clickhouse-cloud-management
ClickHouse Cloud user and permission management. TRIGGERS - create ClickHouse user, ClickHouse permissions, ClickHouse Cloud credentials.
Best use case
clickhouse-cloud-management is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
ClickHouse Cloud user and permission management. TRIGGERS - create ClickHouse user, ClickHouse permissions, ClickHouse Cloud credentials.
Teams using clickhouse-cloud-management should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/clickhouse-cloud-management/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How clickhouse-cloud-management Compares
| Feature / Agent | clickhouse-cloud-management | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
ClickHouse Cloud user and permission management. TRIGGERS - create ClickHouse user, ClickHouse permissions, ClickHouse Cloud credentials.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# ClickHouse Cloud Management ADR: 2025-12-08-clickhouse-cloud-management-skill > **Self-Evolving Skill**: This skill improves through use. If instructions are wrong, parameters drifted, or a workaround was needed — fix this file immediately, don't defer. Only update for real, reproducible issues. ## Overview ClickHouse Cloud user and permission management via SQL commands over HTTP interface. This skill covers database user creation, permission grants, and credential management for ClickHouse Cloud instances. **Schema documentation principle**: All ClickHouse table/column COMMENTs are the single source of truth (SSoT). When creating tables or columns, always include COMMENT clauses. See `quality-tools:clickhouse-architect` for the full COMMENT SSoT policy. ## When to Use This Skill Invoke this skill when: - Creating database users for ClickHouse Cloud - Managing user permissions (GRANT/REVOKE) - Testing ClickHouse Cloud connectivity - Troubleshooting authentication issues - Understanding API key vs database user distinction ## Key Concepts ### Management Options ClickHouse Cloud provides two management interfaces with different capabilities: | Task | Via SQL (CLI/HTTP) | Via Cloud Console | | -------------------- | ------------------ | ----------------- | | Create database user | CREATE USER | Supported | | Grant permissions | GRANT | Supported | | Delete user | DROP USER | Supported | | Create API key | Not possible | Only here | **Key distinction**: Database users (created via SQL) authenticate to ClickHouse itself. API keys (created via console) authenticate to the ClickHouse Cloud management API. ### Connection Details ClickHouse Cloud exposes only HTTP interface publicly: - **Port**: 443 (HTTPS) - **Protocol**: HTTP (not native ClickHouse protocol) - **Native protocol**: Requires AWS PrivateLink (not available without enterprise setup) ### Password Requirements ClickHouse Cloud enforces strong password policy: - Minimum 12 characters - At least 1 uppercase letter - At least 1 special character Example compliant password: `StrongPass@2025!` ## Quick Reference ### Create Read-Only User ```bash curl -s "https://default:PASSWORD@HOST:443/" --data-binary \ "CREATE USER my_reader IDENTIFIED BY 'StrongPass@2025!' SETTINGS readonly = 1" ``` ### Grant Database Access ```bash curl -s "https://default:PASSWORD@HOST:443/" --data-binary \ "GRANT SELECT ON deribit.* TO my_reader" ``` ### Delete User ```bash curl -s "https://default:PASSWORD@HOST:443/" --data-binary \ "DROP USER my_reader" ``` For comprehensive SQL patterns and advanced permission scenarios, see [SQL Patterns Reference](./references/sql-patterns.md). ## Credential Sources ### 1Password Items (Engineering Vault) | Item | Purpose | | ------------------------------------------------ | ----------------------------------------- | | ClickHouse Cloud - API Key (Admin) | Cloud management API (console operations) | | ClickHouse Cloud - API Key (Developer Read-only) | Cloud management API (read-only) | | gapless-deribit-clickhouse | Database `default` user credentials | ### Retrieving Credentials ```bash # Database credentials (for SQL commands) op item get "gapless-deribit-clickhouse" --vault Engineering --reveal # API key (for cloud management API) op item get "ClickHouse Cloud - API Key (Admin)" --vault Engineering --reveal ``` ## Common Workflows ### Workflow 1: Create Application User 1. Retrieve `default` user credentials from 1Password 2. Create new user with appropriate permissions: ```bash HOST="your-instance.clickhouse.cloud" PASSWORD="default-user-password" # Create user curl -s "https://default:$PASSWORD@$HOST:443/" --data-binary \ "CREATE USER app_user IDENTIFIED BY 'AppPass@2025!'" # Grant specific database access curl -s "https://default:$PASSWORD@$HOST:443/" --data-binary \ "GRANT SELECT, INSERT ON mydb.* TO app_user" ``` ### Workflow 2: Verify User Exists ```bash curl -s "https://default:$PASSWORD@$HOST:443/" --data-binary "SHOW USERS" ``` ### Workflow 3: Test Connection ```bash curl -s "https://user:password@HOST:443/" --data-binary "SELECT 1" ``` Expected output: `1` (single row with value 1) ## Troubleshooting ### Authentication Failed - Verify password meets complexity requirements - Check host URL includes port 443 - Ensure using HTTPS (not HTTP) ### Permission Denied - Verify user has required GRANT statements - Check database and table names are correct - Confirm user was created with correct settings ### Connection Timeout - ClickHouse Cloud only exposes port 443 publicly - Native protocol (port 9440) requires PrivateLink - Use HTTP interface with curl or clickhouse-client HTTP mode ## Next Steps After User Creation <!-- ADR: 2025-12-10-clickhouse-skill-delegation --> After creating a ClickHouse user, invoke **`devops-tools:clickhouse-pydantic-config`** to generate DBeaver configuration with the new credentials. ## Additional Resources ### Reference Files For detailed patterns and advanced techniques, consult: - **[references/sql-patterns.md](./references/sql-patterns.md)** - Complete SQL syntax reference with examples ## Python Driver Policy For Python application code connecting to ClickHouse Cloud, use `clickhouse-connect` (official HTTP driver). See [`clickhouse-architect`](../../../quality-tools/skills/clickhouse-architect/SKILL.md#python-driver-policy) for recommended code patterns and why to avoid `clickhouse-driver` (community). ## Related Skills - `quality-tools:clickhouse-architect` - Schema design, compression codecs, Python driver policy - `devops-tools:clickhouse-pydantic-config` - DBeaver configuration generation - `devops-tools:doppler-secret-validation` - For storing credentials in Doppler - `devops-tools:doppler-workflows` - For credential rotation workflows ## Post-Execution Reflection After this skill completes, check before closing: 1. **Did the command succeed?** — If not, fix the instruction or error table that caused the failure. 2. **Did parameters or output change?** — If the underlying tool's interface drifted, update Usage examples and Parameters table to match. 3. **Was a workaround needed?** — If you had to improvise (different flags, extra steps), update this SKILL.md so the next invocation doesn't need the same workaround. Only update if the issue is real and reproducible — not speculative.
Related Skills
clickhouse-architect
ClickHouse schema design and optimization. TRIGGERS - ClickHouse schema, compression codecs, MergeTree, ORDER BY tuning, partition key.
glossary-management
Manage terminology glossary with Vale. TRIGGERS - sync terms, glossary validation, add terms, Vale vocabulary.
cloudflare-workers-publish
Deploy static HTML files to Cloudflare Workers with 1Password credential management. TRIGGERS - Cloudflare Workers deploy, publish static site, wrangler deploy, static hosting, cloudflare publish, CF Workers, HTML hosting, workers.dev, static assets deploy
clickhouse-pydantic-config
Generate DBeaver config from Pydantic ClickHouse models. TRIGGERS - DBeaver config, ClickHouse connection, database client config.
voice-quality-audition
Audition Kokoro TTS voices to compare quality and grade. TRIGGERS - audition voices, kokoro voices, voice comparison, tts voice, voice quality, compare voices.
settings-and-tuning
Configure TTS voices, speed, timeouts, queue depth, and bot settings. TRIGGERS - configure tts, change voice, tts speed, queue depth, tts timeout, bot config, tune settings, adjust parameters.
full-stack-bootstrap
One-time bootstrap for Kokoro TTS engine, Telegram bot, and BotFather setup. TRIGGERS - setup tts, install kokoro, botfather, bootstrap tts-tg-sync, configure telegram bot, full stack setup.
diagnostic-issue-resolver
Diagnose and resolve TTS and Telegram bot issues. TRIGGERS - tts not working, bot not responding, kokoro error, audio not playing, lock stuck, telegram bot troubleshoot, diagnose issue.
component-version-upgrade
Upgrade Kokoro model, bot dependencies, or TTS components. TRIGGERS - upgrade kokoro, update model, upgrade bot, update dependencies, version bump, component update.
clean-component-removal
Remove TTS and Telegram sync components cleanly. TRIGGERS - uninstall tts, remove telegram bot, uninstall kokoro, clean tts, teardown, component removal.
send-message
Use when user wants to send a text message on Telegram as their personal account via MTProto, text someone, or message a contact by username, phone, or chat ID.
send-media
Use when user wants to send or upload a file, photo, video, voice note, or document on Telegram via their personal account.