Manage Cluster Access Credentials

      Cluster access credentials provide programmatic and application-level access to data on a cluster. Only cluster access credentials can access data.

      This page provides information about cluster access credentials and how they work. You’ll also find procedures for creating and managing cluster access credentials for a cluster through the Capella UI, allowing you to provide programmatic and application-level access to data.

      Capella Management API

      You can also configure your cluster access credentials using the Capella Management REST API.

      About Cluster Access Credentials

      Cluster access credentials are separate from organization roles and project roles. Your Capella user account’s organization and project roles control your access to areas of the Capella UI, while cluster access credentials control programmatic and application-level access to data.

      Cluster access credentials are specific to a cluster and consist of a cluster access name, password, and a set of bucket, scope, and collection access levels.

      Cluster access credentials are distinct and not associated with a particular user. They do not control access to data tools, like the Query tab in the Capella UI.

      Cluster Access Credentials and Access

      In the Capella UI, you assign cluster access credentials on a per-bucket, per-scope, and per-collection basis. For example, you could assign cluster access credentials access to all buckets and scopes in a cluster, assign different access levels to individual buckets, or assign access to just a single collection. This system allows you to mix and match access levels to different buckets, scopes, and collections in a cluster to satisfy your application and security requirements.

      The following table describes the available bucket access options and their associated privileges.

      Table 1. Cluster Access Privileges
      Access Description

      Read

      Grants the privileges of the following Couchbase roles:


      1. The external_stats_reader role is only granted when cluster access credentials are given read access to all buckets in a cluster.

      Write

      Read/Write

      Grants the privileges of the following Couchbase roles:

      • All the privileges of Read.

      • All the privileges of Write.

      View Cluster Access Credentials

      The Cluster Access page lists existing cluster access credentials for a cluster in a table format, with sortable columns and rows for each entry. You can also create, modify, and delete cluster access credentials from this page.

      Each cluster access credentials row contains the following information:

      Cluster Access Name

      The name that identifies the cluster access credentials.

      Created By

      The organization user who created the cluster access credentials.

      Created On

      The creation date and age of the cluster access credentials. The color-coded status indicator in this column uses age to help identify older credentials that need rotation:

      • Green: Under 90 days old

      • Yellow: 90–180 days old

      • Red: Over 180 days old
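      The age thresholds above can also drive a rotation audit outside the UI. The following is an added example, not Couchbase code: the inventory format (a list of records with `name` and `created_on` ISO 8601 fields), the function names, and the treatment of naive timestamps as UTC are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timezone

# Thresholds from the Created On status indicator:
# green under 90 days, yellow 90 to 180 days, red over 180 days.
YELLOW_FROM_DAYS = 90
RED_OVER_DAYS = 180


def age_status(created_on, now):
    """Return (age_in_whole_days, status) for one credential."""
    days = (now - created_on).days
    if days < YELLOW_FROM_DAYS:
        return days, "green"
    if days <= RED_OVER_DAYS:
        return days, "yellow"
    return days, "red"


def rotation_queue(credentials, now=None):
    """Return (name, age_days, status) for every non-green credential, oldest first."""
    now = now or datetime.now(timezone.utc)
    queue = []
    for cred in credentials:
        created = datetime.fromisoformat(cred["created_on"])
        if created.tzinfo is None:
            # Assumption: timestamps without an offset are UTC.
            created = created.replace(tzinfo=timezone.utc)
        days, status = age_status(created, now)
        if status != "green":
            queue.append((cred["name"], days, status))
    return sorted(queue, key=lambda row: row[1], reverse=True)


# Constructed sample inventory (hypothetical names and dates).
SAMPLE = [
    {"name": "ingest-w", "created_on": "2024-06-01T00:00:00"},
    {"name": "reports-ro", "created_on": "2024-03-15T00:00:00+00:00"},
    {"name": "orders-rw", "created_on": "2023-12-01T08:00:00+00:00"},
]

if __name__ == "__main__":
    for name, days, status in rotation_queue(SAMPLE):
        print(f"{status:6} {days:4d} days  {name}")
```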

      Prerequisites

      To view the Cluster Access page, you need the following:

      Procedure

      1. Open the Cluster Access page for your cluster:

        1. With the Projects tab in your organization open, click the project with the cluster you’re working with.

        2. With the Operational tab open, select your cluster.

        3. Click the Settings tab.

        4. In the navigation menu, click Cluster Access.

      Create Cluster Access Credentials

      Use cluster access credentials to read or write bucket data using the Couchbase SDK and other supported tools.

      Prerequisites

      To create cluster access credentials, you need the following:

      • The Project Owner role for the project containing the cluster where you’re creating the cluster access credentials.

      Procedure

      1. Open the Cluster Access page for your cluster:

        1. With the Projects tab in your organization open, click the project with the cluster you’re working with.

        2. With the Operational tab open, select your cluster.

        3. Click the Settings tab.

        4. In the navigation menu, click Cluster Access.

      2. Click Create Access.

      3. Specify the cluster access name and password:

        Cluster Access Name

        The cluster access name cannot exceed 35 characters in length and can’t contain the following characters: ( ) < > @ , ; : \ " / [ ] ? = { }

        Password

        Passwords must be at least eight characters in length. They need one or more uppercase letters, lowercase letters, numbers, and special characters: ^ $ ( ) ? " ! @ # % , ' : _ ~ ` = + -

        Selecting Auto-generate password generates a random password that meets the requirements. Copy this password to a secure location, as you’re unable to view it again after creating the cluster access credentials.

      4. Select bucket-level access.

        In the Bucket Level Access section, use the Bucket drop-down menu to specify a bucket you want these cluster access credentials to access. To grant access to all current and future buckets in the cluster, choose the All Buckets option.

      5. Select scope-level access.

        Use the Scope drop-down menu to specify the scope you want your cluster access credentials to access. To grant access to all current and future scopes in the selected bucket, choose the All Scopes option.

      6. Select collection-level access.

        Use the Collection drop-down menu to specify a collection you want your cluster access credentials to access. To grant access to all current and future collections in the selected scope, choose the All Collections option.

      7. Select access level.

        Use the Access drop-down menu to specify Read, Write, or Read/Write access to the chosen bucket and scope selection.

      8. (Optional) Add another level of access.

        Cluster access credentials can access a selection of multiple buckets, scopes, and collections in a cluster.

        1. Click Add Another Selection.

          The Bucket Level Access section adds another line where you can select another bucket, scope, and collection for these cluster access credentials.

      9. Once you have finished configuring the levels of access, click Create Cluster Access.

      Modify Cluster Access Credentials

      After creating cluster access credentials, you can change the password or the levels of bucket access.

      Prerequisites

      To modify cluster access credentials, you need the following:

      • The Project Owner role for the project with the cluster access credentials.

      Procedure

      1. Open the Cluster Access page for your cluster:

        1. With the Projects tab in your organization open, click the project with the cluster you’re working with.

        2. With the Operational tab open, select your cluster.

        3. Click the Settings tab.

        4. In the navigation menu, click Cluster Access.

      2. Click the access name of the cluster access credentials you’re modifying.

      3. Using the Change Password button, you can change the password for the cluster access credentials.

        For password requirements, see the name and password step in Create Cluster Access Credentials.

        To maintain cluster access for any applications using these credentials, you must update your applications to use the new password.

      4. In the Bucket Level Access section, change any existing levels of access or add more.

        See the access selection steps for creating cluster access credentials for details on choosing bucket, scope, and collection access levels.

      5. Once you have made your changes, click Apply.

      Delete Cluster Access Credentials

      Deleting cluster access credentials can cause an application that’s using them to stop functioning. Always make sure that you have updated your application to use new credentials before deleting cluster access credentials.

      Prerequisites

      To delete cluster access credentials, you need the following:

      • The Project Owner role for the project with the cluster access credentials you’re deleting.

      Procedure

      1. Open the Cluster Access page for your cluster:

        1. With the Projects tab in your organization open, click the project with the cluster you’re working with.

        2. With the Operational tab open, select your cluster.

        3. Click the Settings tab.

        4. In the navigation menu, click Cluster Access.

      2. At the end of the row for the cluster access credentials you want to delete, click the Trash icon.

        This opens the Delete Cluster Access dialog.

      3. Type delete into the provided field and click Delete Cluster Access.

        A small notification indicates that Capella successfully deleted the cluster access credentials.

      Manage Cluster Access with HashiCorp Vault

      The Couchbase Capella HashiCorp Vault plug-in can serve as a centralized hub for secrets management. In addition to managing existing credentials, Vault’s Cluster Secrets Engine generates dynamic, short-lived cluster access credentials. This streamlines the management of cluster connections and roles, and you can customize permissions and TTL settings.

      For more information, see the HashiCorp Vault plug-in for Capella.