All Products
Search

This Product

    ApsaraDB RDS:Create an account

    Document Center

    ApsaraDB RDS:Create an account

    Last Updated:May 12, 2026

    Learn how to create database accounts for an ApsaraDB RDS for MySQL or instance.

    Prerequisites

    You have created an ApsaraDB RDS for MySQL instance.

    Note

    To create a RAM user for your Alibaba Cloud account and grant the RAM user permissions to manage instances, see Create a RAM user.

    Account types

    ApsaraDB RDS for MySQL or instances support two types of database accounts: privileged accounts and standard accounts. You can manage all accounts and databases in the ApsaraDB RDS console. For details about the permissions of each account type, see List of account permissions.

    Note

    You cannot change an account's type after you create it. You can delete the account and then create a new one with the same name.

    Account type

    Description

    Privileged Account

    • You can create and manage this account type only in the console or by using an API.

    • Each instance supports only one privileged account, which you can use to manage all standard accounts and databases.

    • Provides extended permissions for custom and fine-grained permission management. For example, you can grant query permissions on different tables to different users.

    • Has permissions on all databases within the instance.

    • Can disconnect any account.

    Standard Account

    • You can create and manage this account type in the console, by using an API, or by running an SQL statement.

    • You can create multiple standard accounts for an instance. The maximum number depends on the instance kernel.

    • By default, a standard account has only the permissions to log on to a database. You must manually grant additional permissions to the standard account as needed. For more information, see Modify account permissions.

    • You cannot use a standard account to create, manage, or disconnect other accounts.

    Account type

    Number of databases

    Number of tables

    Number of users

    privileged account

    Unlimited

    < 200,000

    Depends on the kernel parameters of the instance

    standard account

    500

    < 200,000

    Depends on the kernel parameters of the instance

    Note

    The maximum number of directories supported by the underlying file system may limit the number of databases you can create.

    Create a privileged account

    1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

    2. In the left-side navigation pane, click Accounts.

    3. Click Create Account.

    4. Configure the following parameters.

      Parameter

      Description

      Database Account

      Enter a name for the account. The name must meet the following requirements:

      • The account name must be 2 to 16 characters in length for MySQL 5.6, and 2 to 32 characters in length for MySQL 8.0 and MySQL 5.7.

      • It must consist of letters, digits, and underscores (_).

      • It must start with a letter and end with a letter or digit.

      • The name must be unique within the instance.

      • The name of a standard account cannot be similar to the name of the privileged account. For example, if the privileged account is named Test1, you cannot name a standard account test1.

      • The name cannot be a reserved keyword.

      Account Type

      Select Privileged Account.

      New Password

      Set a password for the account. The password must meet the following requirements:

      • The password must be 8 to 32 characters in length.

      • It must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.

      • The allowed special characters are !@#$%^&*()_+-=.

      Note

      • Keep your password secure. If you forget the password, you can reset it.

      • ApsaraDB RDS for MySQL 5.7 and 8.0 instances support custom password policies to improve security for database access.

      Confirm Password

      Enter the password again.

      Description

      Enter a description to help you manage the account. The description can be up to 256 characters in length and cannot contain http:// or https://.

    5. Click OK.

    Reset account permissions

    If an issue occurs with the privileged account, such as you accidentally revoke permissions (REVOKE) from the privileged account, you can restore its permissions by resetting them.

    1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

    2. In the left-side navigation pane, click Accounts.

    3. To the right of the Privileged Account, click Reset Account Permissions.

    4. Enter the password of the privileged account and click OK to reset the permissions.

    Create a standard account

    1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

    2. In the left-side navigation pane, click Accounts.

    3. Click Create Account.

    4. Configure the following parameters.

      Parameter

      Description

      Database Account

      Enter a name for the account. The name must meet the following requirements:

      • The account name must be 2 to 16 characters in length for MySQL 5.6, and 2 to 32 characters in length for MySQL 8.0 and MySQL 5.7.

      • It must consist of letters, digits, and underscores (_).

      • It must start with a letter and end with a letter or digit.

      • The name must be unique within the instance.

      • The name of a standard account cannot be similar to the name of the privileged account. For example, if the privileged account is named Test1, you cannot name a standard account test1.

      • The name cannot be a reserved keyword.

      Account Type

      Select Standard Account.

      Authorize Database:

      Grant permissions on one or more databases to the account. You can leave this parameter empty and grant permissions after you create the account.

      1. Select one or more databases from the left panel and click the > icon to add them to the right panel.

      2. In the right panel, select a permission level for each database: Read/Write (DDL + DML), Read-Only, DDL Only, or DML Only.

        To grant the same permissions to multiple databases, click the permission level you want next to Set All to in the upper-right corner of the right panel.

        Note

        For details about each permission, see List of account permissions.

      New Password

      Set a password for the account. The password must meet the following requirements:

      • The password must be 8 to 32 characters in length.

      • It must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.

      • The allowed special characters are !@#$%^&*()_+-=.

      Note

      • Keep your password secure. If you forget the password, you can reset it.

      • ApsaraDB RDS for MySQL 5.7 and 8.0 instances support custom password policies to improve security for database access.

      Confirm Password

      Enter the password again.

      Description

      Enter a description to help you manage the account. The description can be up to 256 characters in length and cannot contain http:// or https://.

    5. Click OK.

    API reference

    Call the CreateAccount operation to create a database account.

    FAQ

    Restrict internal network access

    The console does not support this setting. You can run an SQL statement to restrict the source IP addresses for logon. For more information, see Specify IP addresses from which a database account can access a database.

    Fine-grained permissions

    The console does not support this setting. You can run an SQL statement to set the permissions. For more information, see Restrict an account to access only specified tables, views, and columns.

    Root accounts

    ApsaraDB RDS does not support root accounts. You can create a Privileged Account (the account with the highest permissions in ApsaraDB RDS) and Standard Account.

    Error when creating a user by using the CreateAccount APIAccountLimitExceeded?

    Problem

    When you call the CreateAccount operation to create a database account, the API may return the following error message if you provide invalid parameters:

    "Code": "AccountLimitExceeded",
"Message": "AccountQuotaExceeded: Exceeding the allowed amount of account"

    This error indicates that the instance has reached the maximum number of accounts that are allowed.

    Cause

    • Account quota: Only one privileged account is allowed per instance.

    • Parameter settings: In MySQL, if AccountType is set to Super (privileged account) but a privileged account already exists on the instance, the API returns the AccountLimitExceeded error.

    Solution

    • To create a standard account, set the AccountType parameter to Normal. ApsaraDB RDS typically does not limit the number of standard accounts. The actual limit depends on the instance kernel.

    • To create a privileged account, set the AccountType parameter to Super. In the ApsaraDB RDS console, go to the Accounts page and check whether a privileged account already exists. If a privileged account exists, do not create another one.

    Password without special characters

    Yes. A password must contain characters from at least three of the following types: uppercase letters, lowercase letters, digits, and special characters. Therefore, you can omit special characters if the password includes characters from the other three types.