Redis Entra ID
The `redis-entraid` Python package simplifies authentication with Azure Managed Redis and Azure Cache for Redis using Microsoft Entra ID (formerly Azure Active Directory). It handles fetching and renewing authentication tokens in the background, building on `redis-py`. The current version is 1.1.2, released on March 26, 2026. This library appears to have a regular release cadence with several updates in the past year.
Common errors
- `ERR WRONGPASS invalid username-password pair`
  cause: The Entra ID authentication token used by the Redis connection has expired and was not successfully renewed.
  fix: This error indicates a failure in the automatic token renewal. Verify that the `azure-identity` (or other underlying identity provider) configuration is correct and has the necessary permissions to refresh tokens. Check application logs for messages related to token acquisition failures.
- `redis.exceptions.ConnectionError: [Errno 111] Connection refused`
  cause: The Redis client attempted to connect without TLS/SSL, the hostname or port is incorrect, or there are network connectivity issues.
  fix: Ensure `ssl=True` is passed to the `redis.Redis` constructor. Double-check the `host` and `port` values for your Azure Redis instance. Confirm network access from your application to the Redis endpoint.
- `An error occurred: Failed to acquire token! Identity provider request failed! Failed to acquire token!` (or similar messages involving `TokenRequestException`)
  cause: The `azure-identity` library or the underlying MSAL client could not successfully obtain an Entra ID token, possibly due to incorrect credentials, insufficient permissions for the service principal/managed identity, or network issues contacting Azure AD endpoints.
  fix: Review your Azure Entra ID application registration, service principal, or managed identity configuration. Ensure the client ID, tenant ID, and client secret (if applicable) are correct and that the identity has permissions to access the Redis cache. Verify network access to `login.microsoftonline.com` or your specific Azure AD authority.
Warnings
- breaking: Python 3.9 support was dropped in `redis-entraid` version 1.1.0. If you are using Python 3.9, you must use `redis-entraid` version 1.0.0 or downgrade your Python version.
- gotcha: Azure Redis with Entra ID authentication strictly requires TLS/SSL connections. Attempting to connect without `ssl=True` in the `redis.Redis` client configuration will result in connection errors.
- gotcha: Long-lived connections may fail after an Entra ID token expires (typically ~24 hours) if the token renewal mechanism is not properly configured or if there are underlying issues preventing automatic refresh. This can manifest as `ERR WRONGPASS`.
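To confirm that an `ERR WRONGPASS` on a long-lived connection lines up with token expiry, the token's `exp` claim can be read directly. This is an added example, not code from `redis-entraid`: it reads the claim without verifying the signature, so it is for diagnostics only. It assumes the Entra ID access token is a JWT; the function names and the 300-second margin are hypothetical, and the sample token is constructed.

```python
import base64
import json
import time
from typing import Optional, Tuple


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("JWT payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def token_status(token: str, now: Optional[float] = None,
                 margin: int = 300) -> Tuple[str, int]:
    """Return (state, seconds_left); state is 'valid', 'renew_soon' or 'expired'."""
    exp = jwt_claims(token).get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("token has no numeric 'exp' claim")
    left = int(exp - (time.time() if now is None else now))
    if left <= 0:
        return "expired", left
    return ("renew_soon" if left <= margin else "valid"), left


def sample_token(exp: int) -> str:
    """Constructed, unsigned token for the demo; not a real Entra ID token."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header, body = seg({"alg": "none"}), seg({"exp": exp})
    return f"{header}.{body}.constructed-signature"


if __name__ == "__main__":
    now = int(time.time())
    for offset in (24 * 3600, 120, -60):  # fresh, close to expiry, expired
        print(offset, token_status(sample_token(now + offset), now=now))
```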
Install
- `pip install redis-entraid`
Imports
- Redis: `from redis import Redis`
- create_from_default_azure_credential: `from redis_entraid.cred_provider import create_from_default_azure_credential`
- DefaultAzureCredential: `from azure.identity import DefaultAzureCredential`
Quickstart
```python
import os

from redis import Redis
from azure.identity import DefaultAzureCredential
from redis_entraid.cred_provider import create_from_default_azure_credential

# --- Environment Variables (for DefaultAzureCredential to pick up) ---
# Set these in your environment, e.g., in a .env file or directly:
# os.environ['AZURE_TENANT_ID'] = 'YOUR_TENANT_ID'
# os.environ['AZURE_CLIENT_ID'] = 'YOUR_CLIENT_ID'
# os.environ['AZURE_CLIENT_SECRET'] = 'YOUR_CLIENT_SECRET'
# OR ensure a Managed Identity is assigned to your application/VM.

# --- Redis Connection Details ---
# Your Azure Managed Redis or Azure Cache for Redis hostname and port
# Default port for Azure Managed Redis is 10000, for Azure Cache for Redis it's 6380.
REDIS_HOST = os.environ.get('REDIS_HOST', 'your_redis_cache_name.redis.cache.windows.net')
REDIS_PORT = int(os.environ.get('REDIS_PORT', 10000))


def connect_with_entra_id():
    try:
        # DefaultAzureCredential will attempt to authenticate via various methods
        # including environment variables, managed identity, etc.
        # Scopes are crucial for Entra ID authentication with Redis.
        credential_provider = create_from_default_azure_credential(
            ("https://redis.azure.com/.default",)
        )

        # Azure enforces TLS for Entra ID authentication.
        # decode_responses=True automatically decodes responses to Python strings.
        r = Redis(
            host=REDIS_HOST,
            port=REDIS_PORT,
            ssl=True,
            decode_responses=True,
            credential_provider=credential_provider
        )

        # Test the connection
        if r.ping():
            print(f"Successfully connected to Redis at {REDIS_HOST}:{REDIS_PORT} with Entra ID.")
            r.set("mykey", "Hello from redis-entraid!")
            value = r.get("mykey")
            print(f"Retrieved value: {value}")
        else:
            print("Redis ping failed.")
    except Exception as e:
        print(f"An error occurred: {e}")


if __name__ == "__main__":
    connect_with_entra_id()
```