This topic describes how to create accounts and databases for an ApsaraDB RDS for MySQL instance.

Create database

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Databases.
  3. Click Create Database.
    Create Database
  4. Configure the following parameters.
    Parameter Description
    Database Name
    • The name of the database must be 2 to 64 characters in length.
    • The name of the database must start with a lowercase letter and end with a lowercase letter or digit.
    • The name of the database can contain lowercase letters, digits, underscores (_), and hyphens (-).
    • The name of the database must be unique within the RDS instance.
    Supported Character Set Select the character set that is supported by the RDS instance.
    Authorized Account: Select the authorized account of the database. You can leave this parameter empty. This is because you can grant the permissions on the database to an account after the database is created.
    Note Only a Standard Account is displayed. The privileged account has all permissions on all the created databases. You do not need to grant permissions to the privileged account.
    Account Type: Select the permissions that you want to grant on the database to the specified account. The supported permissions are Read/Write, Read-only, DDL Only, and DML Only. For more information about the permissions of various accounts, see the "Account permissions" section of this topic.
    Note This parameter is available only when the Authorized Account parameter is specified.
  5. Click Create.

Create an account

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Accounts.
  3. Click Create Account.
    Create a screenshot
  4. Enter the username and password of the account.
    • Database Account:
      • The username must start with a letter and end with a letter or a digit.
      • The username can contain lowercase letters, digits, and underscores (_).
    • Password:
      • The password must be 8 to 32 characters in length.
      • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters. The password can contain the following special characters: !@ # $ % ^ & * ( ) _ + - =
  5. Select the account type.
    • Standard Account: Select a database from the Unauthorized Databases list, click the right arrow to move the selected database to the Authorized Databases list, and grant the Read /Write (DDL + DML), Read-only, DDL Only, or DML Only permissions to the account.
    • Privileged Account: The privileged account has permissions on all databases in the RDS instance. You do not grant permissions on specific databases to the privileged account.
    Note If you cannot select Privileged Account, a privileged account has been created in the RDS instance.
  6. Click OK.

Account types

ApsaraDB RDS for MySQL supports two types of accounts: privileged accounts and standard accounts. You can manage all the accounts and databases of your RDS instance by using the ApsaraDB RDS console. For more information about the permissions that can be granted to each type of account, see Account permissions.
Note After an account is created, you cannot change the type of the account. However, you can delete the account. Then, you can create an account that has the same username as the deleted account. For more information, see Delete a standard account from an ApsaraDB RDS for MySQL instance.
Account type Description
Privileged account
  • You can create and manage privileged accounts by using the ApsaraDB RDS console or the ApsaraDB RDS API.
  • Only one privileged account is allowed per RDS instance. A privileged account has the permissions to manage all the databases and standard accounts of the RDS instance on which the privileged account is created.
  • A privileged account allows you to manage more permissions at fine-grained levels based on your business requirements. For example, you can grant each standard account the permissions to query specific tables from the RDS instance on which the privileged account is created.
  • A privileged account has the permissions on all the databases of the RDS instance on which the privileged account is created.
  • A privileged account has the permissions to disconnect all the standard accounts of the RDS instance on which the privileged account is created.
Standard account
  • You can create and manage standard accounts by using the ApsaraDB RDS console, ApsaraDB RDS API, or SQL statements.
  • More than one standard account is allowed per RDS instance. The maximum number of standard accounts that are allowed varies based on the minor engine version that is used.
  • You must manually grant the permissions on specific databases to each standard account.
  • A standard account does not have the permissions to create, manage, or disconnect other accounts of the RDS instance on which the standard account is created.
Account type Maximum number of databases Maximum number of tables Maximum number of accounts
Privileged account Unlimited < 200,000 Varies based on the minor engine version.
Standard account 500 < 200,000 Varies based on the minor engine version.
Note After a privileged account is created, the maximum number of databases that can be created by using standard accounts is unlimited.

FAQ

  • After I create accounts on my primary RDS instance, can I manage the accounts from the read-only RDS instances?

    No, although the accounts created on your primary RDS instance are synchronized to the read-only RDS instances, you cannot manage the accounts from the read-only RDS instances. The accounts only have the permissions to read data from the read-only instances.

  • Can I manage accounts at fine-grained levels, such as the source IP address and table levels?

    For more information, see Limit permissions of a specific IP address on a database and Authorize accounts to manage tables, views, and fields.

  • Does ApsaraDB RDS provide accounts that are equivalent to root or superuser accounts?

    No, ApsaraDB RDS does not provide accounts that are equivalent to root or superuser accounts. This allows you to protect your RDS instance from data loss and leaks that are caused by unintentional operations.

References