How do I create another administration user for my Amazon RDS for MySQL DB instance?

3 minute read

I want to create another user that has administration account permissions for my Amazon Relational Database Service (Amazon RDS) for MySQL DB instance.

Resolution

By default, Amazon RDS for MySQL has one primary administration account. It's a best practice to create another user with minimal permissions to use with your application. For more information, see Role-based privilege model for RDS for MySQL.

Note: Depending on the version of MySQL that you use, you can also run the GRANT command to attach dynamic permissions to a user.

For MySQL versions 8.0.36 and higher

To use rds_superuser_role to grant role-based permissions to users, complete the following steps:

As the primary administration user, run the SHOW GRANTS command to see the list of permissions for the rds_superuser_role role:
```
SHOW GRANTS FOR rds_superuser_role@'%';
```

Run the CREATE USER command to create a new administrative user:

CREATE USER 'new_admin_user'@'%' IDENTIFIED BY 'password';

Run the GRANT command to grant the new role to the new user:

grant rds_superuser_role to 'new_admin_user'@'%';

Run the following command to activate the rds_superuser_role for the new user:
```
set role all;
```

Run the following query to verify that you granted rds_superuser_role to the new user:

select current_role();

Example output:

+--------------------------+  
| current_role() |  
+--------------------------+  
| `rds_superuser_role`@`%` |  
+--------------------------+

For MySQL versions lower than 8.0.36

Complete the following steps:

Connect to your RDS for MySQL DB instance.
Run the following command to get a list of the permissions that are currently available to the administrative account:
```
SHOW GRANTS for admin_username;
```
Note: Replace admin_username with your username.

Copy your output of the list of permissions to use in step 5.
Example output:

+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| Grants for admin@% |  
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+  
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO 'admin'@'%' WITH GRANT OPTION |  
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Run the following command to create a new user:

CREATE USER 'new_admin_user'@'%' IDENTIFIED BY 'password';

Note: Replace new_admin_user and password with your username and password.

Run the following GRANT command and include the list of permissions that you got in step 2 to attach to the new user:

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO 'new_admin_user'@'%' WITH GRANT OPTION;

Use the new user to log in.
Run the following query to verify that you granted the permissions to the new administrative user:
```
SHOW GRANTS for admin_username;
```
Note: Replace admin_username with your username.

Related information

Common DBA tasks for MySQL DB instances

How do I allow users to authenticate to an Amazon RDS for MySQL DB instance through their IAM credentials?

Topics: Analytics Migration & Modernization Database
Tags: MySQL Amazon Relational Database Service MariaDB
Language: English

Relevant content

AWS Lambda in Java Cannot Connect to RDS using password: Access Denied Error for User 'admin'
Accepted Answer
rohan
asked 2 years ago
MySQL on RDS another account with root privileges
Dataedo
asked 3 years ago
How do I use MySQL Master/Slave replication on RDS for multiple instances?
Soon
asked 2 years ago
when i use admin user in rds mysql but i cannot see the global variables
rePost-User-8728016
asked 3 years ago
EC2 Instance Connection of RDS DB
Micah Blackburn
asked 3 years ago
How do I create a cross-Region read replica of my Amazon RDS for MySQL DB instance in another AWS account?
AWS OFFICIALUpdated 10 months ago
How do I migrate my Amazon RDS for MySQL DB instance using a custom start time?
AWS OFFICIALUpdated 5 years ago
How do I create another user with the same privileges as a default user for my Amazon RDS or Aurora DB instance with PostgreSQL?
AWS OFFICIALUpdated 3 years ago
Why is my Amazon RDS for MySQL DB instance stuck in "Rebooting"?
AWS OFFICIALUpdated 5 years ago
Best Practices for Aurora MySQL Advanced Auditing with Amazon RDS Proxy
EXPERT
Ramu Varanasi
published 24 days ago