ApsaraDB RDS for PostgreSQL supports two account types: privileged accounts and standard accounts. Use the ApsaraDB RDS console to create either type.
Account types
| Account type | Permissions | Management methods |
|---|---|---|
| Privileged account | Full permissions on all databases on the instance. Can manage standard accounts and databases, grant table-level permissions to standard accounts, and log off standard accounts. You can create multiple privileged accounts per RDS instance. | ApsaraDB RDS console, API operations |
| Standard account | Permissions on authorized databases only. Permitted operations include SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, and TRIGGER. Cannot create, manage, or log off other accounts. | ApsaraDB RDS console, API operations, SQL statements |
The first privileged account you create becomes the owner of the default public schema in the template1 system database. All databases created with CREATE DATABASE inherit from template1, so their owner is also the first privileged account. The comment of the first privileged account starts with "template1 public schema owner."
Prerequisites
Before you begin, ensure that you have:
An ApsaraDB RDS for PostgreSQL instance
Access to the ApsaraDB RDS console
Create an account
Go to the Instances page. In the top navigation bar, select the region where your instance resides. Find the instance and click its ID.
In the left-side navigation pane, click Accounts.
Click Create Account.
Configure the following parameters.
Parameter Description Database Account The account username. Requirements: 2–63 characters. Lowercase letters, digits, and underscores ( _) only. Must start with a letter and end with a letter or digit. Cannot start withpg, match an existing account name, or contain SQL keywords.Account Type Select Privileged account or Standard account. For fine-grained permission management (for example, read-only access), see Manage permissions in an ApsaraDB RDS for PostgreSQL instance. New Password 8–32 characters. Must contain at least three of: uppercase letters, lowercase letters, digits, and special characters ( ! @ # $ % ^ & * ( ) _ + - =).Confirm Password Re-enter the password to confirm. Description A description for the account. Click OK.
Security recommendations
Follow the principle of least privilege (PoLP): grant only the permissions that each account needs. Grant read-only access to accounts that do not need to write data.
Use strong passwords and rotate them regularly.
Before migrating data from an on-premises database to an RDS instance, create a database with the same name and an account with the same username and password on the instance.
FAQ
How do I let a standard account access multiple databases?
Run GRANT statements to grant the account access to each database. For example, to let user_name connect to database_name and create temporary objects:
GRANT CONNECT, TEMPORARY, CREATE ON DATABASE database_name TO user_name;API reference
| Operation | Description |
|---|---|
| CreateAccount | Creates an account for managing databases on an RDS instance. |