This release adds 2 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
Affected surfaces
ReleasePort's take
Light signalBetterDB Agent v1.5.0 now supports AWS IAM authentication for ElastiCache (Valkey 7.2+ and Redis OSS 7.0+) using short‑lived SigV4 tokens.
Why it matters: Enables secure, token‑based access to managed caches; adopt if targeting Valkey 7.2+ or Redis 7.0+ deployments.
Summary
AI summaryAdds AWS IAM authentication support for ElastiCache using short‑lived SigV4 tokens.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Breaking | High |
TLS is now mandatory; agent exits with error if `--valkey-tls true` is not set for IAM auth mode. TLS is now mandatory; agent exits with error if `--valkey-tls true` is not set for IAM auth mode. Source: granite4.1:30b@2026-05-22-audit Confidence: low |
— |
| Feature | Medium |
Adds AWS IAM authentication support for ElastiCache for Valkey 7.2+ and Redis OSS 7.0+ via short‑lived SigV4 tokens. Adds AWS IAM authentication support for ElastiCache for Valkey 7.2+ and Redis OSS 7.0+ via short‑lived SigV4 tokens. Source: llm_adapter@2026-05-22 Confidence: high |
— |
Full changelog
ElastiCache IAM Authentication
The BetterDB Agent now supports AWS IAM authentication for ElastiCache for Valkey 7.2+ and Redis OSS 7.0+. Instead of a static password, the agent mints short-lived SigV4-signed tokens from the host's AWS credentials and rotates them automatically on every reconnect — no secrets to configure or rotate.
Setup
Enable IAM mode with --auth-mode elasticache-iam (or AGENT_AUTH_MODE=elasticache-iam) alongside three required fields:
| Flag | Env var | Description |
|------|---------|-------------|
| --auth-mode elasticache-iam | AGENT_AUTH_MODE | Enable IAM auth (default: password) |
| --aws-region | AWS_REGION | AWS region of the cluster |
| --aws-resource-name | AWS_RESOURCE_NAME | Replication group ID or serverless cache name |
| --aws-user-id | AWS_USER_ID | ElastiCache IAM user-id (must equal user-name) |
| --aws-serverless | AWS_SERVERLESS | Set to true for ElastiCache Serverless |
TLS is required — the agent will exit with a clear error if --valkey-tls true is not set.
AWS credentials are resolved from the standard chain: environment variables, ~/.aws/credentials, EC2 instance profile, and container role. On EC2, attach an instance profile with elasticache:Connect on the cluster and user ARNs and no further credential configuration is needed.
Example
docker run -d --name betterdb-agent \
--restart=always \
-e BETTERDB_TOKEN="<your-token>" \
-e BETTERDB_CLOUD_URL="wss://<your-workspace>.app.betterdb.com/agent/ws" \
-e VALKEY_HOST="<your-elasticache-endpoint>" \
-e VALKEY_PORT="6379" \
-e VALKEY_USERNAME="<your-iam-user-id>" \
-e VALKEY_TLS="true" \
-e AGENT_AUTH_MODE="elasticache-iam" \
-e AWS_REGION="us-east-1" \
-e AWS_RESOURCE_NAME="<your-cache-name>" \
-e AWS_USER_ID="<your-iam-user-id>" \
betterdb/agent
Requirements
- ElastiCache for Valkey 7.2+ or Redis OSS 7.0+
- Encryption in transit (TLS) enabled on the cluster
- An ElastiCache user with authentication-mode Type=iam — the user-id must equal the user-name
- The user assigned to a user group attached to the cluster
- An IAM policy granting elasticache:Connect on the cluster and user ARNs
See the https://docs.betterdb.com/providers/aws-elasticache for a full walkthrough including user group setup for Valkey-engine clusters.
Backwards compatibility
Password authentication is unchanged and remains the default. Existing deployments require no changes.
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About BetterDB-inc/monitor
Valkey-first observability with Redis compatibility. Query real-time metrics, analyze slow commands, detect hot keys, and investigate performance issues directly from AI coding assistants.
Related context
Related tools
Beta — feedback welcome: [email protected]