Skip to main content
Connect your Redis databases to enable Tony (Database Engineer) to inspect keyspace usage, analyze command patterns, and monitor database health.

Supported Platforms

PlatformSupport
Self-hosted Redis6.x, 7.x (vanilla and Redis Stack)
Upstash RedisAll plan tiers
Redis CloudAll plan tiers

Setup

Select your Redis platform for specific connection instructions:
Two common deployment shapes are supported:
  • Vanilla Redis — minimal image, no modules. Use this when you only need core Redis commands.
  • Redis Stack — bundles RediSearch, RedisJSON, RedisTimeSeries, and Bloom. Use this when Tony needs FT.*, JSON.*, TS.*, or BF.* commands. Vanilla soft-fails those.
1

Start Redis

Vanilla Redis (no modules):
docker run -d --name redis-min \
  -p 6379:6379 \
  redis:7-alpine \
  redis-server --requirepass <admin-password> --appendonly yes
  • The admin password is set via the --requirepass server flag (the REDIS_ARGS env var only works on Redis Stack).
  • --appendonly yes enables AOF for durability across restarts.
Redis Stack (with modules + RedisInsight UI on port 8001):
docker run -d --name redis-stack \
  -p 6379:6379 -p 8001:8001 \
  -e REDIS_ARGS="--requirepass <admin-password>" \
  redis/redis-stack:latest
Verify the instance:
redis-cli -a <admin-password> ping
# PONG
2

Create Read-Only ACL User

Create a dedicated user for CloudThinker. Redis ACL usernames allow [A-Za-z0-9_-]; use cloudthinker-readonly (hyphen is the convention in Redis docs).
redis-cli -a <admin-password> ACL SETUSER cloudthinker-readonly on \
  '><readonly-password>' \
  '~*' \
  '+@read' '-@write' '-@dangerous' '-@admin'
  • on — enable the user.
  • ><readonly-password> — set the password (the > prefix is ACL syntax, your password follows).
  • ~* — match all keys. Narrow to ~app:* for stricter scoping.
  • +@read -@write -@dangerous -@admin — reads only; blocks writes, FLUSHALL/CONFIG/DEBUG/SHUTDOWN, and replication.
  • Optional stricter lockdown: append -@slow to block KEYS, SMEMBERS, HGETALL on huge collections.
3

Persist ACLs Across Restart

Mount a users.acl file so ACLs survive container restarts:
user default on ><admin-password> ~* &* +@all
user cloudthinker-readonly on ><readonly-password> ~* +@read -@write -@dangerous -@admin
Start Redis with the file mounted:
-v $PWD/users.acl:/data/users.acl
and add --aclfile /data/users.acl to the server command.
4

Verify the Read-Only User

redis-cli -u redis://cloudthinker-readonly:<readonly-password>@localhost:6379 SET foo bar
# (error) NOPERM ... has no permissions to run the 'set' command

redis-cli -u redis://cloudthinker-readonly:<readonly-password>@localhost:6379 GET foo
# works
5

Configure Network Access

Ensure CloudThinker can reach your database:
  • Add CloudThinker IPs to your firewall or security group.
  • Ensure Redis is bound to an accessible interface (avoid bind 127.0.0.1 only).
6

Get Connection String

Your connection string follows this format:
redis://cloudthinker-readonly:<readonly-password>@<your-host>:6379
Use rediss:// (note the second s) if your deployment terminates TLS.
7

Add the URL to CloudThinker

Paste the URL into your Redis connection in CloudThinker as REDIS_URL.

Required Permissions

Recommended ACL categories for the CloudThinker user:
CategorySettingWhy
+@readAllowRead keys, run INFO, CLIENT LIST, etc.
-@writeDenyBlock SET, DEL, and other mutating commands.
-@dangerousDenyBlock FLUSHALL, CONFIG, DEBUG, SHUTDOWN, replication.
-@adminDenyBlock administrative commands.
-@slow (optional)DenyBlock KEYS, SMEMBERS, HGETALL on large collections.
Key scoping (~* for all keys, or ~app:* for a prefix) should match your data model.

Agent Capabilities

Once connected, Tony can:
CapabilityDescription
Keyspace AnalysisInspect key patterns, sizes, and TTL distributions
Command StatsReview command latency and throughput via INFO commandstats
Performance MetricsMonitor memory, connections, eviction, and replication lag
Module InsightsInspect RediSearch indexes, RedisJSON documents, and TimeSeries (Redis Stack only)

Example Prompts

@tony analyze hot keys on production Redis
@tony check memory fragmentation and eviction stats
@tony review replication lag on the Redis replica

Connection Options

OptionDescriptionDefault
TLS/SSLUse rediss:// to require TLSrediss:// for Upstash, optional elsewhere
PortRedis port6379 (self-hosted, Upstash); 13xxx (Redis Cloud)
Database IndexLogical DB index0

Troubleshooting

  • Verify the username and password in the connection URL.
  • For self-hosted, confirm the user is enabled with ACL WHOAMI and ACL LIST.
  • For Upstash and Redis Cloud, make sure you copied the TCP/Redis CLI URL, not the REST or SDK URL.
  • The read-only user is working as intended for write commands.
  • If reads are also blocked, re-check the ACL rules — +@read must be granted.
  • Verify host and port are reachable from CloudThinker.
  • For self-hosted, ensure Redis is not bound only to 127.0.0.1.
  • Add CloudThinker IPs to your firewall or cloud provider allowlist.
  • Vanilla Redis does not include modules. Run Redis Stack (redis/redis-stack) or a managed equivalent.

Security Best Practices

  • Strong passwords — Use complex, unique passwords for both the admin and CloudThinker user.
  • TLS encryption — Use rediss:// whenever the deployment supports TLS.
  • Network restrictions — Restrict access to CloudThinker IPs via firewall rules or managed-service allowlists.
  • Minimal permissions — Never grant +@write, +@dangerous, or +@admin to the CloudThinker user.
  • Persist ACLs — Use aclfile for self-hosted deployments so the read-only user survives restarts.

Tony Agent

Database-focused optimization agent
https://mintcdn.com/cloudthinker/aLd-ttc-SCW-aFky/images/icons/mongodb.svg?fit=max&auto=format&n=aLd-ttc-SCW-aFky&q=85&s=6ba4577251f89473df297fbc739af375

MongoDB Connection

Setup instructions for MongoDB databases