playbooks

home / skills / terrylica / cc-skills / clickhouse-cloud-management

clickhouse-cloud-management skill

/plugins/devops-tools/skills/clickhouse-cloud-management

This skill helps you manage ClickHouse Cloud users and permissions via SQL over HTTP, including creation, grants, and credential handling.

npx playbooks add skill terrylica/cc-skills --skill clickhouse-cloud-management

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
5.7 KB
---
name: clickhouse-cloud-management
description: ClickHouse Cloud user and permission management. TRIGGERS - create ClickHouse user, ClickHouse permissions, ClickHouse Cloud credentials.
allowed-tools: Read, Bash
---

# ClickHouse Cloud Management

ADR: 2025-12-08-clickhouse-cloud-management-skill

## Overview

ClickHouse Cloud user and permission management via SQL commands over HTTP interface. This skill covers database user creation, permission grants, and credential management for ClickHouse Cloud instances.

## When to Use This Skill

Invoke this skill when:

- Creating database users for ClickHouse Cloud
- Managing user permissions (GRANT/REVOKE)
- Testing ClickHouse Cloud connectivity
- Troubleshooting authentication issues
- Understanding API key vs database user distinction

## Key Concepts

### Management Options

ClickHouse Cloud provides two management interfaces with different capabilities:

| Task                 | Via SQL (CLI/HTTP) | Via Cloud Console |
| -------------------- | ------------------ | ----------------- |
| Create database user | CREATE USER        | Supported         |
| Grant permissions    | GRANT              | Supported         |
| Delete user          | DROP USER          | Supported         |
| Create API key       | Not possible       | Only here         |

**Key distinction**: Database users (created via SQL) authenticate to ClickHouse itself. API keys (created via console) authenticate to the ClickHouse Cloud management API.

### Connection Details

ClickHouse Cloud exposes only HTTP interface publicly:

- **Port**: 443 (HTTPS)
- **Protocol**: HTTP (not native ClickHouse protocol)
- **Native protocol**: Requires AWS PrivateLink (not available without enterprise setup)

### Password Requirements

ClickHouse Cloud enforces strong password policy:

- Minimum 12 characters
- At least 1 uppercase letter
- At least 1 special character

Example compliant password: `StrongPass@2025!`

## Quick Reference

### Create Read-Only User

```bash
curl -s "https://default:PASSWORD@HOST:443/" --data-binary \
  "CREATE USER my_reader IDENTIFIED BY 'StrongPass@2025!' SETTINGS readonly = 1"
```

### Grant Database Access

```bash
curl -s "https://default:PASSWORD@HOST:443/" --data-binary \
  "GRANT SELECT ON deribit.* TO my_reader"
```

### Delete User

```bash
curl -s "https://default:PASSWORD@HOST:443/" --data-binary \
  "DROP USER my_reader"
```

For comprehensive SQL patterns and advanced permission scenarios, see [SQL Patterns Reference](./references/sql-patterns.md).

## Credential Sources

### 1Password Items (Engineering Vault)

| Item                                             | Purpose                                   |
| ------------------------------------------------ | ----------------------------------------- |
| ClickHouse Cloud - API Key (Admin)               | Cloud management API (console operations) |
| ClickHouse Cloud - API Key (Developer Read-only) | Cloud management API (read-only)          |
| gapless-deribit-clickhouse                       | Database `default` user credentials       |

### Retrieving Credentials

```bash
# Database credentials (for SQL commands)
op item get "gapless-deribit-clickhouse" --vault Engineering --reveal

# API key (for cloud management API)
op item get "ClickHouse Cloud - API Key (Admin)" --vault Engineering --reveal
```

## Common Workflows

### Workflow 1: Create Application User

1. Retrieve `default` user credentials from 1Password
2. Create new user with appropriate permissions:

```bash
HOST="your-instance.clickhouse.cloud"
PASSWORD="default-user-password"

# Create user
curl -s "https://default:$PASSWORD@$HOST:443/" --data-binary \
  "CREATE USER app_user IDENTIFIED BY 'AppPass@2025!'"

# Grant specific database access
curl -s "https://default:$PASSWORD@$HOST:443/" --data-binary \
  "GRANT SELECT, INSERT ON mydb.* TO app_user"
```

### Workflow 2: Verify User Exists

```bash
curl -s "https://default:$PASSWORD@$HOST:443/" --data-binary "SHOW USERS"
```

### Workflow 3: Test Connection

```bash
curl -s "https://user:password@HOST:443/" --data-binary "SELECT 1"
```

Expected output: `1` (single row with value 1)

## Troubleshooting

### Authentication Failed

- Verify password meets complexity requirements
- Check host URL includes port 443
- Ensure using HTTPS (not HTTP)

### Permission Denied

- Verify user has required GRANT statements
- Check database and table names are correct
- Confirm user was created with correct settings

### Connection Timeout

- ClickHouse Cloud only exposes port 443 publicly
- Native protocol (port 9440) requires PrivateLink
- Use HTTP interface with curl or clickhouse-client HTTP mode

## Next Steps After User Creation

<!-- ADR: 2025-12-10-clickhouse-skill-delegation -->

After creating a ClickHouse user, invoke **`devops-tools:clickhouse-pydantic-config`** to generate DBeaver configuration with the new credentials.

## Additional Resources

### Reference Files

For detailed patterns and advanced techniques, consult:

- **[references/sql-patterns.md](./references/sql-patterns.md)** - Complete SQL syntax reference with examples

## Python Driver Policy

For Python application code connecting to ClickHouse Cloud, use `clickhouse-connect` (official HTTP driver). See [`clickhouse-architect`](../../../quality-tools/skills/clickhouse-architect/SKILL.md#python-driver-policy) for recommended code patterns and why to avoid `clickhouse-driver` (community).

## Related Skills

- `quality-tools:clickhouse-architect` - Schema design, compression codecs, Python driver policy
- `devops-tools:clickhouse-pydantic-config` - DBeaver configuration generation
- `devops-tools:doppler-secret-validation` - For storing credentials in Doppler
- `devops-tools:doppler-workflows` - For credential rotation workflows

Overview

This skill manages ClickHouse Cloud users, permissions, and credentials via the HTTP SQL interface. It automates common tasks like creating users, granting/revoking privileges, and verifying connectivity while clarifying the difference between database users and cloud API keys.

How this skill works

The skill issues SQL statements over HTTPS (port 443) to ClickHouse Cloud to create/drop users, alter settings, and run GRANT/REVOKE commands. It also explains how to retrieve stored credentials (e.g., 1Password) for the default admin user and when to use cloud API keys vs database users. Example curl patterns and connection tests are provided for quick validation.

When to use it

  • Create application or read-only database users for ClickHouse Cloud
  • Grant or revoke SELECT/INSERT/other privileges on databases or tables
  • Test and verify user connectivity with simple SQL checks (SELECT 1)
  • Troubleshoot authentication, permission, or connection issues
  • Decide whether to use a database user or a ClickHouse Cloud API key

Best practices

  • Use HTTPS (port 443) and the HTTP SQL interface for public ClickHouse Cloud access
  • Store and retrieve credentials from a secrets manager (e.g., 1Password, Doppler)
  • Enforce strong passwords (>=12 chars, uppercase, special character)
  • Create least-privilege users and grant only required privileges per DB or table
  • Verify user creation with SHOW USERS and test with SELECT 1

Example use cases

  • Provision an app_user and grant SELECT, INSERT on a specific database
  • Create a read-only my_reader for analytics teams using readonly setting
  • Rotate default user credentials and update service configs via secrets store
  • Validate that a recently created user can connect by running SELECT 1
  • Remove obsolete users (DROP USER) as part of access cleanup

FAQ

Can I create API keys with SQL?

No. API keys are created in the ClickHouse Cloud console and authenticate to the management API; SQL-created database users authenticate to ClickHouse itself.

Which ports and protocols are available publicly?

ClickHouse Cloud exposes the HTTP(S) interface on port 443 publicly. The native ClickHouse protocol requires PrivateLink or an enterprise setup.

What password rules should I follow?

Use at least 12 characters including an uppercase letter and a special character (for example: StrongPass@2025!).