• Glossary
  • Support
  • Downloads
  • DataStax Home
Get Live Help
Expand All
Collapse All

DataStax Astra DB Serverless Documentation

    • Overview
      • Release notes
      • Astra DB FAQs
      • Astra DB Architecture FAQ
      • Astra DB glossary
      • Get support
    • Getting Started
      • Astra Vector Search Quickstart
      • Create your database
      • Grant a user access
      • Load and retrieve data
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
      • Connect a driver
      • Build sample apps
    • Planning
      • Plan options
      • Database regions
    • Securing
      • Security highlights
      • Security guidelines
      • Default user permissions
      • Change your password
      • Reset your password
      • Authentication and Authorization
      • Astra DB Plugin for HashiCorp Vault
    • Connecting
      • Connecting private endpoints
        • AWS Private Link
        • Azure Private Link
        • GCP Private Endpoints
        • Connecting custom DNS
      • Connecting Change Data Capture (CDC)
      • Connecting CQL console
      • Connect the Spark Cassandra Connector to Astra
      • Drivers for Astra DB
        • Connecting C++ driver
        • Connecting C# driver
        • Connecting Java driver
        • Connecting Node.js driver
        • Connecting Python driver
        • Connecting Legacy drivers
        • Drivers retry policies
      • Get Secure Connect Bundle
    • Migrating
      • Components
      • FAQs
      • Preliminary steps
        • Feasibility checks
        • Deployment and infrastructure considerations
        • Create target environment for migration
        • Understand rollback options
      • Phase 1: Deploy ZDM Proxy and connect client applications
        • Set up the ZDM Proxy Automation with ZDM Utility
        • Deploy the ZDM Proxy and monitoring
        • Configure Transport Layer Security
        • Connect client applications to ZDM Proxy
        • Leverage metrics provided by ZDM Proxy
        • Manage your ZDM Proxy instances
      • Phase 2: Migrate and validate data
        • Cassandra Data Migrator
        • DSBulk Migrator
      • Phase 3: Enable asynchronous dual reads
      • Phase 4: Change read routing to Target
      • Phase 5: Connect client applications directly to Target
      • Troubleshooting
        • Troubleshooting tips
        • Troubleshooting scenarios
      • Glossary
      • Contribution guidelines
      • Release Notes
    • Managing
      • Managing your organization
        • User permissions
        • Pricing and billing
        • Audit Logs
        • Bring Your Own Key
          • BYOK AWS Astra Portal
          • BYOK GCP Astra Portal
          • BYOK AWS DevOps API
          • BYOK GCP DevOps API
        • Configuring SSO
          • Configure SSO for Microsoft Azure AD
          • Configure SSO for Okta
          • Configure SSO for OneLogin
      • Managing your database
        • Create your database
        • View your databases
        • Database statuses
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
        • Monitor your databases
        • Export metrics to third party
          • Export metrics via Astra Portal
          • Export metrics via DevOps API
        • Manage access lists
        • Manage multiple keyspaces
        • Using multiple regions
        • Terminate your database
      • Managing with DevOps API
        • Managing database lifecycle
        • Managing roles
        • Managing users
        • Managing tokens
        • Managing BYOK AWS
        • Managing BYOK GCP
        • Managing access list
        • Managing multiple regions
        • Get private endpoints
        • AWS PrivateLink
        • Azure PrivateLink
        • GCP Private Service
    • Integrations
    • Astra CLI
    • Astra Vector Search
      • Quickstarts
      • Examples
      • Create a serverless database with Vector Search
      • Query Vector Data with CQL
        • Using analyzers
      • Data modeling
      • Working with embeddings
    • Astra Block
      • Quickstart
      • FAQ
      • Data model
      • About NFTs
    • API QuickStarts
      • JSON API QuickStart
      • Document API QuickStart
      • REST API QuickStart
      • GraphQL CQL-first API QuickStart
    • Developing with APIs
      • Developing with JSON API
      • Developing with Document API
      • Developing with REST API
      • Developing with GraphQL API
        • Developing with GraphQL API (CQL-first)
        • Developing with GraphQL API (Schema-first)
      • Developing with gRPC API
        • gRPC Rust Client
        • gRPC Go Client
        • gRPC Node.js Client
        • gRPC Java Client
      • Developing with CQL API
      • Tooling Resources
      • Node.js Document Collection Client
      • Node.js REST Client
    • API References
      • Astra DB JSON API v1
      • Astra DB REST API v2
      • Astra DB Document API v2
      • Astra DB DevOps API v2
  • DataStax Astra DB Serverless Documentation
  • Managing
  • Managing your organization

Managing your Astra DB organization

As an administrator, you can manage your database and organization. This includes the following tasks:

Add organizations in Astra DB

Creating multiple organizations in DataStax Astra DB is useful for segmenting groups of users and creating various environments.

  1. From any page in Astra DB, select the Organizations dropdown.

    Organization Selection
  2. In the main dropdown, select Manage Organizations.

  3. Select Add Organization. The Add Organization window opens.

    • Enter the name and email address for your new organization.

    • Select Add to add the new organization.

The organization is added to the list. An email is sent to the email address entered for the organization owner.

Invite users to an organization

Invite users to join your organization and provide them with access based on the selected role.

  1. From any page in Astra DB, select the Organizations dropdown.

    Organization Selection
  2. In the main dropdown, select Organization Settings.

  3. From the Users tab, select Invite User.

  4. Enter the email address for the user you want to invite for the specific user role. If adding multiple users, separate the email addresses with commas, spaces, or line breaks.

  5. Select the user role(s) for the user(s) you are inviting. Multiple roles are available within each group of roles for Organization Access, Database, Keyspace, or Table Access, and API Access.

  6. Select Invite Users to send email invitations to the users at their email address.

Invited users are listed as pending until they accept the invitation to join your organization.

Manage user permissions

Default and custom roles allow admins to manage unique permissions for users based on your organization and database requirements.

You can manage roles using the DataStax Astra DB user interface or the DevOps API.

Which default roles are available?

Default Operational Roles

The default roles address four types of operational users and three levels of access.

This matrix show how the four types of operational users with each of the three levels of access:

User API User User Service Account API Service Account

Admin

Administrator User

API Administrator User

Administrator Svc Acct

API Administrator Svc Acct

Read Only

RO User

API RO User

RO Svc Acct

API RO Svc Acct

Read/Write

R/W User

API R/W User

R/W Svc Acct

API R/W Svc Acct

Service Account Roles are limited from listing users and databases. API Roles limit CQL access.

Default Special Roles

In addition to the operational roles, four special default roles exist:

  • Organization Administrator: Super User

  • Database Administrator: Full access to CRUD organizations and databases

  • UI View Only: Read only access to view organizations and databases

  • Billing Admin: Billing only access

Operational Roles Detail

User Roles

Role name Console name DevOps API Parameters

Admin User

Create All Keyspaces,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read Organization,
Read User,
Write User

db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-read,
org-user-read,
org-user-write

RO User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select,
org-db-view,
org-user-read

R/W User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select,
org-db-view,
org-user-read

API User Roles

Role name Console name DevOps API Parameters

API Admin User

Read IP Access List,
Create All Keyspaces,
Describe All Keyspaces,
Access GraphQL API,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read User,
Write User

accesslist-read,
db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-user-read,
org-user-write

API RO User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select,
org-db-view,
org-user-read

API R/W User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select,
org-db-view,
org-user-read

User Service Account Roles

Role name Console name DevOps API Parameters

Admin Svc Acct

Create All Keyspaces,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read User,
Write User

db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-user-read,
org-user-write

RO Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select

R/W Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select

API Service Account Roles

Role name Console name DevOps API Parameters

API Admin Svc Acct

Create All Keyspaces,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read User,
Write User

db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-user-read,
org-user-write

API RO Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select

API R/W Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select

Special Roles Detail

Billing Admin

The Billing Admin role provides only access to view the billing information for Astra DB services. This role has no management capabilities nor access to data.

Console name DevOps API Parameters

Read Billing,
Write Billing,
View DB,
Read User

org-billing-read,
org-billing-write,
org-db-view,
org-user-read

Database Administrator

The Database Administrator role is designed to effectively manage organizations and the databases using CRUD. This role does not have the ability to view billing, mange role-based access control (RBAC), or manage users.

Console name DevOps API Parameters

Read IP Access List,
Write IP Access List,
Create All Keyspaces,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read Token,
Write Token,
Read User

accesslist-read,
accesslist-write,
db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-token-read,
org-token-write,
org-user-read

Organization Administrator

The Organization Administrator role is the most permissive default role.

Console name DevOps API Parameters

Read IP Access List,
Write IP Access List,
Create All Keyspaces,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Audits,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read External Auth,
Write External Auth,
Notification Write,
Read Organization,
Delete Custom Role,
Read Custom Role,
Write Custom Role,
Read Token,
Write Token,
Read User,
Write User,
Write Organization

accesslist-read,
accesslist-write,
db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-audits-read,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-external-auth-read,
org-external-auth-write,
org-notification-write,
org-read,
org-role-delete,
org-role-read,
org-role-write,
org-token-read,
org-token-write,
org-user-read,
org-user-write,
org-write

UI View Only

The UI View Only role is a highly limited role that is only able to list users, databases, and access lists.

Console name DevOps API Parameters

Read IP Access List,
View DB,
Read User

accesslist-read,
org-db-view,
org-user-read

Custom permissions

The tables below contain detailed descriptions of each of the permissions available in Astra DB and can be used to get more detail on the permissions assigned to the roles above.

Organization permissions

Console name Description DevOps API parameter

View DB

See a database in a list of databases or Astra Portal.

org-db-view

Create DB

Create a database using the DevOps API or Astra Portal.

org-db-create

Terminate DB

Permanently delete a database and all of of its data using the DevOps API or Astra Portal.

org-db-terminate

Reset Password

Reset the password for a classic database.

org-db-passwordreset

Manage Migrator Proxy

Add and remove the migrator proxy from a db.

org-db-managemigratorproxy

Read Audits

Enables read and download audits.

org-audits-read

Write Billing

Enables links and ability to add or edit billing payment info.

org-billing-write

Write IP Access List

Create or modify an access list using the DevOps API or Astra Portal.

accesslist-write

Manage Region

Add, create, or remove a region using the DevOps API or Astra Portal.

db-manage-region

Write User

Add, create, or remove a user using the DevOps API or Astra Portal.

org-user-write

Write Organization

Create new organizations or delete an existing organization. Hides manage org and org settings.

org-write

Write Custom Role

Create custom role.

org-role-write

Write External Auth

Update security settings related to external auth providers.

org-external-auth-write

Write Token

Create application token.

org-token-write

Read Billing

Enables links and access to billing details page.

org-billing-read

Read IP Access List

Enables links and access to acess list page.

accesslist-read

Read User

Access to viewing users of an organization.

org-user-read

Read Organization

View organization in Astra Portal.

org-read

Read Custom Role

See a custom role and its associated permissions.

org-role-read

Read External Auth

See security settings related to external authentication providers.

org-external-auth-read

Read Token

Read token details.

org-token-read

Delete Custom Role

Delete of custom role.

org-role-delete

Add Peering

Create of VPC peering connection.

org-db-addpeering

Notification Write

Enable or disable notifications in organization notification settings.

org-notification-write

Suspend DB

Park/unpark classic databases and suspend/unsuspend serverless databases.

org-db-suspend

Keyspace permissions

Console name Description DevOps API parameter

Alter Keyspace

Make changes to a specified keyspace.

db-keyspace-alter

Describe Keyspace

Get a list of tables within a specified keyspace.

db-keyspace-describe

Modify Keyspace

Access or modify a keyspace.

db-keyspace-modify

Authorize Keyspace

Give access to specified keyspace.

db-keyspace-authorize

Drop Keyspace

Remove keyspace. Available in only Astra Portal.

db-keyspace-drop

Create Keyspace

Create keyspace. Available in only Astra Portal.

db-keyspace-create

Grant Keyspace

Grant specific permissions for specified keyspace.

db-keyspace-grant

API access permissions

Console name Description DevOps API parameter

Access GraphQL API

Connect to database via GraphQL API.

db-graphql

Access REST

Connect to database via REST API.

db-rest

Access CQL

Connect to database via CQL.

db-cql

Which role should I assign a user?

Database Access Method Roles

Astra User Interface access

  • Organization Administrator

  • Database Administrator

  • Billing Administrator

  • UI View Only

  • Developer Administrator

  • Developer Read/Write

  • Developer Read Only

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

GraphQL, REST, and Document API access based on database access permissions

  • Organization Administrator

  • Database Administrator

  • Billing Administrator

  • UI View Only

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

  • API Administrator User

  • API Read/Write User

  • API Read Only User

  • API Administrator Service Account

  • API Read/Write Service Account

  • API Read Only Service Account

Data Loader access based on database access permissions

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

dsbulk access based on database access permissions

  • Read/Write Service Account

  • Read Only Service Account

DevOps API access based on database access permissions

  • Organization Administrator

  • Database Administrator

Drivers based on database access permissions

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

Manage access list for IP addresses and CIDR

  • Organization Administrator

  • Database Administrator

Manage application tokens

Application tokens allow you to connect to your database from your application using the Document, REST, and GraphQL APIs for DataStax Astra DB.

As of 4 March 2021, your Astra DB username and password will not work for your database. You will need to use an application token to connect to your database.

Create application token

You can also create an application token using the DevOps API.

  1. From any page in Astra DB, select the Organizations dropdown.

    Organization Selection
  2. In the main dropdown, select Organization Settings.

  3. From your Organization page, select the Tokens tab.

  4. Select the role you want to attach to your token. The permissions for your selected role will be displayed.

  5. Select Generate Token. Astra DB will generate your token and display the Client ID, Client Secret, and Token.

  6. Download your Client ID, Client Secret, and Token.

After you navigate away from the page, you won’t be able to download your Client ID, Client Secret, and Token again. These tokens do not automatically expire, but can be destroyed in case they are compromised or no longer needed.

You can now use your token to connect to the Astra DB APIs. See more about the available APIs:

  • Document API

  • REST API

  • GraphQL CQL first API

  • GraphQL Schema first API

You can use your Client ID and Client Secret to connect to your database. See more about the available connection options:

  • Standalone CQL shell

  • Connecting C++ driver

  • Connecting C# driver

  • Connecting Java driver

  • Connecting Node.js driver

  • Connecting Python driver

  • Connecting Legacy drivers

Set environment variables

In your command-line interface associated with your environment, paste the following environment variables copied for your Astra DB database:

export ASTRA_DB_ID=<database_id>
export ASTRA_DB_REGION=<database_region>
export ASTRA_DB_KEYSPACE=<keyspace_name>
export ASTRA_DB_APPLICATION_TOKEN=<app_token>

Delete application token

If you need to limit access to your database, you can delete an application token.

  1. Select the overflow menu for the application token you want to delete.

  2. Select Delete to delete that application token.

  3. If necessary, generate a new application token for the same user role.

Manage custom roles

Within Role Management, you can see the permissions for a specific role by hovering over the number in the Permissions column of the table. This will show the permissions granted to the role.

Roles

If the default roles don’t meet your requirements, you can use custom roles that meet your organizational needs.

Create custom role

You can also create custom roles using the DevOps API.

  1. In Astra Portal, select the organization in the left navigation to add a custom role.

  2. Select Settings.

  3. Select Role Management and then Add Custom Role.

  4. Enter the name you want to use for your custom role. This name should help you easily identify when you want to assign this role to users.

  5. Select the Organization, Keyspace, Table, and API permissions you want to assign to your custom role.

    If you want users with this role to be able to see the Astra DB user interface, make sure you select Read User and View DB permissions.

  6. To apply your selected permissions to specific databases or keyspaces, toggle the switch to not apply the permissions to all databases in an organization. Then select the specific databases or keyspaces to which you want to apply the permissions.

  7. Once you have selected your permissions, select Create Role.

To see your custom roles, select Role Management within your Organization. You can now invite users using your new custom role.

Edit user roles

  1. From your Organization page, select Role Management.

  2. Select Edit Role from the overflow menu for the custom role you want to update.

  3. When editing the role, you can edit the name, permissions, database, and keyspace.

  4. Once you have updated your permissions, select Edit Role.

Your updated custom role will show up in Role Management within your Organization.

Bring Your Own Key

Encryption is a widely accepted mechanism to secure data against breaches. By default, DataStax Astra DB encrypts data, and cloud providers such as AWS and Google Cloud offer encryption solutions. However, you may want to further limit data access, because cloud providers have access to the keys and ultimately to the data.

To address this security concern, Astra DB allows you to associate a Customer Managed Key (one per region) that you defined in the cloud provider’s Key Management Service with a Customer Key that you create in Astra DB.

We call this organization-scoped Astra DB feature Bring Your Own Key (BYOK).

This BYOK feature:

  • Is available for Astra DB Serverless users with these cloud providers:

    • AWS - supported via Astra DB BYOK AWS with DevOps API (Serverless) and BYOK AWS with Astra Portal (Serverless).

    • Google Cloud - supported via Astra DB BYOK GCP with DevOps API (Serverless) and BYOK GCP with Astra Portal (Serverless).

  • Is not available with the Astra DB Free Plan. Using the Chat icon in Astra Portal, ask the DataStax representative about upgrading your organization to a paid plan so you can use BYOK and additional features.

For related details, see the Customer Keys API reference.

Pricing and billing

Learn about the pricing model and billing structure for DataStax Astra DB serverless and databases.

Serverless pricing

There are three primary factors that affect the pricing:

  • plan selection

  • units of measure

  • cloud provider and region

Plan selection

DataStax allows you to choose your commitment, and thus your savings. To get an accurate cost for your database, select a cloud provider/region and create your first database. To get started for free without entering credit card details, select the Free plan and receive a $25 credit. This credit is good for up to 80GB storage and 20 million Read/Write operations.

Units of measure

The following units of measure affect the pricing of your database:

  • Read requests (per 1M): the unit of measure for billing database reads. This unit is based on the amount of data retrieved to satisfy the query. A read request that returns up to 4KB of data is considered one Read Request Unit (RRU). If the request returns more than 4KB of data, additional read requests are required. If a read request involves server-side filtering or aggregation of data, the data is measured before the filtering or aggregation takes place. Some examples of queries where this can happen are:

    • Queries that use the ALLOW FILTERING clause.

    • Queries that use the COUNT function.

    • Queries that use the GROUP BY clause.

    • Queries that do not request all columns from a row be returned.

  • Write requests (per 1M): the unit of measure for billing database writes. This unit is based on the payload size of each write request. A write request with up to 1KB of data is considered one Write Request Unit (WRU). If the request has more than 1KB of data, additional writes are required.

    • Insert/Update/Upsert: each option is treated as a write operation and is calculated as part of the Write Request Unit (WRU).

    • Logged and Unlogged are the two types of batched writes. Logged batched writes have an additional WRU consumed.

      For example, a single-partition unlogged batch write operation with 10 rows, each row containing 1.2KB of data has 12 WRUs (Total size of the single-partition rows divided by 1KB. That is, [(10 rows * 1.2KB)/1KB = 12 WRUs]). A 2-partition logged batch with 2 rows (one row for each partition), each row containing 1.2KB of data has 5 WRUs ([ (2 * 1.2KB) /1KB + 2 = 5 WRU]). This calculation depends on the size per table in the batch. In this case, the size of the table (2 * 1.2KB) results in 3 WRUs and 2 additional WRUs for logged batch operation.

    • The write index SAI is treated the same as a write, but has an additional cost.

      • The write index SAI size is based on the size of each indexed column (not the size of the index), regardless of the column type. For example, the SAI index for a column with a value of 2KB in size results in 2 WRUs.

    • One delete operation is considered one write request regardless of the size. This is calculated as part of the WRU.

      • There is no charge for the TTL delete operation, DROP statements or TRUNCATE statements.

    • Lightweight Transactions (LWT) are treated as a combination of a read and write event. LWTs do a read, evaluate a condition, and a write if the condition is true. For LWT, there are both WRU and additional RRU costs. The number of RRUs is always one regardless of the size.

    • User-defined Types UDT: there are no additional charges for UDTs. The column data size is counted regardless of the type.

  • Data storage (GB/month): all data stored in the database (including the actual data, indexes, and metadata). You are not billed extra for standard backups of your data. It is included in the base storage costs.

  • Data Transfer (GB): the transfer of customer data out of the database, including data transferred between the replicas to meet the replication factor for the data. Billable units and pricing vary depending on whether the Data Transfer occurs within the same region of a cloud provider network ("Data Transfer - Same Region"), across regions within the same cloud provider network ("Data Transfer - Cross Region within Cloud Provider Network"), or leaves the cloud provider network over the internet ("Data Transfer - Internet").

  • Premium charges are applied for:

    • Dimensions used in Query: based on database dimensions and average dimensions per query.

      • Aggregated count of the number of dimensions searched with vector search ANN queries. Separate from Counter in case we decide to add a scaling factor in the future.

      • Aggregated count of the number of dimensions searched with vector search ANN queries.

      • Aggregated count of the number of dimensions written to.

    • Index Storage Size: estimate storage size per month, methods of procedure (MOP) per month, and either 3 or 1 Avaliability Zones (AZ).

Private endpoints

Private endpoints are charged per endpoint per region at $0.01/hour.

Additionally, you are billed for ingress and egress data at $0.01/GB for all data that uses the private endpoint. If you exceed your monthly credit and you do not have a payment method in Astra DB, your database is not available for use until you add a payment method.

Data transfer charges for private endpoints is in addition to your regular data transfer charges.

REST and JSON API

These are the additional points to consider for REST and JSON APIs:

  • For the REST API, there is a one-to-one mapping between REST operations and CQL requests.

  • For the JSON API, each write operation creates just one row in the collection.

  • For each non-null value column, there is also an index. The DataStax Storage-Attached Indexing (SAI) cost is computed as the size of each indexed column, regardless of the column type.

JSON API is available as a public preview release. See Developing with JSON API.

Cloud providers and regions

You can select AWS, Google Cloud, or Azure as your cloud provider. Each cloud provider offers different database regions. See each offering by region. The cloud provider and region you select affects the price of each unit of measure for your database.

Multiple regions

Multiple regions is available on only pay as you go and annual plans.

If you are using multiple regions for your serverless database:

  • Write requests are replicated in all regions and charged at the respective rates for each region.

  • Read requests are performed at the region level and charged at the region-specific rate.

Data Storage is calculated based on actual disk consumption per region at the region-specific rate.

CDC for Astra Streaming

Enabling CDC for Astra Streaming results in increased usage costs based on your Astra Streaming usage.

Free plans

For free plans, your remaining credits are displayed. These credits include the $25 credit that is renewed every month.

Pay as you go plans

For pay as you go plans, you must have a billing method for your account. Any remaining credits are displayed. Any usage amount appears in the Estimated Bill, which is auto-drafted monthly based on Greenwich Mean Time (GMT), also known as Coordinated Universal Time (UTC).

Annual plans

For the annual plan, you are committing to the minimum monthly spend for 12 months. Your remaining credits display the balance of any unused credits you have, along with the committed monthly minimum that is billed in arrears at the end of the month. If you exceed your credit and committed monthly minimum, the overages are charged at your discounted rate. This amount shows up in the Estimated Bill, which is auto-drafted monthly based on Greenwich Mean Time (GMT), also known as Coordinated Universal Time (UTC).

Cloud providers and regions

You can select AWS, Google Cloud, or Azure as your cloud provider. Each cloud provider offers Standard, Premium and Premium+ regions. The cloud provider and region you select affects the price of each unit of measure for your database.

Effective July 1, 2022, there is no separate premium pricing for Astra Classic Multi-region. All Astra Classic customers are charged additional data transfer cost. Data Transfer pricing is the same as Astra Serverless pricing. For more details on the definitions of "Multi-Region" and "Data Transfer" as well as respective pricing, please visit the Astra Serverless pricing page.

Billing

Astra DB handles billing through an integration with Stripe, and displays all related billing information in the Billing & Payments section of your Organization.
In Billing & Payments, you can see your plan and payment method, along with when the plan was created. You can also select Manage to change your plan.

You can also update your payment method in the Billing & Payments section. Your Billing & Payments also displays each database included in your server, allowing you to see what your total cost is per database.

Managing payment methods

Optionally, update your payment method in the Billing & Payments section. Your Billing & Payments also displays each database included in your server, allowing you to see your total cost per database.

Update the payment method you entered when creating your DataStax Astra DB database. Before your monthly credit runs out, you must enter your credit card number and associated billing information to ensure your database remains accessible.

Enter updated credit card information and associated billing details, or delete the existing payment method.

Astra DB supports one payment method for each organization.

Updating your payment information

  1. From any page in Astra DB, select the Organizations dropdown.

Organization Selection
  1. In the main dropdown, select Organization Settings.

  2. From Billing & Payment, select Invite User.

    • From your Astra Dashboard, select Add Payment Method or Update beside the existing payment method.

    • In the Update Payment Method menu, confirm that you want to Update your payment method.

    • Enter the new billing information and Save.

Your payment method is updated. All future billing will use the new payment entered.

Removing a Payment Method

Use this section to remove any payment method associated with Astra DB serverless and Astra Streaming.

There are two selections to consider before removing your payment method: any outstanding balance for your organization and any premium features added to this plan. A premium feature, such as multi-region or private endpoints, is optionally applied to a resource.

To remove your payment method, open your Astra DB account and go to Billing. Your organization’s dashboard of billing services and payments made is available for viewing. Click Remove.

Prerequisites

Ensure your organization meets the following requirements to remove your payment method:

  • With no outstanding balance and no premium features, you can remove your payment method at any time. A dialog box appears to confirm you want to remove the payment method; select Remove Payment Method.

    want to remove payment

    A message appears that you have successfully removed the payment method. An email is also sent for your records.

  • If you have no outstanding balance and premium features, you must remove all of these features before you can proceed. Click the link for each premium feature (as shown below) to remove them.

    payment removal
  • If you have an outstanding balance and no premium features, you must wait until the next billing cycle to settle this account.

    ob features
  • If you have an outstanding balance and premium features, you must remove your premium features before you can remove your payment method. You must wait until the next billing cycle to settle this account.

    balance and features

Removing premium features

Each premium feature is unique and has specific instructions for removal. The following links offer instructions on removing the following premium features:

  • Private endpoints

    • AWS private endpoints

    • Azure private enddpoints

    • Google Cloud private endpoints

  • Managing multiple regions

Managing User permissions

General Inquiries: +1 (650) 389-6000 info@datastax.com

© DataStax | Privacy policy | Terms of use

DataStax, Titan, and TitanDB are registered trademarks of DataStax, Inc. and its subsidiaries in the United States and/or other countries.

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Kubernetes is the registered trademark of the Linux Foundation.

landing_page landingpage