Skip to main content
The Infisical ClickHouse dynamic secret allows you to generate ClickHouse database credentials on demand based on a configured role.

Prerequisite

Create a user with the required permissions in your ClickHouse instance. This user will be used to create new accounts on-demand. 
CREATE USER 'infisical' IDENTIFIED WITH sha256_password BY '<strong-password>';
GRANT CREATE USER, DROP USER, GRANT OPTION ON *.* TO 'infisical';
The GRANT OPTION privilege is required so that the service user can grant permissions to the dynamically created users.

Set up Dynamic Secrets with ClickHouse

1

Open Secret Overview Dashboard

Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
2

Click on the 'Add Dynamic Secret' button

Add Dynamic Secret Button
3

Select 'ClickHouse'

Dynamic Secret Modal
4

Provide the inputs for dynamic secret parameters

Secret Name
string
required
Name by which you want the secret to be referenced
Default TTL
string
required
Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
Max TTL
string
required
Maximum time-to-live for a generated secret
Metadata
list
List of key/value metadata pairs
Host
string
required
ClickHouse server hostname or IP address (e.g., https://your-host.clickhouse.cloud)
Port
number
required
ClickHouse HTTP interface port. Use 8123 for HTTP or 8443 for HTTPS / ClickHouse Cloud.
User
string
required
Username of the service account that will be used to create dynamic credentials
Password
string
required
Password of the service account that will be used to create dynamic credentials
Database Name
string
required
Name of the database for which you want to create dynamic secrets. Defaults to default.
Gateway
string
A gateway may be required if your ClickHouse instance is not publicly accessible (e.g. in a private VPC). Select a configured gateway to route traffic through it.
CA (SSL)
string
Only needed if your ClickHouse instance uses a self-signed or private CA certificate. ClickHouse Cloud uses publicly trusted certificates, so no CA is required — just include https:// in the host. Providing a CA also enables HTTPS automatically.
ClickHouse Dynamic Secret Setup Modal
5

(Optional) Modify ClickHouse Statements

Modify ClickHouse Statements Modal
Username Template
string
default:"{{randomUsername}}"
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.Allowed template variables are:
  • {{randomUsername}}: Random username string.
  • {{unixTimestamp}}: Current Unix timestamp at the time of lease creation.
  • {{identity.name}}: Name of the identity that is generating the lease.
  • {{dynamicSecret.name}}: Name of the associated dynamic secret.
  • {{dynamicSecret.type}}: Type of the associated dynamic secret.
  • {{random N}}: Random string of N characters.
Allowed template functions are:
  • truncate: Truncates a string to a specified length.
  • replace: Replaces a substring with another value.
  • uppercase: Converts a string to uppercase.
  • lowercase: Converts a string to lowercase.
Examples:
{{ randomUsername }}                                            // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
{{ unixTimestamp }}                                             // 17490641580
{{ identity.name }}                                             // <identity-name>
{{ random 5 }}                                                  // x9K2m
{{ truncate identity.name 4 }}                                  // test
{{ replace identity.name '<identity-name>' 'new-value' }}       // new-value
Creation Statement
string
ClickHouse statement used to create the dynamic user. The default creates a user with SHA-256 password authentication and grants SELECT on all tables in the configured database.Available template variables: {{username}}, {{password}}, {{database}}, {{expiration}}.
CREATE USER '{{username}}' IDENTIFIED WITH sha256_password BY '{{password}}';
GRANT SELECT ON {{database}}.* TO '{{username}}';
Revocation Statement
string
ClickHouse statement used to revoke the dynamic user when a lease expires or is manually deleted.
DROP USER IF EXISTS '{{username}}';
Renew Statement
string
Optional ClickHouse statement executed when a lease is renewed. Leave blank if no action is required on renewal.
ClickHouse does not support DDL transactions, so statements are executed sequentially. Ensure that each statement is separated by a semicolon (;).
6

Click 'Submit'

After submitting the form, you will see a dynamic secret created in the dashboard.
If this step fails, verify that the service user has the CREATE USER, DROP USER, and GRANT OPTION privileges, and that the host and port are reachable from Infisical.
Dynamic Secret
7

Generate dynamic secrets

Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand credentials. To do this, simply click on the Generate button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting New Lease from the dynamic secret lease list section.Dynamic SecretDynamic SecretWhen generating these secrets, it’s important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.Provision Lease
Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret.
Once you click the Submit button, a new secret lease will be generated and the credentials from it will be shown to you.Provision Lease

Audit or Revoke Leases

Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. This will allow you to see the expiration time of the lease or delete a lease before its set time to live. Provision Lease

Renew Leases

To extend the life of the generated dynamic secret leases past its initial time to live, simply click on the Renew button as illustrated below. Provision Lease
Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret