Create and manage database accounts - ApsaraDB for Redis

ApsaraDB for Redis allows you to create multiple database accounts for an instance. You can grant these accounts different permissions, such as the read-only, read/write, and replication permissions. This helps you flexibly manage instances and minimize user errors for data security.

Background information

To ensure data security, a default account is automatically created after an instance is created. Typically, the default account is named after the instance ID (such as r-bp1jpghfglv6******). You cannot delete or replace a default account. You can view or reset the password of the default account on the Account Management page in the Tair console.

You can use the default account to log on to your instance in the same way as in open source Redis, where you only need to enter the password of the account. The following example describes how to log on to a Tair instance by using redis-cli:

# Use the default account whose username is r-bp1jpghfglv6****** and password is Rp829dlwa to connect to your instance. 
redis-cli -h r-bp1zx****.redis.rds.aliyuncs.com -p 6379 -a Rp829dlwa

Note

The name of the default account is default for specific instances. The name that is displayed in the console prevails.

Precautions

You can create a maximum of 20 accounts for an ApsaraDB for Redis instance.

Prerequisites

The database engine version of the instance is Redis 4.0 or later.

Note If the database engine version of an instance does not meet this requirement, you can upgrade the version. For more information, see Upgrade the major version.

Procedure

Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.
In the left-side navigation pane, click Account Management.
Click Create in the upper-right corner of the page.

In the panel that appears, configure the parameters that are described in the following table.

Parameter	Description
Account	The account name. The name can contain lowercase letters, digits, and underscores (_) and must start with a lowercase letter. The name can be up to 35 characters in length. The name cannot contain any of the reserved words displayed in the Reserved words for accounts of a Tair instance section of this topic.
Privilege	The permissions that are granted to the account. Valid values: Read-only: The account has only permissions to read data and is not allowed to modify data. Read/Write: The account has permissions to read and write data. Copy: The account has permissions to read data, write data, and run the SYNC and PSYNC commands. Note Only specific instances allow you to create accounts that have the Copy permissions. The specific permissions that are displayed in the console prevail.
Password Settings	The password of the account. The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and specific special characters. These special characters include !@#$%^&*()+-=_ The password must be 8 to 32 characters in length.
Confirm Password	Enter the password again.
Description (optional)	The description of the account. The description must start with a letter and cannot start with `http://` or `https://`. The description can contain letters, digits, underscores (_), and hyphens (-). The description must be 2 to 256 characters in length.

Click OK.
After you create an account, the account is in the Unavailable state. Refresh the page about 1 minute later, and the state changes to Available.
Note
- The password is in the user:password format. For example, assume that an account is named testaccount and the password is Rp829dlwa. Enter testaccount:Rp829dlwa in the password field to log on to the instance. For more information, see Logon methods.
- If you use a third-party database management tool such as Redis Desktop Manager (RDM) to connect to a Tair instance, enter the password in the user:password format.
Optional: Perform the following operations based on your business requirements to manage the account:
- Reset the password
  Find the account and click Reset Password in the Actions column. In the panel that appears, reset the password and click OK.
- Modify the permissions
  Find the account and click Modify Privilege in the Actions column. In the panel that appears, select the required permissions and click OK.
- Modify the description
  Find the account and click Edit Description in the Actions column. In the panel that appears, modify the description and click OK.
- Delete an account
  Find the account and choose > Delete in the Actions column. In the panel that appears, click OK.
  Warning
  After you delete the account, you cannot log on to the instance by using this account. In this case, to prevent the impact on the connection of your client, change the account and password that are used to verify the connection of your client in advance.

Reserved words for account names

When you create an account, the account name cannot be one of the following reserved words. The reserved words are separated by commas (,) in the following table.

Initial	Reserved word
a~c	add,admin,all,alter,analyze,and,as,asc,asensitive,aurora,before,between,bigint,binary,blob,both,by,call,cascade,case,change,char,character,check,collate,column,condition,connection,constraint,continue,convert,create,cross,current_date,current_time,current_timestamp,current_user,cursor
d~f	database,databases,day_hour,day_microsecond,day_minute,day_second,dec,decimal,declare,default,delayed,delete,desc,describe,deterministic,distinct,distinctrow,div,double,drc_rds,drop,dual,each,eagleye,else,elseif,enclosed,escaped,exists,exit,explain,false,fetch,float,float4,float8,for,force,foreign,from,fulltext
g~l	goto,grant,group,guest,having,high_priority,hour_microsecond,hour_minute,hour_second,if,ignore,in,index,infile,information_schema,inner,inout,insensitive,insert,int,int1,int2,int3,int4,int8,integer,interval,into,is,iterate,join,key,keys,kill,label,leading,leave,left,like,limit,linear,lines,load,localtime,localtimestamp,lock,long,longblob,longtext,loop,low_priority
m~r	match,mediumblob,mediumint,mediumtext,middleint,minute_microsecond,minute_second,mod,modifies,mysql,natural,no_write_to_binlog,not,null,numeric,on,optimize,option,optionally,or,order,out,outer,outfile,precision,primary,procedure,purge,raid0,range,read,reads,real,references,regexp,release,rename,repeat,replace,replicator,require,restrict,return,revoke,right,rlike,root
s~z	schema,schemas,second_microsecond,select,sensitive,separator,set,show,smallint,spatial,specific,sql,sql_big_result,sql_calc_found_rows,sql_small_result,sqlexception,sqlstate,sqlwarning,ssl,starting,straight_join,table,terminated,test,then,tinyblob,tinyint,tinytext,to,trailing,trigger,true,undo,union,unique,unlock,unsigned,update,usage,use,using,utc_date,utc_time,utc_timestamp,values,varbinary,varchar,varcharacter,varying,when,where,while,with,write,x509,xor,xtrabak,year_month,zerofill

Related API operations

Operation	Description
CreateAccount	Creates an account that has the specified permissions for an ApsaraDB for Redis instance.
GrantAccountPrivilege	Modifies the permissions of an account for an ApsaraDB for Redis instance.
ModifyAccountDescription	Modifies the description of an account for an ApsaraDB for Redis instance.
ModifyAccountPassword	Changes the password of a specified account for an ApsaraDB for Redis instance.
DeleteAccount	Deletes a specified account for an ApsaraDB for Redis instance.