Before you can use an ApsaraDB RDS instance, you must create a database and an account
on the instance. This topic describes how to create a database and an account on an
ApsaraDB RDS for PostgreSQL instance.
Account types
ApsaraDB RDS for PostgreSQL instances support two types of accounts: privileged accounts
and standard accounts. The following list describes these types of accounts.

Privileged account
- You can create and manage privileged accounts in the ApsaraDB RDS console or by using the ApsaraDB RDS API.
- You can create multiple privileged accounts for each RDS instance. The privileged accounts of an RDS instance have the permissions to manage all standard accounts and databases that are created on the instance.
- A privileged account allows you to manage permissions at fine-grained levels based on your business requirements. For example, you can grant each standard account the permissions to query specific tables.
- A privileged account has the permissions to log off all standard accounts on the instance on which the privileged account is created.
- Note:
  - The first privileged account that you create is the owner of the default public schema of a standard system database named template1.
  - By default, the CREATE DATABASE statement creates a database by replicating the template1 system database. The owners of all databases that are created by using this statement from the template1 system database are the first privileged account.
  - The comment of the first privileged account starts with "template1 public schema owner."

Standard account
- You can create and manage standard accounts in the ApsaraDB RDS console, by using the ApsaraDB RDS API, or by executing SQL statements.
- You can create multiple standard accounts for each RDS instance.
- You must grant the permissions on specified databases to standard accounts.
- You cannot use a standard account to create, manage, or log off other accounts from the instance on which the standard account is created.

Precautions
- You can create multiple privileged accounts and standard accounts in the ApsaraDB
RDS console. You can also create and manage standard accounts by using SQL statements.
- Before you can migrate data from an on-premises database to an RDS instance, you must
create a database and an account on the RDS instance. Make sure that the created database
has the same properties as the on-premises database. In addition, make sure that the
created account has the same permissions on the created database as the account that
is authorized to manage the on-premises database.
- We recommend that you follow the principle of least privilege (PoLP) and grant the
read and write permissions to accounts based on your business requirements. You can
create multiple accounts and grant each account only the permissions to access the
data of specified databases. If an account does not need to write data to a database,
we recommend that you grant only the read permissions on the database to the account.
- For security purposes, we recommend that you specify strong passwords for accounts
and change the passwords on a regular basis.
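
The least-privilege recommendation above, shown as an added SQL example that is not part of the original topic. The database app_db, the accounts report_ro and app_rw, and the tables public.orders and public.customers are hypothetical; the statements assume that you run them as a privileged account while connected to app_db.

```sql
-- Added example. All object names and password placeholders are
-- hypothetical; replace them before use.

-- Read-only standard account: it can query two tables and nothing else.
CREATE USER report_ro WITH PASSWORD '<strong-password-1>';
GRANT CONNECT ON DATABASE app_db TO report_ro;
GRANT USAGE ON SCHEMA public TO report_ro;
GRANT SELECT ON TABLE public.orders, public.customers TO report_ro;

-- Read/write standard account for the application. TRUNCATE, REFERENCES
-- and TRIGGER are withheld because this application does not need them.
CREATE USER app_rw WITH PASSWORD '<strong-password-2>';
GRANT CONNECT ON DATABASE app_db TO app_rw;
GRANT USAGE ON SCHEMA public TO app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE
    ON TABLE public.orders, public.customers TO app_rw;

-- Review: list the table privileges that each account actually holds.
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee IN ('report_ro', 'app_rw')
ORDER BY grantee, table_name, privilege_type;

-- Review: compare read and write access of the read-only account.
SELECT has_table_privilege('report_ro', 'public.orders', 'SELECT') AS ro_can_select,
       has_table_privilege('report_ro', 'public.orders', 'INSERT') AS ro_can_insert;
```

Rerun the two review queries after schema changes: tables that are created later are not covered by these grants and must be granted explicitly.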
Create a database
- Go to the RDS instance list, select a region at the top of the page, and click the ID of the target instance.
- In the left-side navigation pane, click Databases.
- Click Create Database.
- Configure the following parameters.
  - Database Name:
    - The name of the database can be up to 63 characters in length.
    - The name of the database can contain lowercase letters, digits, hyphens (-), and underscores (_).
    - The name of the database must start with a lowercase letter and end with a lowercase letter or a digit.
  - Supported Character Set: The character set that is supported by the database.
  - Collate: The rule based on which strings are sorted.
  - Ctype: The type of character supported by the database.
  - Authorized Account: The owner of the database. The owner has all permissions on the database.
  - Description: The description of the database.
- Click Create.
Create an account
- Go to the RDS instance list, select a region at the top of the page, and click the ID of the target instance.
- In the left-side navigation pane, click Accounts.
- Click Create Account.
- Configure the following parameters.
  - Database Account:
    - The username of the account must be 2 to 63 characters in length.
    - The username of the account can contain lowercase letters, digits, and underscores (_).
    - The username of the account must start with a lowercase letter and end with a lowercase letter or a digit.
    - The username of the account cannot be the same as the username of an existing account.
    - The username of the account cannot start with pg.
    - The username of the account cannot contain SQL keywords. For more information, see SQL Keywords.
  - Account Type: Specify the type of the account. Two types of accounts are supported: privileged accounts and standard accounts.
    - A privileged account has all operation permissions on all databases.
    - Standard accounts have all operation permissions only on their authorized databases.
    - Note: The operation permissions include SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, and TRIGGER.
  - Password:
    - The password of the account must be 8 to 32 characters in length.
    - The password of the account must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    - The password of the account can contain any of the following special characters: ! @ # $ % ^ & * ( ) _ + - =
  - Confirm Password: Enter the password of the account again.
  - Description: Enter the description of the account.
- Click OK.
FAQ
After I create accounts on my primary RDS instance, can I manage the accounts on the
read-only RDS instances that are attached to my primary RDS instance?
No. The accounts that are created on your primary RDS instance are synchronized to the
read-only RDS instances, but you cannot manage the accounts on the read-only RDS
instances. The accounts have only the read permissions and do not have the write permissions
on the read-only RDS instances.
Related operations
- Create an account: Creates an account on an ApsaraDB RDS instance.