content/influxdb3/clustered/admin/users/add.md
Add a user with administrative access to your InfluxDB cluster through your
identity provider and your InfluxDB
AppInstance resource:
Use your identity provider to create an OAuth2 account for the user that needs administrative access to your InfluxDB cluster.
Refer to your identity provider's documentation for information about adding users:
Add the user to your InfluxDB AppInstance resource.
You can edit your AppInstance resource directly in your myinfluxdb.yml,
or, if you're using the
InfluxDB Clustered Helm chart,
you can add users to your values.yaml to modify your AppInstance
resource. Required credentials depend on your identity provider.
{{< tabs-wrapper >}} {{% tabs %}} AppInstance Helm {{% /tabs %}}
{{% tab-content %}}
<!----------------------------- BEGIN AppInstance ----------------------------->If editing your AppInstance resource directly, provide values for the
following fields in your myinfluxdb.yml configuration file:
spec.package.spec.admin
identityProvider: Identity provider name.
If using Microsoft Entra ID (formerly Azure Active Directory), set the name
to azure.jwksEndpoint: JWKS endpoint provide by your identity provider.users: List of OAuth2 users to grant administrative access to your
InfluxDB cluster. IDs are provided by your identity provider.Below are examples for Keycloak, Auth0, and Microsoft Entra ID, but other OAuth2 providers should work as well:
{{< code-tabs-wrapper >}} {{% code-tabs %}} Keycloak Auth0 Microsoft Entra ID {{% /code-tabs %}} {{% code-tab-content %}}
{{% code-callout "keycloak" "green" %}} {{% code-placeholders "KEYCLOAK_(HOST|REALM|USER_ID)" %}}
apiVersion: kubecfg.dev/v1alpha1
kind: AppInstance
# ...
spec:
package:
spec:
admin:
identityProvider: keycloak
jwksEndpoint: |-
https://KEYCLOAK_HOST/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs
users:
# All fields are required but `firstName`, `lastName`, and `email` can be
# arbitrary values. However, `id` must match the user ID provided by Keycloak.
- id: KEYCLOAK_USER_ID
firstName: Marty
lastName: McFly
email: [email protected]
{{% /code-placeholders %}} {{% /code-callout %}}
Replace the following:
KEYCLOAK_HOST{{% /code-placeholder-key %}}:
Host and port of your Keycloak serverKEYCLOAK_REALM{{% /code-placeholder-key %}}:
Keycloak realmKEYCLOAK_USER_ID{{% /code-placeholder-key %}}:
Keycloak user ID to grant InfluxDB administrative access to
(See Find user IDs with Keycloak){{% /code-tab-content %}} {{% code-tab-content %}}
{{% code-callout "auth0" "green" %}} {{% code-placeholders "AUTH0_(HOST|USER_ID)" %}}
apiVersion: kubecfg.dev/v1alpha1
kind: AppInstance
# ...
spec:
package:
spec:
admin:
identityProvider: auth0
jwksEndpoint: |-
https://AUTH0_HOST/.well-known/openid-configuration
users:
# All fields are required but `firstName`, `lastName`, and `email` can be
# arbitrary values. However, `id` must match the user ID provided by Auth0.
- id: AUTH0_USER_ID
firstName: Marty
lastName: McFly
email: [email protected]
{{% /code-placeholders %}} {{% /code-callout %}}
Replace the following:
AUTH0_HOST{{% /code-placeholder-key %}}:
Host and port of your Auth0 serverAUTH0_USER_ID{{% /code-placeholder-key %}}:
Auth0 user ID to grant InfluxDB administrative access to{{% /code-tab-content %}} {{% code-tab-content %}}
{{% code-callout "azure" "green" %}} {{% code-placeholders "AZURE_(USER|TENANT)_ID" %}}
apiVersion: kubecfg.dev/v1alpha1
kind: AppInstance
# ...
spec:
package:
spec:
admin:
identityProvider: azure
jwksEndpoint: |-
https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys
users:
# All fields are required but `firstName`, `lastName`, and `email` can be
# arbitrary values. However, `id` must match the user ID provided by Azure.
- id: AZURE_USER_ID
firstName: Marty
lastName: McFly
email: [email protected]
{{% /code-placeholders %}} {{% /code-callout %}}
Replace the following:
AZURE_TENANT_ID{{% /code-placeholder-key %}}:
Microsoft Entra tenant IDAZURE_USER_ID{{% /code-placeholder-key %}}:
Microsoft Entra user ID to grant InfluxDB administrative access to
(See Find user IDs with Microsoft Entra ID){{% /code-tab-content %}} {{< /code-tabs-wrapper >}}
<!------------------------------ END AppInstance ------------------------------>{{% /tab-content %}} {{% tab-content %}}
<!--------------------------------- BEGIN Helm -------------------------------->If using the InfluxDB Clustered Helm chart, provide values for the following
fields in your values.yaml:
admin
identityProvider: Identity provider name.
If using Microsoft Entra ID (formerly Azure Active Directory), set the name
to azure.jwksEndpoint: JWKS endpoint provide by your identity provider.users: List of OAuth2 users to grant administrative access to your
InfluxDB cluster. IDs are provided by your identity provider.Below are examples for Keycloak, Auth0, and Microsoft Entra ID, but other OAuth2 providers should work as well:
{{< code-tabs-wrapper >}} {{% code-tabs %}} Keycloak Auth0 Microsoft Entra ID {{% /code-tabs %}} {{% code-tab-content %}}
{{% code-callout "keycloak" "green" %}} {{% code-placeholders "KEYCLOAK_(HOST|REALM|USER_ID)" %}}
admin:
# The identity provider to be used (such as "keycloak", "auth0", or "azure")
# Note, use "azure" for Azure Active Directory
identityProvider: keycloak
# The JWKS endpoint provided by the Identity Provider
jwksEndpoint: |-
https://KEYCLOAK_HOST/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs
# The list of users to grant access to Clustered via influxctl
users:
# All fields are required but `firstName`, `lastName`, and `email` can be
# arbitrary values. However, `id` must match the user ID provided by Keycloak.
- id: KEYCLOAK_USER_ID
firstName: Marty
lastName: McFly
email: [email protected]
{{% /code-placeholders %}} {{% /code-callout %}}
Replace the following:
KEYCLOAK_HOST{{% /code-placeholder-key %}}:
Host and port of your Keycloak serverKEYCLOAK_REALM{{% /code-placeholder-key %}}:
Keycloak realmKEYCLOAK_USER_ID{{% /code-placeholder-key %}}:
Keycloak user ID to grant InfluxDB administrative access to{{% /code-tab-content %}} {{% code-tab-content %}}
{{% code-callout "auth0" "green" %}} {{% code-placeholders "AUTH0_(HOST|USER_ID)" %}}
admin:
# The identity provider to be used e.g. "keycloak", "auth0", "azure", etc
# Note, use "azure" for Azure Active Directory.
identityProvider: auth0
# The JWKS endpoint provided by the Identity Provider
jwksEndpoint: |-
https://AUTH0_HOST/.well-known/openid-configuration
# The list of users to grant access to Clustered via influxctl
users:
# All fields are required but `firstName`, `lastName`, and `email` can be
# arbitrary values. However, `id` must match the user ID provided by Auth0.
- id: AUTH0_USER_ID
firstName: Marty
lastName: McFly
email: [email protected]
{{% /code-placeholders %}} {{% /code-callout %}}
Replace the following:
AUTH0_HOST{{% /code-placeholder-key %}}:
Host and port of your Auth0 serverAUTH0_USER_ID{{% /code-placeholder-key %}}:
Auth0 user ID to grant InfluxDB administrative access to{{% /code-tab-content %}} {{% code-tab-content %}}
{{% code-callout "azure" "green" %}} {{% code-placeholders "AZURE_(USER|TENANT)_ID" %}}
admin:
# The identity provider to be used e.g. "keycloak", "auth0", "azure", etc
# Note, use "azure" for Azure Active Directory.
identityProvider: azure
# The JWKS endpoint provided by the Identity Provider
jwksEndpoint: |-
https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys
# The list of users to grant access to Clustered via influxctl
users:
# All fields are required but `firstName`, `lastName`, and `email` can be
# arbitrary values. However, `id` must match the user ID provided by Azure.
- id: AZURE_USER_ID
firstName: Marty
lastName: McFly
email: [email protected]
{{% /code-placeholders %}} {{% /code-callout %}}
Replace the following:
AZURE_TENANT_ID{{% /code-placeholder-key %}}:
Microsoft Entra tenant IDAZURE_USER_ID{{% /code-placeholder-key %}}:
Microsoft Entra user ID to grant InfluxDB administrative access to
(See Find user IDs with Microsoft Entra ID){{% /code-tab-content %}} {{< /code-tabs-wrapper >}}
<!---------------------------------- END Helm --------------------------------->{{% /tab-content %}} {{< /tabs-wrapper >}}
Apply the change to your InfluxDB cluster.
AppInstance resource directly, use kubectl to apply
the change.helm to apply the change.{{< code-tabs-wrapper >}} {{% code-tabs %}} kubectl Helm {{% /code-tabs %}} {{% code-tab-content %}}
<!--pytest.mark.skip-->kubectl apply \
--filename myinfluxdb.yml \
--namespace influxdb
{{% /code-tab-content %}} {{% code-tab-content %}}
<!--pytest.mark.skip-->helm upgrade \
influxdb \
influxdata/influxdb3-clustered \
-f ./values.yaml \
--namespace influxdb
{{% /code-tab-content %}} {{< /code-tabs-wrapper >}}
Once applied, the added user is granted administrative access to your InfluxDB
cluster and can use influxctl to perform administrative actions.
See Set up Authorization--Configure influxctl
for information about configuring the new user's influxctl client to communicate
and authenticate with your InfluxDB cluster's identity provider.