Before your application can connect to an ApsaraDB RDS for PostgreSQL instance, you need a database account and a database. This topic walks you through both steps using the ApsaraDB RDS console. After completing both steps, your account is ready to connect to the database.
Account types
ApsaraDB RDS for PostgreSQL supports two account types: privileged accounts and standard accounts.
| Account type | Permissions | Management |
|---|---|---|
| Privileged account | All permissions on all databases in the instance. Can disconnect any account. | Create and manage only through the console or API — not via SQL. |
| Standard account | All permissions (SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER) on authorized databases only. Cannot create or manage other accounts. | Create and manage through the console, API, or SQL statements. |
Multiple accounts of either type are supported on a single instance. For standard accounts, you must manually grant permissions to specific databases after creation.
The first privileged account created on an instance becomes the schema owner of the public schema in the system database template1. Databases created with the CREATE DATABASE command replicate template1 by default, so those databases inherit the same schema owner. The default remarks for the first privileged account are template1 public schema owner.
When to use which account type:
Use a privileged account for administrative tasks — managing other accounts, granting permissions, and disconnecting sessions.
Use standard accounts for application access, following the principle of least privilege. Assign only the permissions each application actually needs.
Accounts created on a primary instance are automatically synchronized to its read-only instances. On read-only instances, these accounts have read-only permissions only, and you cannot manage (create, modify, or delete) accounts directly on read-only instances.
Prerequisites
Before you begin, make sure you have:
An ApsaraDB RDS for PostgreSQL instance in the Running state
The necessary permissions to manage accounts and databases on the instance
Create an account
Go to the Instances page. In the top navigation bar, select the region where your instance resides. Find the instance and click its ID.
In the left-side navigation pane, click Accounts.
Click Create Account.
Configure the following parameters.
Parameter Description Database Account The username for the account. Requirements: 2–63 characters; lowercase letters, digits, and underscores ( _) only; must start with a letter and end with a letter or digit; cannot start withpg; cannot match an existing account name; cannot contain SQL keywords.Account Type Select Privileged Account or Standard Account. For fine-grained access control — for example, granting read-only access to specific tables — see Manage permissions in an ApsaraDB RDS for PostgreSQL instance. New Password The account password. Requirements: 8–32 characters; must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters ( ! @ # $ % ^ & * ( ) _ + - =).Confirm Password Re-enter the password to confirm. Description An optional description for the account. Click OK.
Create a database
After creating an account, create the database that the account will access. For standard accounts, you can assign the account as the database owner during this step.
Go to the Instances page. In the top navigation bar, select the region where your instance resides. Find the instance and click its ID.
In the left-side navigation pane, click Databases.
Click Create Database.
Configure the following parameters.
Parameter Description Database Name The name of the database. Requirements: up to 63 characters; lowercase letters, digits, hyphens ( -), and underscores (_) only; must start with a lowercase letter and end with a lowercase letter or digit.Supported Character Set The character set for the database. This cannot be changed after the database is created. Collate The collation rule for sorting strings. Ctype The character type supported by the database. Authorized By The owner of the database. Set this to the account you created in the previous step. The owner has all permissions on the database. Description An optional description for the database. Click Create.
The database appears on the Databases page. 
Two additional fields are shown on the Databases page:
| Field | Description |
|---|---|
| ConnLimit | The maximum number of concurrent connections allowed. Default: unlimited. To change this, log in with a privileged account and run: ALTER DATABASE <database_name> CONNECTION LIMIT <limit>; |
| Tablespace | The tablespace the database belongs to. Default: pg_default. Tablespace paths cannot be viewed or modified. If you're migrating from a self-managed PostgreSQL database, the tablespace name carries over — you can change the name of the tablespace to which a database or a table belongs to pg_default if needed. For details on migration, see Use the cloud migration feature for an ApsaraDB RDS for PostgreSQL instance. |
Best practices
If you're migrating a self-managed database to ApsaraDB RDS, create the account and database with the same names as in the source database.
Create accounts based on business roles and the principle of least privilege. Assign read-only or read/write permissions as required. If an account doesn't need write access, assign only read permissions.
Set a strong password for each database account and rotate it regularly.
API reference
| Operation | Description |
|---|---|
| Create a database account | Creates an account for an ApsaraDB RDS instance. |