Skip to content

For help, click the link below to get free database assistance or contact our experts for personalized support.

Manage users in Percona Everest

Percona Everest provides user management capabilities, enabling you to securely log in through either the Percona Everest UI or the API.

Local user management involves administering Percona Everest users to ensure secure access to database resources. This encompasses tasks such as creating and deleting users, updating their passwords, etc.

When you install Percona Everest, an admin user is automatically created, granting full access to the system.


We strongly recommend using Single Sign-On (SSO) integration for the production environment.


All user accounts are stored in the YAML format within the everest-accounts Secret in the everest-system namespace:

User accounts: YAML format
apiVersion: v1
kind: Secret
    name: everest-accounts
    namespace: everest-system
  users.yaml: YWRtaW46CiAgcGFzc3dvcmRIYXNoOiBhZG1pbgogIGVuYWJsZWQ6IHRydWUKICBjYXBhYmlsaXRpZXM6CiAgICAtIGxvZ2lu

Decoding the base64 encoded value will yield a YAML that appears as follows:

YAML after decoding
    passwordHash: <password>
enabled: true
    - login

User management commands

This section provides a list of CLI commands for managing users in Percona Everest.

Retrieve password

You can retrieve the password for the admin user by running the following command:

everestctl accounts initial-admin-password


The passwords in this Secret are stored as hashes. However, the initial admin user has the password stored as plain text for convenient retrieval later on. We strongly recommend that you update the admin password after installation.

Update the password

To update the password for an existing user:

everestctl accounts set-password -u <username>

You will be prompted to update the password.

? Enter new password **********
? Re-enter new password **********

Create a new user

To create a new user:

everestctl accounts create -u <username>
You will be prompted to enter the password for this user.

? Enter new password **********
P2024-06-27T08:11:34Z   info    cli/accounts.go:141 User 'rasika' has been created  {"component": "accounts"}


For Percona Everest versions 1.0.0 and later, new users have full access to the system. However, once RBAC support is in place, an admin user will be able to manage permissions for users, granting them fine-grained control over database resources.

For detailed information on granting permissions to new users, see assign permissions to a new user section.

List the users

To list all the users in Percona Everest:

everestctl accounts list

Delete a user

To delete an existing user:

everestctl accounts delete -u <username>

JSON Web Token (JWT) and keys

When you log in from the UI, Percona Everest issues a JSON Web Token to authenticate the requests. By default, this token is valid for 24 hours, after which you are expected to log in again.


Since JWT authentication is stateless, it is currently impossible to explicitly revoke specific tokens. Therefore, even a deleted user may continue to request the API as long as they have a valid token.

The Everest API uses the RSA algorithm to sign and verify the JWT. The RSA key pair used for this is automatically generated upon installation and stored in the everest-jwt Secret in the everest-system namespace.

    apiVersion: v1
        id_rsa: <PRIVATE KEY> <PUBLIC KEY>
    kind: Secret
        name: everest-jwt
        namespace: everest-system
    type: Opaque

To reset the key pair:

everestctl accounts reset-jwt-keys