This topic describes how to create an account on an ApsaraDB RDS for PostgreSQL instance.

Account types

ApsaraDB RDS for PostgreSQL instances support two types of accounts: privileged accounts and standard accounts. The following table describes these types of accounts.

Account types Description
Privileged account
  • You can create and manage privileged accounts in the ApsaraDB RDS console or by using the ApsaraDB RDS API.
  • If your RDS instance is equipped with local SSDs, you can create one privileged account. If your RDS instance is equipped with standard SSDs or enhanced SSDs (ESSDs), you can create multiple privileged accounts. A privileged account allows you to manage all standard accounts and databases that are created on your RDS instance.
  • A privileged account has more permissions than a standard account. You can use these permissions to manage your RDS instance at a finer granularity. For example, you can grant the query permissions on different tables to different users.
  • A privileged account has the permissions to disconnect any accounts that are created on your RDS instance.
Note
  • The first privileged account that you create is the owner of the default public schema of a standard system database named template1.
  • By default, the CREATE DATABASE statement creates a database by replicating the template1 system database. The first privileged account is the owner of every database that this statement creates from the template1 system database.
  • The comment of the first privileged account starts with "template1 public schema owner."
Standard account
  • You can create and manage standard accounts in the ApsaraDB RDS console, by using the ApsaraDB RDS API, or by executing SQL statements.
  • You can create more than one standard account on your RDS instance.
  • You must grant the permissions on specific databases to each standard account.
  • A standard account does not have the permissions to create, manage, or disconnect other accounts on your RDS instance.

Precautions:

  • If your RDS instance is equipped with local SSDs, you can create one privileged account in the ApsaraDB RDS console. After the privileged account is created, it cannot be deleted. You can also create and manage multiple standard accounts by executing SQL statements.
  • If your RDS instance is equipped with standard SSDs or ESSDs, you can create multiple privileged accounts and multiple standard accounts in the ApsaraDB RDS console. You can also create and manage multiple standard accounts by executing SQL statements.
  • To migrate data from an on-premises database to your RDS instance, you must create a database and an account on your RDS instance. Make sure that the created database has the same properties as the on-premises database. Also, make sure that the created account has the same permissions on the created database as the account that is authorized to manage the on-premises database.
  • Follow the least privilege principle to create accounts and grant them read-only permissions or read/write permissions on specific databases based on your business requirements. If necessary, you can create multiple accounts and grant each account only the permissions to access the data of specific databases within its authorized workloads. If an account does not need to write data to a database, you must grant only the read-only permissions on the database to the account.
  • For security purposes, we recommend that you specify strong passwords for the accounts on your RDS instance and change the passwords on a regular basis.

Create an account for an RDS instance that uses standard SSDs or enhanced SSDs

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Accounts.
  3. Click Create Account.
  4. Configure the following parameters.
    Parameter Description
    Database Account:
    • The username of the account must be 2 to 63 characters in length.
    • The username of the account can contain lowercase letters, digits, and underscores (_).
    • The username of the account must start with a lowercase letter and end with a lowercase letter or digit.
    • The username of the account cannot be the same as the username of an existing account.
    Account Type: Specify the type of the account. Two types of accounts are supported: privileged accounts and standard accounts.
    • A privileged account has all operation permissions on all databases.
    • A standard account has all operation permissions only on its authorized databases.
    Note The operation permissions include SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, and TRIGGER.
    Password:
    • The password of the account must be 8 to 32 characters in length.
    • The password of the account must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • The password can contain any of the following special characters: ! @ # $ % ^ & * ( ) _ + - =
    Confirm Password: Enter the password of the account again.
    Description: The description of the database.
  5. Click OK.

Create an account for an RDS instance that uses local SSDs

Note If your RDS instance is equipped with local SSDs, you can create only one privileged account, and the privileged account cannot be deleted. If you want to delete the existing privileged account and create a new one, you must submit a ticket. We recommend that you upgrade the major engine version of your RDS instance. After the major engine version is upgraded, you can manage the accounts of your RDS instance in a more flexible manner. For more information, see Upgrade the major engine version of an ApsaraDB RDS for PostgreSQL instance.
  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Accounts.
  3. Click Create Privileged Account.
  4. Configure the following parameters.
    Parameter Description
    Database Account:
    • The username of the account must be 2 to 16 characters in length.
    • The username of the account can contain lowercase letters, digits, and underscores (_).
    • The username of the account must start with a lowercase letter and end with a lowercase letter or digit.
    • The username of the account cannot be the same as the username of an existing account.
    Password:
    • The password of the account must be 8 to 32 characters in length.
    • The password of the account must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • The password can contain any of the following special characters: ! @ # $ % ^ & * ( ) _ + - =
    Confirm Password: Enter the password of the account again.
  5. Click OK.
    Note After you complete the preceding steps, a privileged account is created. For more information about how to create a standard account, see the following steps.
  6. In the upper-right corner of the page, click Log On to Database to go to the RDS Database Logon page.
  7. Configure the following parameters.
    Parameter Description
    Databases Account: Enter the username of the account that is authorized to log on to the RDS instance.
    Database Password: The password of the account that is used to access the database.
  8. Click Login.
    Note If the system prompts you to add the CIDR block of the Alibaba Cloud Data Management (DMS) server to an IP address whitelist of the RDS instance, click Configure Whitelist.
  9. After you log on to the RDS instance, choose SQL Console in the top navigation bar.
  10. In the SQL window, execute the following statement to create a standard account:
    CREATE USER name [ [ WITH ] option [ ... ] ]
    where option can be:
       SUPERUSER | NOSUPERUSER
     | CREATEDB | NOCREATEDB
     | CREATEROLE | NOCREATEROLE
     | CREATEUSER | NOCREATEUSER
     | INHERIT | NOINHERIT
     | LOGIN | NOLOGIN
     | REPLICATION | NOREPLICATION
     | CONNECTION LIMIT connlimit
     | [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password'
     | VALID UNTIL 'timestamp'
     | IN ROLE role_name [, ...]
     | IN GROUP role_name [, ...]
     | ROLE role_name [, ...]
     | ADMIN role_name [, ...]
     | USER role_name [, ...]
     | SYSID uid

    For example, if you want to create an account named test2 with the password 123456, execute the following statement:

    create user test2 password '123456';
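
The precautions above ask for least-privilege accounts with read-only permissions where writes are not needed. The following is an added example, not part of the original page, of a standard account created that way in the SQL Console; the database appdb, the schema public, the account report_ro, the expiry date and the password placeholder are all assumptions to replace with your own values.

```sql
-- Added example, not from the original page.
-- Assumed names: database appdb, schema public, account report_ro.
-- Run as the privileged account; steps 3 to 5 run while connected to appdb.

-- 1. A login account with no administrative attributes, a cap on concurrent
--    sessions, and a password expiry that forces rotation.
CREATE USER report_ro WITH
    LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION
    CONNECTION LIMIT 5
    VALID UNTIL '2030-01-01'                    -- constructed expiry date
    PASSWORD '<replace-with-strong-password>';  -- placeholder, not a real value

-- 2. By default, PostgreSQL grants CONNECT on every database to PUBLIC.
--    Remove that default, then allow only the accounts that need appdb.
--    Other accounts that relied on the default need their own GRANT CONNECT.
REVOKE CONNECT ON DATABASE appdb FROM PUBLIC;
GRANT CONNECT ON DATABASE appdb TO report_ro;

-- 3. Before PostgreSQL 15, PUBLIC may also create objects in schema public,
--    which would let a "read-only" account write. Remove that as well.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO report_ro;

-- 4. Read access to the tables that exist now ...
GRANT SELECT ON ALL TABLES IN SCHEMA public TO report_ro;
-- ... and to tables the current account creates in this schema later.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO report_ro;

-- 5. Verify the result: role attributes first, then effective privileges.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole,
       rolconnlimit, rolvaliduntil
FROM pg_roles
WHERE rolname = 'report_ro';

SELECT has_database_privilege('report_ro', 'appdb', 'CONNECT') AS can_connect,
       has_schema_privilege('report_ro', 'public', 'USAGE') AS can_use_schema,
       has_schema_privilege('report_ro', 'public', 'CREATE') AS can_create;
```

For a read-only account, the last query should report that the account can connect and use the schema but cannot create objects in it.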

Related operations

Operation Description
CreateAccount: Creates an account that is used to manage the databases of an ApsaraDB RDS instance.