Documentation

Create a database token

Use the influxctl CLI or the Management HTTP API to create a database token with permissions for reading and writing data in your InfluxDB Cloud Dedicated cluster.

Use the influxctl token create command to create a token that grants access to databases in your InfluxDB Cloud Dedicated cluster.

  1. If you haven’t already, download and install the influxctl CLI, and then configure an influxctl connection profile for your cluster.

  2. In your terminal, run the influxctl token create command and provide the following:

    • Token permissions (read and write)

      • --read-database: Grants read permissions to the specified database. Repeatable.
      • --write-database: Grants write permissions to the specified database. Repeatable.

      Both of these flags support the * wildcard which grants read or write permissions to all databases. Enclose wildcards in single or double quotes–for example: '*' or "*".

    • Token description

influxctl token create \
  --read-database 
DATABASE_NAME
\
--write-database
DATABASE_NAME
\
"Read/write token for
DATABASE_NAME
"

Replace the following:

  • DATABASE_NAME: your InfluxDB Cloud Dedicated database

The output is the token ID and the token string. This is the only time the token string is available in plain text.

This example uses cURL to send a Management HTTP API request, but you can use any HTTP client.

  1. If you haven’t already, follow the instructions to install cURL for your system.

  2. In your terminal, use cURL to send a request to the following InfluxDB Cloud Dedicated endpoint:

    POST https://console.influxdata.com/api/v0/accounts/ACCOUNT_ID/clusters/CLUSTER_ID/tokens

    In the URL, provide the following credentials:

    Provide the following request headers:

    • Accept: application/json to ensure the response body is JSON content
    • Content-Type: application/json to indicate the request body is JSON content
    • Authorization: Bearer and a Management API token for your cluster (see how to create a management token for Management API requests).

    In the request body, provide the following parameters:

    • permissions: an array of token permissions (read or write) objects:
      • "action": Specify read or write permission to the database.
      • "resource": Specify the database name.
    • description: Provide a description of the token.

The following example shows how to use the Management API to create a database token:

curl \
   --location "https://console.influxdata.com/api/v0/accounts/
ACCOUNT_ID
/clusters/
CLUSTER_ID
/tokens"
\
--header "Accept: application/json" \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer
MANAGEMENT_TOKEN
"
\
--data '{ "description": "Read/write token for
DATABASE_NAME
",
"permissions": [ { "action": "write", "resource": "
DATABASE_NAME
"
}, { "action": "read", "resource": "
DATABASE_NAME
"
} ] }'

Replace the following in your request:

  • ACCOUNT_ID: the ID of the InfluxDB Cloud Dedicated account to create the database token for
  • CLUSTER_ID: the ID of the InfluxDB Cloud Dedicated cluster to create the database token for
  • MANAGEMENT TOKEN: a management token for your InfluxDB Cloud Dedicated cluster
  • DATABASE_NAME: a InfluxDB Cloud Dedicated database that the token will have read or write permission to

The response body contains the token ID and the token string. This is the only time the token string is available in plain text.

Notable behaviors

  • InfluxDB might take some time–from a few seconds to a few minutes–to activate and synchronize new tokens. If a new database token doesn’t immediately work (you receive a 401 Unauthorized error) for querying or writing, wait and then try again.
  • Token strings are viewable only on token creation.

Store secure tokens in a secret store

Token strings are viewable only on token creation and aren’t stored by InfluxDB. We recommend storing database tokens in a secure secret store. For example, see how to authenticate Telegraf using tokens in your OS secret store.

If you lose a token, delete the token from InfluxDB and create a new one.

Output format

The influxctl token create command supports the --format json option. By default, the command outputs the token string. For token details and easier programmatic access to the command output, include --format json with your command to format the output as JSON.

The Management API outputs JSON format in the response body.

Examples

In the examples below, replace the following:

  • DATABASE_NAME: your InfluxDB Cloud Dedicated database
  • DATABASE2_NAME: your InfluxDB Cloud Dedicated database
  • ACCOUNT_ID: the ID of the InfluxDB Cloud Dedicated account to create the database token for
  • CLUSTER_ID: the ID of the InfluxDB Cloud Dedicated cluster to create the database token for
  • MANAGEMENT TOKEN: a management token for your InfluxDB Cloud Dedicated cluster

Create a token with read and write access to a database

influxctl token create \
  --read-database 
DATABASE_NAME
\
--write-database
DATABASE_NAME
\
"Read/write token for
DATABASE_NAME
"
curl \
   --location "https://console.influxdata.com/api/v0/accounts/
ACCOUNT_ID
/clusters/
CLUSTER_ID
/tokens"
\
--header "Accept: application/json" \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer
MANAGEMENT_TOKEN
"
\
--data '{ "description": "Read/write token for
DATABASE_NAME
",
"permissions": [ { "action": "write", "resource": "
DATABASE_NAME
"
}, { "action": "read", "resource": "
DATABASE_NAME
"
} ] }'

Create a token with read and write access to all databases

influxctl token create \
  --read-database "*" \
  --write-database "*" \
  "Read/write token for all databases"
curl \
   --location "https://console.influxdata.com/api/v0/accounts/
ACCOUNT_ID
/clusters/
CLUSTER_ID
/tokens"
\
--header "Accept: application/json" \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer
MANAGEMENT_TOKEN
"
\
--data '{ "description": "Read/write token for all databases", "permissions": [ { "action": "write", "resource": "*" }, { "action": "read", "resource": "*" } ] }'

Create a token with read-only access to a database

influxctl token create \
  --read-database 
DATABASE_NAME
\
"Read-only token for
DATABASE_NAME
"
curl \
   --location "https://console.influxdata.com/api/v0/accounts/
ACCOUNT_ID
/clusters/
CLUSTER_ID
/tokens"
\
--header "Accept: application/json" \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer
MANAGEMENT_TOKEN
"
\
--data '{ "description": "Read-only token for
DATABASE_NAME
",
"permissions": [ { "action": "read", "resource": "
DATABASE_NAME
"
} ] }'

Create a token with read-only access to multiple databases

influxctl token create \
  --read-database 
DATABASE_NAME
\
--read-database
DATABASE2_NAME
\
"Read-only token for
DATABASE_NAME
and
DATABASE2_NAME
"
curl \
   --location "https://console.influxdata.com/api/v0/accounts/
ACCOUNT_ID
/clusters/
CLUSTER_ID
/tokens"
\
--header "Accept: application/json" \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer
MANAGEMENT_TOKEN
"
\
--data '{ "description": "Read-only token for
DATABASE_NAME
and
DATABASE2_NAME
",
"permissions": [ { "action": "read", "resource": "
DATABASE_NAME
"
}, { "action": "read", "resource": "
DATABASE2_NAME
"
} ] }'

Create a token with mixed permissions to multiple databases

influxctl token create \
  --read-database 
DATABASE_NAME
\
--read-database
DATABASE2_NAME
\
--write-database
DATABASE2_NAME
\
"Read-only on
DATABASE_NAME
, read/write on
DATABASE2_NAME
"
curl \
   --location "https://console.influxdata.com/api/v0/accounts/
ACCOUNT_ID
/clusters/
CLUSTER_ID
/tokens"
\
--header "Accept: application/json" \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer
MANAGEMENT_TOKEN
"
\
--data '{ "description": "Read-only on
DATABASE_NAME
, read/write on
DATABASE2_NAME
",
"permissions": [ { "action": "read", "resource": "
DATABASE_NAME
"
}, { "action": "read", "resource": "
DATABASE2_NAME
"
}, { "action": "write", "resource": "
DATABASE2_NAME
"
}, ] }'

Was this page helpful?

Thank you for your feedback!


The future of Flux

Flux is going into maintenance mode. You can continue using it as you currently are without any changes to your code.

Read more

InfluxDB 3 Open Source Now in Public Alpha

InfluxDB 3 Open Source is now available for alpha testing, licensed under MIT or Apache 2 licensing.

We are releasing two products as part of the alpha.

InfluxDB 3 Core, is our new open source product. It is a recent-data engine for time series and event data. InfluxDB 3 Enterprise is a commercial version that builds on Core’s foundation, adding historical query capability, read replicas, high availability, scalability, and fine-grained security.

For more information on how to get started, check out: