CockroachDB Cloud supports authentication at two levels: organization-level access for administrative tasks and cluster-level access for SQL operations.

Authentication Overview

Authentication in CockroachDB Cloud works at different levels:
  1. Organization Level: Access to Cloud Console, API, and ccloud CLI
  2. Cluster Level: SQL user authentication for database operations

Organization Authentication

Authenticate to manage your CockroachDB Cloud organization through three interfaces.

Cloud Console Authentication

Access the Cloud Console at cockroachlabs.cloud.

Authentication Methods:

Standard Login:

Step 1: Navigate to Login

Step 2: Enter Credentials

  1. Enter your email address
  2. Enter your password
  3. Click Sign In

Step 3: Multi-Factor Authentication

If MFA is enabled, enter your verification code.

ccloud CLI Authentication

Authenticate the ccloud command-line tool to your organization.
Step 1: Install ccloud

Download and install the ccloud CLI:

# macOS
brew install cockroachdb/tap/ccloud

# Linux
curl -L https://binaries.cockroachlabs.com/ccloud-latest.linux-amd64.tar.gz | tar -xz

Step 2: Authenticate

Run the login command:

ccloud auth login --org <organization-name>

This opens your browser for authentication.

Step 3: Complete Login

  1. Authenticate in your browser
  2. Return to the terminal
  3. ccloud is now authenticated

Headless Authentication: For servers without a browser:

ccloud auth login --no-redirect --org <organization-name>

Copy the provided URL, authenticate on another machine, and enter the authorization code.

Cloud API Authentication

Service accounts authenticate to the Cloud API using API keys.
Step 1: Create Service Account

  1. Go to Access Management in Cloud Console
  2. Click Service Accounts tab
  3. Click Create Service Account
  4. Name the account and assign roles

Step 2: Generate API Key

  1. Select the service account
  2. Click Create API Key
  3. Copy the API key (shown only once)
  4. Store securely

Step 3: Use API Key

Include the API key in API requests:

curl -X GET \
  https://cockroachlabs.cloud/api/v1/clusters \
  -H "Authorization: Bearer {api-key}"

SQL User Authentication

Authenticate to CockroachDB clusters to execute SQL statements.

Create SQL Users

Step 1: Navigate to SQL Users

  1. Select your cluster
  2. Click SQL Users in the navigation

Step 2: Add User

  1. Click Add User
  2. Enter username (lowercase, alphanumeric, hyphens)
  3. Generate or enter a strong password
  4. Click Create

Step 3: Save Credentials

Save the password securely - it won’t be shown again.

Password Requirements:
  • Minimum 12 characters
  • Include uppercase and lowercase letters
  • Include numbers and special characters
  • Avoid common passwords or patterns

SQL Authentication Methods

Standard SQL Authentication: Connect using username and password in the connection string:

cockroach sql --url "postgresql://myuser:<password>@cluster-name.cloud.cockroachlabs.cloud:26257/defaultdb?sslmode=verify-full"

Or provide credentials interactively:

cockroach sql --url "postgresql://cluster-name.cloud.cockroachlabs.cloud:26257/defaultdb?sslmode=verify-full" --user myuser
Password: [enter password]

Connection Security

CockroachDB Cloud enforces secure connections.

SSL/TLS Requirements:
  • Connections must use TLS encryption
  • sslmode=verify-full required for production
  • CA certificate validates server identity

SSL Mode Settings:

Mode         Encryption  Verification  Use Case
require      Yes         No            Testing only (not recommended)
verify-full  Yes         Yes           Production (required)

Download CA Certificate: Get the cluster’s CA certificate from the Connect dialog:

mkdir -p ~/.postgresql
curl --create-dirs -o ~/.postgresql/root.crt \
  'https://cockroachlabs.cloud/clusters/{cluster-id}/cert'

Manage SQL Users

Perform common SQL user management tasks.

Reset Password

Only Organization Admins and Cluster Admins can reset passwords:
Step 1: Access SQL Users

Navigate to the cluster’s SQL Users page.

Step 2: Reset Password

  1. Click the user’s action menu (•••)
  2. Select Reset password
  3. Generate or enter new password
  4. Click Update

Step 3: Distribute New Credentials

Securely share the new password with the user.

Grant SQL Privileges

Control what SQL users can do:
-- Grant database access
GRANT ALL ON DATABASE mydb TO myuser;

-- Grant table access
GRANT SELECT, INSERT ON TABLE mytable TO myuser;

-- Grant admin privileges
GRANT admin TO myuser;

-- Create read-only user (SELECT is granted on tables, not on the database)
CREATE USER readonly;
GRANT SELECT ON TABLE mydb.public.* TO readonly;

Delete SQL User

Step 1: Revoke Privileges

Remove the user’s privileges:

REVOKE ALL ON DATABASE mydb FROM myuser;

Step 2: Drop User

Delete the user:

DROP USER myuser;

Or use the Cloud Console:
  1. Go to SQL Users page
  2. Click action menu for user
  3. Select Delete user

Multi-Factor Authentication

Enable MFA for enhanced organization account security.
Step 1: Access Account Settings

Click your profile icon > Account Settings

Step 2: Enable MFA

  1. Go to Security tab
  2. Click Enable MFA
  3. Scan QR code with authenticator app
  4. Enter verification code
  5. Save recovery codes

Step 3: Login with MFA

Future logins require:
  1. Username and password
  2. MFA verification code

Supported Authenticator Apps:
  • Google Authenticator
  • Microsoft Authenticator
  • Authy
  • 1Password
  • Other TOTP-compatible apps

Configure Organization SSO

Organization Admins can configure SSO for all users.
Step 1: Access SSO Settings

  1. Go to Organization Settings
  2. Click SSO tab

Step 2: Configure Identity Provider

  1. Select your IdP type (SAML 2.0)
  2. Enter IdP metadata URL or upload metadata XML
  3. Configure attribute mappings

Step 3: Test SSO

  1. Click Test SSO
  2. Verify authentication flow
  3. Check user attributes

Step 4: Enable SSO

  1. Toggle SSO Enabled
  2. Optionally enforce SSO (disable password login)

SSO Benefits:
  • Centralized user management
  • Automated provisioning/deprovisioning
  • Enhanced security with IdP policies
  • Simplified user experience

Security Best Practices

Organization Authentication

Recommendations

  • Enable SSO: Centralize authentication
  • Require MFA: Add extra security layer
  • Use Service Accounts: For API access, not personal accounts
  • Rotate API Keys: Regularly update service account keys
  • Review Access: Audit user access quarterly

SQL User Security

Best Practices

  • Strong Passwords: Minimum 12 characters, complex
  • Least Privilege: Grant only necessary permissions
  • Separate Users: Different users for different applications
  • Regular Audits: Review user list and privileges
  • Use Certificates: For Advanced clusters when possible

Connection Security

Secure Connections

  • Always use TLS: Never disable SSL/TLS
  • Verify Server: Use sslmode=verify-full
  • Secure Credentials: Use environment variables, not hard-coded
  • Rotate Passwords: Change passwords regularly
  • Monitor Connections: Track unusual access patterns
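
The "Verify Server" and "Secure Credentials" items above, together with the SSL Mode Settings table, can be checked mechanically. The following is an added example, not code from CockroachDB or from this page: the function names, the CRDB_PASSWORD variable name and the sample URLs are assumptions made for illustration.

```python
"""Added example: audit connection URLs and build one without a hard-coded password."""
import os
from urllib.parse import parse_qs, quote, urlsplit

# Constructed samples; HOST is the placeholder host name used on this page.
HOST = "cluster-name.cloud.cockroachlabs.cloud"
SAMPLES = [
    f"postgresql://myuser:example-pw@{HOST}:26257/defaultdb?sslmode=require",
    f"postgresql://myuser@{HOST}:26257/defaultdb?sslmode=verify-full",
]


def audit_stored_url(url):
    """Return findings for a URL found in source code or a config file."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme not in ("postgresql", "postgres"):
        findings.append("scheme: expected postgresql://")
    if parts.password is not None:
        findings.append("password: embedded in the URL; read it from the environment")
    mode = parse_qs(parts.query).get("sslmode", [None])[-1]
    if mode is None:
        findings.append("sslmode: not set; use sslmode=verify-full")
    elif mode == "require":
        findings.append("sslmode: require encrypts but does not verify the server")
    elif mode != "verify-full":
        findings.append(f"sslmode: {mode!r} is not verify-full")
    return findings


def build_url(user, database, host=HOST, port=26257, env=os.environ):
    """Build a verify-full URL in memory; the password comes from the environment.

    CRDB_PASSWORD is a hypothetical variable name. User and password are
    percent-encoded because special characters such as @ : / # ?, which the
    password requirements encourage, would otherwise be parsed as URL delimiters.
    """
    password = env["CRDB_PASSWORD"]
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    return f"postgresql://{userinfo}@{host}:{port}/{database}?sslmode=verify-full"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_stored_url(sample) or "ok")
```

The audit is meant for URLs stored in files or source; a URL returned by build_url still contains the password and should stay in process memory rather than being logged or written out.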

Troubleshooting Authentication

Cannot Log into Cloud Console

Issue: Login fails or times out

Solutions:
  1. Verify email and password are correct
  2. Check if SSO is enforced for your organization
  3. Clear browser cache and cookies
  4. Try different browser
  5. Reset password if forgotten
  6. Contact Organization Admin

SQL Connection Refused

Issue: Cannot connect to cluster

Solutions:
  1. Check IP allowlist includes your IP
  2. Verify SQL username and password
  3. Confirm sslmode=verify-full is set
  4. Download CA certificate
  5. Check network connectivity
  6. Verify cluster is running

Certificate Verification Failed

Issue: SSL/TLS verification fails

Solutions:
  1. Download latest CA certificate
  2. Verify certificate path in connection string
  3. Check certificate hasn’t expired
  4. Ensure sslmode=verify-full is used
  5. Verify hostname matches certificate

API Authentication Failed

Issue: API key not working

Solutions:
  1. Verify API key is correct (no extra spaces)
  2. Check service account hasn’t been deleted
  3. Confirm service account has necessary roles
  4. Regenerate API key if compromised
  5. Check API key hasn’t been revoked

Next Steps

Authorization

Learn about roles and permissions

Connect to Cluster

Connect your applications

Network Security

Configure network authorization

Compliance

Security compliance and certifications
