When you create a user, the Treasure Data platform automatically creates two API keys: a Master key and a Write-only API key. A user can create additional API keys. Because of the association between users and API keys, there can be some unexpected results depending on how you delete a user from the platform.
To adhere to security best practices, Treasure Data recommends that you select Delete API Keys. If you choose to reassign the API keys, be sure to test all the security implications.
The following user types can delete users:
Account owners (owners) can delete administrators and restricted users.
Administrators can delete restricted users only.
Each user is created with two API keys: a Master and a Write-only API key type. See Getting Your API Keys for information about the two API types.
Each user can create additional API keys of either type. There is no limit on the number of API keys per user. Each API key carries the same permissions as the user.
When you delete a user, there can be consequences associated with the deletion. For more information, review Deleted Users and the Impact on Existing Resources.
API key deletion. Any automation or script associated with the deleted API key immediately fails. Streaming ingest may continue to work for up to one minute until the cache expires.
API key reassignment to another user. If an API key of a deleted user is reassigned to a user with different permissions, the API key will gain the permissions of the new user.
For example: if a restricted user is deleted and its API keys are reassigned to an administrator user, the reassignment grants the API keys administrator privileges, which might be far greater permissions than initially intended.
The following section describes how API keys are deleted from the platform. For security best practices, Treasure Data recommends that you delete the deleted user API keys.
To delete a user in the TD Console
Navigate to the Control Panel. You must be either an administrator or an owner to access this page.
Find the user in the list or search for it by selecting one of the column headers in the table.
Select the user in the list and the user's profile displays.
- To start the deletion, select the trash bin icon (in the blue header) on the right-hand side of the user's name/email address. The following pop up modal displays:
From this modal, the administrator/owner can cancel the deletion or choose one of the following options:
Keep the default ‘Reassign API Keys’ option and default user selection; this option transfers the API keys to the owner.
Keep the default ‘Reassign API Keys’ option but switch to a different user. This action transfers the API keys to an existing user.
Select the ‘Delete API Keys’ option. This action deletes the API keys.
Use the following API request.
POST /v3/user/remove/<email>
Where <email> is the email address of the user to be deleted. Owners and administrators can run this request. When the user is deleted, all of their API keys are deleted as well.
$ curl --location --request POST 'https://api.treasuredata.com/v3/user/remove/first.last@company.com' --header 'Accept: application/json' --header 'Authorization: TD1 123/abcdef•••••••••••••••••••••••0123456789' | jq- Response
{
"user": "first.last@company.com"
}