ApsaraDB RDS: Create accounts and databases

Last Updated: Feb 28, 2024

Before you can use an ApsaraDB RDS instance, you must create databases and accounts on the RDS instance. This topic describes how to create accounts and databases on an ApsaraDB RDS for SQL Server instance.

Note

For more information about the accounts that you can use in an RDS instance and the roles and permissions of the accounts, see Account permissions in an ApsaraDB RDS for SQL Server instance.

Prerequisites

Standard account and privileged account

An RDS instance is created. For more information, see Create an ApsaraDB RDS for SQL Server instance.

System admin account

  • The RDS instance meets the following requirements:

    • The RDS instance resides in a region other than the China (Zhangjiakou) region.

    • The RDS instance runs RDS Basic Edition, RDS High-availability Edition, or RDS Cluster Edition. If your RDS instance runs RDS High-availability Edition, make sure that the instance runs SQL Server 2012 or later.

    • The RDS instance belongs to a general-purpose or dedicated instance family. The shared instance family is not supported.

    • The RDS instance resides in a virtual private cloud (VPC). For more information about how to change the network type of an RDS instance, see Change the network type of an ApsaraDB RDS for SQL Server instance.

    • The creation time of the RDS instance meets the following requirements:

      • If the RDS instance runs RDS High-availability Edition or RDS Cluster Edition, the instance is created on or after January 01, 2021.

      • If the RDS instance runs RDS Basic Edition, the instance is created on or after September 02, 2022.

      Note

      You can view the Creation Time parameter of an RDS instance in the Status section of the Basic Information page in the ApsaraDB RDS console.

  • An Alibaba Cloud account is used to log on to the RDS instance.

  • The permissions to create a system admin account are granted to the Alibaba Cloud account. If the permissions have been granted, skip this step.

    By default, Alibaba Cloud accounts do not have the permissions to create a system admin account. If this is the first time you create a system admin account, you must perform the following operations to grant the permissions to your Alibaba Cloud account: Log on to the ApsaraDB RDS console and go to the details page of your RDS instance. In the left-side navigation pane of the page that appears, click Accounts. In the upper-right corner of the page that appears, click Enable System Admin Role, read the usage notes, and then click OK.

    Warning
    • After the permissions to create a system admin account are granted to your Alibaba Cloud account, you can create system admin accounts for all RDS instances that belong to your Alibaba Cloud account. The permissions to create the system admin account cannot be disabled or revoked.

    • The system admin account has permissions that are beyond the management scope of ApsaraDB RDS. If you create the system admin account for your RDS instance, the system does not provide the service availability that is specified in the Alibaba Cloud service level agreement (SLA) for the RDS instance. RDS instances for which no system admin accounts are created are not affected.

Host account

  • The RDS instance meets the following requirements:

    • The RDS instance resides in a region other than the China (Zhangjiakou) region.

    • The RDS instance runs RDS Basic Edition, RDS High-availability Edition, or RDS Cluster Edition. If your RDS instance runs RDS High-availability Edition, make sure that the instance runs SQL Server 2012 or later.

    • The RDS instance belongs to a general-purpose or dedicated instance family. The shared instance family is not supported.

    • The RDS instance resides in a virtual private cloud (VPC). For more information about how to change the network type of an RDS instance, see Change the network type of an ApsaraDB RDS for SQL Server instance.

    • The creation time of the RDS instance meets the following requirements:

      • If the RDS instance runs RDS High-availability Edition or RDS Cluster Edition, the instance is created on or after January 01, 2021.

      • If the RDS instance runs RDS Basic Edition, the instance is created on or after September 02, 2022.

      Note

      You can view the Creation Time parameter of an RDS instance in the Status section of the Basic Information page in the ApsaraDB RDS console.

  • An Alibaba Cloud account is used to log on to the RDS instance.

  • If you want to create a system admin account, make sure that the required permissions are granted to your Alibaba Cloud account. This way, the System Admin Account option is displayed on the Create Host Account page.

    By default, Alibaba Cloud accounts do not have the permissions to create a system admin account. If this is the first time you create a system admin account, you must perform the following operations to grant the permissions to your Alibaba Cloud account: Log on to the ApsaraDB RDS console and go to the details page of your RDS instance. In the left-side navigation pane of the page that appears, click Accounts. In the upper-right corner of the page that appears, click Enable System Admin Role, read the usage notes, and then click OK.

    Warning
    • After the permissions to create a system admin account are granted to your Alibaba Cloud account, you can create system admin accounts for all RDS instances that belong to your Alibaba Cloud account. The permissions to create the system admin account cannot be disabled or revoked.

    • The system admin account has permissions that are beyond the management scope of ApsaraDB RDS. If you create the system admin account for your RDS instance, the system does not provide the service availability that is specified in the Alibaba Cloud service level agreement (SLA) for the RDS instance. RDS instances for which no system admin accounts are created are not affected.

Database

An RDS instance is created. For more information, see Create an ApsaraDB RDS for SQL Server instance.

Usage notes

Standard account and privileged account

  • The first account that you create for your RDS instance must be a privileged account. You can create only one privileged account for each RDS instance. The privileged account cannot be deleted in the ApsaraDB RDS console or by calling an API operation.

  • We recommend that you do not use Terraform to create a privileged account. A privileged account cannot be deleted by using Terraform, including one that was created by using Terraform. As a result, you may fail to release or unsubscribe from the RDS instance.

  • Databases that are created on an RDS instance share all the resources that belong to the instance.

  • The account name and database name cannot contain forbidden keywords. For more information, see Forbidden keywords.

  • For security purposes, we recommend that you specify strong passwords for accounts and change the passwords on a regular basis.

  • We recommend that you follow the principle of least privilege (PoLP) and grant the read and write permissions to accounts based on your business requirements. You can create multiple accounts and grant each account only the permissions to access the data of specified databases. If an account does not need to write data to a database, we recommend that you grant only the read permissions on the database to the account.

System admin account

  • You can create only one system admin account for each RDS instance. The system admin account cannot be deleted in the ApsaraDB RDS console, by calling an API operation, or by using Terraform.

  • You cannot create system admin accounts for RDS instances in the CloudTmall system.

  • You cannot use the following usernames for system admin accounts:

    root|admin|eagleye|master|aurora|sysadmin|administrator|mssqld|public|securityadmin|serveradmin|setupadmin|processadmin|diskadmin|dbcreator|bulkadmin|tempdb|msdb|model|distribution|mssqlsystemresource|guest|add|except|percent|all|exec|plan|alter|execute|precision|and|exists|primary|any|exit|print|as|fetch|proc|asc|file|procedure|authorization|fillfactor|public|backup|for|raiserror|begin|foreign|read|between|freetext|readtext|break|freetexttable|reconfigure|browse|from|references|bulk|full|replication|by|function|restore|cascade|goto|restrict|case|grant|return|check|group|revoke|checkpoint|having|right|close|holdlock|rollback|clustered|identity|rowcount|coalesce|identity_insert|rowguidcol|collate|identitycol|rule|column|if|save|commit|in|schema|compute|index|select|constraint|inner|session_user|contains|insert|set|containstable|intersect|setuser|continue|into|shutdown|convert|is|some|create|join|statistics|cross|key|system_user|current|kill|table|current_date|left|textsize|current_time|like|then|current_timestamp|lineno|to|current_user|load|top|cursor|national|tran|database|nocheck|transaction|dbcc|nonclustered|trigger|deallocate|not|truncate|declare|null|tsequal|default|nullif|union|delete|of|unique|deny|off|update|desc|offsets|updatetext|disk|on|use|distinct|open|user|distributed|opendatasource|values|double|openquery|varying|drop|openrowset|view|dummy|openxml|waitfor|dump|option|when|else|or|where|end|order|while|errlvl|outer|with|escape|over|writetext||dbo|login|sys|drc_rds$

Host account

  • RDS instances in the CloudTmall system do not support host accounts.

  • You can create only one host account that has the permissions of a system admin account for each RDS instance.

  • The following usernames cannot be used for host accounts:

    root|admin|eagleye|master|aurora|sysadmin|administrator|mssqld|public|securityadmin|serveradmin|setupadmin|processadmin|diskadmin|dbcreator|bulkadmin|tempdb|msdb|model|distribution|mssqlsystemresource|guest|add|except|percent|all|exec|plan|alter|execute|precision|and|exists|primary|any|exit|print|as|fetch|proc|asc|file|procedure|authorization|fillfactor|public|backup|for|raiserror|begin|foreign|read|between|freetext|readtext|break|freetexttable|reconfigure|browse|from|references|bulk|full|replication|by|function|restore|cascade|goto|restrict|case|grant|return|check|group|revoke|checkpoint|having|right|close|holdlock|rollback|clustered|identity|rowcount|coalesce|identity_insert|rowguidcol|collate|identitycol|rule|column|if|save|commit|in|schema|compute|index|select|constraint|inner|session_user|contains|insert|set|containstable|intersect|setuser|continue|into|shutdown|convert|is|some|create|join|statistics|cross|key|system_user|current|kill|table|current_date|left|textsize|current_time|like|then|current_timestamp|lineno|to|current_user|load|top|cursor|national|tran|database|nocheck|transaction|dbcc|nonclustered|trigger|deallocate|not|truncate|declare|null|tsequal|default|nullif|union|delete|of|unique|deny|off|update|desc|offsets|updatetext|disk|on|use|distinct|open|user|distributed|opendatasource|values|double|openquery|varying|drop|openrowset|view|dummy|openxml|waitfor|dump|option|when|else|or|where|end|order|while|errlvl|outer|with|escape|over|writetext||dbo|login|sys|drc_rds

Create an account

Standard account and privileged account

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane of the page that appears, click Accounts.

  3. On the page that appears, click Create Account and configure the following parameters.

    • Database Account: The name of the account. The name can be up to 50 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or a digit.

    • Account Type:

      • Privileged Account: If this is the first time you create an account on the RDS instance, you must create a privileged account. You can create only one privileged account for each RDS instance. You cannot delete a privileged account.

      • Standard Account: You can create multiple standard accounts for an RDS instance. You must manually grant the permissions on databases to each standard account.

      Note

      Authorize Database: You can grant different permissions on one or more databases to a Standard Account. If no databases are created, you can leave this parameter empty. After you create databases, you can grant permissions on your databases to a standard account. To grant permissions on a database to an account, perform the following steps:

      1. In the Unauthorized Databases section, select the databases on which you want to grant permissions to the account.

      2. Click the icon to add the selected databases to the Authorized Databases section.

      3. Grant the Read/Write (DML), Read-only, or Owner permissions on the databases to the account.

        Note

        The account is authorized to create tables, delete tables, and modify schemas in a database only when it has the Owner permissions on the database.

    • New Password: The password of the account. The password must meet the following requirements:

      • It is 8 to 32 characters in length.

      • It contains at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.

      • It can contain the following special characters: ! @ # $ % ^ & * ( ) _ + - =

    • Confirm Password: The password of the account.

    • Description: The description of the account. The description can be up to 256 characters in length.

  4. Click OK.

    You can refresh the page to view the created account. You can also modify the account permissions or manage the account based on your business requirements. For more information, see Modify the permissions of an account, Reset the password of an account on an ApsaraDB RDS for SQL Server instance, or Delete a standard account from an ApsaraDB RDS for SQL Server instance.

System admin account

A system admin account is the most powerful role in SQL Server. This role can bypass all security checks and perform all operations in SQL Server. This topic describes how to create a system admin account on an ApsaraDB RDS for SQL Server instance. You can use the system admin account to migrate the data of an on-premises SQL Server instance to the RDS instance.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane of the page that appears, click Accounts.

  3. On the page that appears, click Create Account, configure the following parameters, and then click OK.

    • Database Account: The username of the account. It must be 2 to 64 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or a digit.

    • Account Type: The type of the account. Select System Admin Account. Then, read the agreement and select I have read and agree to changes to the RDS Service Level Agreement caused by the creation of a system admin account.

    • New Password: The password of the account. The password must meet the following requirements:

      • It is 8 to 32 characters in length.

      • It contains at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.

      • Special characters include ! @ # $ % ^ & * ( ) _ + - =

    • Confirm Password: The password of the account.

    • Description: The description of the account. The description can be up to 256 characters in length.

  4. Optional. Reset the password of the account or disable the account.

    You can click Reset Password or Deactivate Account in the Actions column to manage the account. For more information, see Reset the password of an account.


Host account

ApsaraDB RDS for SQL Server allows you to create a host account for your ApsaraDB RDS for SQL Server instance. You can use the host account to log on to the host on which the RDS instance is deployed. This facilitates the management of the RDS instance.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Accounts.

  3. On the Host Account tab, click Create Account and configure the following parameters.

    • Host Account Name: Enter a name for the host account. The name must be 2 to 64 characters in length and can contain lowercase letters, digits, and underscores (_). The name must start with a lowercase letter and end with a lowercase letter or a digit.

    • Account Type:

      • Standard Account: Create a host account that has the permissions of a standard account.

      • System Admin Account: Create a host account that has the permissions of a system admin account. You can create only one host account that has the permissions of a system admin account for each RDS instance. For more information about system admin accounts, see Create a system admin account.

        Note

        The System Admin Account parameter is displayed only after the permissions to create a system admin account are granted. For more information about how to grant the permissions, see Prerequisites.

    • New Password: Enter a password for the account. The password must meet the following requirements:

      • The password is 8 to 32 characters in length.

      • The password must contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.

      • Special characters include ! @ # $ % ^ & * ( ) _ + - =

    • Confirm Password: Enter the password of the account again.

    • Description: Enter a description that can help identify the account. The description can be up to 256 characters in length.

  4. Read and select I have read and agree to the changes to the RDS Service Level Agreement caused by the creation of a host account.

  5. Click OK.

  6. Optional. Reset the password of the host account or delete the host account.

    You can click Reset Password or Delete in the Actions column to reset the password of the host account or delete the host account.
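
A pre-flight check for the system admin and host account rules described above (2 to 64 character names, the forbidden-username list, and the password requirements), as an added example that is not Alibaba Cloud code. `FORBIDDEN_EXCERPT` is a short excerpt of the page's list, the function names are hypothetical, and rejecting password characters outside the four listed types is an assumption.

```python
import re
import string

# Short excerpt of the page's forbidden-username list (constructed sample).
# It keeps the list's quirks: an empty entry ("||") and a trailing "$".
FORBIDDEN_EXCERPT = "root|admin|sysadmin|administrator|public|guest||dbo|login|sys|drc_rds$"

# Lowercase letters, digits, underscores; starts with a lowercase letter and
# ends with a lowercase letter or digit.
NAME_RE = re.compile(r"[a-z][a-z0-9_]*[a-z0-9]")

# The four character types named in the password rules.
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set("!@#$%^&*()_+-="),
}


def parse_forbidden(pipe_list):
    """Split the pipe-delimited list, dropping empty entries and a trailing '$'."""
    words = (w.strip().rstrip("$").lower() for w in pipe_list.split("|"))
    return {w for w in words if w}


def check_name(name, forbidden):
    """Return the rule violations for a system admin or host account name."""
    problems = []
    if not 2 <= len(name) <= 64:
        problems.append("length must be 2-64")
    if not NAME_RE.fullmatch(name):
        problems.append("charset or start/end rule violated")
    if name.lower() in forbidden:
        problems.append("forbidden username")
    return problems


def check_password(password):
    """Return the rule violations for an account password."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8-32")
    used = [label for label, chars in CLASSES.items() if chars & set(password)]
    if len(used) < 3:
        problems.append("needs at least three character types")
    # Assumption: characters outside the four listed types are rejected.
    stray = sorted(set(password) - set().union(*CLASSES.values()))
    if stray:
        problems.append("characters outside the listed types: " + "".join(stray))
    return problems


if __name__ == "__main__":
    forbidden = parse_forbidden(FORBIDDEN_EXCERPT)
    # Constructed sample inputs.
    for name in ("migration_sa1", "sysadmin", "Ops_Admin", "dba_"):
        print(name, check_name(name, forbidden) or "ok")
    for pw in ("Tr4ce_migrate=9", "alllowercase1", "Passw0rd?x"):
        print(pw, check_password(pw) or "ok")
```

Pass the complete pipe-delimited list from the Usage notes section to `parse_forbidden` when running this check in a provisioning pipeline.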


Next step: Log on to the host on which the RDS instance runs

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Accounts.

  3. On the Host Account tab, find the required account and click Remote Connection (Primary) in the Actions column.

  4. In the Remote Connection dialog box, enter the password of the host account.


  5. After the modification, click OK.

    The system generates a webshell URL and automatically connects to the host on which the RDS instance runs by using the URL. The system displays a webshell page in a pop-up window. The page may be blocked by the browser. If the page is blocked, you can configure the browser to allow the appearance of the page. The following figure provides an example.

    [Figure: example of a pop-up window blocked by the browser]

Procedure

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Databases.

  3. On the page that appears, click Create Database and configure the following parameters.

    • Database Name: The name of the database. The name must be 2 to 64 characters in length and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter and end with a letter or a digit.

    • Supported Character Set: The character set of the database.

    • Description: The description of the database. The description can be up to 256 characters in length.

  4. Click Create.

References

  • You can call the CreateAccount operation to create an account on an instance. For more information, see CreateAccount.

  • You can call the CreateDatabase operation to create a database on an instance. For more information, see CreateDatabase.

  • You can modify the permissions of a standard account or a privileged account on an instance. The system admin account has all the permissions on all the databases on an instance. You do not need to modify the permissions of a system admin account. For more information, see Modify the permissions of an account.

FAQ

Can I manage the accounts that are created on the primary RDS instance on read-only RDS instances?

No, you cannot manage the accounts on the read-only RDS instances. The accounts that are created on your primary RDS instance are synchronized to the read-only RDS instances and have only read permissions on the read-only RDS instances.