This topic describes how to create an account that can be used to manage the databases of an ApsaraDB RDS for MySQL instance.
Prerequisites
An RDS instance is created. For more information, see Create an ApsaraDB RDS for MySQL instance.
You can create RAM users within your Alibaba Cloud account and grant the management permissions on specific RDS instances to the RAM users. For more information, see Create a RAM user.
Account types
ApsaraDB RDS for MySQL supports two types of accounts: privileged accounts and standard accounts. You can manage all the accounts and databases of your RDS instance in the ApsaraDB RDS console. For more information about the permissions that can be granted to each type of account, see Account permissions.
After an account is created, you cannot change the type of the account. However, you can delete the account. Then, you can create an account that has the same username as the deleted account. For more information, see Delete an account.
Account type | Description |
Privileged account |
|
Standard account |
|
Account type | Maximum number of databases | Maximum number of tables | Number of accounts |
Privileged account | Unlimited | 200,000 | Varies based on the minor engine version. |
Standard account | 500 | 200,000 | Varies based on the minor engine version. |
Create a privileged account
- Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
- In the left-side navigation pane, click Accounts.
- Click Create Account.
- Configure the parameters that are described in the following table.
Parameter
Description
Database Account
Enter a username for the account. The value must meet the following requirements:
If your RDS instance runs MySQL 5.6, the value must be 2 to 16 characters in length. If your RDS instance runs MySQL 8.0 or MySQL 5.7, the value must be 2 to 32 characters in length.
The value can contain letters, digits, and underscores (_).
The value must start with a letter and end with a letter or a digit.
The value cannot be the same as the username of an existing account.
The username of a standard account cannot be the same as or similar to the username of a privileged account. For example, if the username of the privileged account is Test1, the username of the standard account cannot be test1.
The value cannot contain reserved keywords.
Account Type
Select Privileged Account.
New Password
Enter a password for the account. The value must meet the following requirements:
The value must be 8 to 32 characters in length.
The value must contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.
The value can contain the following special characters: ! @ # $ % ^ & * ( ) _ + - =
Note: If your RDS instance runs MySQL 5.7, you can configure a custom password policy for the RDS instance. For more information, see Configure a custom password policy.
Confirm Password
Enter the logon password again.
Description
Enter a description that is used to identify the account. The value can be up to 256 characters in length. The value cannot contain http:// or https://.
- Click OK.
Reset the permissions of a privileged account
If the privileged account of your RDS instance encounters exceptions, for example, the permissions are accidentally revoked, you can perform the following steps to reset the permissions:
- Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
- In the left-side navigation pane, click Accounts.
- Find the privileged account and click Reset Permissions in the Actions column.
- Enter a new password for the privileged account and click OK.
Create a standard account
- Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
- In the left-side navigation pane, click Accounts.
- Click Create Account.
- Configure the parameters that are described in the following table.
Parameter
Description
Database Account
Enter a username for the account. The value must meet the following requirements:
If your RDS instance runs MySQL 5.6, the value must be 2 to 16 characters in length. If your RDS instance runs MySQL 8.0 or MySQL 5.7, the value must be 2 to 32 characters in length.
The value can contain letters, digits, and underscores (_).
The value must start with a letter and end with a letter or a digit.
The value cannot be the same as the username of an existing account.
The username of a standard account cannot be the same as or similar to the username of a privileged account. For example, if the username of the privileged account is Test1, the username of the standard account cannot be test1.
The value cannot contain reserved keywords.
Account Type
Select Standard Account.
Authorize Database
Specify the authorized databases of the account. You can specify one or more authorized databases. You can also leave this parameter empty at this time and authorize databases after the account is created.
In the Unauthorized Databases section, select one or more databases. Then, click the > icon to move the selected databases to the Authorized Databases section.
In the Authorized Databases section, select the Read/Write (DDL + DML), Read-only, DDL Only, or DML Only permissions for each authorized database.
If you want to grant the same permissions on more than one authorized database at a time, select the authorized databases and click the Set All to button in the upper-right corner of the Authorized Database section. For example, you can click the button to grant the Read/Write (DDL + DML) permissions on the selected authorized databases.
Note: For more information, see Account permissions.
New Password
Enter a password for the account. The value must meet the following requirements:
The value must be 8 to 32 characters in length.
The value must contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.
The value can contain the following special characters: ! @ # $ % ^ & * ( ) _ + - =
Note: If your RDS instance runs MySQL 5.7, you can configure a custom password policy for the RDS instance. For more information, see Configure a custom password policy.
Confirm Password
Enter the logon password again.
Description
Enter a description that is used to identify the account. The value can be up to 256 characters in length. The value cannot contain http:// or https://.
- Click OK.
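The Database Account and New Password rules listed for both privileged and standard accounts can be checked before a request is submitted, for example in a provisioning pipeline. The following Python validator is an added example, not code from Alibaba Cloud. The function names, the case-insensitive reading of "similar", the rejection of characters outside the listed set, and the caller-supplied reserved-keyword list are assumptions, and a custom password policy on MySQL 5.7 is not covered.

```python
import re
import string

SPECIALS = set("!@#$%^&*()_+-=")                    # special characters listed on the page
MAX_NAME_LEN = {"5.6": 16, "5.7": 32, "8.0": 32}    # upper bound per MySQL version
NAME_RE = re.compile(r"[A-Za-z](?:[A-Za-z0-9_]*[A-Za-z0-9])?")


def check_username(name, mysql_version, existing=(), privileged=(), reserved=()):
    """Return the list of violated username rules (empty list means OK)."""
    errors = []
    if not 2 <= len(name) <= MAX_NAME_LEN[mysql_version]:
        errors.append("length")
    # Letters, digits, underscores; starts with a letter, ends with a letter or digit.
    if not NAME_RE.fullmatch(name):
        errors.append("charset")
    if name in existing:
        errors.append("duplicate")
    # Assumption: "similar" is modelled as a case-insensitive match (Test1 vs test1).
    if name.lower() in {p.lower() for p in privileged}:
        errors.append("similar-to-privileged")
    # Assumption: the page does not list the reserved keywords, so the caller supplies them.
    if name.lower() in {r.lower() for r in reserved}:
        errors.append("reserved")
    return errors


def check_password(password):
    """Return the list of violated default password rules (empty list means OK)."""
    errors = []
    if not 8 <= len(password) <= 32:
        errors.append("length")
    classes = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(classes) < 3:
        errors.append("fewer-than-three-classes")
    # Assumption: characters outside letters, digits and the listed specials are rejected.
    allowed = set(string.ascii_letters + string.digits) | SPECIALS
    if any(c not in allowed for c in password):
        errors.append("unsupported-character")
    return errors
```

Pass the usernames of existing privileged accounts in `privileged` only when validating a standard account name.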
FAQ
Can I configure an account to have only the permissions to access my RDS instance over an internal network?
Yes, you can use SQL statements to specify the source IP address from which an account can access your RDS instance. For more information, see Authorize an account to access its authorized databases from specified IP addresses. However, this operation is not supported in the ApsaraDB RDS console.
Can I configure the permissions of an account at finer-grained levels, such as the table level?
Yes, you can use SQL statements to manage the permissions of an account at finer-grained levels. However, this operation is not supported in the ApsaraDB RDS console. For more information, see Authorize accounts to manage tables, views, and fields.
Related operations
Operation | Description |
Creates an account that is used to manage the databases of an instance. |