Configure Access to Your Cluster

    Before you can connect to a cluster in Couchbase Cloud, you need to create a database user and allow connections from your IP address.

    Couchbase Cloud operates on the security principle of least privilege. After you create a cluster, authorized users in your organization can log into the Couchbase Cloud UI and make changes to the cluster configuration. However, for any entity to read or write data on a cluster, extra steps are required.

    Enabling access to cluster data involves the following steps:

    1. Configure Database Access: Configure permissions to read or read/write data on your cluster.

    2. Allow Your Connecting IP Address: Add your IP address to the cluster’s list of allowed IPs.

    Configure Database Access

    In Couchbase Cloud, only a database user can read or write data on a cluster. You can either create a database-only user, or grant database permissions to an organization user. The following steps discuss how to grant database permissions directly to yourself.

    If you don’t grant database permissions directly to yourself, then you will not be able to view or interact with several of the cluster features in the Couchbase Cloud UI, such as the Query Workbench and the document editor/viewer. This is because these features require that you have permission to read and/or write cluster data.
    To grant yourself database permissions
    1. Go to the Users tab in the main navigation.

      The 'Users' view.
    2. Search for yourself, and then click on your name.

      Clicking on your name opens your user fly-out menu:

      A user’s fly-out menu.
    3. In the Database Users section, click Add Another.

    4. Select a cluster.

      Using the Select Cluster drop-down menu that appears, select the cluster that you created. Only the clusters that you have access to will appear in the drop-down menu.

      After selecting a cluster, multiple configurable fields appear.

      The 'Clusters' section after a cluster has been selected, now showing additional configurable fields.
    5. Configure the database user.

      1. Specify a username and password.

        In the Username and Password fields, enter the username and password for the database user entity. These will be the credentials that you will use for authenticating on the cluster when connecting remotely via the Couchbase SDK or other tools. Note that the username cannot exceed 128 UTF-8 characters in length and cannot contain the following characters: ( ) < > @ , ; : \ " / [ ] ? = { }

        The password can be changed later, but there is no way to retrieve it — store a copy of the password if necessary.

      2. Configure bucket access.

        Use the Choose Buckets field to specify the data buckets on the cluster that you will have access to.

        For the purposes of this guide, it’s recommended that you leave the Choose Buckets field blank, as this grants you access to all current and future buckets. This makes it more convenient for interacting with any sample or test buckets that you create later on.

        If you wish to limit access to a specific selection of buckets, you can do so by specifying each individual bucket. Clicking on the field will show a truncated drop-down list of all of the buckets in the selected cluster. If you don’t see the desired bucket at first, you can start typing the name of the bucket until it shows up in the list.

        Use the radio buttons to select whether you will have Read or Read/Write permissions for the specified buckets.

        For the purposes of this guide, it’s recommended that you select Read/Write access. If you left the Choose Buckets field blank, this means you’ll have read/write permissions for all current and future buckets on the cluster. (Again, this makes it more convenient for interacting with any future sample or test buckets.)

    6. Once you’ve finished making the desired configurations, click Save.

    To recap:
    • You created a database user for yourself on a specific cluster.

    • You gave the database user its own username and password credentials that can be used for authenticating on the cluster, and authorized those credentials with a set of bucket-level data access permissions.

      • The database user credentials can’t be used for logging into the Couchbase Cloud UI or managing Couchbase Cloud features. The credentials can only be used for the purposes of reading or writing bucket data via the Couchbase SDK and other supported tools.

    Feel free to move on to Allow Your Connecting IP Address below for the next step in configuring access to your cluster. If you’d like more detailed information about database permissions, refer to Configure Database Users.

    Allow Your Connecting IP Address

    Couchbase Cloud only allows clusters to connect to trusted IP addresses. Each cluster has a configurable list of allowed IPs that it can connect to. Any attempted connection to/from an IP address that isn’t in a cluster’s list of allowed IPs will be denied.

    In order for you to connect to the cluster, you’ll need to add your IP address to the cluster’s list of allowed IPs.

    To add your IP address to the cluster’s list of allowed IPs
    1. Go to the cluster’s Connect tab.

      1. Go to the Clusters tab in the main navigation.

      2. Find and click on your cluster.

        This opens the cluster with its Overview tab selected.

      3. Click the Connect tab.

        The cluster’s 'Connect' tab.
    2. Click Allowed IPs.

      This opens the Allowed IPs fly-out menu.

      The cluster’s 'Connect' tab.
    3. Add your IP address configuration.

      In the Allow an IP section, configure the following details:

      1. Specify your IP address.

        In the IP Address or Address Space field, enter the IP address or address space that you want to allow the cluster to communicate with.

        If you plan to connect to the cluster via the Couchbase SDK on your computer (described on the next page in this guide), then you should enter the public IP address of your computer.

      2. (Optional) Configure the allowed IP to be temporary.

        Select the checkbox labeled Save as temporary to configure the IP address to only be allowed for a limited amount of time. Use the associated field and controls to specify the duration (number of hours) that the cluster will accept connections from the IP address. After the configured amount of time has elapsed, the entry will expire and the cluster will stop taking connections from the IP address.

      3. (Optional) Add a comment.

        Use the Comment field to enter a comment that will display alongside the allowed IP address. This can be helpful for informing other users in your organization about why the IP address is being allowed.

      Once you’re satisfied with the configuration, click Add IP.

      Note that the IP is added in Pending state, and is not committed until you complete the next step.

    4. After you add the IP configuration, click Save to commit it.

      This saves all IPs that are in a pending state and makes them active. Note that it takes a few minutes for the cluster to begin honoring newly allowed IPs. If you try to immediately connect to the cluster from a newly allowed IP, your connection may be blocked.

    Feel free to move on to Next Steps below. If you’d like more detailed information about allowed IPs, refer to Configure Allowed IP Addresses.

    Next Steps

    Now that you’ve created a database user entity for yourself and added your IP address to the cluster’s list of allowed IPs, you can move on to the next step: Connect to Your Cluster.