Configuring the Veza integration for ClickHouse.
Last updated
Was this helpful?
ClickHouse is a high-performance columnar database management system (DBMS) optimized for Online Analytical Processing (OLAP). The Veza integration for ClickHouse Cloud enables discovery of users, roles, and services configured for your organization, providing visibility into what human and non-human identities have permissions on ClickHouse data and settings.
A ClickHouse Cloud account
Administrator access to create API keys in ClickHouse
A Developer API key with permissions to read organization metadata
Note: The integration currently supports connecting to a single organization only
In the ClickHouse Cloud Console, select API Keys from the left menu.
Click New API Key in the top-right corner. For new accounts, you'll see a prompt to create your first key.
Configure the API key:
Enter a descriptive Key Name
For Organization Permissions, select Developer
Set an appropriate expiration time
Click Generate API Key
Copy and securely store both the Key ID and Key Secret. These values cannot be retrieved after leaving this page.
Browse to your Veza instance
In the left navigation, choose Integrations
Click Add Integration and select ClickHouse
Enter the following values:
Client ID: The Key ID from your ClickHouse API key
Client Secret: The Key Secret from your ClickHouse API key
Click Create Integration to save your changes
The integration captures organization-level metadata for a ClickHouse Cloud deployment. Note that the integration currently supports connecting to a single organization only.
organization_id
Unique identifier for your ClickHouse organization
Application Custom Property
organization_name
Display name of your ClickHouse organization
Application Custom Property
created_at
Organization creation timestamp in ISO-8601 format
Application Custom Property
Users represent members of your ClickHouse organization who can access and manage services. Each user is assigned either an Admin or Developer role, which determines their access to services and organization settings.
id
The user's unique identifier
LocalUser Property
name
User's display name
LocalUser Property
email
User's email address
LocalUser Property
created_at
When the user joined the organization (ISO-8601 format)
LocalUser Property
Role Assignment:
Users with role "admin" are assigned the Admin role with full access to all services
All other users are automatically assigned the Developer role with selective service access
Services represent individual ClickHouse database instances within your organization. Each service represents a deployable database with specific configuration options across cloud providers and regions.
id
Unique identifier for the service
Resource ID
name
Display name of the service
Resource Name
provider
Cloud provider where service is deployed (aws, gcp, azure)
CustomResource Property
region
Cloud region where service is deployed
CustomResource Property
state
Current operational state of the service
CustomResource Property
tier
Service tier determining scaling capabilities
CustomResource Property
is_primary
Whether this is the primary service
CustomResource Property
created_at
Service creation timestamp (ISO-8601 format)
CustomResource Property
Service Tiers:
development: Fixed-size instances with limited scaling (not available on Azure)
production: Fully scalable instances
dedicated_high_mem: Memory-optimized instances
dedicated_high_cpu: Compute-optimized instances
ClickHouse uses a role-based access control (RBAC) system with two predefined roles:
Admin: Full administrative access to all services and organization settings
Developer: Limited access focused on service usage and monitoring
The integration maps ClickHouse system permissions to standardized Veza permission types. These mappings include:
Service Management:
View service: DataRead, MetadataRead
Create service: DataCreate, MetadataCreate
Delete service: DataDelete, MetadataDelete
Stop service: DataWrite, MetadataWrite
Restart service: DataWrite, MetadataWrite
Reset service password: DataWrite, MetadataWrite
View service metrics: DataRead, MetadataRead
Access Management:
View API key records: DataRead, MetadataRead
Create API key: DataCreate, MetadataCreate
Delete API key: DataDelete, MetadataDelete
View users: DataRead, MetadataRead
Invite users: DataCreate, MetadataCreate
Change user role: DataWrite, MetadataWrite
Delete users: DataDelete, MetadataDelete
Organization Management:
View billing: DataRead, MetadataRead
Manage billing: DataRead, DataWrite, DataCreate, DataDelete, MetadataRead, MetadataWrite, MetadataCreate, MetadataDelete
View organization activity: DataRead, MetadataRead
Submit support requests: DataCreate, MetadataCreate
View integrations: DataRead, MetadataRead
