Access Control
VeloDB Cloud has three independent access control layers. Each covers a different entry point into the system.
| Layer | Who it's for | Where to manage |
|---|---|---|
| Members | Teammates who need access to the VeloDB Cloud console | Members, Multi-Factor Authentication, and SAML Single Sign-On |
| Cloud API | Programmatic access to the VeloDB Cloud management API | API Keys and Terraform Provider |
| Warehouse Users and Roles | Applications, BI tools, and SQL clients that connect to a warehouse over MySQL or JDBC | Warehouse Users and Roles |
Which one do you need?
Members manages console-level identities: the people you invite to your organization. A member's organization role (Organization Admin, Warehouse Admin, Warehouse Viewer) controls what they can see and do in the console, not what SQL they can run. Premium organizations can use SAML Single Sign-On to authenticate members through a corporate identity provider.
Cloud API is for scripts and automation that call the VeloDB Cloud management API, for example to create warehouses, pause clusters, or pull metrics programmatically. You can call it directly with an API key or manage resources through the Terraform provider. These credentials are separate from both warehouse credentials and console accounts.
Warehouse Users and Roles manages warehouse-level identities: the SQL accounts your data pipelines and BI dashboards use to run queries. These credentials appear in your connection string. The roles here are SQL roles scoped to the warehouse, which are separate from the organization roles assigned to Members.
A person who needs both console access and SQL access needs to be added as a Member and have a warehouse user created for them. The two systems do not share credentials.