Cluster single sign-on for the DB Console is supported on CockroachDB and Advanced clusters. CockroachDB Standard and Basic clusters do not support cluster single sign-on and do not have access to the DB Console. However, both CockroachDB Standard and CockroachDB Basic clusters can use .
- You must have your cluster pre-configured for OIDC/SSO authentication for DB Console. Use the guide to set this up.
- SQL users/credentials:
- You must have the ability to update your cluster settings, which can be achieved in several ways. Refer to .
- A SQL user that corresponds with your external identity must be pre-provisioned on the cluster. To provision such users, you must have access to the .
Configure your cluster for SSO
Cluster Settings
You must configure the in the following table to enable JWT authentication to your cluster. Refer to the Update your cluster settings section to configure your cluster settings.| Cluster Setting | Description |
|---|---|
server.jwt\_authentication.enabled | Defaults to false, must be set to true to enable embedded JWT generation. |
server.jwt\_authentication.jwks | A list of public signing keys for allowed IdPs; must include your IdP’s key. If server.jwt\_authentication.jwks\_auto\_fetch.enabled is true, there is no need to set server.jwt\_authentication.jwks. |
server.jwt\_authentication.jwks\_auto\_fetch.enabled | If true, public signing keys are automatically fetched from the issuer and there is no need to set server.jwt\_authentication.jwks. Defaults to false. |
server.jwt\_authentication.issuers | A list of accepted token issuers; must include your IdP. |
server.jwt\_authentication.audience | This must match server.oidc\_authentication.client\_id; refer to . |
server.jwt\_authentication.claim | Which JWT field will be used to determine the user identity in CockroachDB; normally set either to email, or sub (subject). |
server.oidc\_authentication.generate\_cluster\_sso\_token.enabled | Enables token generation; must be set to true. |
server.oidc\_authentication.generate\_cluster\_sso\_token.use\_token | Selects which part of the received OIDC credentials to display. |
server.identity\_map.configuration | Takes an Identity Map configuration. |
server.sql\_host | This display value informs users the host for their SQL connections. Default: localhost. |
server.sql\_port | This display value informs users the port for their SQL connections. Default: 26257. |
Update your cluster settings
You can update your cluster settings with the SQL statement.-
enableJWT SQL authentication to your cluster. -
Add your IdP’s formal
issuername (this must match theissfield in the JWT itself) to your cluster’s list of accepted token issuers. This must match your cluster’s configured value forserver.oidc_authentication.provider_url. Refer to . Issuers are expected to publish their configuration athttps://{ domain }/.well-known/openid-configuration. For example:-
CockroachDB Cloud’s IdP configuration can be viewed publicly at:
https://cockroachlabs.cloud/.well-known/openid-configuration. Theissuerishttps://cockroachlabs.cloud. -
For Google Cloud Platform, the
openid-configurationcan be found athttps://accounts.google.com/.well-known/openid-configuration. Theissuerishttps://accounts.google.com.
-
CockroachDB Cloud’s IdP configuration can be viewed publicly at:
-
server.jwt_authentication.audienceThe ID of your cluster as specified by the IdP, or a JSON array of such names. This must matchserver.oidc_authentication.client_id; refer to .
Many third-party token issuers, including GCP and Azure, will by default create tokens with a generic default audience. It is best practice to limit the scope of access tokens as much as possible, so if possible, we recommend issuing tokens with only the required audience value corresponding to the
audience configured on the cluster.By extension, if your provider allows you to specify scopes or permissions on the token, you should specify these as restrictively as possible, while still allowing for the functions intended for the service account or user.-
server.jwt_authentication.claimThis setting determines which field in the JWT your cluster will use to the identity to a SQL user. The value ofemailindicates the email field in the JWT. -
server.jwt_authentication.jwksAdd your IdP’s public signing key to your cluster’s list of accepted signing JSON web keys (JWKS), under thejwkssetting. This is a JWK formatted single key or key set, containing the public keys for SSO token issuers/IdPs that will be accepted by your cluster. This list must include a given IdP, or the cluster will reject JWTs issued by it. IdPs serve their public certificates and other required information athttps://{ domain }/.well-known/openid-configuration. IdPs such as Google rotate their signing keys periodically. You must update your cluster with a new signing key before the previous one expires, or your SQL clients will be unable to connect with cluster SSO. We recommend updating this cluster setting with the current key daily to avoid this scenario. Alternatively, you can enableserver.jwt_authentication.jwks_auto_fetch.enabledto automatically fetch signing keys from the issuer instead of maintaining a static list of signing keys. Ifserver.jwt_authentication.jwks_auto_fetch.enabledis enabled, thenserver.jwt_authentication.jwksis ignored. CockroachDB Advanced: By default, your cluster’s configuration will contain the CockroachDB Cloud’s own public key, allowing CockroachDB Cloud to serve as an IdP. This is required for . When modifying this cluster setting, you must include the CockroachDB Cloud public key in the key set, or SSO withccloudwill no longer work. The public key for can be found athttps://cockroachlabs.cloud/.well-known/openid-configuration. For example: -
Instead of setting
server.jwt_authentication.jwksto a list of static signing keys, you can setserver.server.jwt_authentication.jwks_auto_fetch.enabledtotrueto enable automatic fetching of signing keys for the issuers specified inserver.jwt_authentication.issuers. Signing keys are fetched from the issuer’shttps://{ domain }/.well-known/openid-configurationendpoint. -
Set your Identity Map. Refer to Identity Map configuration.
-
Enable token generation.
This will also cause the token generation button to appear in the UI.
-
Set
use_token, which determines how the user’s identity will be displayed. It can be set to eitherid_tokenoraccess_token, depending on the structure of the your JWT as determined in your IDP configuration.
How CockroachDB determines the SQL username from a JWT
server.jwt_authentication.claimdetermines which field to use to identify the external user. This must match a SQL user via the identity map.server.identity_map.configurationmaps that claim (along with the token’s issuer) to a SQL username.
Identity Map configuration
Th cluster settingserver.identity_map.configuration holds your cluster’s identity map configuration, which tells your cluster how to map external identities to SQL users. This is functionally similar to PostgreSQL’s User Name Map.
Each line potentially maps many external identities to one SQL user, and a configuration can contain multiple lines, so the mapping can be many-to-many. The cluster checks to see if the SQL username given in the connection request matches the identity in the token by any of the lines in the Identity Map.
<external issuer <external user ID> <SQL username>
Examples:
-
https://accounts.google.com /^(.*)@cockroachlabs\.com$ \1Maps everycockroachlabsemail to a SQL user with the same username. That is, the part of the email address to the left of the@). For example,docs@cockroachlabs.combecomesdocs. -
https://accounts.google.com 1232316645658094244789 roachMaps a single external identity with the hard-coded ID to theroach. -
https://accounts.google.com /^([9-0]*)$ gcp_\1Maps each GCP-provisioned service account to a SQL user namedgcp_{ GCP user ID }. For example,gcp_1234567for a service account with ID1234567.
Authenticate to your cluster
Once ConsoleDB SSO and Cluster SSO with JWTs are enabled and your cluster is properly configured (including mapping authorized external users to SQL roles), users can self-provision auth tokens through a sign-in flow embedded in the DB Console. These tokens (JWTs) are intended as short-lived credentials, and although their expiry depends on the IdP configuration, it is usually 1 hour.- Obtain a token. Go to your cluster’s DB Console and click the Generate JWT auth token for cluster SSO button
-
Use the token in place of a password in your database connection string.
What’s Next?
- Learn more about in CockroachDB.
- This Cockroach Labs blog post covers and provides further resources for a variety of auth token-issuing use cases, including using Okta and Google Cloud Platform to issue tokens.

