Configure Access to Your Cluster

      Before you can connect to a cluster in Couchbase Capella, you need to create a database credential and allow connections from your IP address.

      If you chose to let Capella install Couchbase Server in Your Cloud Account (in the Public Cloud), rather than in Couchbase’s Cloud Account, you’ll need to follow a few extra steps.

      Couchbase Capella operates on the security principle of least privilege. After you create a cluster, authorized users in your organization can log into the Capella UI and make changes to the cluster configuration. However, for any entity to read or write data on a cluster, extra steps are required.

      Enabling access to cluster data involves the following steps:

      1. Configure Database Access: Configure permissions to read or read/write data on your cluster.

      2. Allow Your Connecting IP Address: Add your IP address to the cluster’s list of allowed IPs.

      Configure Database Access

      In Couchbase Capella, only database credentials can read or write data on a cluster. The following steps describe how to create a database credential for a cluster.

      Database credentials are distinct and not associated with a particular user. They do not control access to data tools like Query Workbench in the Capella UI. Capella automatically manages this type of access based on a user’s project role.

      Permissions Required

      To create a database credential, you must have the Project Owner role for the project containing the cluster where you want to create the credential.

      To create a database credential
      1. Go to the cluster’s Connect tab.

        1. Go to the Clusters tab in the main navigation.

        2. Find and click on the cluster that you created.

          This opens the cluster with its Overview tab selected.

        3. Click the Connect tab.

      2. Click Manage Credentials.

        This opens the Database Credentials screen that lists existing database credentials and allows you to create new ones.

      3. Click Create Database Credential.

        This opens the Create Database Credentials fly-out menu.

      4. Specify the username and password.

        In the Create Database Credentials fly-out menu, complete the following fields:

        Username

        Note that the username cannot exceed 128 UTF-8 characters in length and cannot contain the following characters: ( ) < > @ , ; : \ " / [ ] ? = { }

        Password

        Note that passwords must be at least eight characters in length. They must also include one or more uppercase letters, lowercase letters, numbers, and special characters: @ % + \ / ' " ! # $ ^ ? : , ( ) { } [ ] ~ ` - _

        You will use the username and password to authenticate on the cluster when connecting remotely using the Couchbase SDK or other tools.

        You cannot change the password for a database credential once you create it. This constraint prevents situations where a credential password is changed in Capella but not in the application. The best practice to follow when rotating credentials is to:

        1. Create a new database credential in Capella

        2. Update your application to use the new database credential

        3. Delete the old database credential

      5. Configure access.

        1. Select bucket-level access.

          In the Bucket Level Access section, use the Bucket drop-down menu to specify a bucket you want this database credential to have access to.

          For this guide, we recommend you choose the All Buckets option so that the credential will have access to all current and future buckets on this cluster. This option makes it more convenient for interacting with any sample or test buckets that you create later on.

        2. (Couchbase Server 7.0+ only) Select scope-level access.

          Use the Scope drop-down menu to specify a scope you want this database credential to have access to.

          For this guide, we recommend you choose the All Scopes option so that the credential will have access to all current and future scopes. This option makes it more convenient for interacting with any sample or test buckets that you create later on.

        3. Select access level.

          Use the Access drop-down menu to specify the level of access you want this database credential to have: Read, Write, or Read/Write access.

          For this guide, we recommend that you select Read/Write access.

      6. Once you’ve finished configuring the new database credential, click Create.
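
The username and password rules from step 4, as an added example that is not Couchbase's own code: a check that a proposed credential satisfies them, plus a generator for a fresh random password, since rotating means creating a new credential each time. The function names are hypothetical, and matching letters and numbers as ASCII and counting length in code points are assumptions.

```python
import secrets
import string

# Rules as stated on this page.
USERNAME_MAX_CHARS = 128
USERNAME_FORBIDDEN = set('()<>@,;:\\"/[]?={}')
PASSWORD_MIN_CHARS = 8
PASSWORD_SPECIALS = "@%+\\/'\"!#$^?:,(){}[]~`-_"
# Assumption: letters and numbers are matched as ASCII classes.
REQUIRED_CLASSES = {
    "uppercase letter": string.ascii_uppercase,
    "lowercase letter": string.ascii_lowercase,
    "number": string.digits,
    "special character": PASSWORD_SPECIALS,
}


def username_problems(username):
    """Rule violations for a username; length counted in code points (assumption)."""
    problems = []
    if len(username) > USERNAME_MAX_CHARS:
        problems.append("longer than 128 characters")
    bad = sorted(set(username) & USERNAME_FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


def password_problems(password):
    """Return the rule violations for a proposed password (empty list = OK)."""
    problems = []
    if len(password) < PASSWORD_MIN_CHARS:
        problems.append("shorter than 8 characters")
    for name, alphabet in REQUIRED_CLASSES.items():
        if not any(ch in alphabet for ch in password):
            problems.append("missing " + name)
    return problems


def generate_password(length=24):
    """Draw random passwords from the OS CSPRNG until one meets every rule."""
    if length < PASSWORD_MIN_CHARS:
        raise ValueError("length is below the 8-character minimum")
    alphabet = string.ascii_letters + string.digits + PASSWORD_SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate
```

Redrawing the whole candidate on a miss, rather than patching in one character per class, keeps every compliant password equally likely.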

      To recap:
      • You created a database credential on a specific cluster.

      • You gave the database credential a username and password that can be used for authenticating on the cluster and authorized those credentials with a set of bucket-level, scope-level (if applicable), and data access permissions.

        • The database credential can’t be used for logging into the Capella UI or managing Capella features. The credentials can only be used for reading or writing bucket data using the Couchbase SDK and other supported tools.

      Feel free to move on to Allow Your Connecting IP Address below for the next step in configuring access to your cluster. If you’d like more detailed information about database permissions, refer to Configure Database Credentials.

      Allow Your Connecting IP Address

      Couchbase Capella only allows clusters to connect to trusted IP addresses. Each cluster has a configurable list of allowed IPs that it can connect to. Any attempted connection to/from an IP address that isn’t in a cluster’s list of allowed IPs will be denied.

      In order for you to connect to the cluster, you’ll need to add your IP address to the cluster’s list of allowed IPs.

      To add your IP address to the cluster’s list of allowed IPs
      1. Go to the cluster’s Connect tab.

        1. Go to the Clusters tab in the main navigation.

        2. Find and click on your cluster.

          This opens the cluster with its Overview tab selected.

        3. Click the Connect tab.

      2. Click Allowed IPs.

        This opens the Allowed IPs fly-out menu.

      3. Add your IP address configuration.

        In the Allow an IP section, configure the following details:

        1. Specify your IP address.

          In the IP Address or Address Space field, enter the IP address or address space that you want to allow the cluster to communicate with.

          If you plan to connect to the cluster via the Couchbase SDK on your computer (described on the next page in this guide), then you should enter the public IP address of your computer.

        2. (Optional) Configure the allowed IP to be temporary.

          Select the checkbox labeled Save as temporary to configure the IP address to only be allowed for a limited amount of time. Use the associated field and controls to specify the duration (number of hours) that the cluster will accept connections from the IP address. After the configured amount of time has elapsed, the entry will expire and the cluster will stop taking connections from the IP address.

        3. (Optional) Add a comment.

          Use the Comment field to enter a comment that will display alongside the allowed IP address. This can be helpful for informing other users in your organization about why the IP address is being allowed.

        Once you’re satisfied with the configuration, click Add IP.

        Note that the IP is added in Pending state, and is not committed until you complete the next step.

      4. After you add the IP configuration, click Save to commit it.

        This saves all IPs that are in a pending state and makes them active. Note that it takes a few minutes for the cluster to begin honoring newly allowed IPs. If you try to immediately connect to the cluster from a newly allowed IP, your connection may be blocked.
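
A way to review an allowed-IP list offline, as an added example that is not part of Capella or its API: it decides whether a connecting address is covered by an active entry and flags entries that are very broad, private rather than public, expired, or permanent with no comment. The record fields (`cidr`, `comment`, `added`, `hours`), the sample entries, and the 256-address threshold are assumptions made for the illustration.

```python
import ipaddress
from datetime import datetime, timedelta

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample list. The field names are hypothetical (not a Capella
# export format); "hours" is None for a permanent entry.
ENTRIES = [
    {"cidr": "203.0.113.17/32", "comment": "dev laptop", "added": "2024-05-01T09:00:00+00:00", "hours": 8},
    {"cidr": "198.51.100.0/24", "comment": "office egress", "added": "2024-04-01T00:00:00+00:00", "hours": None},
    {"cidr": "192.168.1.20/32", "comment": "home", "added": "2024-04-02T00:00:00+00:00", "hours": None},
    {"cidr": "0.0.0.0/0", "comment": "", "added": "2024-04-20T00:00:00+00:00", "hours": None},
]


def is_active(entry, now):
    """A temporary entry stops matching once its configured hours have elapsed."""
    if entry["hours"] is None:
        return True
    added = datetime.fromisoformat(entry["added"])
    return now < added + timedelta(hours=entry["hours"])


def is_allowed(ip, entries, now):
    """True if some active entry covers the connecting address."""
    addr = ipaddress.ip_address(ip)
    return any(is_active(e, now) and addr in ipaddress.ip_network(e["cidr"])
               for e in entries)


def audit(entries, now, max_addresses=256):
    """Return (cidr, finding) pairs for entries worth a second look."""
    findings = []
    for e in entries:
        net = ipaddress.ip_network(e["cidr"])
        if net.num_addresses > max_addresses:
            findings.append((e["cidr"], "address space is very broad"))
        if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
            findings.append((e["cidr"], "private range, not a public IP"))
        if not is_active(e, now):
            findings.append((e["cidr"], "temporary entry has expired"))
        if e["hours"] is None and not e["comment"]:
            findings.append((e["cidr"], "permanent entry has no comment"))
    return findings
```

Pass a timezone-aware `now`, for example `datetime.now(timezone.utc)`, so it compares cleanly with the stored timestamps.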

      Feel free to move on to Next Steps below. If you’d like more detailed information about allowed IPs, refer to Configure Allowed IP Addresses.

      Next Steps

      Now that you’ve created a database credential and added your IP address to the cluster’s list of allowed IPs, you can move on to the next step: Connect to Your Cluster.