This topic describes how to create an account that is used to manage the databases of an ApsaraDB RDS for MySQL instance.

Prerequisites

An RDS instance that runs MySQL is created. For more information, see Create an ApsaraDB RDS for MySQL instance.

Note You can create Resource Access Management (RAM) users within your Alibaba Cloud account and grant the permissions on specific RDS instances to the RAM users. For more information, see Create a RAM user.

Account types

ApsaraDB RDS for MySQL supports two types of accounts: privileged accounts and standard accounts. You can manage all the accounts and databases of your RDS instance by using the ApsaraDB RDS console. For more information about the permissions that can be granted to each type of account, see Account permissions.
Note After an account is created, you cannot change the type of the account. However, you can delete the account. Then, you can create an account that has the same username as the deleted account. For more information, see Delete a standard account from an ApsaraDB RDS for MySQL instance.
Account type Description
Privileged account
  • You can create and manage privileged accounts by using the ApsaraDB RDS console or the ApsaraDB RDS API.
  • Only one privileged account is allowed per RDS instance. A privileged account has the permissions to manage all the databases and standard accounts of the RDS instance on which the privileged account is created.
  • A privileged account allows you to manage more permissions at fine-grained levels based on your business requirements. For example, you can grant each standard account the permissions to query specific tables from the RDS instance on which the privileged account is created.
  • A privileged account has the permissions on all the databases of the RDS instance on which the privileged account is created.
  • A privileged account has the permissions to disconnect all the standard accounts of the RDS instance on which the privileged account is created.
Standard account
  • You can create and manage standard accounts by using the ApsaraDB RDS console, ApsaraDB RDS API, or SQL statements.
  • More than one standard account is allowed per RDS instance. The maximum number of standard accounts that are allowed varies based on the minor engine version that is used.
  • You must manually grant the permissions on specific databases to each standard account.
  • A standard account does not have the permissions to create, manage, or disconnect other accounts of the RDS instance on which the standard account is created.
Account type | Maximum number of databases | Maximum number of tables | Maximum number of accounts
Privileged account | Unlimited | < 200,000 | Varies based on the minor engine version.
Standard account | 500 | < 200,000 | Varies based on the minor engine version.
Note After a privileged account is created, the maximum number of databases that can be created by using standard accounts is unlimited.

Create a privileged account

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Accounts.
  3. On the Accounts tab of the page that appears, click Create Account.
  4. Configure the following parameters.
    Parameter Description
    Database Account

    Enter the username of the account. The username must meet the following requirements:

    • If your RDS instance runs MySQL 5.6, the username must be 2 to 16 characters in length. If your RDS instance runs MySQL 8.0 or MySQL 5.7, the username must be 2 to 32 characters in length.
    • The username must start with a lowercase letter and end with a lowercase letter or digit.
    • The username can contain lowercase letters, digits, and underscores (_).
    • The username cannot be the same as the username of an existing account.
    Account Type Specify the type of the account. Select Privileged Account.
    Password

    Enter the password of the account. The password must meet the following requirements:

    • The password must be 8 to 32 characters in length.
    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • The password can contain the following special characters:

      ! @ # $ % ^ & * ( ) _ + - =

    Note If your RDS instance runs MySQL 8.0, you can use the validate_password plug-in to configure the following password policies based on your business requirements:
    • validate_password_policy: specifies the strength of the password.
    • validate_password_dictionary_file: specifies the path of the dictionary file. After you specify this password policy, the password must meet the rules that are provided in the dictionary file.
    • validate_password_length: specifies the length of the password.
    • validate_password_number_count: specifies the number of digits that are required in the password.
    • validate_password_mixed_case_count: specifies the number of uppercase letters and lowercase letters that are required in the password.
    • validate_password_special_char_count: specifies the number of special characters that are required in the password.
    For more information, see Password Validation Options and Variables.
    Confirm Password Enter the password of the account again.
    Description Enter a description that is used to identify the account. The description can be up to 256 characters in length.
  5. Click Create.

Reset the permissions of a privileged account

If the privileged account of your RDS instance encounters exceptions, for example, the permissions are accidentally revoked, you can perform the following steps to reset the permissions:

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Accounts.
  3. Find the account whose Account Type is Privileged Account. Then, click Reset Permissions in the Actions column.
  4. In the dialog box that appears, enter the password of the privileged account and click OK.

Create a standard account

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Accounts.
  3. On the Accounts tab of the page that appears, click Create Account.
  4. Configure the following parameters.
    Parameter Description
    Database Account

    Enter the username of the account. The username must meet the following requirements:

    • If your RDS instance runs MySQL 5.6, the username must be 2 to 16 characters in length. If your RDS instance runs MySQL 8.0 or MySQL 5.7, the username must be 2 to 32 characters in length.
    • The username must start with a lowercase letter and end with a lowercase letter or digit.
    • The username can contain lowercase letters, digits, and underscores (_).
    • The username cannot be the same as the username of an existing account.
    Account Type Specify the type of the account. Select Standard Account.
    Authorized Databases Specify the authorized databases of the account. You can specify one or more authorized databases. You can leave this parameter unspecified. In this case, you can grant the permissions on specific databases to the account after the account is created.
    1. In the Unauthorized Databases section, select one or more databases. Then, click the > icon to move the selected databases to the Authorized Databases section.
    2. In the Authorized Databases section, select the Read/Write (DDL + DML), Read-only, DDL Only, or DML Only permissions for each authorized database.

      If you want to grant the same permissions on more than one authorized database at a time, select the authorized databases and click the Set All to button in the upper-right corner of the Authorized Databases section. For example, you can click the button to grant the Read/Write (DDL + DML) permissions on the selected authorized databases.

      Note For more information, see Account permissions.
    Password

    Enter the password of the account. The password must meet the following requirements:

    • The password must be 8 to 32 characters in length.
    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • The password can contain the following special characters:

      ! @ # $ % ^ & * ( ) _ + - =

    Note If your RDS instance runs MySQL 8.0, you can use the validate_password plug-in to configure the following password policies based on your business requirements:
    • validate_password_policy: specifies the strength of the password.
    • validate_password_dictionary_file: specifies the path of the dictionary file. After you specify this password policy, the password must meet the rules that are provided in the dictionary file.
    • validate_password_length: specifies the length of the password.
    • validate_password_number_count: specifies the number of digits that are required in the password.
    • validate_password_mixed_case_count: specifies the number of uppercase letters and lowercase letters that are required in the password.
    • validate_password_special_char_count: specifies the number of special characters that are required in the password.
    For more information, see Password Validation Options and Variables.
    Confirm Password Enter the password of the account again.
    Description Enter a description that is used to identify the account. The description can be up to 256 characters in length.
  5. Click Create.

FAQ

  • Can I configure an account to have only the permissions to access my RDS instance over an internal network?

    Yes, you can use SQL statements to specify the source IP address from which an account can access your RDS instance. For more information, see Limit permissions of a specific IP address on a database. However, this operation is not supported in the ApsaraDB RDS console.

  • Can I configure the permissions of an account at finer-grained levels, such as the table level?

    Yes, you can use SQL statements to manage the permissions of an account at finer-grained levels. For more information, see Authorize accounts to manage tables, views, and fields. However, this operation is not supported in the ApsaraDB RDS console.
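
The two FAQ answers above, combined into one least-privilege setup. This is an added example, not taken from the ApsaraDB RDS documentation. It assumes the statements run as the privileged account and that this account may read grant metadata. The account name report_ro, the database appdb, its tables and columns, and the 10.0.0.0/16 range are hypothetical.

```sql
-- Added example. Hypothetical names: report_ro, appdb, orders, customers.
-- Replace the placeholder password with one that meets the rules listed above.

-- 1. Create a standard account that can connect only from the internal range.
--    The host part of a MySQL account name limits the client source address.
--    The ip/netmask form matches IP addresses only, never resolved host names.
CREATE USER 'report_ro'@'10.0.0.0/255.255.0.0'
  IDENTIFIED BY '<placeholder-password>';

-- 2. Table level: read-only access to a single table instead of the whole database.
GRANT SELECT ON appdb.orders
  TO 'report_ro'@'10.0.0.0/255.255.0.0';

-- 3. Column level: expose only the non-sensitive columns of a second table.
GRANT SELECT (id, region, created_at) ON appdb.customers
  TO 'report_ro'@'10.0.0.0/255.255.0.0';

-- 4. Check the result. The output should list USAGE ON *.* plus the two
--    SELECT grants above, and nothing at database or global scope.
SHOW GRANTS FOR 'report_ro'@'10.0.0.0/255.255.0.0';

-- 5. Review: every table-level and column-level privilege held by the account.
SELECT grantee, table_schema, table_name, NULL AS column_name, privilege_type
FROM information_schema.table_privileges
WHERE grantee LIKE '''report_ro''@%'
UNION ALL
SELECT grantee, table_schema, table_name, column_name, privilege_type
FROM information_schema.column_privileges
WHERE grantee LIKE '''report_ro''@%'
ORDER BY table_schema, table_name, column_name;

-- 6. Rollback for the example: removes the account and all of its grants.
-- DROP USER 'report_ro'@'10.0.0.0/255.255.0.0';
```

An account with the same username but a different host part (for example 'report_ro'@'%') is a separate MySQL account with its own grants, so the review query in step 5 matches on the username across all hosts.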

Related operations

Operation | Description
CreateAccount | Creates an account that is used to manage the databases of an ApsaraDB RDS instance.