• Glossary
  • Support
  • Downloads
  • DataStax Home
Get Live Help
Expand All
Collapse All

DataStax Astra DB Serverless Documentation

    • Overview
      • Release notes
      • Astra DB FAQs
      • Astra DB glossary
      • Get support
    • Getting Started
      • Grant a user access
      • Load and retrieve data
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
      • Connect a driver
      • Build sample apps
      • Use integrations
        • Connect with DataGrip
        • Connect with DBSchema
        • Connect with JanusGraph
        • Connect with Strapi
    • Planning
      • Plan options
      • Database regions
    • Securing
      • Security highlights
      • Security guidelines
      • Default user permissions
      • Change your password
      • Reset your password
      • Authentication and Authorization
      • Astra DB Plugin for HashiCorp Vault
    • Connecting
      • Connecting private endpoints
        • AWS Private Link
        • Azure Private Link
        • GCP Private Endpoints
        • Connecting custom DNS
      • Connecting Change Data Capture (CDC)
      • Connecting CQL console
      • Connect the Spark Cassandra Connector to Astra
      • Drivers for Astra DB
        • Connecting C++ driver
        • Connecting C# driver
        • Connecting Java driver
        • Connecting Node.js driver
        • Connecting Python driver
        • Drivers retry policies
      • Connecting Legacy drivers
      • Get Secure Connect Bundle
    • Migrating
      • FAQs
      • Preliminary steps
        • Feasibility checks
        • Deployment and infrastructure considerations
        • Create target environment for migration
        • Understand rollback options
      • Phase 1: Deploy ZDM Proxy and connect client applications
        • Set up the ZDM Automation with ZDM Utility
        • Deploy the ZDM Proxy and monitoring
          • Configure Transport Layer Security
        • Connect client applications to ZDM Proxy
        • Manage your ZDM Proxy instances
      • Phase 2: Migrate and validate data
      • Phase 3: Enable asynchronous dual reads
      • Phase 4: Change read routing to Target
      • Phase 5: Connect client applications directly to Target
      • Troubleshooting
        • Troubleshooting tips
        • Troubleshooting scenarios
      • Additional resources
        • Glossary
        • Contribution guidelines
        • Release Notes
    • Managing
      • Managing your organization
        • User permissions
        • Pricing and billing
        • Audit Logs
        • Bring Your Own Key
          • BYOK AWS Astra DB console
          • BYOK GCP Astra DB console
          • BYOK AWS DevOps API
          • BYOK GCP DevOps API
        • Configuring SSO
          • Configure SSO for Microsoft Azure AD
          • Configure SSO for Okta
          • Configure SSO for OneLogin
      • Managing your database
        • Create your database
        • View your databases
        • Database statuses
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
        • Monitor your databases
        • Export metrics to third party
          • Export metrics via Astra Portal
          • Export metrics via DevOps API
        • Manage access lists
        • Manage multiple keyspaces
        • Using multiple regions
        • Terminate your database
      • Managing with DevOps API
        • Managing database lifecycle
        • Managing roles
        • Managing users
        • Managing tokens
        • Managing BYOK AWS
        • Managing BYOK GCP
        • Managing access list
        • Managing multiple regions
        • Get private endpoints
        • AWS PrivateLink
        • Azure PrivateLink
        • GCP Private Service
    • Astra CLI
    • Astra Block
      • Quickstart
      • FAQ
      • Data model
      • About NFTs
    • Developing with Stargate APIs
      • Develop with REST
      • Develop with Document
      • Develop with GraphQL
        • Develop with GraphQL (CQL-first)
        • Develop with GraphQL (Schema-first)
      • Develop with gRPC
        • gRPC Rust client
        • gRPC Go client
        • gRPC Node.js client
        • gRPC Java client
      • Develop with CQL
      • Tooling Resources
      • Node.js Document API client
      • Node.js REST API client
    • Stargate QuickStarts
      • Document API QuickStart
      • REST API QuickStart
      • GraphQL API CQL-first QuickStart
    • API References
      • DevOps REST API v2
      • Stargate Document API v2
      • Stargate REST API v2
  • DataStax Astra DB Serverless Documentation
  • Managing
  • Managing with DevOps API
  • Managing access list

Managing access list

Use the DevOps API to add and remove addresses for your database access list. You can also enable and disable your access list.

You can use the DevOps API to perform the actions your role permissions allow.

The following roles use the application token to execute DevOps API queries:

  • Organization Administrator

  • Database Administrator

Prerequisites

  1. Create an application token to authenticate your service account in the DevOps API.

  2. Once you have authenticated your service account, you can add and remove IP addresses and CIDRs for your access list in the DevOps API.

  3. You must have your access list on to be able to manage your access list via the DevOps API.

Adding addresses to your database access list

  1. Check existing access lists within your organization or database to see which addresses are already on your access list(s):

    Access lists are configured for each database within an organization. You must add each address to every database access list for which you want the address to have access.

    • cURL command (/v2): Get all access lists in organization

    • cURL command (/v2): Get access list in database

    • Result

    curl --request GET \
  --url 'https://api.astra.datastax.com/v2/access-lists' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'
    curl --request GET \
  --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'
    [
  {
    "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
    "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
    "addresses": [
      {
        "address": "137.187.23.0/24",
        "enabled": true,
        "description": "This address allows the database connections from the production environment.",
        "lastUpdateDateTime": "2021-01-21T17:32:28Z"
      }
    ],
    "configurations": {
      "accessListEnabled": true
    }
  }
]

    For more, see Get all access lists for an organization and Get access list for a database in the DevOps API.

  2. Get a template for your access list:

    • cURL command (/v2)

    • Result

    curl --request GET \
  --url 'https://api.astra.datastax.com/v2/access-list/template' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'
    [
  {
    "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
    "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
    "addresses": [
      {
        "address": "137.187.23.0/24",
        "enabled": true,
        "description": "This address allows the database connections from the production environment.",
        "lastUpdateDateTime": "2021-01-21T17:32:28Z"
      }
    ],
    "configurations": {
      "accessListEnabled": true
    }
  }
]

    For more, see Get template of access list in the DevOps API.

  3. Complete your access list to submit.

  4. Add your access list addresses:

    curl --request POST \
  --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>' \
  --data '{
      [
        "address": "125.187.17.0/24",
        "enabled": true,
        "description": "Development"
      ]
    }'

    For more, see Add addresses to access list for a database in the DevOps API.

  5. Confirm the new addresses have been added to your access list:

    • cURL command (/v2)

    • Result

    curl --request GET \
  --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'
    [
  {
    "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
    "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
    "addresses": [
      {
        "address": "137.187.23.0/24",
        "enabled": true,
        "description": "This address allows the database connections from the production environment.",
        "lastUpdateDateTime": "2021-01-21T17:32:28Z"
      },
      {
        "address": "125.187.17.0/24",
        "enabled": true,
        "description": "Development"
      },
    ],
    "configurations": {
      "accessListEnabled": true
    }
  }
]

Replacing your existing access list

  1. Check existing access lists within your organization or database to see which addresses are already on your access list:

    • cURL command (/v2): Get all access lists in organization

    • cURL command (/v2): Get access list in database

    • Result

    curl --request GET \
  --url 'https://api.astra.datastax.com/v2/access-lists' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'
    curl --request GET \
  --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'
    [
  {
    "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
    "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
    "addresses": [
      {
        "address": "137.187.23.0/24",
        "enabled": true,
        "description": "This address allows the database connections from the production environment.",
        "lastUpdateDateTime": "2021-01-21T17:32:28Z"
      }
    ],
    "configurations": {
      "accessListEnabled": true
    }
  }
]

    For more, see Get all access lists for an organization and Get access list for a database in the DevOps API.

  2. Submit your revised access list:

    • cURL command (/v2): Replace access list

    • cURL command (/v2): Update access list

    curl --request PUT \
  --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>' \
  --data '{
      "addresses": [
          {
            "address": "125.187.17.0/24",
            "enabled": true,
            "description": "Development"
            "lastUpdateDateTime": "2021-01-21T17:32:28Z"
          }
        ],
        "configurations": {
          "accessListEnabled": true
        }
    }'
    curl --request PATCH \
  --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>' \
  --data '{
      "addresses": [
          {
            "address": "125.187.17.0/24",
            "enabled": true,
            "description": "Development"
          }
        ],
        "configurations": {
          "accessListEnabled": true
        }
    }'

    For more, see Replace access list for your database and Update existing fields in access list for database in the DevOps API.

  3. Confirm the new addresses have been added to your access list:

    • cURL command (/v2)

    • Result

    curl --request GET \
  --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'
    [
  {
    "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
    "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
    "addresses": [
      {
        "address": "137.187.23.0/24",
        "enabled": true,
        "description": "This address allows the database connections from the production environment.",
        "lastUpdateDateTime": "2021-01-21T17:32:28Z"
      },
      {
        "address": "125.187.17.0/24",
        "enabled": true,
        "description": "Development"
      },
    ],
    "configurations": {
      "accessListEnabled": true
    }
  }
]

Deleting address or access lists

If you do not specify which addresses to delete, the entire access list is deleted.

When the entire access list is deleted, public access is no longer restricted.

  1. Check existing access lists within your organization or database to see which addresses are already on your access list:

    • cURL command (/v2): Get all access lists in organization

    • cURL command (/v2): Get access list in database

    • Result

    curl --request GET \
  --url 'https://api.astra.datastax.com/v2/access-lists' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'
    curl --request GET \
  --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'
    [
  {
    "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
    "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
    "addresses": [
      {
        "address": "137.187.23.0/24",
        "enabled": true,
        "description": "This address allows the database connections from the production environment.",
        "lastUpdateDateTime": "2021-01-21T17:32:28Z"
      },
      {
        "address": "125.187.17.0/24",
        "enabled": true,
        "description": "Development"
      },
    ],
    "configurations": {
      "accessListEnabled": true
    }
  }
]

  2. Delete an address from your access list:

    • cURL command (/v2): Delete addresses from access list

    • cURL command (/v2): Delete entire access list

    curl --request DELETE \
  --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>' \
  --data '{
      "addresses": [
          {
            "address": "125.187.17.0/24"
          }
        ]
    }'
    curl --request DELETE \
  --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'

  3. Confirm the address no longer exists:

    • cURL command (/v2): Get all access lists in organization

    • cURL command (/v2): Get access list in database

    • Result

    curl --request GET \
  --url 'https://api.astra.datastax.com/v2/access-lists' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'
    curl --request GET \
  --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'
    [
  {
    "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
    "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
    "addresses": [
      {
        "address": "137.187.23.0/24",
        "enabled": true,
        "description": "This address allows the database connections from the production environment.",
        "lastUpdateDateTime": "2021-01-21T17:32:28Z"
      }
    ],
    "configurations": {
      "accessListEnabled": true
    }
  }
]

For more, see Delete addresses or access list for database in the DevOps API.

What’s next?

Explore the DevOps API.

Managing BYOK GCP Managing multiple regions

General Inquiries: +1 (650) 389-6000 info@datastax.com

© DataStax | Privacy policy | Terms of use

DataStax, Titan, and TitanDB are registered trademarks of DataStax, Inc. and its subsidiaries in the United States and/or other countries.

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Kubernetes is the registered trademark of the Linux Foundation.

landing_page landingpage