ApsaraDB RDS for MySQL supports two types of database accounts: privileged accounts and standard accounts. This topic describes how to create each type in the console.
Prerequisites
Before you begin, ensure that you have:
An ApsaraDB RDS for MySQL instance. See Create an ApsaraDB RDS for MySQL instance
To create a RAM user and authorize it to manage specific instances, see Create a RAM user.
Account types
RDS for MySQL supports two account types. Each instance supports exactly one privileged account and multiple standard accounts.
| Account type | What it can do | How to create |
|---|---|---|
| Privileged account | Manages all standard accounts and databases on the instance. Has permissions on all databases and can disconnect any account. | Console or API only |
| Standard account | Connects to and operates specific databases. By default, has only the logon permission — other permissions must be explicitly granted. Cannot create, manage, or disconnect other accounts. | Console, API, or SQL |
Choosing between account types: Create one privileged account to manage the instance, then create separate standard accounts for each application or service. Avoid using the privileged account directly in applications — use standard accounts with the minimum required permissions instead.
Account types cannot be changed after creation. To change an account's type, delete the account and create a new one with the same name.
Quotas
| Account type | Databases | Tables | Users |
|---|---|---|---|
| Privileged account | Unlimited | <200,000 | Based on instance kernel parameters |
| Standard account | 500 | <200,000 | Based on instance kernel parameters |
The actual number of databases may also be limited by the number of folders allowed by the underlying file system.
Create a privileged account
Go to the Instances page. In the top navigation bar, select the region where your instance resides, then click the instance ID.
In the navigation pane, click Accounts.
Click Create Account.
Set the following parameters.
If you forget the password, you can reset it at any time. For MySQL 5.7 and MySQL 8.0 instances, you can also configure a custom password policy to enforce stricter security requirements.
Parameter Description Database Account Enter an account name. Requirements: - Length: 2–16 characters for MySQL 5.6; 2–32 characters for MySQL 5.7 and MySQL 8.0
- Characters: letters, digits, and underscores (
_) - Format: must start with a letter and end with a letter or digit
- Uniqueness: cannot duplicate an existing account name
- Similarity: a standard account name cannot be similar to the privileged account name (for example, if the privileged account is
Test1, you cannot usetest1for a standard account) - Reserved keywords: not allowed
Account Type Select Privileged Account. New Password Set a password. Requirements: - 8–32 characters
- At least three of the following: uppercase letters, lowercase letters, digits, special characters
- Allowed special characters:
!@#$%^&*()_+-=
Confirm Password Re-enter the password. Description (Optional) Up to 256 characters. Cannot contain http://orhttps://.Click OK.
Reset privileged account permissions
If the privileged account's permissions are unexpectedly revoked, reset them from the Accounts page:
Click Accounts in the navigation pane.
To the right of Privileged Account, click Reset Account Permissions.
Enter the account password and click OK.
Create a standard account
Go to the Instances page. In the top navigation bar, select the region where your instance resides, then click the instance ID.
In the navigation pane, click Accounts.
Click Create Account.
Set the following parameters.
Parameter Description Database Account Enter an account name. The requirements are the same as for a privileged account (see Create a privileged account). Account Type Select Standard Account. Authorize Database (Optional) Grant permissions on one or more databases. You can also skip this step and modify permissions after the account is created. <br><br>To authorize databases: select one or more databases from the left box, click > to move them to the right box, then choose a permission level: Read/Write (DDL + DML), Read-Only, DDL Only, or DML Only. To apply the same permission to multiple databases at once, use Set All to in the upper-right corner of the right box. <br><br>For details on each permission level, see List of account permissions. New Password Set a password using the same requirements as for a privileged account. Confirm Password Re-enter the password. Description (Optional) Up to 256 characters. Cannot contain http://orhttps://.Click OK.
API reference
Use the CreateAccount operation to create a database account programmatically. Set AccountType to Super for a privileged account or Normal for a standard account.