Add a user to your InfluxDB cluster
Add a user with administrative access to your InfluxDB cluster through your
identity provider and your InfluxDB
AppInstance
resource:
-
Use your identity provider to create an OAuth2 account for the user that needs administrative access to your InfluxDB cluster.
Refer to your identity provider’s documentation for information about adding users:
-
Add the user to your InfluxDB
AppInstance
resource. You can edit yourAppInstance
resource directly in yourmyinfluxdb.yml
, or, if you’re using the InfluxDB Clustered Helm chart, you can add users to yourvalues.yaml
to modify yourAppInstance
resource. Required credentials depend on your identity provider.If editing your
AppInstance
resource directly, provide values for the following fields in yourmyinfluxdb.yml
configuration file:spec.package.spec.admin
identityProvider
: Identity provider name. If using Microsoft Entra ID (formerly Azure Active Directory), set the name toazure
.jwksEndpoint
: JWKS endpoint provide by your identity provider.users
: List of OAuth2 users to grant administrative access to your InfluxDB cluster. IDs are provided by your identity provider.
Below are examples for Keycloak, Auth0, and Microsoft Entra ID, but other OAuth2 providers should work as well:
apiVersion: kubecfg.dev/v1alpha1 kind: AppInstance # ... spec: package: spec: admin: identityProvider: keycloak jwksEndpoint: |- https://
KEYCLOAK_HOST/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Keycloak. - id:KEYCLOAK_USER_IDfirstName: Marty lastName: McFly email: mcfly@influxdata.comReplace the following:
KEYCLOAK_HOST
: Host and port of your Keycloak serverKEYCLOAK_REALM
: Keycloak realmKEYCLOAK_USER_ID
: Keycloak user ID to grant InfluxDB administrative access to (See Find user IDs with Keycloak)
apiVersion: kubecfg.dev/v1alpha1 kind: AppInstance # ... spec: package: spec: admin: identityProvider: auth0 jwksEndpoint: |- https://
AUTH0_HOST/.well-known/openid-configuration users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Auth0. - id:AUTH0_USER_IDfirstName: Marty lastName: McFly email: mcfly@influxdata.comReplace the following:
AUTH0_HOST
: Host and port of your Auth0 serverAUTH0_USER_ID
: Auth0 user ID to grant InfluxDB administrative access to
apiVersion: kubecfg.dev/v1alpha1 kind: AppInstance # ... spec: package: spec: admin: identityProvider: azure jwksEndpoint: |- https://login.microsoftonline.com/
AZURE_TENANT_ID/discovery/v2.0/keys users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Azure. - id:AZURE_USER_IDfirstName: Marty lastName: McFly email: mcfly@influxdata.comReplace the following:
AZURE_TENANT_ID
: Microsoft Entra tenant IDAZURE_USER_ID
: Microsoft Entra user ID to grant InfluxDB administrative access to (See Find user IDs with Microsoft Entra ID)
If using the InfluxDB Clustered Helm chart, provide values for the following fields in your
values.yaml
:admin
identityProvider
: Identity provider name. If using Microsoft Entra ID (formerly Azure Active Directory), set the name toazure
.jwksEndpoint
: JWKS endpoint provide by your identity provider.users
: List of OAuth2 users to grant administrative access to your InfluxDB cluster. IDs are provided by your identity provider.
Below are examples for Keycloak, Auth0, and Microsoft Entra ID, but other OAuth2 providers should work as well:
admin: # The identity provider to be used (such as "keycloak", "auth0", or "azure") # Note, use "azure" for Azure Active Directory identityProvider: keycloak # The JWKS endpoint provided by the Identity Provider jwksEndpoint: |- https://
KEYCLOAK_HOST/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs # The list of users to grant access to Clustered via influxctl users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Keycloak. - id:KEYCLOAK_USER_IDfirstName: Marty lastName: McFly email: mcfly@influxdata.comReplace the following:
KEYCLOAK_HOST
: Host and port of your Keycloak serverKEYCLOAK_REALM
: Keycloak realmKEYCLOAK_USER_ID
: Keycloak user ID to grant InfluxDB administrative access to
admin: # The identity provider to be used e.g. "keycloak", "auth0", "azure", etc # Note, use "azure" for Azure Active Directory. identityProvider: auth0 # The JWKS endpoint provided by the Identity Provider jwksEndpoint: |- https://
AUTH0_HOST/.well-known/openid-configuration # The list of users to grant access to Clustered via influxctl users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Auth0. - id:AUTH0_USER_IDfirstName: Marty lastName: McFly email: mcfly@influxdata.comReplace the following:
AUTH0_HOST
: Host and port of your Auth0 serverAUTH0_USER_ID
: Auth0 user ID to grant InfluxDB administrative access to
admin: # The identity provider to be used e.g. "keycloak", "auth0", "azure", etc # Note, use "azure" for Azure Active Directory. identityProvider: azure # The JWKS endpoint provided by the Identity Provider jwksEndpoint: |- https://login.microsoftonline.com/
AZURE_TENANT_ID/discovery/v2.0/keys # The list of users to grant access to Clustered via influxctl users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Azure. - id:AZURE_USER_IDfirstName: Marty lastName: McFly email: mcfly@influxdata.comReplace the following:
AZURE_TENANT_ID
: Microsoft Entra tenant IDAZURE_USER_ID
: Microsoft Entra user ID to grant InfluxDB administrative access to (See Find user IDs with Microsoft Entra ID)
-
Apply the change to your InfluxDB cluster.
- If updating the
AppInstance
resource directly, usekubectl
to apply the change. - If using the InfluxDB Clustered Helm chart, use
helm
to apply the change.
- If updating the
kubectl apply \
--filename myinfluxdb.yml \
--namespace influxdb
helm upgrade \
influxdb \
influxdata/influxdb3-clustered \
-f ./values.yaml \
--namespace influxdb
Once applied, the added user is granted administrative access to your InfluxDB
cluster and can use influxctl
to perform administrative actions.
See Set up Authorization–Configure influxctl
for information about configuring the new user’s influxctl
client to communicate
and authenticate with your InfluxDB cluster’s identity provider.
Was this page helpful?
Thank you for your feedback!
Support and feedback
Thank you for being part of our community! We welcome and encourage your feedback and bug reports for InfluxDB Clustered and this documentation. To find support, use the following resources:
Customers with an annual or support contract can contact InfluxData Support.