Yandex project
© 2025 Yandex.Cloud LLC
Yandex Managed Service for MySQL®

Managing user permissions

Written by
Yandex Cloud
Updated at May 5, 2025

You can manage user permissions at the level of an individual database by updating user privileges.

Warning

To change user permissions at the level of the entire cluster or an individual database, use the Yandex Cloud interfaces. Changes made by SQL commands are not saved.

For more information, see User permissions.

Changing user privileges

The steps below are given for each interface in turn: management console, CLI, Terraform, REST API, and gRPC API.
Management console

  1. Go to the folder page and select Managed Service for MySQL.

  2. Click the name of the cluster you need and select the Users tab.

  3. Click the icon for the user you need and select Configure.

  4. Add the databases required for the user:

    1. Click Add database.
    2. Select the database from the drop-down list.
    3. Repeat the previous two steps until all the required databases are selected.
    4. To revoke access to a specific database, delete it from the list by clicking the icon to the right of the database name.
  5. Set up user privileges for each of the user's databases.

    1. In the Roles column, click the icon.
    2. Select the privilege you want to add to the user from the drop-down list.
    3. Repeat the previous two steps until all the required privileges are added.
  6. To revoke a privilege, click the icon to the right of its name.

  7. If necessary, set the administrative privileges for the user.

  8. Click Save.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  • Granting privileges to a user:

    yc managed-mysql user grant-permission <username> \
      --cluster-name <cluster_name> \
      --database <DB_name> \
      --permissions <privileges_separated_by_commas>
    

    You can get the cluster name from the list of clusters in the folder, the DB name from the list of databases in the cluster, and the username from the list of users in the cluster.

  • Revoking user privileges:

    yc managed-mysql user revoke-permission <username> \
      --cluster-name <cluster_name> \
      --database <DB_name> \
      --permissions <privileges_separated_by_commas>
    

    To grant or revoke the ALL_PRIVILEGES privilege, specify the ALL synonym as the privilege name.

Terraform

  1. Open the current Terraform configuration file with an infrastructure plan.

    For more information about creating this file, see Creating clusters.

  2. Find the yandex_mdb_mysql_user resource of the user you need and change the list of their privileges for the appropriate database in the roles parameter:

    resource "yandex_mdb_mysql_user" "<username>" {
      cluster_id = "<cluster_ID>"
      name       = "<username>"
      permission {
        database_name = "<DB_name>"
        roles         = [<list_of_privileges>]
      }
      ...
    }
    

    Where:

    • database_name: Name of the DB the user must have access to.
    • roles: List of user privileges for the DB.
  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate
      

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.

REST API

  1. Get an IAM token for API authentication and put it into the environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Use the User.update method and make a request, e.g., using cURL:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>/users/<username>' \
        --data '{
                  "updateMask": "permissions",
                  "permissions": [
                    {
                      "databaseName": "<DB_name>",
                      "roles": [
                        "<privilege_1>", "<privilege_2>", ..., "<privilege_N>"
                      ]
                    }
                  ]
                }'
    

    Where:

    • updateMask: List of parameters to update as a single string, separated by commas.

      In this case, only one parameter is provided.

    • permissions: User permission settings:

      • databaseName: Name of the database the user gets access to.
      • roles: Array of user's privileges, each provided as a separate string in the array. For the list of possible values, see User privileges in a cluster.

      For each database, add a separate item with permission settings to the permissions array.

    You can get the cluster ID from the list of clusters in the folder and the username from the list of users in the cluster.

  3. View the server response to make sure the request was successful.

gRPC API

  1. Get an IAM token for API authentication and put it into the environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
    

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the UserService/Update call and make a request, e.g., using gRPCurl:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings:

    "update_mask": {
        "paths": [
            "<setting_1>",
            "<setting_2>",
            ...
            "<setting_N>"
        ]
    }
    
    grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/user_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "cluster_id": "<cluster_ID>",
              "user_name": "<username>",
              "update_mask": {
                "paths": [
                  "permissions"
                ]
              },
              "permissions": [
                {
                  "database_name": "<DB_name>",
                  "roles": [
                    "<privilege_1>", "<privilege_2>", ..., "<privilege_N>"
                  ]
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.mysql.v1.UserService.Update
    

    Where:

    • update_mask: List of parameters to update as an array of paths[] strings.

      In this case, only one parameter is provided.

    • permissions: User permission settings:

      • database_name: Name of the database the user gets access to.
      • roles: Array of user's privileges, each provided as a separate string in the array. For the list of possible values, see User privileges in a cluster.

      For each database, add a separate item with permission settings to the permissions array.

    You can get the cluster ID from the list of clusters in the folder and the username from the list of users in the cluster.

  4. View the server response to make sure the request was successful.
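
One way to build the request body for both API styles so that the update mask always names exactly the fields being sent, with a check that flags a body whose mask is missing or inconsistent. This is an added example, not Yandex Cloud code; the function names and the rule of rejecting empty entries are assumptions of the example. For gRPC, add cluster_id and user_name to the returned body.

```python
import json

# Key spellings for the two request styles shown above.
STYLES = {"rest": ("updateMask", "databaseName"),
          "grpc": ("update_mask", "database_name")}
ROUTING = {"cluster_id", "user_name"}  # gRPC addressing fields, never masked


def build_permissions_update(desired, style="rest"):
    """Return a request body that changes only the user's permissions.

    desired maps a database name to the privileges wanted on it.
    """
    mask_key, db_key = STYLES[style]
    items = []
    for db, roles in sorted(desired.items()):
        if isinstance(roles, str):
            roles = [roles]
        # The CLI takes ALL as a synonym; the API value is ALL_PRIVILEGES.
        names = sorted({"ALL_PRIVILEGES" if r.upper() == "ALL" else r.upper()
                        for r in roles})
        if not db or not names:
            # Guard chosen for this example: refuse empty entries.
            raise ValueError(f"{db!r}: database name and privileges required")
        items.append({db_key: db, "roles": names})
    body = {"permissions": items}
    fields = sorted(body)
    # REST takes one comma-separated string, gRPC an array of paths.
    body[mask_key] = ",".join(fields) if style == "rest" else {"paths": fields}
    return body


def mask_mismatch(body, style="rest"):
    """Return field names on which the update mask and the body disagree.

    A body with no mask reports every field it carries.
    """
    mask_key, _ = STYLES[style]
    mask = body.get(mask_key)
    if style == "rest":
        masked = {p.strip() for p in (mask or "").split(",") if p.strip()}
    else:
        masked = set((mask or {}).get("paths", []))
    return sorted(masked ^ (set(body) - {mask_key} - ROUTING))


if __name__ == "__main__":
    # Constructed input: read-only access to db1.
    print(json.dumps(build_permissions_update({"db1": ["select"]}), indent=2))
```

Run mask_mismatch on any hand-written body before sending it; a non-empty result means the mask and the body name different fields.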

Examples

Creating a user with read-only permissions

To create a new user named user2 with the SecretPassword password and read-only access to the db1 database in the existing cluster1 cluster:

The steps below are given for the management console, CLI, and Terraform in turn.

Management console

Create a user named user2. When creating a user:

  1. Add the db1 database to the list of DBs.
  2. Add the SELECT role for the db1 database.
CLI

  1. Create a user named user2:

    yc managed-mysql user create "user2" \
      --cluster-name "cluster1" \
      --password "SecretPassword"
    
  2. Add the SELECT role for the db1 database:

    yc managed-mysql user grant-permission "user2" \
      --cluster-name "cluster1" \
      --database "db1" \
      --permissions "SELECT"
    
Terraform

  1. Open the current Terraform configuration file with an infrastructure plan.

    For more information about creating this file, see Creating a MySQL® cluster.

  2. Add the yandex_mdb_mysql_user resource:

    resource "yandex_mdb_mysql_user" "user2" {
      cluster_id = yandex_mdb_mysql_cluster.cluster1.id
      name       = "user2"
      password   = "SecretPassword"
      permission {
        database_name = "db1"
        roles         = ["SELECT"]
      }
      ...
    }
    
  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate
      

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.
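
A drift check for the read-only user from this example, added here and not part of the Yandex Cloud documentation: it compares a user's current permissions with the intended set and returns the yc grant-permission and revoke-permission commands needed to converge. The record layout (a name key plus the permissions, database_name and roles fields of the gRPC request) and the sample data are assumptions of the example.

```python
import shlex


def cli_name(privilege):
    # The CLI takes ALL as the synonym for ALL_PRIVILEGES.
    return "ALL" if privilege == "ALL_PRIVILEGES" else privilege


def reconcile(cluster, user, desired):
    """Return the yc commands that bring a user to the desired privileges.

    user: {"name": str, "permissions": [{"database_name": str, "roles": [...]}]}
    desired: {database: set of privileges}; a database absent from it gets none.
    """
    current = {p["database_name"]: set(p.get("roles", []))
               for p in user.get("permissions", [])}
    commands = []
    for db in sorted(set(current) | set(desired)):
        have, want = current.get(db, set()), set(desired.get(db, ()))
        # Revoke before granting: the state in between is then a subset
        # of both the old and the new grants.
        for verb, privs in (("revoke-permission", have - want),
                            ("grant-permission", want - have)):
            if not privs:
                continue
            names = ",".join(sorted(cli_name(p) for p in privs))
            commands.append(" ".join([
                "yc managed-mysql user", verb, shlex.quote(user["name"]),
                "--cluster-name", shlex.quote(cluster),
                "--database", shlex.quote(db),
                "--permissions", shlex.quote(names)]))
    return commands


# Constructed records, not output captured from a real cluster.
READ_ONLY = {"db1": {"SELECT"}}
DRIFTED = {"name": "user2", "permissions": [
    {"database_name": "db1", "roles": ["SELECT", "INSERT"]},
    {"database_name": "db2", "roles": ["ALL_PRIVILEGES"]}]}

if __name__ == "__main__":
    for line in reconcile("cluster1", DRIFTED, READ_ONLY):
        print(line)
```

An empty result means the user already matches the intended read-only set.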
