Create privileged and standard accounts for MariaDB - ApsaraDB RDS

ApsaraDB RDS for MariaDB supports two types of database accounts: privileged accounts and standard accounts. Create the account type that matches how it will be used.

Account types

Account type	Description
Privileged account	One per instance. Has full permissions over all databases and standard accounts on the instance, including the ability to disconnect any account. Lets you manage permissions at fine-grained levels — for example, you can grant each standard account the permissions to query specific tables. Create and manage privileged accounts through the console or API operations.
Standard account	Multiple per instance (exact limit depends on the minor engine version). Has permissions only on the databases you explicitly grant. Create and manage standard accounts through the console, API operations, or SQL statements.

Important

Use the privileged account only for administrative tasks such as managing other accounts and databases. For application connections, create a standard account with the minimum permissions required.

Prerequisites

Before you begin, ensure that you have:

An ApsaraDB RDS for MariaDB instance
Access to the ApsaraDB RDS console

Create a privileged account

Each instance supports only one privileged account. The account becomes active within seconds of creation.

If the username you specify matches an existing standard account, the privileged account replaces that standard account.

Go to the Instances page. In the top navigation bar, select the region where your instance resides, then click the instance ID.
In the left navigation pane, click Accounts, then click Create Account.
Configure the following parameters and click OK.

Parameter	Description
Database Account	Enter a username: 2–16 characters, starting with a letter and ending with a letter or digit, using only lowercase letters, digits, and underscores (_). Must not duplicate an existing account name.
Account Type	Select Privileged Account.
New Password	Enter a password: 8–32 characters containing at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters (`!@#$%^&*()_+-=`).
Confirm Password	Re-enter the password.
Description	Enter a description up to 256 characters to help identify the account.

Reset privileged account permissions

If the privileged account loses permissions due to an accidental revocation or other error, reset them as follows:

Go to the Instances page. Select the region, then click the instance ID.
In the left navigation pane, click Accounts, then click Reset Account Permissions to the right of the privileged account.
Enter the privileged account password to confirm.

Create a standard account

Go to the Instances page. In the top navigation bar, select the region where your instance resides, then click the instance ID.
In the left navigation pane, click Accounts, then click Create Account.
Configure the following parameters and click OK.

Parameter	Description
Database Account	Enter a username: 2–16 characters, starting with a letter and ending with a letter or digit, using only lowercase letters, digits, and underscores (_). Must not duplicate an existing account name.
Account Type	Select Standard Account.
Authorized Databases	(Optional) Grant permissions on one or more databases now, or skip and grant them after account creation. To grant permissions: select databases from the left list and click > to move them to the right. Then set a permission level for each database: Read/Write (DDL+DML), Read-Only, DDL Only, or DML Only. To set the same level for all selected databases, use the batch buttons in the upper-right corner of the right panel (the button label updates to reflect the next available batch action after each click).
New Password	Enter a password: 8–32 characters containing at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters (`!@#$%^&*()_+-=`).
Confirm Password	Re-enter the password.
Description	(Optional) Enter a description up to 256 characters to help identify the account.

API reference

Use the CreateAccount API operation to create a database account programmatically. Set AccountType to Super for a privileged account or Normal for a standard account.

FAQ

Why do I get an `AccountLimitExceeded` error when calling CreateAccount?

Problem description

When you create a database account using the CreateAccount API, if the parameters are not set correctly, the following error might occur:

"Code": "AccountLimitExceeded",
"Message": "AccountQuotaExceeded: Exceeding the allowed amount of account"

Error causes

Each instance allows only one privileged account, and it cannot be deleted. If you call CreateAccount with AccountType set to Super when a privileged account already exists, the API returns AccountLimitExceeded.

Solution

To check whether a privileged account exists, open the Accounts page for the instance in the RDS console. If one exists and you need another account, create a standard account instead by setting AccountType to Normal.

What's next

To connect your application to the instance using the account you created, see Connect to an ApsaraDB RDS for MariaDB instance.