create an account for an apsaradb rds for mariadb instance - ApsaraDB RDS

This topic describes how to create an account for an ApsaraDB RDS for MariaDB instance.

Account types

ApsaraDB RDS for MariaDB supports two types of database accounts: privileged accounts and standard accounts. You can manage all accounts in the ApsaraDB RDS console.

Account type	Description
Privileged Account	You can create and manage privileged accounts in the ApsaraDB RDS console or by calling API operations. Only one privileged account can be created for each RDS instance. A privileged account has the permissions to manage all standard accounts and databases of the RDS instance on which the privileged account is created. A privileged account lets you manage permissions at fine-grained levels as needed. For example, you can grant each standard account the permissions to query specific tables. A privileged account has the permissions on all databases of the RDS instance on which the privileged account is created. You can disconnect any account. If the username of the privileged account is the same as that of an existing standard account, the privileged account replaces the standard account.
Standard Account	You can create and manage standard accounts in the ApsaraDB RDS console, by calling API operations, or using SQL statements. More than one standard account can be created for each RDS instance. The maximum number of standard accounts that are allowed for an RDS instance varies based on the minor engine version of the RDS instance. You must grant the permissions on specific databases to standard accounts. A standard account does not have the permissions to create, manage, or disconnect other accounts of the RDS instance on which the standard account is created.

Create a privileged account

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the navigation pane on the left, choose Accounts, and click Create Account.

Set the following parameters and click OK.

Note

The privileged account is activated within seconds after it is created.

Parameter	Description
Database Account	Enter the name of the account. The following requirements must be met: The username must be 2 to 16 characters in length. The username must start with a letter and end with a letter or a digit. The name can contain lowercase letters, digits, and underscores (_). The username cannot be the same as the username of an existing account. Note If the username of the privileged account is the same as that of an existing standard account, the privileged account replaces the standard account.
Account Type	Select Privileged Account.
New Password	Enter the password of the account. The password must meet the following requirements: The password is 8 to 32 characters in length. The password must contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters. Special characters include `!@#$%^&*()_+-=`.
Confirm Password	Enter the password again.
Description	Enter a description that helps identify the account for future management. The description can be up to 256 characters in length.

Reset the permissions of a privileged account

If the permissions of a privileged account are accidentally revoked or encounter other exceptions, perform the following steps to reset the permissions:

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the navigation pane on the left, choose Accounts, and click Reset Account Permissions to the right of the Privileged Account.
Enter the privileged account password to reset the account permissions.

Create a standard account

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the navigation pane on the left, choose Accounts, and click Create Account.

Set the following parameters and click OK.

Parameter	Description
Database Account	Enter the name of the account. The following requirements must be met: The username must be 2 to 16 characters in length. The username must start with a letter and end with a letter or a digit. The name can contain lowercase letters, digits, and underscores (_).
Account Type	Select Standard Account.
Authorized Databases	You can grant permissions on one or more databases to the account. Select one or more databases from the left side and click > to add them to the right side. In the right box, select Read/Write (DDL+DML), Read-Only, DDL Only, or DML Only for the target database. If you want to set the same permissions for multiple databases in batch, click the button in the upper-right corner of the right box, such as Set All To Read/Write (DDL+DML). Note The parameter settings in the upper-right corner change after you click them. For example, after you click Set All To Read/Write (DDL+DML), the button changes to Set All To Read-Only. This parameter is optional. You can grant permissions to the account after you create it.
New Password	Enter the password of the account. The password must meet the following requirements: The password is 8 to 32 characters in length. The password must contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters. Special characters include `!@#$%^&*()_+-=`.
Confirm Password	Enter the password again.
Description	Optional. Enter a description that helps identify the account for future management. The description can be up to 256 characters in length.

API reference

You can use CreateAccount to create a database account.

FAQ

Why do I receive an `AccountLimitExceeded` error when creating a user with the CreateAccount API?

Problem description

When users create a database account using the CreateAccount API, if the parameters are not set correctly, the following error might occur:

"Code": "AccountLimitExceeded",
"Message": "AccountQuotaExceeded: Exceeding the allowed amount of account"

This error indicates that the instance has reached the maximum allowed number of accounts.

Error causes

Account quantity limitation: Only one privileged account is allowed, and the privileged account cannot be deleted.
Parameter setting issue: In MariaDB, if AccountType is set to Super (privileged account), but the database already has a privileged account, the AccountLimitExceeded error will be triggered.

Solution

Creating a standard account: Ensure AccountType is set to Normal. RDS typically has no limit on the number of standard accounts, though the specific number depends on the instance kernel.
Creating a privileged account: Ensure AccountType is set to Super. You can check if a privileged account already exists in the instance through the RDS console's Accounts page. If one already exists, avoid creating another one.