Gen 2

Managing users and roles

As part of provisioning a new deployment in IBM Cloud®, you can use the Service credentials console page to create users with the Manager or Writer role.

Databases for MongoDB deployments no longer include a default admin user. Instead, you create a user with the Manager or Writer role by using the IBM Cloud® Service Credentials interface, through either the UI or the CLI. These users come with the credentials needed to connect to and manage the deployment.

The manager user

The Manager user functions as an admin-like user and is automatically granted the following privileges:

  "dbAdminAnyDatabase",
  "readWriteAnyDatabase",
  "readAnyDatabase",
  "clusterMonitor",
  "clusterManager",
  "backup",
  "restore"

Changing the user password is not supported via the IBM Cloud console on Gen 2.

Create the manager user in the CLI

Use one of the following commands from the IBM Cloud CLI Cloud Databases plug-in to create the Manager user.

ibmcloud resource service-key-create <service_key_name> Manager --instance-name <instance_name>
ibmcloud resource service-key-create <service_key_name> Manager --instance-id <guid>

Creating users in the console

  1. Go to the service dashboard for your service.
  2. Click Service credentials.
  3. Click New credential.
  4. Choose a descriptive name for your new credential.
  5. Optional: Specify whether the new credentials should use a public or private endpoint. Use { "service-endpoints": "private" } in the Add inline configuration parameters field to generate connection strings using the specified endpoint. Use of the endpoint is not enforced; the setting only controls which hostnames are in the connection strings. Private endpoints are generated by default. On Gen 2, only private endpoints are supported.
  6. Click Add to provision the new credential. A username and password, and an associated database user in the Databases for MongoDB deployment, are generated.

Setting the admin password in the CLI

Use the cdb user-password command from the IBM Cloud CLI Cloud Databases plug-in to set the admin password.

For example, to set the admin password for your deployment, use the following command:

ibmcloud cdb user-password <INSTANCE_NAME_OR_CRN> admin <NEWPASSWORD>

Creating a user from the CLI or API doesn't automatically populate that user's connection strings into Service Credentials. If you want to add them there, you can create a new credential with the existing user information. Enter the username and password in the JSON field under Add Inline Configuration Parameters. For example, {"existing_credentials":{"username":"Robert","password":"supersecure"}}. So, you provide the username and password, and Service Credentials generates the connection strings with the credentials filled in.

Generating credentials from an existing user does not check for or create that user.
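
Because Service Credentials does not verify the user, it is worth confirming that the user exists, and which roles it holds, before registering it under existing_credentials. The following added example (not IBM's code) inspects the reply of MongoDB's usersInfo command and compares the granted roles with the Manager list above. The helper name auditUser and the sample replies are constructed for illustration, and it assumes the Manager roles are granted on the admin database.

```javascript
// Added example: audit a MongoDB `usersInfo` reply before reusing the user
// in {"existing_credentials": ...}. Runs in Node.js or pasted into mongosh.

// Roles the page lists for the Manager user. Assumption: granted on "admin".
const MANAGER_ROLES = [
  "dbAdminAnyDatabase", "readWriteAnyDatabase", "readAnyDatabase",
  "clusterMonitor", "clusterManager", "backup", "restore",
];

// `reply` is the document returned in mongosh by
//   db.getSiblingDB("admin").runCommand({ usersInfo: "<username>" })
// auditUser (hypothetical helper) only inspects it; it opens no connection.
function auditUser(reply, username, expectedRoles = MANAGER_ROLES) {
  const users = reply && Array.isArray(reply.users) ? reply.users : [];
  const user = users.find((u) => u.user === username);
  if (!user) {
    // The case Service Credentials does not catch: no such database user.
    return { exists: false, ok: false, missing: [...expectedRoles], unexpected: [] };
  }
  const roles = Array.isArray(user.roles) ? user.roles : [];
  const onAdmin = new Set(roles.filter((r) => r.db === "admin").map((r) => r.role));
  const missing = expectedRoles.filter((name) => !onAdmin.has(name));
  // Anything outside the expected set is reported as "role@db" for review.
  const unexpected = roles
    .filter((r) => r.db !== "admin" || !expectedRoles.includes(r.role))
    .map((r) => `${r.role}@${r.db}`);
  return { exists: true, ok: missing.length === 0 && unexpected.length === 0, missing, unexpected };
}

// Constructed sample replies (not captured from a real deployment).
const REPLY_NO_USER = { users: [], ok: 1 };
const REPLY_PARTIAL = {
  users: [{
    user: "Robert", db: "admin",
    roles: [
      { role: "readWriteAnyDatabase", db: "admin" },
      { role: "readAnyDatabase", db: "admin" },
      { role: "dbOwner", db: "test" },
    ],
  }],
  ok: 1,
};

console.log(auditUser(REPLY_NO_USER, "Robert"));
console.log(auditUser(REPLY_PARTIAL, "Robert"));
```

Run the usersInfo command as a user that is permitted to view the account being checked, and treat an exists: false result as a reason not to create the credential.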