Contact UsTry it for free
© 2025 Direct Cursus Technology L.L.C.

Managing MySQL® users

Written by
Updated at December 17, 2025

You can add and remove users, as well as manage their settings.

Warning

To change user permissions at the cluster or database level, use the Yandex Cloud interfaces. Changes made using SQL commands are not saved.

For more information, see User permissions.

Getting a list of users

  1. Go to Managed Service for MySQL.
  2. Click the name of your cluster and open the  Users tab.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To get a list of cluster users, run this command:

yc managed-mysql user list --cluster-name=<cluster_name>

You can get the cluster name with the list of clusters in the folder.

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.list method, e.g., via the following cURL request:

    curl \
    --request GET \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>/users'

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Call the UserService/List method, e.g., via the following gRPCurl request:

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mysql.v1.UserService.List

    You can get the cluster ID with the list of clusters in the folder.

  4. Check the server response to make sure your request was successful.

Creating a user

  1. Go to Managed Service for MySQL.

  2. Click the name of your cluster and select the Users tab.

  3. Click Create user.

  4. Specify the database user’s name.

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore. The name may be up to 32 characters long.

  5. Select the method for setting a password:

    • Enter manually: Set your own password. It must be from 8 to 128 characters long.

    • Generate: Generate a password using Connection Manager.

    To view the password, navigate to the cluster page, select the Users tab, and click View password for the new user. This will open the page of the Yandex Lockbox secret containing the password. To view passwords, you need the lockbox.payloadViewer role.

  6. Select one or more databases the user must have access to:

    1. Click Add database.
    2. Select the database from the drop-down list.
    3. Repeat these two steps to select all required databases.
    4. To delete a database added by mistake, hover over the database row and click .

  7. Set up user privileges for each of the selected databases:

    1. In the Roles column, click .
    2. In the drop-down list, select the privilege you want to grant the user.
    3. Repeat these two steps to add all required privileges.

  8. To revoke a privilege granted by mistake, click to its right.

  9. Configure the MySQL® settings and administrative privileges for the user, if required.

  10. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To create a cluster user, run this command:

yc managed-mysql user create <username> \
  --cluster-name=<cluster_name> \
  --password=<user_password> \
  --permissions=<database_list>

Where:

  • cluster-name: Cluster name.

  • password: User password. The password must be from 8 to 128 characters long.

    You can also generate a password using Connection Manager. Do it by specifying --generate-password instead of --password=<password>.

    To view the password, select your cluster in the management console, navigate to the Users tab, and click View password for the new user. This will open the page of the Yandex Lockbox secret containing the password. To view passwords, you need the lockbox.payloadViewer role.

  • permissions: List of databases the user should have access to.

The username may contain Latin letters, numbers, hyphens, and underscores, and must start with a letter, number, or underscore. It must be from 1 to 32 characters long.

You can get the cluster name with the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    To learn how to create this file, see Creating a cluster.

  2. Add the yandex_mdb_mysql_user resource:

    resource "yandex_mdb_mysql_user" "<username>" {
  cluster_id = "<cluster_ID>"
  name       = "<username>"
  password   = "<password>"
  permission {
    database_name = "<DB_name>"
    roles         = [<list_of_privileges>]
  }
  ...
}

    Where:

    • database_name: Name of the database the user will have access to.
    • roles: List of user privileges for the database.

    The username may contain Latin letters, numbers, hyphens, and underscores, and must start with a letter, number, or underscore. It must be from 1 to 32 characters long.

    The password must be from 8 to 128 characters long.

    You can also generate a password using Connection Manager. Do it by specifying generate_password = true instead of password = "<password>".

    To view the password, select your cluster in the management console, navigate to the Users tab, and click View password for the new user. This will open the page of the Yandex Lockbox secret containing the password. To view passwords, you need the lockbox.payloadViewer role.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Create a file named body.json and paste the following code into it:

    {
    "userSpec": {
        "name": "<username>",
        "password": "<user_password>",
        "permissions": [
            {
                "databaseName": "<DB_name>",
                "roles": [
                    "<privilege_1>", "<privilege_2>", ..., "<privilege_N>"
                ]
            }
        ]
    }
}'

    Where userSpec are the settings for the new database user:

    • name: Username.

      The username may contain Latin letters, numbers, hyphens, and underscores, and must start with a letter, number, or underscore. It must be from 1 to 32 characters long.

    • password: User password. The password must be from 8 to 128 characters long.

      You can also generate a password using Connection Manager. Do it by specifying "generatePassword": true instead of "password": "<user_password>".

      To view the password, select your cluster in the management console, navigate to the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. To view passwords, you need the lockbox.payloadViewer role.

    • permissions: User permission settings:

      For each database, add a separate element with permission settings to the permissions array.

  3. Call the User.create method, e.g., via the following cURL request:

    curl \
    --request POST \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>/users' \
    --data "@body.json"

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Create a file named body.json and paste the following code into it:

    {
    "cluster_id": "<cluster_ID>",
    "user_spec": {
        "name": "<username>",
        "password": "<user_password>",
        "permissions": [
            {
                "database_name": "<DB_name>",
                "roles": [
                    "<privilege_1>", "<privilege_2>", ..., "<privilege_N>"
                ]
            }
        ]
    }
}

    Where user_spec are the settings for the new database user:

    • name: Username.

      The username may contain Latin letters, numbers, hyphens, and underscores, and must start with a letter, number, or underscore. It must be from 1 to 32 characters long.

    • password: User password. The password must be from 8 to 128 characters long.

      You can also generate a password using Connection Manager. Do it by specifying "generate_password": true instead of "password": "<user_password>".

      To view the password, select your cluster in the management console, navigate to the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. To view passwords, you need the lockbox.payloadViewer role.

    • permissions: User permission settings:

      For each database, add a separate element with permission settings to the permissions array.

    You can get the cluster ID with the list of clusters in the folder.

  4. Call the UserService/Create method, e.g., via the following gRPCurl request:

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d @ \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mysql.v1.UserService.Create \
    < body.json

  5. Check the server response to make sure your request was successful.

Changing a password

  1. Go to Managed Service for MySQL.

  2. Click the name of your cluster and select the Users tab.

  3. Click and select Change password.

  4. Select the method for setting a new password:

    • Enter manually: Set your own password. It must be from 8 to 128 characters long.

    • Generate: Generate a password using Connection Manager.

  5. Click Edit.

To view the new password, navigate to the cluster page, select the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. The new password version is marked as Current.

To view passwords, you need the lockbox.payloadViewer role.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To change a user password, run this command:

yc managed-mysql user update <username> \
  --cluster-name=<cluster_name> \
  --password=<new_password>

The password must be from 8 to 128 characters long.

You can also generate a new password using Connection Manager. Do it by specifying --generate-password instead of --password=<new_password>.

To view the new password, select your cluster in the management console, navigate to the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. The new password version is marked as Current.

To view passwords, you need the lockbox.payloadViewer role.

You can get the cluster name with the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    To learn how to create this file, see Creating a cluster.

  2. Locate the yandex_mdb_mysql_user resource for the user in question.

  3. Change the password field value:

    resource "yandex_mdb_mysql_user" "<username>" {
  cluster_id = "<cluster_ID>"
  name       = "<username>"
  password   = "<new_password>"
  ...
}

    The password must be from 8 to 128 characters long.

    You can also generate a new password using Connection Manager. Do it by specifying generate_password = true instead of password = "<new_password>".

    To view the new password, select your cluster in the management console, navigate to the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. The new password version is marked as Current.

    Note

    If the current password has been automatically generated, you cannot regenerate it using Terraform due to the provider limitations.

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>/users/<username>' \
    --data '{
              "updateMask": "password",
              "password": "<new_password>"
            }'

    Where:

    • updateMask: Comma-separated list of settings you want to update.

      Here, we provide only one setting.

    • password: New password. The password must be from 8 to 128 characters long.

      You can also generate a password using Connection Manager. To do this, edit the data field as follows:

      {
  "updateMask": "generatePassword",
  "generatePassword": true
}

      To view the new password, select your cluster in the management console, navigate to the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. The new password version is marked as Current.

      To view passwords, you need the lockbox.payloadViewer role.

    You can get the cluster ID with the list of clusters in the folder, and the username, with the list of users in the cluster.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Call the UserService/Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "user_name": "<username>",
          "update_mask": {
            "paths": [
              "password"
            ]
          },
          "password": "<new_password>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mysql.v1.UserService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

      Here, we provide only one setting.

    • password: New password. The password must be from 8 to 128 characters long.

      You can also generate a password using Connection Manager. To do this, edit the d parameter as follows:

      {
  "cluster_id": "<cluster_ID>",
  "user_name": "<username>",
  "update_mask": {
    "paths": [
      "generate_password"
    ]
  },
  "generate_password": true
}

      To view the new password, select your cluster in the management console, navigate to the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. The new password version is marked as Current.

      To view passwords, you need the lockbox.payloadViewer role.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  4. Check the server response to make sure your request was successful.

Changing user settings

Tip

To change user's database access privileges, follow this guide.

  1. Go to Managed Service for MySQL.
  2. Click the name of your cluster and select the Users tab.
  3. Click and select Configure.
  4. Configure the MySQL® settings for the user.
  5. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To configure the MySQL® settings for a user, run this command:

yc managed-mysql user update <username> \
  --cluster-name=<cluster_name> \
  --global-permissions=<list_of_privileges> \
  --authentication-plugin=<authentication_plugin> \
  --max-questions-per-hour=<maximum_requests> \
  --max-updates-per-hour=<maximum_UPDATE_requests> \
  --max-connections-per-hour=<maximum_connections> \
  --max-user-connections=<maximum_concurrent_connections>

Where:

  • global-permissions: Comma-separated list of administrative privileges.
  • max-questions-per-hour: Maximum number of requests per hour.
  • max-updates-per-hour: Maximum number of UPDATE requests per hour.
  • max-connections-per-hour: Maximum number of connections per hour.
  • max-user-connections: Maximum number of concurrent connections.

You can get the cluster name with the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    To learn how to create this file, see Creating a cluster.

  2. Locate the yandex_mdb_mysql_user resource for the user in question.

  3. To set limits on the number of connections and requests, add the connection_limits section to the user description:

    resource "yandex_mdb_mysql_user" "<username>" {
  ...
  connection_limits {
    max_questions_per_hour   = <maximum_requests>
    max_updates_per_hour     = <maximum_UPDATE_requests>
    max_connections_per_hour = <maximum_connections>
    max_user_connections     = <maximum_concurrent_connections>
    ...
  }
}

    Where:

    • max-questions-per-hour: Maximum number of requests per hour.
    • max-updates-per-hour: Maximum number of UPDATE requests per hour.
    • max-connections-per-hour: Maximum number of connections per hour.
    • max-user-connections: Maximum number of concurrent connections.

  4. To configure a user authentication plugin, add the authentication_plugin section to the user description:

    resource "yandex_mdb_mysql_user" "<username>" {
  ...
  authentication_plugin = "<authentication_plugin>"
}

  5. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  6. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>/users/<username>' \
    --data '{
              "updateMask": "globalPermissions,connectionLimits,authenticationPlugin",
              "globalPermissions": [
                "<administrative_privilege_1>",
                "<administrative_privilege_2>",
                ...,
                "<administrative_privilege_N>"
              ],
              "connectionLimits": {
                "maxQuestionsPerHour": "<maximum_requests>",
                "maxUpdatesPerHour": "<maximum_UPDATE_requests>",
                "maxConnectionsPerHour": "<maximum_connections>",
                "maxUserConnections": "<maximum_concurrent_connections>"
              },
              "authenticationPlugin": "<authentication_plugin>"
            }'

    Where:

    • updateMask: Comma-separated list of settings you want to update.

    • globalPermissions: Array of administrative privileges, each provided as a separate string in the array. For the list of possible values, see the method description.

    • connectionLimits: User connection settings:

      • maxQuestionsPerHour: Maximum number of requests per hour.
      • maxUpdatesPerHour: Maximum number of UPDATE requests per hour.
      • maxConnectionsPerHour: Maximum number of connections per hour.
      • maxUserConnections: Maximum number of concurrent connections.

      The minimum value for each of these connection settings is 0.

    • authenticationPlugin: User authentication plugin. For the list of available plugins, see the method description.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Call the UserService/Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "user_name": "<username>",
          "update_mask": {
            "paths": [
              "global_permissions",
              "connection_limits",
              "authentication_plugin"
            ]
          },
          "global_permissions": [
            "<administrative_privilege_1>",
            "<administrative_privilege_2>",
            ...,
            "<administrative_privilege_N>"
          ],
          "connection_limits": {
            "max_questions_per_hour": "<maximum_requests>",
            "max_updates_per_hour": "<maximum_UPDATE_requests>",
            "max_connections_per_hour": "<maximum_connections>",
            "max_user_connections": "<maximum_concurrent_connections>"
          },
          "authentication_plugin": "<authentication_plugin>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mysql.v1.UserService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

    • global_permissions: Array of administrative privileges, each provided as a separate string in the array. For the list of possible values, see the method description.

    • connection_limits: User connection settings:

      • max_questions_per_hour: Maximum number of requests per hour.
      • max_updates_per_hour: Maximum number of UPDATE requests per hour.
      • max_connections_per_hour: Maximum number of connections per hour.
      • max_user_connections: Maximum number of concurrent connections.

      The minimum value for each of these connection settings is 0.

    • authentication_plugin: User authentication plugin. For the list of available plugins, see the method description.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  4. Check the server response to make sure your request was successful.

Deleting a user

  1. Go to Managed Service for MySQL.
  2. Click the name of your cluster and select the Users tab.
  3. Click and select Delete.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To delete a user, run this command:

yc managed-mysql user delete <username> --cluster-name=<cluster_name>

You can get the cluster name with the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    For information on how to create such a file, see Creating a cluster.

  2. Delete the yandex_mdb_mysql_user resource with the user description.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.delete method, e.g., via the following cURL request:

    curl \
    --request DELETE \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>/users/<username>'

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Call the UserService/Delete method, e.g., via the following gRPCurl request:

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "user_name": "<username>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mysql.v1.UserService.Delete

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  4. Check the server response to make sure your request was successful.

Examples

Creating a user with read-only permissions

To create a new user named user2 with the SecretPassword password and read-only access to the db1 database in the existing cluster1:

Create a user named user2. When creating the user:

  1. Add db1 to the database list.
  2. Add the SELECT role for db1.

  1. Create a user named user2:

    yc managed-mysql user create "user2" \
  --cluster-name "cluster1" \
  --password "SecretPassword"

  2. Add the SELECT role for db1:

    yc managed-mysql users grant-permission "user2" \
  --cluster-name "cluster1" \
  --database "db1" \
  --permissions "SELECT"

  1. Open the current Terraform configuration file describing your infrastructure.

    For more information on how to create this file, see this guide.

  2. Add the yandex_mdb_mysql_user resource:

    resource "yandex_mdb_mysql_user" "user2" {
  cluster_id = yandex_mdb_mysql_cluster.cluster1.id
  name       = "user2"
  password   = "SecretPassword"
  permission {
    database_name = "db1"
    roles         = ["SELECT"]
  ...
  }
}

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

Previous
Database management
Next
Managing user permissions