Create and manage accounts - Tair (Redis® OSS-Compatible)

Tair (Redis OSS-compatible) supports multiple accounts per instance. Assign Read-only or Read/Write permissions to each account to control data access and reduce the risk of accidental changes.

Account types

Default account

When an instance is created, the system automatically creates a default account named after the instance ID (for example, r-bp1jpghfglv6******). You cannot delete, replace, or modify the permissions of this account, but you can view or reset its password on the Account Management page.

The default account authenticates the same way as open-source Redis — password only. For example:

# Connect using the default account (password-only authentication)
redis-cli -h r-bp1zx****.redis.rds.aliyuncs.com -p 6379 -a Rp829dlwa

Note

For some instances, the default account name is default instead of the instance ID. The name displayed in the console is authoritative.

Custom accounts

Custom accounts use the format username:password for authentication. If your account name is testaccount and the password is Rp829dlwa, the connection password is testaccount:Rp829dlwa. This applies to redis-cli and third-party tools such as RDM. For more information, see Log on to an instance.

Prerequisites

Before you begin, ensure that you have:

An instance running Redis 4.0 or later

Note

If your instance does not meet this requirement, upgrade the major version first. See Major version upgrade.

Limits

Each instance supports up to 20 accounts.
For instances running Redis Open-Source Edition 4.0 and 5.0 (earlier than 5.0.8), account names are case-insensitive. For instances running 5.0.8 or later, account names are case-sensitive.

Create an account

Log on to the console and go to the Instances page. In the top navigation bar, select the region where the instance resides. Find the instance and click its ID.
In the left navigation pane, click Account Management.
In the upper-right corner, click Create.

Set the account parameters.

Parameter	Description
Account type	Local account: Record the password manually or configure it in plaintext in your application code. KMS-managed account: The password is managed by Key Management Service (KMS). Your application calls the KMS API to retrieve credentials at runtime, with no static password in the code. For setup details, see Manage instance password credentials using KMS.
Account	Account name rules: starts with a letter; contains only lowercase letters, digits, and underscores (`_`); no more than 35 characters; cannot be a reserved word.
Privilege	Read-only: read data only. Read/Write: read, write, and delete data.
Password	Must be 8–32 characters and contain at least three of the following: uppercase letters, lowercase letters, digits, and special characters (`!@#$%^&*()+-=_`).
Confirm Password	Re-enter the password to confirm.
Description (optional)	2–256 characters. Starts with a letter or a Chinese character; cannot start with `http://` or `https://`. Contains letters, Chinese characters, digits, underscores (`_`), and hyphens (`-`).

Click OK.

The account status changes to Active after about one minute. Refresh the page if the status does not update.

Manage accounts

Reset a password

In the Actions column for the account, click Reset Password. Enter a new password and click OK.

Modify permissions

In the Actions column for the account, click Modify Privilege. Select the required permission and click OK.

Modify the description

In the Actions column for the account, click Modify Description. Enter a new description and click OK.

Delete an account

Warning

Deleting an account is permanent and cannot be undone. Update your client to use a different account before proceeding — otherwise, active connections that rely on this account will be interrupted.

In the column for the account, click > Delete. In the dialog box, click OK.

Reserved words for account names

The following reserved words cannot be used as account names.

Starting letter	Reserved words
a–c	add, admin, all, alter, analyze, and, as, asc, asensitive, aurora, before, between, bigint, binary, blob, both, by, call, cascade, case, change, char, character, check, collate, column, condition, connection, constraint, continue, convert, create, cross, current_date, current_time, current_timestamp, current_user, cursor
d–f	database, databases, day_hour, day_microsecond, day_minute, day_second, dec, decimal, declare, default, delayed, delete, desc, describe, deterministic, distinct, distinctrow, div, double, drc_rds, drop, dual, each, eagleye, else, elseif, enclosed, escaped, exists, exit, explain, false, fetch, float, float4, float8, for, force, foreign, from, fulltext
g–l	goto, grant, group, guest, having, high_priority, hour_microsecond, hour_minute, hour_second, if, ignore, in, index, infile, information_schema, inner, inout, insensitive, insert, int, int1, int2, int3, int4, int8, integer, interval, into, is, iterate, join, key, keys, kill, label, leading, leave, left, like, limit, linear, lines, load, localtime, localtimestamp, lock, long, longblob, longtext, loop, low_priority
m–r	match, mediumblob, mediumint, mediumtext, middleint, minute_microsecond, minute_second, mod, modifies, mysql, natural, no_write_to_binlog, not, null, numeric, on, optimize, option, optionally, or, order, out, outer, outfile, precision, primary, procedure, purge, raid0, range, read, reads, real, references, regexp, release, rename, repeat, replace, replicator, require, restrict, return, revoke, right, rlike, root
s–z	schema, schemas, second_microsecond, select, sensitive, separator, set, show, smallint, spatial, specific, sql, sql_big_result, sql_calc_found_rows, sql_small_result, sqlexception, sqlstate, sqlwarning, ssl, starting, straight_join, table, terminated, test, then, tinyblob, tinyint, tinytext, to, trailing, trigger, true, undo, union, unique, unlock, unsigned, update, usage, use, using, utc_date, utc_time, utc_timestamp, values, varbinary, varchar, varcharacter, varying, when, where, while, with, write, x509, xor, xtrabak, year_month, zerofill

FAQ

Why did account creation fail?

Check the most common causes:

Account limit reached: Each instance supports a maximum of 20 accounts. Delete unused accounts and try again.
Previous account not yet active: If you are creating accounts in sequence, wait until the previous account status changes to Active before creating the next one.
Version issue: Upgrade the minor version of the instance and try again.

API reference

API operation	Description
CreateAccount	Creates an account with specific permissions in an instance.
GrantAccountPrivilege	Modifies the permissions of an account in an instance.
ModifyAccountDescription	Modifies the description of an account in an instance.
ModifyAccountPassword	Modifies the password of a specified account in an instance.
DeleteAccount	Deletes a specified account from an instance.

What's next

Connect to an instance using redis-cli