This skill should be used when the user asks to "create ClickHouse user", "manage ClickHouse permissions", "test ClickHouse connection", "troubleshoot ClickHouse Cloud", or mentions ClickHouse Cloud credentials, API keys, or SQL user management.
Limited to specific tools
Additional assets for this skill
This skill is limited to using the following tools:
references/sql-patterns.mdADR: 2025-12-08-clickhouse-cloud-management-skill
ClickHouse Cloud user and permission management via SQL commands over HTTP interface. This skill covers database user creation, permission grants, and credential management for ClickHouse Cloud instances.
Invoke this skill when:
ClickHouse Cloud provides two management interfaces with different capabilities:
| Task | Via SQL (CLI/HTTP) | Via Cloud Console |
|---|---|---|
| Create database user | CREATE USER | Supported |
| Grant permissions | GRANT | Supported |
| Delete user | DROP USER | Supported |
| Create API key | Not possible | Only here |
Key distinction: Database users (created via SQL) authenticate to ClickHouse itself. API keys (created via console) authenticate to the ClickHouse Cloud management API.
ClickHouse Cloud exposes only HTTP interface publicly:
ClickHouse Cloud enforces strong password policy:
Example compliant password: StrongPass@2025!
curl -s "https://default:PASSWORD@HOST:443/" --data-binary \
"CREATE USER my_reader IDENTIFIED BY 'StrongPass@2025!' SETTINGS readonly = 1"
curl -s "https://default:PASSWORD@HOST:443/" --data-binary \
"GRANT SELECT ON deribit.* TO my_reader"
curl -s "https://default:PASSWORD@HOST:443/" --data-binary \
"DROP USER my_reader"
For comprehensive SQL patterns and advanced permission scenarios, see SQL Patterns Reference.
| Item | Purpose |
|---|---|
| ClickHouse Cloud - API Key (Admin) | Cloud management API (console operations) |
| ClickHouse Cloud - API Key (Developer Read-only) | Cloud management API (read-only) |
| gapless-deribit-clickhouse | Database default user credentials |
# Database credentials (for SQL commands)
op item get "gapless-deribit-clickhouse" --vault Engineering --reveal
# API key (for cloud management API)
op item get "ClickHouse Cloud - API Key (Admin)" --vault Engineering --reveal
default user credentials from 1PasswordHOST="your-instance.clickhouse.cloud"
PASSWORD="default-user-password"
# Create user
curl -s "https://default:$PASSWORD@$HOST:443/" --data-binary \
"CREATE USER app_user IDENTIFIED BY 'AppPass@2025!'"
# Grant specific database access
curl -s "https://default:$PASSWORD@$HOST:443/" --data-binary \
"GRANT SELECT, INSERT ON mydb.* TO app_user"
curl -s "https://default:$PASSWORD@$HOST:443/" --data-binary "SHOW USERS"
curl -s "https://user:password@HOST:443/" --data-binary "SELECT 1"
Expected output: 1 (single row with value 1)
After creating a ClickHouse user, invoke devops-tools:clickhouse-pydantic-config to generate DBeaver configuration with the new credentials.
For detailed patterns and advanced techniques, consult:
For Python application code connecting to ClickHouse Cloud, use clickhouse-connect (official HTTP driver). See clickhouse-architect for recommended code patterns and why to avoid clickhouse-driver (community).
quality-tools:clickhouse-architect - Schema design, compression codecs, Python driver policydevops-tools:clickhouse-pydantic-config - DBeaver configuration generationdevops-tools:doppler-secret-validation - For storing credentials in Dopplerdevops-tools:doppler-workflows - For credential rotation workflows