When you contact Alibaba Cloud technical support to troubleshoot issues on your ApsaraDB RDS for MySQL instance, you may need to grant temporary permissions to a service account. This service account allows support engineers to access and operate on the databases of your ApsaraDB RDS instance under controlled conditions. You choose which permissions to grant, set an expiration time, and can revoke access at any time. When the service account expires, ApsaraDB RDS automatically deletes it.
Prerequisites
Your ApsaraDB RDS instance runs one of the following MySQL versions and RDS editions:
- MySQL 8.0 on RDS High-availability Edition with Premium Local SSDs or RDS Enterprise Edition
- MySQL 5.7 on RDS High-availability Edition with Premium Local SSDs or RDS Enterprise Edition
- MySQL 5.6 on RDS High-availability Edition
- MySQL 5.5 on RDS High-availability Edition
Permission types
ApsaraDB RDS provides two levels of service account permissions. Grant only the level that matches your support scenario:
| Permission | When to use | Scope |
|---|---|---|
| Configure Permissions | Issues related to IP address whitelists or parameters | View and edit configurations |
| Data Permissions | Performance issues caused by applications | View table schema, indexes, and SQL statements |
For issues that are related to IP address whitelists or parameters, you can grant only Configure Permissions to the service account.
For performance issues that are caused by applications, you must grant Data Permissions to the service account.
Procedure
1. Go to the Instances page. In the top navigation bar, select the region in which the ApsaraDB RDS instance resides. Then, find the ApsaraDB RDS instance and click its instance ID.
2. In the left-side navigation pane, click Accounts.
3. Click the Service Account tab. Find the permission that you want to grant and turn on the switch in the Permission Status column.
4. In the dialog box that appears, specify the expiration time for the service account and click OK.
Revoke permissions or change the expiration time
After you grant permissions to the service account, you can revoke the permissions or change the expiration time on the Service Account tab at any time.