This topic describes how to create an account that is used to manage the databases of an ApsaraDB RDS for MySQL instance.

Prerequisites

An RDS instance is created. For more information, see Create an ApsaraDB RDS for MySQL instance.

Note: You can create RAM users under your Alibaba Cloud account and grant the permissions on specific RDS instances to the RAM users. For more information, see Create a RAM user.

Account types

ApsaraDB RDS for MySQL supports two types of accounts: privileged accounts and standard accounts. You can manage all accounts and databases of your RDS instance in the ApsaraDB for RDS console. For more information about the permissions that can be granted to each type of account, see Account permissions.
Note: After you create an account, you cannot change the account type. However, you can delete the account and then create an account with the same username. For more information, see Delete an account for an RDS MySQL instance.
Account type Description
Privileged account
  • You can create and manage privileged accounts by using the ApsaraDB for RDS console or the API.
  • Only one privileged account is allowed per RDS instance. A privileged account has the permissions to manage all databases and standard accounts of the RDS instance where the privileged account is created.
  • A privileged account allows you to manage permissions at fine-grained levels. For example, you can grant each standard account the permissions to query specific tables of the RDS instance where the privileged account is created.
  • A privileged account has all the permissions on the databases of the RDS instance where the privileged account is created.
  • A privileged account has permissions to disconnect all the standard accounts of the RDS instance where the privileged account is created.
Standard account
  • You can create and manage standard accounts by using the ApsaraDB for RDS console, API, or SQL statements.
  • More than one standard account is allowed per RDS instance. The maximum number of standard accounts that are allowed varies based on the database engine that is used.
  • You must manually grant the permissions on specific databases to each standard account.
  • A standard account does not have the permissions to create, manage, or disconnect other accounts of the RDS instance where the standard account is created.
Account type | Maximum number of databases | Maximum number of tables | Maximum number of accounts
Privileged account | Unlimited | < 200,000 | Varies based on the database engine parameter settings.
Standard account | 500 | < 200,000 | Varies based on the database engine parameter settings.

Create a privileged account

  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target instance and click the instance ID.
  4. In the left-side navigation pane, click Accounts.
  5. Click Create Account.
  6. Configure the following parameters.
    Database Account: Enter the username of the account. The username of the account must meet the following requirements:

    • If the RDS instance runs MySQL 5.6, the username of the account must be 2 to 16 characters in length. If the RDS instance runs MySQL 5.7 or 8.0, the username of the account must be 2 to 32 characters in length.
    • The username of the account must start with a letter and end with a letter or digit.
    • The username of the account can contain lowercase letters, digits, and underscores (_).
    • The username of the account cannot be the same as the username of an existing account.

    Account Type: Specify the type of the account. Select Privileged Account.

    Password: Enter the password of the account. The password of the account must meet the following requirements:

    • The password of the account must be 8 to 32 characters in length.
    • The password of the account must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • Special characters include: ! @ # $ % ^ & * ( ) _ + - =

    Confirm Password: Enter the password of the account again.

    Description: Enter a description that helps identify the account. The description can be up to 256 characters in length.
  7. Click OK.

Reset the permissions of a privileged account

If the permissions of a privileged account are accidentally revoked or otherwise become abnormal, perform the following steps to reset the permissions:

  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target instance and click the instance ID.
  4. In the left-side navigation pane, click Accounts.
  5. Find the privileged account and, in the Actions column, click Reset Permissions.
  6. In the dialog box that appears, specify a new password and click OK.

Create a standard account

  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target instance and click the instance ID.
  4. In the left-side navigation pane, click Accounts.
  5. Click Create Account.
  6. Configure the following parameters.
    Database Account: Enter the username of the account. The username of the account must meet the following requirements:

    • If the RDS instance runs MySQL 5.6, the username of the account must be 2 to 16 characters in length. If the RDS instance runs MySQL 5.7 or 8.0, the username of the account must be 2 to 32 characters in length.
    • The username of the account must start with a letter and end with a letter or digit.
    • The username of the account can contain lowercase letters, digits, and underscores (_).
    • The username of the account cannot be the same as the username of an existing account.

    Account Type: Specify the type of the account. Select Standard Account.

    Authorized Databases: Specify the authorized databases of the account. You can specify one or more authorized databases. You can also leave this parameter empty, because you can grant the permissions on specific databases to the account after the account is created.

    1. Select one or more databases from the Unauthorized Databases section and click the right arrow to add the selected databases to the Authorized Databases section.
    2. In the Authorized Databases section, select the Read/Write (DDL + DML), Read-only, DDL Only, or DML Only permissions for each authorized database.

      If you want to grant the same permissions on more than one authorized database at a time, select the authorized databases and click the button in the upper-right corner. For example, click Set All to Read/Write (DDL + DML).

      Note: For more information, see Account permissions.

    Password: Enter the password of the account. The password of the account must meet the following requirements:

    • The password of the account must be 8 to 32 characters in length.
    • The password of the account must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • Special characters include: ! @ # $ % ^ & * ( ) _ + - =

    Confirm Password: Enter the password of the account again.

    Description: Enter a description that helps identify the account. The description can be up to 256 characters in length.
  7. Click OK.

FAQ

  • Can I configure an account so that it can access my RDS instance only over an internal network?

    This configuration is not supported in the ApsaraDB for RDS console. You can use SQL statements to specify the source IP address from which an account can access your RDS instance. For more information, see Limit permissions of a specific IP address on a database.

  • Can I configure the permissions of an account at fine-grained levels, such as the table level?

    This configuration is not supported in the ApsaraDB for RDS console. You can use SQL statements to manage the permissions of an account at fine-grained levels. For more information, see Authorize accounts to manage tables, views, and fields.
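
Both FAQ answers above rely on SQL statements run from the privileged account. The following added example (not part of the original documentation) shows one way to do both in standard MySQL syntax. The account name, subnet, password, database, tables and columns are constructed placeholders, and the last query assumes the account running it can read mysql.user.

```sql
-- Added example. Run as the privileged account.
-- Every name, the subnet and the password below are constructed placeholders.

-- Setup so the grants below have objects to refer to.
CREATE DATABASE IF NOT EXISTS salesdb;
CREATE TABLE IF NOT EXISTS salesdb.orders (
  order_id    INT PRIMARY KEY,
  customer_id INT NOT NULL,
  amount      DECIMAL(10,2) NOT NULL
);
CREATE TABLE IF NOT EXISTS salesdb.customers (
  customer_id INT PRIMARY KEY,
  country     CHAR(2) NOT NULL,
  email       VARCHAR(255) NOT NULL   -- sensitive column, not granted below
);

-- 1. Source-address restriction: the host part of the account name limits
--    where the account may connect from. Here, one internal subnet only.
--    The username follows the console rules (lowercase, starts with a letter).
CREATE USER 'report_ro'@'192.168.1.%'
  IDENTIFIED BY 'CHANGE_ME_Placeholder_1';   -- placeholder, replace before use

-- 2. Table-level permission: read-only access to a single table.
GRANT SELECT ON salesdb.orders TO 'report_ro'@'192.168.1.%';

-- 3. Column-level permission: only the non-sensitive columns of a table.
GRANT SELECT (customer_id, country)
  ON salesdb.customers TO 'report_ro'@'192.168.1.%';

-- 4. Verify exactly what the account holds. Expect USAGE plus the two
--    SELECT grants above and nothing at the database or global level.
SHOW GRANTS FOR 'report_ro'@'192.168.1.%';

-- 5. Review: accounts whose host is '%' accept connections from any address
--    that the instance whitelist allows. Candidates for tightening.
SELECT user, host FROM mysql.user WHERE host = '%' ORDER BY user;

-- 6. Rollback of a grant that turns out to be too broad.
REVOKE SELECT ON salesdb.orders FROM 'report_ro'@'192.168.1.%';
```

In MySQL, 'report_ro'@'192.168.1.%' and 'report_ro'@'%' are distinct accounts, so a host-restricted account gives no protection if an unrestricted account with the same username and password also exists.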

Related operations

Operation | Description
CreateAccount | Creates an account on an ApsaraDB for RDS instance.