.In this article, you'll also find default environment variable names, values, and configuration obtained when creating service connections.

Supported compute services

You can use Service Connector to connect the following compute services to Azure Cache for Redis:

Azure App Service
Azure Container Apps
Azure Functions
Azure Kubernetes Service (AKS)
Azure Spring Apps

Supported authentication and client types

The following table shows which combinations of authentication methods and clients are supported for connecting your compute service to Azure Cache for Redis by using Service Connector. "Yes" means that the combination is supported. "No" means that it isn't supported.

Client type	System-assigned managed identity	User-assigned managed identity	Secret / connection string	Service principal
.NET	Yes	Yes	Yes	Yes
Go	No	No	Yes	No
Java	Yes	Yes	Yes	Yes
Java - Spring Boot	No	No	Yes	No
Node.js	Yes	Yes	Yes	Yes
Python	Yes	Yes	Yes	Yes
None	Yes	Yes	Yes	Yes

Default environment variable names or application properties and sample code

Use the following environment variable names and application properties to connect compute services to your Redis server. To learn more about naming conventions, check the Service Connector internals article.

System-assigned managed identity

Default environment variable name	Description	Sample value
`AZURE_REDIS_HOST`	Redis endpoint	`<RedisName>.redis.cache.windows.net`

Sample code

The following steps and code show you how to use a system-assigned managed identity to connect to Redis.

Install dependencies.

dotnet add package Microsoft.Azure.StackExchangeRedis --version 3.2.0

Add the authentication logic with environment variables set by Service Connector. For more information, see Microsoft.Azure.StackExchangeRedis Extension.

using StackExchange.Redis;
var cacheHostName = Environment.GetEnvironmentVariable("AZURE_REDIS_HOST");
var configurationOptions = ConfigurationOptions.Parse($"{cacheHostName}:6380");

// Uncomment the following lines corresponding to the authentication type you want to use.
// For system-assigned identity.
// await configurationOptions.ConfigureForAzureWithTokenCredentialAsync(new DefaultAzureCredential());

// For user-assigned identity.
// var managedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_REDIS_CLIENTID");
// await configurationOptions.ConfigureForAzureWithUserAssignedManagedIdentityAsync(managedIdentityClientId);

// Service principal secret.
// var clientId = Environment.GetEnvironmentVariable("AZURE_REDIS_CLIENTID");
// var tenantId = Environment.GetEnvironmentVariable("AZURE_REDIS_TENANTID");
// var secret = Environment.GetEnvironmentVariable("AZURE_REDIS_CLIENTSECRET");
// await configurationOptions.ConfigureForAzureWithServicePrincipalAsync(clientId, tenantId, secret);


var connectionMultiplexer = await ConnectionMultiplexer.ConnectAsync(configurationOptions);

Add the following dependency in your pom.xml file:

<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
    <version>1.11.2</version> <!-- {x-version-update;com.azure:azure-identity;dependency} -->
</dependency>

<dependency>
    <groupId>redis.clients</groupId>
    <artifactId>jedis</artifactId>
    <version>5.1.0</version>  <!-- {x-version-update;redis.clients:jedis;external_dependency} -->
</dependency>

Add the authentication logic with environment variables set by Service Connector. For more information, see Azure-AAD-Authentication-With-Jedis.

import redis.clients.jedis.DefaultJedisClientConfig;
import redis.clients.jedis.Jedis;
import redis.clients.jedis.JedisShardInfo;
import java.net.URI;

// Uncomment the following lines corresponding to the authentication type you want to use.
// For system-assigned identity.
// DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().build();

// For user-assigned identity.
// String clientId = System.getenv("AZURE_REDIS_CLIENTID");
// DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().managedIdentityClientId(clientId).build();

// For AKS workload identity.
// String clientId = System.getenv("AZURE_REDIS_CLIENTID");
// DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().workloadIdentityClientId(clientId).build();

// For service principal.
// String clientId = System.getenv("AZURE_REDIS_CLIENTID");
// String secret = System.getenv("AZURE_REDIS_CLIENTSECRET");
// String tenant = System.getenv("AZURE_REDIS_TENANTID");
// ClientSecretCredential defaultAzureCredential = new ClientSecretCredentialBuilder().tenantId(tenant).clientId(clientId).clientSecret(secret).build();

String token = defaultAzureCredential
.getToken(new TokenRequestContext()
    .addScopes("https://redis.azure.com/.default")).block().getToken();

// SSL connection is required.
boolean useSsl = true;
// TODO: Replace Host Name with Azure Cache for Redis Host Name.
String username = extractUsernameFromToken(token);
String cacheHostname = System.getenv("AZURE_REDIS_HOST");

// Create Jedis client and connect to Azure Cache for Redis over the TLS/SSL port using the access token as password.
// Note, Redis Cache host name and port are required below.
Jedis jedis = new Jedis(cacheHostname, 6380, DefaultJedisClientConfig.builder()
    .password(token) // Microsoft Entra access token as password is required.
    .user(username) // Username is Required
    .ssl(useSsl) // SSL Connection is Required
    .build());

// Set a value against your key in the Redis cache.
jedis.set("Az:key", "testValue");
System.out.println(jedis.get("Az:key"));

// Close the Jedis Client
jedis.close();

Install dependencies.
```
pip install redis azure-identity
```

Add the authentication logic with environment variables set by Service Connector. For more information, see azure-aad-auth-with-redis-py.

import os
import time
import logging
import redis
import base64
import json
from azure.identity import DefaultAzureCredential

host = os.getenv('AZURE_REDIS_HOST')
scope = "https://redis.azure.com/.default"
port = 6380  # Required

def extract_username_from_token(token):
    parts = token.split('.')
    base64_str = parts[1]

    if len(base64_str) % 4 == 2:
        base64_str += "=="
    elif len(base64_str) % 4 == 3:
        base64_str += "="

    json_bytes = base64.b64decode(base64_str)
    json_str = json_bytes.decode('utf-8')
    jwt = json.loads(json_str)

    return jwt['oid']

def re_authentication():
    _LOGGER = logging.getLogger(__name__)
    # Uncomment the following lines corresponding to the authentication type you want to use.
    # For system-assigned identity.
    # cred = DefaultAzureCredential()

    # For user-assigned identity.
    # client_id = os.getenv('AZURE_REDIS_CLIENTID')
    # cred = DefaultAzureCredential(managed_identity_client_id=client_id)

    # For user-assigned identity.
    # client_id = os.getenv('AZURE_REDIS_CLIENTID')
    # cred = DefaultAzureCredential(managed_identity_client_id=client_id)

    # For service principal.
    # tenant_id = os.getenv("AZURE_TENANT_ID")
    # client_id = os.getenv("AZURE_CLIENT_ID")
    # client_secret = os.getenv("AZURE_CLIENT_SECRET")
    # cred = ServicePrincipalCredentials(tenant=tenant_id, client_id=client_id, secret=client_secret)

    token = cred.get_token(scope)
    user_name = extract_username_from_token(token.token)
    r = redis.Redis(host=host,
                    port=port,
                    ssl=True,   # ssl connection is required.
                    username=user_name,
                    password=token.token,
                    decode_responses=True)
    max_retry = 3
    for index in range(max_retry):
        try:
            if _need_refreshing(token):
                _LOGGER.info("Refreshing token...")
                tmp_token = cred.get_token(scope)
                if tmp_token:
                    token = tmp_token
                r.execute_command("AUTH", user_name, token.token)
            r.set("Az:key1", "value1")
            t = r.get("Az:key1")
            print(t)
            break
        except redis.ConnectionError:
            _LOGGER.info("Connection lost. Reconnecting.")
            token = cred.get_token(scope)
            r = redis.Redis(host=host,
                            port=port,
                            ssl=True,   # ssl connection is required.
                            username=user_name,
                            password=token.token,
                            decode_responses=True)
        except Exception:
            _LOGGER.info("Unknown failures.")
            break


def _need_refreshing(token, refresh_offset=300):
    return not token or token.expires_on - time.time() < refresh_offset

if __name__ == '__main__':
    re_authentication()

Install dependencies.
```
npm install redis @azure/identity
```

Add the authentication logic with environment variables set by Service Connector. For more information, see Azure Cache for Redis: Microsoft Entra ID with node-redis client library.

import { createClient } from "redis";
import { DefaultAzureCredential } from "@azure/identity";

function extractUsernameFromToken(accessToken: AccessToken): string{
    const base64Metadata = accessToken.token.split(".")[1];
    const { oid } = JSON.parse(
        Buffer.from(base64Metadata, "base64").toString("utf8"),
    );
    return oid;
}

async function main() {
    // Uncomment the following lines corresponding to the authentication type you want to use.  
    // For system-assigned identity.
    // const credential = new DefaultAzureCredential();

    // For user-assigned identity.
    // const clientId = process.env.AZURE_REDIS_CLIENTID;
    // const credential = new DefaultAzureCredential({
    //     managedIdentityClientId: clientId
    // });

    // For service principal.
    // const tenantId = process.env.AZURE_REDIS_TENANTID;
    // const clientId = process.env.AZURE_REDIS_CLIENTID;
    // const clientSecret = process.env.AZURE_REDIS_CLIENTSECRET;
    // const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

    // Fetch a Microsoft Entra token to be used for authentication. This token will be used as the password.
    const redisScope = "https://redis.azure.com/.default";
    let accessToken = await credential.getToken(redisScope);
    console.log("access Token", accessToken);
    const host = process.env.AZURE_REDIS_HOST;

    // Create redis client and connect to Azure Cache for Redis over the TLS port using the access token as password.
    const client = createClient({
        username: extractUsernameFromToken(accessToken),
        password: accessToken.token,
        url: `redis://${host}:6380`,
        pingInterval: 100000,
        socket: { 
        tls: true,
        keepAlive: 0 
        },
    });

    client.on("error", (err) => console.log("Redis Client Error", err));
    await client.connect();
    // Set a value against your key in Azure Redis Cache.
    await client.set("Az:key", "value1312");
    // Get value of your key in Azure Redis Cache.
    console.log("value-", await client.get("Az:key"));
}

main().catch((err) => {
    console.log("error code: ", err.code);
    console.log("error message: ", err.message);
    console.log("error stack: ", err.stack);
});

User-assigned managed identity

Default environment variable name	Description	Sample value
`AZURE_REDIS_HOST`	Redis endpoint	`<RedisName>.redis.cache.windows.net`
`AZURE_REDIS_CLIENTID`	Managed-identity client ID	`<client-ID>`

Sample code

The following steps and code show you how to use a user-assigned managed identity to connect to Redis.

Install dependencies.

dotnet add package Microsoft.Azure.StackExchangeRedis --version 3.2.0

Add the authentication logic with environment variables set by Service Connector. For more information, see Microsoft.Azure.StackExchangeRedis Extension.

using StackExchange.Redis;
var cacheHostName = Environment.GetEnvironmentVariable("AZURE_REDIS_HOST");
var configurationOptions = ConfigurationOptions.Parse($"{cacheHostName}:6380");

// Uncomment the following lines corresponding to the authentication type you want to use.
// For system-assigned identity.
// await configurationOptions.ConfigureForAzureWithTokenCredentialAsync(new DefaultAzureCredential());

// For user-assigned identity.
// var managedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_REDIS_CLIENTID");
// await configurationOptions.ConfigureForAzureWithUserAssignedManagedIdentityAsync(managedIdentityClientId);

// Service principal secret.
// var clientId = Environment.GetEnvironmentVariable("AZURE_REDIS_CLIENTID");
// var tenantId = Environment.GetEnvironmentVariable("AZURE_REDIS_TENANTID");
// var secret = Environment.GetEnvironmentVariable("AZURE_REDIS_CLIENTSECRET");
// await configurationOptions.ConfigureForAzureWithServicePrincipalAsync(clientId, tenantId, secret);


var connectionMultiplexer = await ConnectionMultiplexer.ConnectAsync(configurationOptions);

Add the following dependency in your pom.xml file:

<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
    <version>1.11.2</version> <!-- {x-version-update;com.azure:azure-identity;dependency} -->
</dependency>

<dependency>
    <groupId>redis.clients</groupId>
    <artifactId>jedis</artifactId>
    <version>5.1.0</version>  <!-- {x-version-update;redis.clients:jedis;external_dependency} -->
</dependency>

Add the authentication logic with environment variables set by Service Connector. For more information, see Azure-AAD-Authentication-With-Jedis.

import redis.clients.jedis.DefaultJedisClientConfig;
import redis.clients.jedis.Jedis;
import redis.clients.jedis.JedisShardInfo;
import java.net.URI;

// Uncomment the following lines corresponding to the authentication type you want to use.
// For system-assigned identity.
// DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().build();

// For user-assigned identity.
// String clientId = System.getenv("AZURE_REDIS_CLIENTID");
// DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().managedIdentityClientId(clientId).build();

// For AKS workload identity.
// String clientId = System.getenv("AZURE_REDIS_CLIENTID");
// DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().workloadIdentityClientId(clientId).build();

// For service principal.
// String clientId = System.getenv("AZURE_REDIS_CLIENTID");
// String secret = System.getenv("AZURE_REDIS_CLIENTSECRET");
// String tenant = System.getenv("AZURE_REDIS_TENANTID");
// ClientSecretCredential defaultAzureCredential = new ClientSecretCredentialBuilder().tenantId(tenant).clientId(clientId).clientSecret(secret).build();

String token = defaultAzureCredential
.getToken(new TokenRequestContext()
    .addScopes("https://redis.azure.com/.default")).block().getToken();

// SSL connection is required.
boolean useSsl = true;
// TODO: Replace Host Name with Azure Cache for Redis Host Name.
String username = extractUsernameFromToken(token);
String cacheHostname = System.getenv("AZURE_REDIS_HOST");

// Create Jedis client and connect to Azure Cache for Redis over the TLS/SSL port using the access token as password.
// Note, Redis Cache host name and port are required below.
Jedis jedis = new Jedis(cacheHostname, 6380, DefaultJedisClientConfig.builder()
    .password(token) // Microsoft Entra access token as password is required.
    .user(username) // Username is Required
    .ssl(useSsl) // SSL Connection is Required
    .build());

// Set a value against your key in the Redis cache.
jedis.set("Az:key", "testValue");
System.out.println(jedis.get("Az:key"));

// Close the Jedis Client
jedis.close();

Install dependencies.
```
pip install redis azure-identity
```

Add the authentication logic with environment variables set by Service Connector. For more information, see azure-aad-auth-with-redis-py.

import os
import time
import logging
import redis
import base64
import json
from azure.identity import DefaultAzureCredential

host = os.getenv('AZURE_REDIS_HOST')
scope = "https://redis.azure.com/.default"
port = 6380  # Required

def extract_username_from_token(token):
    parts = token.split('.')
    base64_str = parts[1]

    if len(base64_str) % 4 == 2:
        base64_str += "=="
    elif len(base64_str) % 4 == 3:
        base64_str += "="

    json_bytes = base64.b64decode(base64_str)
    json_str = json_bytes.decode('utf-8')
    jwt = json.loads(json_str)

    return jwt['oid']

def re_authentication():
    _LOGGER = logging.getLogger(__name__)
    # Uncomment the following lines corresponding to the authentication type you want to use.
    # For system-assigned identity.
    # cred = DefaultAzureCredential()

    # For user-assigned identity.
    # client_id = os.getenv('AZURE_REDIS_CLIENTID')
    # cred = DefaultAzureCredential(managed_identity_client_id=client_id)

    # For user-assigned identity.
    # client_id = os.getenv('AZURE_REDIS_CLIENTID')
    # cred = DefaultAzureCredential(managed_identity_client_id=client_id)

    # For service principal.
    # tenant_id = os.getenv("AZURE_TENANT_ID")
    # client_id = os.getenv("AZURE_CLIENT_ID")
    # client_secret = os.getenv("AZURE_CLIENT_SECRET")
    # cred = ServicePrincipalCredentials(tenant=tenant_id, client_id=client_id, secret=client_secret)

    token = cred.get_token(scope)
    user_name = extract_username_from_token(token.token)
    r = redis.Redis(host=host,
                    port=port,
                    ssl=True,   # ssl connection is required.
                    username=user_name,
                    password=token.token,
                    decode_responses=True)
    max_retry = 3
    for index in range(max_retry):
        try:
            if _need_refreshing(token):
                _LOGGER.info("Refreshing token...")
                tmp_token = cred.get_token(scope)
                if tmp_token:
                    token = tmp_token
                r.execute_command("AUTH", user_name, token.token)
            r.set("Az:key1", "value1")
            t = r.get("Az:key1")
            print(t)
            break
        except redis.ConnectionError:
            _LOGGER.info("Connection lost. Reconnecting.")
            token = cred.get_token(scope)
            r = redis.Redis(host=host,
                            port=port,
                            ssl=True,   # ssl connection is required.
                            username=user_name,
                            password=token.token,
                            decode_responses=True)
        except Exception:
            _LOGGER.info("Unknown failures.")
            break


def _need_refreshing(token, refresh_offset=300):
    return not token or token.expires_on - time.time() < refresh_offset

if __name__ == '__main__':
    re_authentication()

Install dependencies.
```
npm install redis @azure/identity
```

Add the authentication logic with environment variables set by Service Connector. For more information, see Azure Cache for Redis: Microsoft Entra ID with node-redis client library.

import { createClient } from "redis";
import { DefaultAzureCredential } from "@azure/identity";

function extractUsernameFromToken(accessToken: AccessToken): string{
    const base64Metadata = accessToken.token.split(".")[1];
    const { oid } = JSON.parse(
        Buffer.from(base64Metadata, "base64").toString("utf8"),
    );
    return oid;
}

async function main() {
    // Uncomment the following lines corresponding to the authentication type you want to use.  
    // For system-assigned identity.
    // const credential = new DefaultAzureCredential();

    // For user-assigned identity.
    // const clientId = process.env.AZURE_REDIS_CLIENTID;
    // const credential = new DefaultAzureCredential({
    //     managedIdentityClientId: clientId
    // });

    // For service principal.
    // const tenantId = process.env.AZURE_REDIS_TENANTID;
    // const clientId = process.env.AZURE_REDIS_CLIENTID;
    // const clientSecret = process.env.AZURE_REDIS_CLIENTSECRET;
    // const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

    // Fetch a Microsoft Entra token to be used for authentication. This token will be used as the password.
    const redisScope = "https://redis.azure.com/.default";
    let accessToken = await credential.getToken(redisScope);
    console.log("access Token", accessToken);
    const host = process.env.AZURE_REDIS_HOST;

    // Create redis client and connect to Azure Cache for Redis over the TLS port using the access token as password.
    const client = createClient({
        username: extractUsernameFromToken(accessToken),
        password: accessToken.token,
        url: `redis://${host}:6380`,
        pingInterval: 100000,
        socket: { 
        tls: true,
        keepAlive: 0 
        },
    });

    client.on("error", (err) => console.log("Redis Client Error", err));
    await client.connect();
    // Set a value against your key in Azure Redis Cache.
    await client.set("Az:key", "value1312");
    // Get value of your key in Azure Redis Cache.
    console.log("value-", await client.get("Az:key"));
}

main().catch((err) => {
    console.log("error code: ", err.code);
    console.log("error message: ", err.message);
    console.log("error stack: ", err.stack);
});

Connection string

Warning

We recommend that you use the most secure authentication flow available. The authentication flow described here requires a very high degree of trust in the application, and carries risks that aren't present in other flows. You should use this flow only when more secure flows, such as managed identities, aren't viable.

Default environment variable name	Description	Example value
`AZURE_REDIS_CONNECTIONSTRING`	`StackExchange.Redis` connection string	`<redis-server-name>.redis.cache.windows.net:6380,password=<redis-key>,ssl=True,defaultDatabase=0`

Default environment variable name	Description	Example value
`AZURE_REDIS_CONNECTIONSTRING`	Jedis connection string	`rediss://:<redis-key>@<redis-server-name>.redis.cache.windows.net:6380/0`

Application properties	Description	Example value
`spring.redis.host`	Redis host	`<redis-server-name>.redis.cache.windows.net`
`spring.redis.port`	Redis port	`6380`
`spring.redis.database`	Redis database	`0`
`spring.redis.password`	Redis key	`<redis-key>`
`spring.redis.ssl`	SSL setting	`true`

Default environment variable name	Description	Example value
`AZURE_REDIS_CONNECTIONSTRING`	`redis-py` connection string	`rediss://:<redis-key>@<redis-server-name>.redis.cache.windows.net:6380/0`

Default environment variable name	Description	Example value
`AZURE_REDIS_CONNECTIONSTRING`	`redis-py` connection string	`rediss://:<redis-key>@<redis-server-name>.redis.cache.windows.net:6380/0`

Default environment variable name	Description	Example value
`AZURE_REDIS_CONNECTIONSTRING`	`node-redis` connection string	`rediss://:<redis-key>@<redis-server-name>.redis.cache.windows.net:6380/0`

Default environment variable name	Description	Example value
`AZURE_REDIS_HOST`	Redis host	`<redis-server-name>.redis.cache.windows.net`
`AZURE_REDIS_PORT`	Redis port	`6380`
`AZURE_REDIS_DATABASE`	Redis database	`0`
`AZURE_REDIS_PASSWORD`	Redis key	`<redis-key>`
`AZURE_REDIS_SSL`	SSL setting	`true`

Sample code

The following steps and code show you how to use a connection string to connect to Azure Cache for Redis.

Install dependencies.

dotnet add package StackExchange.Redis --version 2.6.122