LinuxCommandLibrary

doctl-databases-user

Manage DigitalOcean database users

TLDR

Run a doctl databases user command with an access token

$ doctl [[d|databases]] [[u|user]] [command] [[-t|--access-token]] [access_token]

Retrieve details about a database user
$ doctl [[d|databases]] [[u|user]] [[g|get]] [database_id] [user_name]

Retrieve a list of database users for a given database
$ doctl [[d|databases]] [[u|user]] [[ls|list]] [database_id]

Reset the auth password for a given user
$ doctl [[d|databases]] [[u|user]] [[rs|reset]] [database_id] [user_name]

Reset the MySQL auth plugin for a given user
$ doctl [[d|databases]] [[u|user]] [[rs|reset]] [database_id] [user_name] [caching_sha2_password|mysql_native_password]

Create a user in the given database with a given username
$ doctl [[d|databases]] [[u|user]] [[c|create]] [database_id] [user_name]

Delete a user from the given database with the given username
$ doctl [[d|databases]] [[u|user]] [[rm|delete]] [database_id] [user_name]

SYNOPSIS

doctl databases user <command> [<arguments...>] [<flags...>]

Common commands include:
    create <cluster-id> <username> [<flags>]
    delete <cluster-id> <username> [<flags>]
    get <cluster-id> <username> [<flags>]
    list <cluster-id> [<flags>]
    reset <cluster-id> <username> [<flags>]

PARAMETERS

<cluster-id>
    The unique identifier (UUID) of the DigitalOcean Managed Database cluster. This is a required positional argument for most doctl databases user subcommands.

<username>
    The name of the database user to create, get, delete, or reset. This is a required positional argument for the create, delete, get, and reset subcommands.

--output, -o <format>
    Specifies the output format for the command's results (e.g., json, yaml, text, csv). This is a global doctl flag.

--format <columns>
    A comma-separated list of columns to include in text or csv output. This is a global doctl flag.

--no-header
    Prevents printing of the header row in table output. This is a global doctl flag.

--force, -f
    Bypasses confirmation prompts for destructive actions (e.g., deleting a user). Use with caution. This is a global doctl flag.

--access-token, -t <token>
    The DigitalOcean API access token to use for authentication. Can also be set via environment variable or doctl auth init. This is a global doctl flag.

--mysql-auth-plugin <plugin>
    (For MySQL create) Specifies the authentication plugin for new MySQL users (e.g., caching_sha2_password, mysql_native_password). Recommended for enhanced security.

--skip-create-database
    (For PostgreSQL create) Prevents the automatic creation of a database with the same name as the new user.

--with-access <database-name>
    (For PostgreSQL create) Grants the new user access to a specific database. This flag can be used multiple times to grant access to multiple databases.

--access <permission-level>
    (For PostgreSQL create) Sets the permission level for the user on databases they have access to (e.g., read, write, full).

DESCRIPTION

doctl databases user is a subcommand of the DigitalOcean command-line client (doctl) used for comprehensive management of users within a DigitalOcean Managed Database cluster. It provides a robust interface to perform various essential operations, including creating new database users with specific authentication plugins and access levels, listing all existing users for a given cluster, retrieving detailed information about a particular user, securely deleting users, and resetting user passwords. This command is indispensable for controlling access and permissions to your database clusters programmatically, enabling seamless integration into automation scripts, continuous integration/continuous deployment (CI/CD) pipelines, and Infrastructure as Code (IaC) workflows. It ensures that database user management can be handled efficiently and consistently across your DigitalOcean infrastructure.

CAVEATS

Requires a pre-existing DigitalOcean Managed Database cluster. The <cluster-id> argument is mandatory for most operations.
The doadmin user, created by default with every cluster, cannot be deleted or have its password reset via doctl databases user.
Resetting a password will output the new password to the console; ensure this sensitive information is secured immediately.
Deleting a database user is an irreversible action that removes their access to the database cluster. Confirm no critical applications rely solely on that user before deletion.
Some database-specific permissions (e.g., granular table permissions or role management) are managed directly within the database client, not via doctl.

AUTHENTICATION

To successfully execute doctl databases user commands, you must be authenticated with your DigitalOcean account. This is typically done by running doctl auth init and providing your API token, or by setting the DIGITALOCEAN_ACCESS_TOKEN environment variable.

SECURITY BEST PRACTICES

Always create dedicated users for your applications and services instead of using the administrative doadmin user.
Grant database users only the necessary permissions (principle of least privilege).
For MySQL, utilize strong authentication plugins like caching_sha2_password for enhanced security.
Regularly rotate database user passwords, especially for critical applications.
Securely store API tokens and generated database user passwords, avoiding hardcoding them in scripts or public repositories.
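
One way to apply the rotation and storage advice above, given that a reset prints the new password to the console. This is an added example, not part of doctl or of the original page. The function name rotate_db_password and the secret-file path are hypothetical, and it assumes that reset honors --format and --no-header and that the password column is named Password.

```shell
#!/bin/sh
# Added example: rotate a managed-database user's password and keep the new
# value out of the terminal, shell history and CI logs.

# rotate_db_password <cluster-id> <username> <secret-file>   (hypothetical helper)
rotate_db_password() {
    cluster_id=$1
    user=$2
    secret_file=$3

    # Per the CAVEATS section, doadmin cannot be reset through this subcommand.
    if [ "$user" = "doadmin" ]; then
        echo "refusing to reset doadmin via doctl databases user" >&2
        return 2
    fi

    # mktemp creates the file with mode 0600, next to the final path so that
    # the later mv is an atomic rename on the same filesystem.
    tmp=$(mktemp "${secret_file}.XXXXXX") || return 1

    # Restrict output to the password column and send it straight to the file.
    # Assumption: the column is named "Password".
    if ! doctl databases user reset "$cluster_id" "$user" \
            --format Password --no-header > "$tmp"; then
        rm -f "$tmp"
        echo "password reset failed for $user" >&2
        return 1
    fi

    # An empty result must not replace a secret that is still valid.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "no password returned for $user" >&2
        return 1
    fi

    mv -f "$tmp" "$secret_file"
}

# Usage (placeholders, not real identifiers):
#   rotate_db_password <cluster-id> app_user /run/secrets/app_user.pw
```

The access token is taken from doctl auth init or DIGITALOCEAN_ACCESS_TOKEN rather than passed with -t, so it does not appear in the process list.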

HISTORY

The doctl command-line client, including its extensive support for DigitalOcean's Managed Databases, has evolved significantly since the service's inception. Initially, database management was primarily performed through the DigitalOcean Control Panel. As the demand for automation and programmatic control grew, doctl gained comprehensive capabilities for managing database clusters and their users. This development has been crucial for enabling developers and operations teams to integrate database infrastructure management into CI/CD pipelines and leverage Infrastructure as Code (IaC) principles for their DigitalOcean deployments, making database user management a seamless and automatable process.

SEE ALSO

doctl(1), doctl databases(1), doctl auth(1), doctl compute(1)
