Configure Database Credentials

    Database credentials provide programmatic and application-level access to data on a cluster. Only database credentials can access data.

    About Database Credentials

    Database credentials are separate from organization roles. While organization roles control what you can do within an organization, such as create clouds or manage projects, a database credential is still required to access data on a cluster. Database credentials are also distinct from project roles, but only project members with the Project Owner role can create them.

    A database credential is specific to a cluster and consists of a username, password, and a set of bucket or scope access levels. It is required for applications to remotely authenticate on a cluster and access bucket data.

    Database credentials are distinct and not associated with a particular user. They do not control access to data tools like Query Workbench in the Capella UI. Capella automatically manages this type of access based on a user’s project role.

    Database Credentials and Access

    • Couchbase 7.0+

    • Couchbase 6.6

    You assign database credentials on a per bucket or per scope basis. For example, you could assign a database credential access to all buckets and scopes in a cluster, assign different access levels to different buckets, or assign access to just a single scope. This system allows you to mix and match access levels to different buckets and scopes in a cluster to satisfy your application and security requirements.

    The following table describes the available bucket access options and their associated privileges.

    Table 1. Database Access Privileges Couchbase Server 7.0+
    Access Description

    Read

    Write

    Read/Write

    Grants the privileges of the following Couchbase roles:

    • All the privileges of Read.

    • All the privileges of Write.

    You assign database credentials on a per bucket basis. For example, you could assign a database credential read/write access to just one of three buckets in your cluster while not providing any access to the others. This system allows you to mix and match access levels to different buckets in a cluster to satisfy your application and security requirements.

    The following table describes the available bucket access levels and their associated privileges.

    Table 2. Database Access Privileges Couchbase Server 6.6
    Access Description

    Read

    Grants the privileges of the following Couchbase roles:

    Read/Write

    Grants the privileges of the following Couchbase roles:

    Accessing Database Credentials

    Permissions Required

    To access the database credentials for a cluster, you must have any one of the following roles for the project containing the cluster:

    Note that only the Project Owner role allows you to create and modify database credentials.

    1. Go to the cluster’s Connect tab.

      1. Go to the Clusters tab in the main navigation.

      2. Find and click on the cluster that you wish to modify.

        This opens the cluster with its Overview tab selected.

      3. Click the Connect tab.

    2. Click Manage Credentials.

      This opens the Database Credentials screen, which lists any existing database credentials and allows you to create new ones.

    Database Credentials Summary

    The database credentials summary is in a table format, with sortable columns and rows for each database credential. This table is also paginated and can be adjusted to show more items on each page.

    The database credentials list displays the following information about each credential:

    Username

    The name that identifies the database credential.

    Created By

    The organization user that created the database credential.

    Created On

    The creation date of the database credential and its age. The color-coded status indicator in this column is based on age to help identify older credentials that need rotation. The colors indicate the following:

    • Green: Under 90 days old

    • Yellow: 90–180 days old

    • Red: Over 180 days old

    A Trash icon shown at the end of each row can be used to delete the corresponding database credential.
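
    The age thresholds above can be applied outside the UI to build a rotation queue. The following is an added example, not Capella code: the `(username, created_on)` tuple layout, the function names, and the sample rows are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample of the Username / Created On columns; not real data.
SAMPLE_CREDENTIALS = [
    ("orders_api", date(2024, 5, 20)),
    ("reporting_ro", date(2024, 2, 1)),
    ("legacy_batch", date(2023, 9, 15)),
    ("etl_writer", date(2024, 3, 3)),
]


def age_status(created_on, today):
    """Map a credential's age in days to the colours listed on this page."""
    age = (today - created_on).days
    if age < 90:        # Green: under 90 days old
        return "green"
    if age <= 180:      # Yellow: 90 to 180 days old, both ends included
        return "yellow"
    return "red"        # Red: over 180 days old


def rotation_queue(credentials, today):
    """Return (username, age_days, status) for non-green rows, oldest first."""
    due = []
    for username, created_on in credentials:
        status = age_status(created_on, today)
        if status != "green":
            due.append((username, (today - created_on).days, status))
    return sorted(due, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for row in rotation_queue(SAMPLE_CREDENTIALS, date(2024, 6, 1)):
        print(row)
```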

    Creating Database Credentials

    Permissions Required

    To create a database credential, you must have the Project Owner role for the project that contains the cluster where you want to create the credential.

    1. Go to the cluster’s Connect tab.

      1. Go to the Clusters tab in the main navigation.

      2. Find and click on the cluster where you want to create a database credential.

        This opens the cluster with its Overview tab selected.

      3. Click the Connect tab.

    2. Click Manage Credentials.

      This opens the Database Credentials screen which lists any existing database credentials and allows you to create new ones.

    3. Click Create Database Credential.

      This opens the Create Database Credentials fly-out menu.

    4. Specify the username and password.

      In the Create Database Credentials fly-out menu, complete the following fields:

      Username

      Note that the username cannot exceed 128 UTF-8 characters in length and cannot contain the following characters: ( ) < > @ , ; : \ " / [ ] ? = { }

      Password

      Note that passwords must be at least eight characters in length. They must also include one or more uppercase letters, lowercase letters, numbers, and special characters: @ % + \ / ' " ! # $ ^ ? : , ( ) { } [ ] ~ ` - _

      You cannot change the password for a database credential after the credential is created. This constraint prevents situations where the password for a credential is changed in Capella but not in an application. The best practice to follow when rotating credentials is to:

      1. Create a new database credential in Capella

      2. Update your application to use the new database credential

      3. Delete the old database credential

    5. Configure access.

      1. Select bucket-level access.

        In the Bucket Level Access section, use the Bucket drop-down menu to specify a bucket you want this database credential to have access to. You also have the option to give access to all buckets in the cluster.

      2. Select scope-level access (Couchbase Server 7.0+ only).

        Use the Scope drop-down menu to specify a scope you want this database credential to have access to. You also have the option to provide access to all scopes within the current bucket.

      3. Select access level.

        Use the Access drop-down menu to specify if you want this database credential to have read, write, or read/write access to the currently selected bucket and scope (Couchbase Server 7.0+ only).

    6. (Optional) Add another level of access.

      Database credentials can access multiple buckets and scopes (Couchbase Server 7.0+ only).

      1. Click Add Another.

        Another line is added to the Bucket Level Access section where you can again select a bucket and scope (Couchbase Server 7.0+ only) that you want this database credential to access.

    7. Once you’ve finished making the desired configurations, click Create.

      It’s important to remember that you can’t use database credentials to log into the Couchbase Capella UI or manage Capella features. You can only use database credentials for reading or writing bucket data using the Couchbase SDK and other supported tools.
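
    When credentials are created as part of an automated rotation, the username and password rules from step 4 can be checked before the values are entered. The following is an added example, not Capella code: the function names are hypothetical, and it assumes length is counted in characters and that letters and numbers mean ASCII letters and digits.

```python
import secrets
import string

# Rules as stated in step 4 above. Assumptions: length is counted in characters,
# and "letters" / "numbers" mean ASCII letters and digits.
USERNAME_MAX_LEN = 128
USERNAME_FORBIDDEN = set('()<>@,;:\\"/[]?={}')
PASSWORD_MIN_LEN = 8
PASSWORD_SPECIALS = "@%+\\/'\"!#$^?:,(){}[]~`-_"


def username_problems(username):
    """Return the rule violations for a username; empty list means acceptable."""
    problems = []
    if len(username) > USERNAME_MAX_LEN:
        problems.append("longer than 128 characters")
    bad = sorted(set(username) & USERNAME_FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


def password_problems(password):
    """Return the rule violations for a password; empty list means acceptable."""
    problems = []
    if len(password) < PASSWORD_MIN_LEN:
        problems.append("shorter than 8 characters")
    required = {
        "uppercase letter": string.ascii_uppercase,
        "lowercase letter": string.ascii_lowercase,
        "number": string.digits,
        "special character": PASSWORD_SPECIALS,
    }
    for name, alphabet in required.items():
        if not any(ch in alphabet for ch in password):
            problems.append("missing " + name)
    return problems


def generate_password(length=24):
    """Rejection-sample from the OS CSPRNG until every required class appears."""
    if length < PASSWORD_MIN_LEN:
        raise ValueError("length is below the 8-character minimum")
    alphabet = string.ascii_letters + string.digits + PASSWORD_SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate
```

    Several of the permitted special characters (quotes, backslash, backtick, $) are shell metacharacters, so hand generated passwords to applications through a secrets store or configuration file rather than interpolating them into a command line.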

    Modify Database Credentials

    Permissions Required

    To modify a database credential, you must have the Project Owner role for the project that contains the database credential in question.

    1. Go to the cluster’s Connect tab.

      1. Go to the Clusters tab in the main navigation.

      2. Find and click on the cluster with the database credential that you wish to modify.

        This opens the cluster with its Overview tab selected.

      3. Click the Connect tab.

    2. Click Manage Credentials.

      This opens the Database Credentials screen that lists any existing database credentials.

    3. Look for the database credential whose access level you wish to modify, and then click on its name.

      This opens the database credential’s fly-out menu.

    4. In the Bucket Level Access section, change the access level(s).

      1. To grant access to all current and future buckets on the cluster, use the Bucket drop-down menu to select the All Buckets option and use the Access drop-down menu to specify the level of access the database credential should have on those buckets.

      2. To grant granular access to individual buckets, use the Bucket drop-down menu to select which bucket the database credential should have access to. Next, use the Access drop-down menu to specify the level of access it should have to the chosen bucket.

    5. Once you’ve finished making the desired modifications, click Update.

    Deleting Database Credentials

    Permissions Required

    To delete a database credential, you must have the Project Owner role for the project that contains the database credential in question.

    Deleting a credential can cause an application that is actively using that credential to stop functioning. Always ensure that you’ve updated your application to use new credentials before completing this action.

    1. Go to the cluster’s Connect tab.

      1. Go to the Clusters tab in the main navigation.

      2. Find and click on the cluster with the database credential that you wish to delete.

        This opens the cluster with its Overview tab selected.

      3. Click the Connect tab.

    2. Click Manage Credentials.

      This opens the Database Credentials screen that lists any existing database credentials.

    3. Look for the database credential you want to delete, and then click the Trash icon at the far end of its row.

      This opens the Delete Database Credentials fly-out menu.

    4. Type delete into the provided field and click Delete.

      The database credential is deleted.

    You can also delete a database credential from within the credential’s fly-out menu by clicking the Trash icon in the top-right corner.