This topic describes how to create an account that is used to manage databases on an ApsaraDB RDS for MySQL instance.

You can create RAM users under your Alibaba Cloud account and grant them permissions on specific RDS instances. For more information, see Create a RAM user.

Prerequisites

An ApsaraDB RDS for MySQL instance is created. For more information, see Create an ApsaraDB RDS for MySQL instance.

Account types

ApsaraDB RDS for MySQL supports two types of database accounts: privileged and standard. You can manage all your accounts and databases in the ApsaraDB for RDS console. For more information about the permissions that can be granted to each type of account, see Account permissions.
Note: The type of an account cannot be changed. You can delete an account and then create a new one with the same account name. For more information, see Delete an account for an RDS MySQL instance.
Account type Description
Privileged account
  • You can create and manage privileged accounts by using the ApsaraDB for RDS console or API operations.
  • You can create only one privileged account per instance and then use the privileged account to manage all standard accounts and databases on that instance.
  • A privileged account enables you to manage permissions at a finer level. For example, you can grant query permissions on specific tables to standard accounts.
  • A privileged account has all permissions on all the databases of the instance on which it is created.
  • A privileged account has permissions to disconnect all standard accounts on the instance on which it is created.
Standard account
  • You can create and manage standard accounts by using the ApsaraDB for RDS console, API operations, or SQL statements.
  • You can create more than one standard account per instance. The maximum number of standard accounts allowed varies based on the database engine kernel you use.
  • You must manually grant permissions on specific databases to standard accounts.
  • A standard account does not have permissions to create, manage, or disconnect other accounts on the instance on which it is created.

Account type | Number of databases | Number of tables | Number of accounts
Privileged account | Unlimited | < 200,000 | Varies based on the kernel parameter settings of the instance
Standard account | 500 | < 200,000 | Varies based on the kernel parameter settings of the instance

Create a privileged account

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Accounts.
  5. Click Create Account.
  6. Configure the following parameters.
    Database Account: Enter the username of the account. The username must meet the following requirements:

    • The username must be 2 to 16 characters in length.
    • The username must start with a letter and end with a letter or digit.
    • The username can contain lowercase letters, digits, and underscores (_).
    • The username cannot be the same as the username of an existing account.

    Account Type: Select Privileged Account.

    Password: Enter the password of the account. The password must meet the following requirements:

    • The password must be 8 to 32 characters in length.
    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • Special characters include ! @ # $ % ^ & * ( ) _ + - =

    Confirm Password: Enter the password of the account again.

    Description: Enter a description that helps identify the account. The description can be up to 256 characters in length.
  7. Click OK.

Reset the permissions of a privileged account

If the privileged account of your RDS instance encounters an exception, for example, its permissions are accidentally revoked, follow these steps to restore the permissions:

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Accounts.
  5. Find the privileged account, and click Reset Permissions in the Actions column.
  6. Enter the password of the privileged account to reset the account permissions.

Create a standard account

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Accounts.
  5. Click Create Account.
  6. Configure the following parameters.
    Database Account: Enter the username of the account. The username must meet the following requirements:

    • The username must be 2 to 16 characters in length.
    • The username must start with a letter and end with a letter or digit.
    • The username can contain lowercase letters, digits, and underscores (_).

    Account Type: Select Standard Account.

    Authorized Databases: Select one or more databases on which you want to grant permissions to the account. You can leave this parameter empty, because you have the option to grant the account the permissions on specific databases after you create the account.

    1. Select one or more databases from the Unauthorized Databases box and click Add to add them to the Authorized Databases box.
    2. In the Authorized Databases box, select the Read/Write, Read-only, DDL Only, or DML Only permissions on each authorized database.

      If you want to grant the same permissions on more than one authorized database simultaneously, select the authorized databases and click the button in the upper-right corner. For example, click Set All to Read/Write.

      Note: The button in the upper-right corner changes as you click it. For example, after you click Set All to Read/Write, the button changes to Set All to Read-only.

    Password: Enter the password of the account. The password must meet the following requirements:

    • The password must be 8 to 32 characters in length.
    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • Special characters include ! @ # $ % ^ & * ( ) _ + - =

    Confirm Password: Enter the password of the account again.

    Description: Optional. Enter a description that helps identify the account. The description can be up to 256 characters in length.
  7. Click OK.

FAQ

  • Can I configure an account so it is only accessible from an internal network?

    This configuration is not supported in the ApsaraDB for RDS console. You must use SQL statements to specify the IP addresses from which an account can log on. For more information, see Limit permissions of a specific IP address on a database.

  • Can I manage accounts at finer levels such as the table level?

    This configuration is not supported in the ApsaraDB for RDS console. You must use SQL statements to manage accounts at finer levels. For more information, see Authorize accounts to manage tables, views, and fields.
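
The two FAQ answers above, shown as SQL in an added example (not taken from the ApsaraDB documentation): a standard account that can log on only from an internal address range and that holds only table-level and column-level privileges. The account name, password, database, tables, columns, and the 10.% range are placeholders, and the statements assume you are connected as the privileged account.

```sql
-- Added example. Every name and value here is a placeholder (assumption):
--   account  : report_ro
--   database : appdb, tables orders and customers
--   range    : 10.%  (clients whose IP address starts with "10.")

-- 1. Restrict where the account can log on from.
--    In MySQL an account is the pair 'user'@'host'; the host part is
--    matched against the client address when the connection is made.
CREATE USER 'report_ro'@'10.%' IDENTIFIED BY 'Replace_With_Strong_Pw1';

-- 2. Table-level privilege: read-only on one table, nothing else in appdb.
GRANT SELECT ON appdb.orders TO 'report_ro'@'10.%';

-- 3. Column-level privilege: expose only the non-sensitive columns
--    of a second table.
GRANT SELECT (id, display_name) ON appdb.customers TO 'report_ro'@'10.%';

-- 4. Check that no account with the same username and a broader host
--    (for example '%') exists. Such a row is a separate account that
--    accepts logons from any address and is not bound by the 10.% limit.
--    (Assumes the privileged account is allowed to read mysql.user.)
SELECT user, host
FROM mysql.user
WHERE user = 'report_ro';

-- 5. Confirm the effective privileges. The expected result is USAGE plus
--    the two SELECT grants above and nothing at the *.* or appdb.* level.
SHOW GRANTS FOR 'report_ro'@'10.%';

-- 6. To withdraw access later, revoke per object or drop the account.
REVOKE SELECT ON appdb.orders FROM 'report_ro'@'10.%';
DROP USER 'report_ro'@'10.%';
```

The host restriction is enforced by the database engine and applies in addition to the instance's network-level access controls.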

Related operations

Operation | Description
CreateAccount | Creates an account to manage databases on an ApsaraDB for RDS instance.