Creating A New MySQL User In Amazon RDS Environment
I need to create a new MySQL user with limited permission on an existing Amazon RDS instance. After encountering a couple error messages I was sort of able to do this using the official MySQL Administrator tool and the user now appears in the list. However, I'm unable to assign any schema privileges as all the users are greyed out. I'm logged in as the "master user" created when the instance was launched. Not sure where to go from here. I do have the RDS command line tools installed but wasn't able to track down anything there either. Ideas
Your best bet is probably to connect to the database with a mysql command line client and call the SQL commands to create a new user and assign him privileges.
For instance, you might run something like this:
mysql -u [your_master_username] -p -h YOURRDSENDPOINT.rds.amazonaws.com
CREATE USER 'jeffrey'@'%' IDENTIFIED BY 'somepassword';
GRANT SELECT ON [your_database].[some_table] TO 'jeffrey'@'%';
On windows you could use the mysql.exe client, wherever that is.
Useful Docs
AWS RDS security groups documentation (a common area of confusion): http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithSecurityGroups.html
User creation documentation: http://dev.mysql.com/doc/refman/5.5/en/create-user.html
Privilege granting documentation: http://dev.mysql.com/doc/refman/5.5/en/grant.html
I know this thread is a couple of years old and well I keep finding it so I wanted to get an update out about the AWS RDS and User Permissions.
You cannot use GRANT ALL for any user with an RDS. When you use the GRANT ALL statement you are also attempting to provide Global (as AWS Calls them Super Permissions) and with the way that the AWS RDS System is setup they do not allow assigning of Global Options to users.
You have to break out the Permissions to the following:
GRANT SELECT,INSERT,UPDATE,DELETE,DROP on
This will allow your user to be able to connect to the RDS once the security settings are setup to allow access from your EC2 Instances or from the Internet.
Hope this information helps anyone else that is running into the same issues that I was seeing with the AWS RDS Systems.
Waldo
GRANT ALL I still unable to connect. Now it is clear.
ALL is: ERROR 1045 (28000): Access denied for user 'root'@'%' (using password: YES)
GRANT ALL if all privileges were selected. Adding privileges in two steps so that it did not use GRANT ALL let me get past the "permission denied" error when trying to add privileges and is only mildly annoying to have to do it in two steps.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO 'user'@'%' WITH GRANT OPTION;
I created like this:
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'somepassword';
GRANT SELECT ON mydatabase.* TO 'jeffrey'@'localhost';
But then, AWS rejected to login to that user. And I tried to change Admin privileges, but not success. And I change 'localhost' to '%' through mysql workbench. (or you can remove the user and recreate) like :
CREATE USER 'jeffrey'@'%' IDENTIFIED BY 'somepassword';
GRANT SELECT ON mydatabase.* TO 'jeffrey'@'%';
Then only I was able to loggin through this new user.
In addition: Once you done this change, then your database allowed to connect from any ip. If you need to improve the security and restrict the accessing ip (Ex: if this is a staging database), you can set the bind-address in my.cnf file in your server.
bind-address = your.ip.add.ress
I had the most success using MySQL Workbench and executing raw SQL against RDS:
CREATE USER 'foo'@'localhost' IDENTIFIED BY 'password';
The bigger problem was permissions. Initially I tried:
Grant ALL on *.* to 'foo'@'localhost'
... which results in an Access Denied error.
Error Code: 1045. Access denied for user 'foo'@'%' (using password: YES)
The troublesome permission is "super" which RDS doesn't give me, and in turn I can't grant. As a result, I'm stuck doing permissions by hand:
Grant SELECT on *.* to 'foo'@'localhost';
Grant INSERT on *.* to 'foo'@'localhost';
Grant CREATE on *.* to 'foo'@'localhost';
GRANT USAGE ON *.* TO 'foo'@'localhost' tested on rds mariadb, I think mysql should be the same. see MySQL on Amazon RDS
I have used mySQL workbench and it works fine. just go to management/Users and Privileges, press "Add Account" button bottom left, and configure. You cannot give SUPER privileges, but most of the rest
Follow WeChat
Success story sharing
