在Amazon RDS环境中创建新的MySQL用户

Question

I need to create a new MySQL user with limited permission on an existing Amazon RDS instance. After encountering a couple error messages I was sort of able to do this using the official MySQL Administrator tool and the user now appears in the list. However, I'm unable to assign any schema privileges as all the users are greyed out. I'm logged in as the "master user" created when the instance was launched. Not sure where to go from here. I do have the RDS command line tools installed but wasn't able to track down anything there either. Ideas

Answer 1

Your best bet is probably to connect to the database with a mysql command line client and call the SQL commands to create a new user and assign him privileges.

For instance, you might run something like this:

mysql -u [your_master_username] -p -h YOURRDSENDPOINT.rds.amazonaws.com

CREATE USER 'jeffrey'@'%' IDENTIFIED BY 'somepassword';
GRANT SELECT ON [your_database].[some_table] TO 'jeffrey'@'%';

On windows you could use the mysql.exe client, wherever that is.

Useful Docs

AWS RDS security groups documentation (a common area of confusion): http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithSecurityGroups.html

User creation documentation: http://dev.mysql.com/doc/refman/5.5/en/create-user.html

Privilege granting documentation: http://dev.mysql.com/doc/refman/5.5/en/grant.html

Answer 2

I know this thread is a couple of years old and well I keep finding it so I wanted to get an update out about the AWS RDS and User Permissions.

You cannot use GRANT ALL for any user with an RDS. When you use the GRANT ALL statement you are also attempting to provide Global (as AWS Calls them Super Permissions ) and with the way that the AWS RDS System is setup they do not allow assigning of Global Options to users.

You have to break out the Permissions to the following:

GRANT SELECT,INSERT,UPDATE,DELETE,DROP on

This will allow your user to be able to connect to the RDS once the security settings are setup to allow access from your EC2 Instances or from the Internet.

Hope this information helps anyone else that is running into the same issues that I was seeing with the AWS RDS Systems.

Waldo

Answer 3

I created like this:

CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'somepassword';
GRANT SELECT ON mydatabase.* TO 'jeffrey'@'localhost';

But then, AWS rejected to login to that user. And I tried to change Admin privileges, but not success. And I change 'localhost' to '%' through mysql workbench. (or you can remove the user and recreate) like :

CREATE USER 'jeffrey'@'%' IDENTIFIED BY 'somepassword';
GRANT SELECT ON mydatabase.* TO 'jeffrey'@'%';

Then only I was able to loggin through this new user.

In addition: Once you done this change, then your database allowed to connect from any ip. If you need to improve the security and restrict the accessing ip (Ex: if this is a staging database), you can set the bind-address in my.cnf file in your server.

bind-address = your.ip.add.ress

enter link description here

Answer 4

I had the most success using MySQL Workbench and executing raw SQL against RDS:

CREATE USER 'foo'@'localhost' IDENTIFIED BY 'password';

The bigger problem was permissions. Initially I tried:

Grant ALL on *.* to 'foo'@'localhost'

... which results in an Access Denied error.

Error Code: 1045. Access denied for user 'foo'@'%' (using password: YES)

The troublesome permission is "super" which RDS doesn't give me, and in turn I can't grant. As a result, I'm stuck doing permissions by hand:

Grant SELECT on *.* to 'foo'@'localhost';
Grant INSERT on *.* to 'foo'@'localhost';
Grant CREATE on *.* to 'foo'@'localhost';

Answer 5

I have used mySQL workbench and it works fine. just go to management/Users and Privileges, press "Add Account" button bottom left, and configure. You cannot give SUPER privileges, but most of the rest