Redis access keys are the two secret values Azure provides for key-based Redis authentication. Think of them as a primary and secondary password pair for the cache. The pair exists so you can rotate one key while applications continue using the other. They are useful for legacy clients and quick connection setup, but they are not fine-grained identities. A team should know where both keys are stored, which one applications use, who can reveal them, and how rotation works before production traffic depends on them.
Redis access keys are the paired primary and secondary secrets used for key-based authentication to Azure Cache for Redis or Azure Managed Redis when that mode is enabled. The two-key design supports rotation by moving clients between keys before regenerating the inactive value.
In Azure architecture, Redis access keys belong to authentication and secret-management design for cache clients. They appear on Azure Cache for Redis and Azure Managed Redis configurations when access-key authentication is enabled. The control plane can list or regenerate the keys, while applications use one key through a connection string or Redis client setting. The key pair interacts with Key Vault, app configuration, managed identities, private endpoints, diagnostics, and deployment automation. It is separate from RBAC authorization and different from Entra-based Redis users or data access policies.
Why it matters
Redis access keys matter because the pair determines whether key rotation can happen without downtime. A single-secret mindset leads to outages: teams regenerate a key, clients still use it, and the cache suddenly rejects connections. The primary-secondary pattern gives operators a safer path, but only if applications can switch secrets cleanly. The keys also matter for security posture. If both keys are copied into uncontrolled places, rotation loses value because every secret version is exposed. Clear ownership of the pair lets teams support legacy authentication, migrate toward identity-based access, and recover from leaks without guessing which applications will fail. Rotation discipline prevents guesswork.
⌁
Where you see it
Signals, screens, and Azure surfaces where this term usually becomes operational.
Signal 01
The Redis Authentication blade shows primary and secondary access keys, plus controls for regenerating keys or disabling access-key authentication on supported cache types during rotation reviews.
Signal 02
Azure CLI commands list-keys and regenerate-key expose or rotate the paired secret values, so output handling and command permissions become audit concerns during secret-handling audits.
Signal 03
Key Vault secret history, app settings, deployment variables, and AKS secrets reveal which Redis access key version each workload currently uses during deployment validation after rollout checks.
✦
When this becomes relevant
Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.
Perform zero-downtime rotation by moving clients from the primary key to the secondary key before regenerating the primary value.
Separate emergency leak response from routine credential hygiene by knowing which member of the key pair was exposed.
Migrate legacy clients gradually while new services use Entra authentication and custom Redis data access policies.
Audit applications that still depend on shared Redis secrets before disabling access-key authentication on a managed cache.
Coordinate multi-service deployments so secret version changes, client restarts, and key regeneration happen in a safe sequence.
◆
Real-world case studies
Different enterprise-style examples that show the term being used to hit measurable objectives.
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
An airline loyalty platform used Redis to cache member balances and offer eligibility. Rotations were rare because teams feared breaking mobile, call-center, and partner APIs at the same time.
🎯Business/Technical Objectives
Create a quarterly Redis access keys rotation process.
Keep customer-facing APIs online during key changes.
Stop storing both keys in shared configuration files.
Produce audit evidence without exposing secret values.
✅Solution Using Redis access keys
The platform team designed a primary-secondary rotation workflow. Applications were moved to Key Vault references that could switch between Redis access keys through secret versions. During each rotation, operators confirmed the cache resource with Azure CLI, updated clients to the alternate key, watched connection metrics, and regenerated only the inactive key. Partner APIs were tested separately because they reloaded configuration on a longer schedule. The final evidence package contained timestamps, key type changed, secret version IDs, and application health checks, but never stored the key values themselves.
📈Results & Business Impact
Quarterly rotation became a 75-minute standard change instead of a once-a-year exception.
No loyalty lookup outage occurred across three completed rotations.
Shared configuration files were retired from all production services.
Audit review time dropped by 40 percent because evidence was consistent and nonsecret.
💡Key Takeaway for Glossary Readers
Redis access keys are safest when the pair is managed as a rotation system, not as two passwords copied across teams.
Case study 02
Industrial IoT provider cleans up unmanaged key copies
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
An industrial IoT provider found Redis keys in gateway installer scripts, support notes, and old container environment files. The cache supported device command throttling for factories in multiple countries.
🎯Business/Technical Objectives
Find every workload still holding either Redis access key.
Move credentials into managed secret references.
Regenerate exposed values without interrupting device command flow.
Prepare for a later Entra authentication pilot.
✅Solution Using Redis access keys
The operations team treated Redis access keys as a discovery and cleanup project. They inventoried app settings, pipeline variables, container definitions, and Key Vault secrets, then classified consumers by primary or secondary use. One region at a time, gateways were updated to pull the secondary key from a managed secret, validated against command-throttling metrics, and then the primary key was regenerated. Old scripts were removed from deployment repositories. New gateway builds were tagged so support could see which secret version each site was using.
📈Results & Business Impact
Unmanaged key copies were reduced from 31 locations to three controlled Key Vault references.
Factory command throttling stayed within normal latency during regional rollouts.
The exposed primary key was retired without a global gateway restart.
The Entra authentication pilot began with a clean inventory of remaining key consumers.
💡Key Takeaway for Glossary Readers
A Redis access keys cleanup succeeds when secret discovery, regional rollout, and regeneration are handled as one coordinated operation.
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
An online education platform relied on Redis for exam session state during national testing weeks. A previous unplanned key change had forced thousands of students to restart sessions.
🎯Business/Technical Objectives
Rehearse Redis access keys rotation before exam season.
Ensure clients could switch keys without losing active sessions.
Limit key-listing permission to the platform automation account.
Create a rollback procedure for failed configuration reloads.
✅Solution Using Redis access keys
The team created a staging cache that mirrored production connection behavior. They practiced moving services from the primary key to the secondary key through Key Vault references, then regenerated the inactive key and observed session stability. Production rotation was scheduled before the testing freeze. Azure CLI commands were run by an automation identity with just enough permission to list and regenerate keys. Application Insights tracked reconnects, session errors, and database fallback calls. The runbook included a rollback step to restore the prior secret version if a service failed to reload.
📈Results & Business Impact
Exam-season Redis rotations completed with zero student session loss.
Key-listing permissions were reduced from 14 people to one automation identity.
Configuration reload failures were caught in staging before the production freeze.
Redis-related support tickets during testing dropped by 55 percent.
💡Key Takeaway for Glossary Readers
Redis access keys can support high-stakes workloads when rotation is rehearsed under realistic client behavior before the pressure window.
Why use Azure CLI for this?
Azure CLI is useful for Redis access keys because a rotation runbook needs predictable inputs and outputs. The portal can show the pair, but CLI lets engineers list keys, regenerate a specific Primary or Secondary value, query metadata, and capture nonsecret evidence consistently across dev, test, and production. I prefer CLI for rehearsed rotations because it reduces ambiguity: the command says exactly which cache, resource group, subscription, and key type changed. It also integrates with Key Vault updates and deployment scripts without turning secret handling into manual screenshots. It also lets automation enforce the same sequence for every cache environment consistently.
CLI use cases
List access keys during an approved window and immediately store the selected value as a new Key Vault secret version.
Regenerate Primary or Secondary specifically, instead of treating the two Redis access keys as a single credential.
Compare cache resources across environments to confirm access-key authentication is enabled only where intended.
Query Redis metadata without printing secret values during standard inventory or compliance evidence collection.
Coordinate rotation scripts that update app settings, restart clients, and then regenerate the inactive key.
Before you run CLI
Confirm the correct tenant, subscription, resource group, cache name, and whether the cache uses az redis or az redisenterprise commands.
Check whether access-key authentication is enabled, because list-keys can fail or be inappropriate when keys are disabled.
Identify which applications use primary, which use secondary, and which can reload secrets without a restart.
Use least-privilege permissions because listing keys exposes secrets and regeneration can break production clients.
Plan output format, Key Vault updates, client rollout order, monitoring, and rollback before regenerating either key.
What output tells you
primaryKey and secondaryKey fields represent the two active shared secrets for clients using key-based authentication.
A regeneration command confirms which key type changed, helping operators avoid invalidating the wrong client secret.
Cache metadata such as host name, ports, SKU, and provisioning state confirms the key pair belongs to the intended resource.
Access-key authentication fields show whether clients may use the key pair or must authenticate through another method.
Secret version IDs in downstream systems show whether applications actually picked up the intended rotated key.
Mapped Azure CLI commands
Redis access keys CLI Commands
az redis show --name <cache-name> --resource-group <resource-group>
az redisdiscoverDatabases
az redis list-keys --name <cache-name> --resource-group <resource-group>
az redisdiscoverDatabases
az redis regenerate-keys --name <cache-name> --resource-group <resource-group> --key-type Primary
az redisoperateDatabases
az redis regenerate-keys --name <cache-name> --resource-group <resource-group> --key-type Secondary
az redisoperateDatabases
az redisenterprise database list-keys --cluster-name <cache-name> --resource-group <resource-group>
az redisenterprise databasediscoverDatabases
az redisenterprise database regenerate-key --cluster-name <cache-name> --resource-group <resource-group> --key-type Secondary
az redisenterprise databaseoperateDatabases
az keyvault secret list --vault-name <vault-name> --query "[].name"
az keyvault secretdiscoverDatabases
Architecture context
A ten-year Azure architect views Redis access keys as a shared-secret lane that must be intentionally designed beside the preferred identity lane. In a mature architecture, each cache has documented consumers, a Key Vault location, rotation cadence, allowed operators, and monitoring for connection failures. Application platforms such as App Service, AKS, Functions, and container jobs reference a current secret version instead of embedding key values. The cache may sit behind private networking, but network reachability is not authentication. For Azure Managed Redis, the target state may be Entra authentication, with access keys enabled only for workloads that still need them.
Security
Security impact is direct. Redis access keys are broad secrets, and either key can allow client access when key-based authentication is enabled. Restrict list and regenerate permissions, avoid exporting keys in normal inventory reports, and treat shell history, CI logs, support bundles, and application telemetry as possible leak paths. Store keys in Key Vault or equivalent managed secret storage, use private endpoints where appropriate, and prefer Entra authentication for workloads that can support it. If a key is exposed, rotate the affected key, review the alternate key, and investigate whether cached data or sessions were accessed. Review both keys after an incident because the unused alternate may also be exposed.
Cost
Redis access keys have no line item, but weak key management creates cost through outages, incident response, and duplicated engineering work. Emergency rotations pull application, security, and operations teams away from planned delivery. If key exposure forces session invalidation or cache rebuilds, customer support and compute load can rise. Poorly controlled keys may also prevent retiring legacy authentication, delaying a move to cleaner Entra-based access and policy assignments. The cost-conscious approach is not to overengineer every small cache; it is to centralize secret storage, automate rotation evidence, and avoid uncontrolled copies that turn routine maintenance into an incident. Routine hygiene prevents expensive emergency meetings and unplanned customer-impact investigations.
Reliability
Reliability depends on using the pair correctly. The primary and secondary keys make zero-downtime rotation possible, but they do not guarantee it. Applications must be able to read a new secret version, refresh connection pools, and reconnect before the old key is regenerated. Some services require restarts; others can reload configuration dynamically. Multi-region and active geo-replicated Redis designs add another layer because each cache endpoint and key path must be understood before failover. A reliable rotation plan sequences secret update, client validation, key regeneration, monitoring, and rollback instead of treating the pair as two interchangeable passwords. Keep rollback references ready until every client confirms stable Redis connectivity.
Performance
The key pair does not change Redis command throughput, memory latency, or cache size. Performance impact appears during rotation, failover, or incident response. If clients cannot reload a new key cleanly, they may create reconnect storms, exhaust connection pools, or fall back to slower databases. If operators cannot tell which key is active, troubleshooting takes longer and application latency remains elevated. Using managed secret references, staged deployments, and connection metrics makes rotation operationally faster. For high-throughput workloads, rehearse key changes before peak events so authentication churn does not mask real Redis capacity issues. Practiced rotation prevents authentication churn from becoming a false performance incident.
Operations
Operators manage Redis access keys through lifecycle tasks: inventory which caches allow keys, list secrets only when required, rotate primary and secondary values, distribute updated secrets, and verify client health. They use CLI, Key Vault, deployment records, and Azure Monitor together. During change windows, operators check which applications use primary versus secondary, regenerate only the intended key, and watch connection errors, server load, cache hit ratio, and application retries. Good operations also include periodic access reviews. The team should be able to answer who can reveal keys and when the last successful rotation happened. Operators also review stale secret versions so old keys do not remain usable accidentally.
Common mistakes
Saving both keys in the same unmanaged place, which defeats the safety benefit of a primary-secondary pair.
Regenerating both keys in one change window before every dependent application has reloaded its secret.
Assuming private endpoint access makes leaked Redis keys harmless once a compromised workload is already on the network.
Letting deployment slots, scheduled jobs, or old containers keep using a regenerated key after the main app was updated.
Running list-keys for routine inventory and accidentally storing secret values in exported compliance files.