Managing Users and Roles

IBM Cloud® Databases for etcd deployments come with authentication enabled and use etcd's built-in access control.

While technically possible - turning off etcd authentication is NOT highly discouraged. Databases for etcd automatically fixes any deployments where etcd authentication has been deliberately turned off.

The admin user

When you provision a Databases for etcd deployment, an admin user is automatically created.

Set the admin password before using it to connect.

Setting the Admin Password in the UI

Set your Admin Password through the UI by selecting your instance from the Resource List in the IBM Cloud Dashboard. Then, select Settings. Next, select Change Database Admin Password.

Setting the Admin Password in the CLI

Use the cdb user-password command from the IBM Cloud CLI Cloud Databases plug-in to set the admin password.

For example, to set the admin password for a deployment named example-deployment, use the following command:

ibmcloud cdb user-password example-deployment admin <newpassword>

Setting the Admin Password in the API

The Foundation Endpoint that is shown on the Overview panel Deployment Details section of your service provides the base URL to access this deployment through the API. Use it with the Set specified user's password endpoint to set the admin password.

curl -X PATCH `https://api.{region}.databases.cloud.ibm.com/v5/ibm/deployments/{id}/users/admin` \
-H `Authorization: Bearer <>` \
-H `Content-Type: application/json` \ 
-d `{"password":"newrootpasswordsupersecure21"}` \

Managing Users and Roles through the UI

Go to the service dashboard for your service.
Click Service Credentials to open the Service Credentials section.
Click __New Credential**.
Choose a descriptive name for your new credential.
(Optional) Specify whether the new credentials use a public or private endpoint. Use either { "service-endpoints": "public" } / { "service-endpoints": "private" } in the Add Inline Configuration Parameters field to generate connection strings that use the specified endpoint. Use of the endpoint is not enforced. It just controls which hostnames are in the connection strings. Public endpoints are generated by default.
Click Add to provision the new credentials. A username and password, and an associated etcd user is auto-generated.

The new credentials appear in the table, and the connection strings are available as JSON in a click-to-copy field under View Credentials.

Creating a user from the CLI or API doesn't automatically populate that user's connection strings into Service Credentials. If you want to add them there, you can create a new credential with the existing user information. Enter the username and password in the JSON field under Add Inline Configuration Parameters. For example, {"existing_credentials":{"username":"Robert","password":"supersecure"}}. Basically, you send in the username and password, and Service Credentials generates the connection strings with the credentials filled in.

Generating credentials from an existing user does not check for or create that user.

Users that you create through Service Credentials are given the roles readWriteAnyDatabase and dbAdminAnyDatabase.

If you need users that are created from Service Credentials to have a different role, you can use the admin user to change their role.

Managing Users and Roles through the CLI

If you need users to have a different role, you can use the admin user to change their role.

Users that are created directly from the CLI do not appear in Service Credentials, but you can add them.

If you manage your service through the Cloud Databases CLI plug-in, create a new user with cdb user-create. For example, to create a new user for an "example-deployment", use the following command:

ibmcloud cdb user-create example-deployment <newusername> <newpassword>

When the task finishes, retrieve the new user's connection strings with the ibmcloud cdb deployment-connections command.

etcd centralizes user data in the admin database. List all users and their roles and database permissions in the mongo shell by using the show users command.

ibmcloud cdb deployment-connections --start -u admin etcd-production
Database Password>>
etcd shell version v4.0.3
connecting to: etcd://....
....
replset:PRIMARY> use admin
switched to db admin
replset:PRIMARY> show users

Users that are created in the CLI get the same role as Service Credential users, rwall. They have access read and write access to all the keys in the database. If you need them to have a different role that you have created, you can use the root user to change their role.

Users that are created directly from the CLI do not appear in Service Credentials, but you can add them if you choose.

Managing Users and Roles through the API

If you need users to have a different role, use the admin user to change their role.

Users that are created directly from the API do not appear in Service Credentials, but you can add them.

The Foundation Endpoint that is shown on the Overview section of your service provides the base URL to access this deployment through the API. To create and manage users, use the base URL with the /users endpoint.

The command looks like:

curl -X POST 'https://api.{region}.databases.cloud.ibm.com/v4/ibm/deployments/{id}/users' \
-H "Authorization: Bearer $APIKEY" \
-H "Content-Type: application/json" \
-d '{"username":"jane_smith", "password":"newsupersecurepassword"}'

To retrieve a user's connection strings, use the base URL with the /users/{userid}/connections endpoint.

Users that are created in the API get the same role as Service Credential users, rwall. They have access read and write access to all the keys in the database. If you need them to have a different role that you have created, you can use the root user to change their role.

Users that are created directly from the API do not appear in Service Credentials, but you can add them if you choose.

The root user

When you provision a new deployment in IBM Cloud, you are automatically given access to the etcd root user. You can also add users in the Service Credentials panel, which allows for access to etcd to be integrated with your IBM Cloud account and IAM.

The etcd root user is intended for use as an administrative user. It is granted the root role, which gives read/write access to the entire key space, cluster operations, and privileges to create, modify, and delete other roles and users on your deployment.

etcd roles

etcd uses a system of roles to manage database and key access. Roles are used to give users a set of privileges. If you connect to your deployment using the root user and ectdctl, you can check the roles on your deployment with a command like:

ETCDCTL_API=3 etcdctl --cacert=c5f07736-d94c-11e8-a2e9-62ec2ed68f84 --endpoints=https://35dae549-2275-4d3e-baed-d86f36022336.974550db65eb4ec0983f023940bf637f.databases.appdomain.cloud:32460 --user=root:$PASSWORD role list

Create roles that grant read access, write access, or both to specific keys or ranges of keys. Refer to the etcd documentation for commands to manage roles.

Once you have created a role, assign it to a user. List the users on your deployment with a command like:

ETCDCTL_API=3 etcdctl --cacert=c5f07736-d94c-11e8-a2e9-62ec2ed68f84 --endpoints=https://35dae549-2275-4d3e-baed-d86f36022336.974550db65eb4ec0983f023940bf637f.databases.appdomain.cloud:32460 --user=root:$PASSWORD user list

Service Credential Users

Users that you create through the Service Credentials panel are given the role rwall. They have access read and write access to all the keys in the database.

If you need users that are created from Service Credentials to have a different role, you can use the root user to change their role.

Users created in etcd

Bypass creating users in Service Credentials, the CLI, the API, and create users directly in etcd.

Users who are created directly in etcd do not appear in Service Credentials, but you can add them.

The compose user

If you use etcdctl to list the users on your deployment, you might have noticed a user that is named compose. The compose user is the internal administrative account that manages replication, cluster operations, and other functions that ensure the stability of your deployment. It has the same roles and privileges as the root user. Changing or deleting to the compose user is not advised and will disrupt the stability of your deployment.