Before you start to use ApsaraDB for RDS, you must create a database and an account for an ApsaraDB for RDS instance. This topic describes how to create a database and an account for an ApsaraDB RDS for PostgreSQL instance.

Account types

ApsaraDB RDS for PostgreSQL instances support two types of database accounts: privileged accounts and standard accounts. The following table describes these account types.

Account type Description
Privileged account
  • You can create and manage privileged accounts by using the ApsaraDB for RDS console or API operations.
  • For an ApsaraDB RDS for PostgreSQL instance with local SSDs, you can create only one privileged account. For an ApsaraDB RDS for PostgreSQL instance with cloud disks, you can create multiple privileged accounts. A privileged account allows you to manage all standard accounts and databases in an ApsaraDB RDS for PostgreSQL instance.
  • A privileged account has more permissions, which allows you to perform more fine-grained management operations. For example, you can grant query permissions on different tables to different users.
  • You can use a privileged account to disconnect any accounts from their authorized databases in your ApsaraDB RDS for PostgreSQL instance.
Standard account
  • You can create and manage standard accounts by using the ApsaraDB for RDS console, API operations, or SQL statements.
  • You can create multiple standard accounts for an ApsaraDB RDS for PostgreSQL instance.
  • You must grant permissions on specific databases to a standard account.
  • You cannot use a standard account to create or manage other accounts, nor disconnect other accounts from databases.

Precautions

  • Databases within the same instance share all of the resources that belong to the instance. You can create databases, privileged accounts, and standard accounts for an ApsaraDB RDS for PostgreSQL instance. You can create as many databases as you want. You can also manage standard accounts and databases by using SQL statements.
  • To migrate data from an on-premises database to an ApsaraDB for RDS instance, you must create a database and an account in the RDS instance. Ensure that the database has the same properties as the on-premises database, and the account of the database has the same permissions as the account of the on-premises database.
  • Use service roles to create accounts and follow the principle of least privilege to assign appropriate read-only and read/write permissions to the accounts. When necessary, you can create multiple database accounts and allow each of them to access only data relevant to their own business tasks. If an account does not need to write data to a database, assign the read-only permissions to the account.
  • To ensure database security, set strong account passwords and change the passwords on a regular basis.

Create an account for an ApsaraDB RDS for PostgreSQL instance with cloud disks

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Accounts.
  5. Click Create Account.
  6. Configure the following parameters.
    Database Account
    • The name of the account must be 2 to 16 characters in length.
    • The name of the account can contain lowercase letters, digits, and underscores (_).
    • The name of the account must start with a lowercase letter and end with a lowercase letter or digit.
    • The name of the account cannot be the same as the name of an existing account.
    Account Type
    • Specify the type of the account. Two types of database accounts are supported: privileged accounts and standard accounts.
    • Privileged accounts have all permissions on all databases.
    • Standard accounts have all permissions only on their authorized databases.
    Note: The permissions include SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, and TRIGGER.
    Password
    • The password of the account must be 8 to 32 characters in length.
    • The password of the account must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • Special characters include ! @ # $ % ^ & * ( ) _ + - =
    Re-enter Password
    • Enter the same password again.
    Description
    • Enter a description for the account.
  7. Click Create.

Create a database for an ApsaraDB RDS for PostgreSQL instance with cloud disks

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the instance is located.
  3. Find the target instance and click its ID.
  4. In the left-side navigation pane, click Databases.
  5. Click Create Database.
  6. Configure the following parameters.
    Database Name
    • The name can be up to 64 characters in length.
    • It can contain lowercase letters, digits, underscores (_), and hyphens (-).
    • It must start with a letter and end with a letter or digit.
    Supported Character Sets
    • The character set that is supported by the database.
    Collate
    • The sorting rules of strings.
    Ctype
    • The type of characters.
    Authorized Account
    • The database owner, who has all permissions on the database.
    Description
    • The description of the database.
  7. Click Create.

Create an account for an ApsaraDB RDS for PostgreSQL instance with local SSDs

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Accounts.
  5. Click Create Account.
  6. Configure the following parameters.
    Database Account
    • The name of the account must be 2 to 16 characters in length.
    • The name of the account can contain lowercase letters, digits, and underscores (_).
    • The name of the account must start with a lowercase letter and end with a lowercase letter or digit.
    • The name of the account cannot be the same as the name of an existing account.
    Password
    • The password of the account must be 8 to 32 characters in length.
    • The password of the account must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • Special characters include ! @ # $ % ^ & * ( ) + - =
    Re-enter Password
    • Enter the same password again.
  7. Click Create.
    Note: After you complete the preceding steps, a privileged account is created. For more information about how to create a standard account, see the following steps.
  8. In the upper-right corner of the page, click Log On to DB to go to the RDS Database Logon page.
  9. Configure the following parameters.
    Network address:Port
    • Enter the endpoint and port number that are used to connect to the RDS instance. For more information, see View and change the internal and public endpoints and ports.
    Database Username
    • Enter the name of the account that is authorized to log on to the database.
    Password
    • Enter the password of the account that is authorized to log on to the database.
  10. Click Log On.
    Note: If the system prompts you to add the CIDR block of the DMS server to a whitelist of the RDS instance, click Configure Whitelist.
  11. After you log on to the RDS instance, choose SQL Operations > SQL Window in the top navigation bar.
  12. In the SQL window, execute the following statement to create a standard account:
    CREATE USER name [ [ WITH ] option [ ... ] ]
    where option can be:
       SUPERUSER | NOSUPERUSER
     | CREATEDB | NOCREATEDB
     | CREATEROLE | NOCREATEROLE
     | CREATEUSER | NOCREATEUSER
     | INHERIT | NOINHERIT
     | LOGIN | NOLOGIN
     | REPLICATION | NOREPLICATION
     | CONNECTION LIMIT connlimit
     | [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password'
     | VALID UNTIL 'timestamp'
     | IN ROLE role_name [, ...]
     | IN GROUP role_name [, ...]
     | ROLE role_name [, ...]
     | ADMIN role_name [, ...]
     | USER role_name [, ...]
     | SYSID uid

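    For example, to create an account named test2 whose password is 123456, execute the following statement. The password 123456 only keeps the example short; it does not meet the password rules listed for accounts created in the console, so substitute one that does.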

    create user test2 password '123456';

Create a database for an ApsaraDB RDS for PostgreSQL instance with local SSDs

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the instance is located.
  3. Find the target instance and click its ID.
  4. In the upper-right corner of the page, click Log On to DB to go to the RDS Database Logon page.
  5. Configure the following parameters.
    Network address:Port
    • The endpoint and port information to connect to the RDS instance. For more information, see View and change the internal and public endpoints and ports.
    Database Username
    • The username of the account used to access the database.
    Password
    • The password of the account used to access the database.
  6. Click Log On.
    Note: If the system prompts you to add the CIDR block of the DMS server to the RDS whitelist, click Configure Whitelist.
  7. After you have logged on to the RDS instance, choose SQL Operations > SQL Window in the top navigation bar.
  8. In the SQL window, execute the following statement to create a database:
    CREATE DATABASE name
     [ [ WITH ] [ OWNER [=] user_name ]
            [ TEMPLATE [=] template ]
            [ ENCODING [=] encoding ]
            [ LC_COLLATE [=] lc_collate ]
            [ LC_CTYPE [=] lc_ctype ]
            [ TABLESPACE [=] tablespace_name ]
            [ CONNECTION LIMIT [=] connlimit ] ]

    For example, if you want to create a database named test, execute the following statement.

    CREATE DATABASE test;
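
The CREATE USER and CREATE DATABASE statements from the steps above, combined with the least-privilege advice in Precautions, as an added example that is not part of the original documentation. It creates a read-only standard account and a database that only named accounts can connect to; the names report_ro and appdb, the password placeholder, the limits, and the expiry date are assumptions.

```sql
-- Added example; report_ro, appdb, the password placeholder, the limits and
-- the expiry date are assumptions. Run as the privileged account in the
-- SQL window.

-- 1. Standard account: may log on, cannot create databases or roles,
--    is limited to 5 sessions, and its password stops working at VALID UNTIL.
CREATE USER report_ro WITH
    LOGIN NOCREATEDB NOCREATEROLE
    CONNECTION LIMIT 5
    PASSWORD '<strong-password>'
    VALID UNTIL '2030-01-01 00:00:00+00';

-- 2. Database with a cap on concurrent connections.
CREATE DATABASE appdb WITH CONNECTION LIMIT = 50;

-- 3. A new database lets every account connect through PUBLIC.
--    Remove that default and name the accounts that may connect.
REVOKE CONNECT, TEMPORARY ON DATABASE appdb FROM PUBLIC;
GRANT CONNECT ON DATABASE appdb TO report_ro;

-- 4. While connected to appdb: read-only access to existing tables and to
--    tables the current account creates later in schema public.
GRANT SELECT ON ALL TABLES IN SCHEMA public TO report_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO report_ro;

-- 5. Check the account's attributes and its database-level privileges.
SELECT rolname, rolcreatedb, rolcreaterole, rolconnlimit, rolvaliduntil
  FROM pg_roles
 WHERE rolname = 'report_ro';
SELECT has_database_privilege('report_ro', 'appdb', 'CONNECT') AS can_connect,
       has_database_privilege('report_ro', 'appdb', 'CREATE')  AS can_create;

-- 6. Audit: login accounts with no password expiry or no connection limit.
SELECT rolname, rolvaliduntil, rolconnlimit
  FROM pg_roles
 WHERE rolcanlogin
   AND (rolvaliduntil IS NULL OR rolconnlimit = -1);
```

The audit query in step 6 also lists accounts that the service itself maintains, so review its output rather than acting on every row.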

FAQ

Q: Can I manage accounts in read-only instances?

A: No. Although accounts created in the primary instance are replicated to its read-only instances, you cannot manage the accounts in the read-only instances. Read-only instances only allow accounts to read data.

Related API operations

Create database account
  • Creates an account.