This topic describes how to create accounts and databases for an ApsaraDB RDS for MySQL instance.

For more information about how to create accounts and databases for RDS instances that run other database engines, see the following topics:

Account types

ApsaraDB RDS for MySQL supports two types of accounts: privileged accounts and standard accounts. You can manage all accounts and databases of your RDS instance in the ApsaraDB for RDS console. For more information about the permissions that can be granted to each type of account, see Account permissions.
Note: After you create an account, you cannot change the account type. However, you can delete the account and then create an account with the same username. For more information, see Delete a standard account from an ApsaraDB RDS for MySQL instance.
Account type Description
Privileged account
  • You can create and manage privileged accounts by using the ApsaraDB for RDS console or the API.
  • Only one privileged account is allowed per RDS instance. A privileged account has the permissions to manage all databases and standard accounts of the RDS instance where the privileged account is created.
  • A privileged account allows you to manage permissions at fine-grained levels. For example, you can grant each standard account the permissions to query specific tables of the RDS instance where the privileged account is created.
  • A privileged account has all the permissions on the databases of the RDS instance where the privileged account is created.
  • A privileged account has permissions to disconnect all the standard accounts of the RDS instance where the privileged account is created.
Standard account
  • You can create and manage standard accounts by using the ApsaraDB for RDS console, API, or SQL statements.
  • More than one standard account is allowed per RDS instance. The maximum number of standard accounts that are allowed varies based on the database engine that is used.
  • You must manually grant the permissions on specific databases to each standard account.
  • A standard account does not have the permissions to create, manage, or disconnect other accounts of the RDS instance where the standard account is created.

Account type | Maximum number of databases | Maximum number of tables | Maximum number of accounts
Privileged account | Unlimited | < 200,000 | Varies based on the database engine parameter settings.
Standard account | 500 | < 200,000 | Varies based on the database engine parameter settings.

Comparison between privileged and superuser accounts

To reduce unintentional operations that may interrupt your workloads, ApsaraDB RDS for MySQL does not provide a superuser account. Only a privileged account is provided for you to manage all of the databases and standard accounts that are created on your RDS instance.

Privileged account

  • The privileged account is granted the highest permissions. For more information, see Permissions of various accounts.
  • The privileged account has the permissions to disconnect all standard accounts.

Superuser account

  • The superuser account has the permissions to close the connections for all queries.
  • The superuser account has the permissions to modify global variables by executing the SET statement.
  • The superuser account has the permissions to execute the CHANGE MASTER and PURGE MASTER LOGS statements.
  • The superuser account has the permissions to edit the files on the physical server that hosts your RDS instance.

Create a privileged account

  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
  3. Find your RDS instance and click its ID.
  4. In the left-side navigation pane, click Accounts.
  5. Click Create Account.
  6. Configure the following parameters.
    Parameter Description
    Database Account:

    Enter the username of the account. The username must meet the following requirements:

    • The username must be 2 to 16 characters in length.
    • The username must start with a lowercase letter and end with a lowercase letter or digit.
    • The username can contain lowercase letters, digits, and underscores (_).
    Account Type: Select the type of the account. You must select Privileged Account.
    Password:

    Enter the password of the account. The password must meet the following requirements:

    • The password must be 8 to 32 characters in length.
    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • Special characters include ! @ # $ % ^ & * ( ) _ + - =
    Confirm Password: Enter the password of the account again.
    Description: Enter a description that helps identify the account. The description can be up to 256 characters in length.
  7. Click OK.

Create a standard account

  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
  3. Find your RDS instance and click its ID.
  4. In the left-side navigation pane, click Accounts.
  5. Click Create Account.
  6. Configure the following parameters.
    Parameter Description
    Database Account:

    Enter the username of the account. The username must meet the following requirements:

    • The username must be 2 to 16 characters in length.
    • The username must start with a lowercase letter and end with a lowercase letter or digit.
    • The username can contain lowercase letters, digits, and underscores (_).
    Account Type: Select the type of the account. You must select Standard Account.
    Authorized Databases: Select the authorized databases of the account. You can leave this parameter empty because you can grant the permissions on a database to the account when you create the database.
    1. In the left-side section, select one or more databases. Then, click the > icon to move the selected databases to the right-side section.
    2. In the right-side section, specify the Read/Write (DDL + DML), Read-only, DDL Only, or DML Only permissions on each selected database.
    Password:

    Enter the password of the account. The password must meet the following requirements:

    • The password must be 8 to 32 characters in length.
    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • Special characters include ! @ # $ % ^ & * ( ) _ + - =
    Confirm Password: Enter the password of the account again.
    Description: Enter a description that helps identify the account. The description can be up to 256 characters in length.
  7. Click OK.

Create a database

  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
  3. Find your RDS instance and click its ID.
  4. In the left-side navigation pane, click Databases.
  5. Click Create Database.
  6. Configure the following parameters.
    Parameter Description
    Database Name:
    • The name of the database must be 2 to 64 characters in length.
    • The name of the database must start with a lowercase letter and end with a lowercase letter or digit.
    • The name of the database can contain lowercase letters, digits, underscores (_), and hyphens (-).
    • The name of the database must be unique within the RDS instance.
    Supported Character Sets: Select the character set that is supported by the RDS instance.
    Authorized Account: Select the authorized account of the database. You can leave this parameter empty because you can grant the permissions on a database to an account after you create the database.
    Note: Only standard accounts (Standard Account) are displayed. The privileged account has all permissions on all of the databases created on the RDS instance and does not require authorization.
    Account Type: Select the permissions that you want to grant on the database to the specified account. The supported permissions are Read/Write, Read-only, DDL Only, and DML Only.
    Description: Enter a description that helps identify the account. The description can be up to 256 characters in length.
  7. Click Create.

Permissions of various accounts

Account type | Permission | Operation
Privileged account | N/A | SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER
Standard account | Read-only | SELECT, LOCK TABLES, SHOW VIEW, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT
Standard account | Read/Write | SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT
Standard account | DDL Only | CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT
Standard account | DML Only | SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, SHOW VIEW, EVENT, TRIGGER, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT
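
The permission levels in the table above can be used to check what a standard account actually holds. The following Python code is an added example, not part of the ApsaraDB documentation or tooling: it compares SHOW GRANTS output against the privilege set of a permission level and reports anything beyond it. The account report_ro, the database appdb, the table orders, the function names, and the sample grant lines are constructed for illustration, and the code assumes grant lines in the standard MySQL SHOW GRANTS format.

```python
import re

def _privs(text):
    return {p.strip() for p in text.split(",") if p.strip()}

# Privileges that every standard-account level holds in the table above.
_COMMON = _privs("LOCK TABLES, SHOW VIEW, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT")
# Permission level -> privileges, transcribed from the table above.
LEVELS = {
    "Read-only": _COMMON | {"SELECT"},
    "Read/Write": _COMMON | _privs(
        "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, "
        "CREATE TEMPORARY TABLES, EXECUTE, CREATE VIEW, CREATE ROUTINE, "
        "ALTER ROUTINE, EVENT, TRIGGER"),
    "DDL Only": _COMMON | _privs(
        "CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, "
        "CREATE ROUTINE, ALTER ROUTINE"),
    "DML Only": _COMMON | _privs(
        "SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES, EXECUTE, "
        "EVENT, TRIGGER"),
}

GRANT_RE = re.compile(r"^GRANT (.+) ON (.+?) TO (.+?)( WITH GRANT OPTION)?$")

def excess_privileges(grant_lines, level):
    """Return sorted (scope, privilege) pairs not covered by `level`."""
    allowed, excess = LEVELS[level], set()
    for line in grant_lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue  # skip anything that is not a GRANT statement
        priv_text, scope, _grantee, grant_opt = m.groups()
        priv_text = re.sub(r"\s*\([^)]*\)", "", priv_text)  # drop column lists
        granted = _privs(priv_text) - {"USAGE"}  # USAGE means no privileges
        if grant_opt:
            granted.add("GRANT OPTION")
        excess.update((scope, p) for p in granted - allowed)
    return sorted(excess)

# Constructed SHOW GRANTS output for the hypothetical account report_ro,
# which is meant to hold only the Read-only level on appdb.
SAMPLE = [
    "GRANT PROCESS, REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO `report_ro`@`%`",
    "GRANT SELECT, LOCK TABLES, SHOW VIEW ON `appdb`.* TO `report_ro`@`%`",
    "GRANT SELECT, UPDATE (`status`) ON `appdb`.`orders` TO `report_ro`@`%` WITH GRANT OPTION",
]

if __name__ == "__main__":
    for scope, priv in excess_privileges(SAMPLE, "Read-only"):
        print(f"exceeds Read-only: {priv} on {scope}")
```

The check compares privilege names only; the scope in each returned pair still has to be compared with the databases that the account is authorized for.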

FAQ

  • Can I manage the accounts created on my primary RDS instance from its read-only RDS instances?

    No, although the accounts created on your primary RDS instance are synchronized to its read-only RDS instances, you cannot manage the accounts on the read-only RDS instances. The accounts only have the read permissions on the read-only RDS instances.

  • Can I manage accounts at fine-grained levels, such as the source IP address and table levels?

    Yes, after you connect to your RDS instance, you can use commands to manage accounts at fine-grained levels, such as the source IP address and table levels.

  • Does ApsaraDB for RDS provide a superuser account such as the root user?

    No, ApsaraDB for RDS does not provide a superuser account such as the root user. This protects your RDS instance from damage, such as data loss and leakage, that is caused by unintentional operations.

Related operations

Operation | Description
Create account | Creates an account for an ApsaraDB for RDS instance.
Create database | Creates a database for an ApsaraDB for RDS instance.