Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

MySQL® user management

Written by
Updated at October 20, 2025

You can add and remove users, as well as manage their settings.

Warning

To change user permissions at the level of the entire cluster or an individual database, use the Yandex Cloud interfaces. Changes made by SQL commands are not saved.

For more information, see User permissions.

Getting a list of users

  1. Navigate to the folder dashboard and select Managed Service for MySQL.
  2. Click the name of the cluster you need and select the  Users tab.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To get a list of cluster users, run the following command:

yc managed-mysql user list --cluster-name=<cluster_name>

You can get the cluster name with the list of clusters in the folder.

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Use the User.list method and send the following request, e.g., via cURL:

    curl \
    --request GET \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>/users'

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the UserService/List call and send the following request, e.g., via gRPCurl:

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mysql.v1.UserService.List

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.

Creating a user

  1. Navigate to the folder dashboard and select Managed Service for MySQL.

  2. Click the cluster name and select the Users tab.

  3. Click Create user.

  4. Enter a DB username.

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore. The name can be up to 32 characters long.

  5. Select how to set a password:

    • Enter manually: Enter your own password. The password must be from 8 to 128 characters long.

    • Generate: Generate a password with Connection Manager.

    To view the password, select the Users tab on the cluster page and click View password in the new user row. This will open the page of the Yandex Lockbox secret that stores your password. To view passwords, you need the lockbox.payloadViewer role.

  6. Select one or more databases the user should have access to:

    1. Click Add database.
    2. Select the database from the drop-down list.
    3. Repeat the previous two steps until all the required databases are selected.
    4. To delete a database added by mistake, hover over the row with the database name and click at the end of the row.

  7. Set up user privileges for each of the selected databases:

    1. In the Roles column, click .
    2. Select the privilege you want to add to the user from the drop-down list.
    3. Repeat the previous two steps until all the required privileges are added.

  8. To revoke a privilege granted by mistake, click to the right of its name.

  9. If necessary, specify the MySQL® settings and administrative privileges for the user.

  10. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To create a user in a cluster, run this command:

yc managed-mysql user create <username> \
  --cluster-name=<cluster_name> \
  --password=<user_password> \
  --permissions=<DB_list>

Where:

  • cluster-name: Cluster name.

  • password: User password. The password must be from 8 to 128 characters long.

    You can also generate a password with Connection Manager. To do this, specify --generate-password instead of --password=<password>.

    To view the password, select the cluster you need in the management console, go to the Users tab, and click View password in the new user row. This will open the page of the Yandex Lockbox secret that stores your password. To view passwords, you need the lockbox.payloadViewer role.

  • permissions: List of DBs the user should have access to.

The username may contain Latin letters, numbers, hyphens, and underscores, and must start with a letter, number, or underscore. It must be from 1 to 32 characters long.

You can get the cluster name with the list of clusters in the folder.

  1. Open the current Terraform configuration file that defines your infrastructure.

    For more information about creating this file, see this guide.

  2. Add the yandex_mdb_mysql_user resource:

    resource "yandex_mdb_mysql_user" "<username>" {
  cluster_id = "<cluster_ID>"
  name       = "<username>"
  password   = "<password>"
  permission {
    database_name = "<DB_name>"
    roles         = [<list_of_privileges>]
  }
  ...
}

    Where:

    • database_name: Name of the DB the user must have access to.
    • roles: List of user privileges for the DB.

    The username may contain Latin letters, numbers, hyphens, and underscores, and must start with a letter, number, or underscore. It must be from 1 to 32 characters long.

    The password must be from 8 to 128 characters long.

    You can also generate a password using Connection Manager. To do this, specify generate_password = true instead of password = "<password>".

    To view the password, select the cluster you need in the management console, go to the Users tab, and click View password in the new user row. This will open the page of the Yandex Lockbox secret that stores your password. To view passwords, you need the lockbox.payloadViewer role.

  3. Validate your configuration.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Create a file named body.json and paste the following code into it:

    {
    "userSpec": {
        "name": "<username>",
        "password": "<user_password>",
        "permissions": [
            {
                "databaseName": "<DB_name>",
                "roles": [
                    "<privilege_1>", "<privilege_2>", ..., "<privilege_N>"
                ]
            }
        ]
    }
}'

    Where userSpec lists the new DB user settings:

    • name: Username.

      The username may contain Latin letters, numbers, hyphens, and underscores, and must start with a letter, number, or underscore. It must be from 1 to 32 characters long.

    • password: User password. The password must be from 8 to 128 characters long.

      You can also generate a password with Connection Manager. To do this, specify "generatePassword": true instead of "password": "<user_password>".

      To view the password, select the cluster you created in the management console, go to the Users tab, and click View password in the user's row. This will open the page of the Yandex Lockbox secret that stores your password. To view passwords, you need the lockbox.payloadViewer role.

    • permissions: User permission settings:

      For each database, add a separate element with permission settings to the permissions array.

  3. Use the User.create method and send the following request, e.g., via cURL:

    curl \
    --request POST \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>/users' \
    --data "@body.json"

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Create a file named body.json and paste the following code into it:

    {
    "cluster_id": "<cluster_ID>",
    "user_spec": {
        "name": "<username>",
        "password": "<user_password>",
        "permissions": [
            {
                "database_name": "<DB_name>",
                "roles": [
                    "<privilege_1>", "<privilege_2>", ..., "<privilege_N>"
                ]
            }
        ]
    }
}

    Where user_spec represents the new DB user settings:

    • name: Username.

      The username may contain Latin letters, numbers, hyphens, and underscores, and must start with a letter, number, or underscore. It must be from 1 to 32 characters long.

    • password: User password. The password must be from 8 to 128 characters long.

      You can also generate a password with Connection Manager. To do this, specify "generate_password": true instead of "password": "<user_password>".

      To view the password, select the cluster you created in the management console, go to the Users tab, and click View password in the user's row. This will open the page of the Yandex Lockbox secret that stores your password. To view passwords, you need the lockbox.payloadViewer role.

    • permissions: User permission settings:

      For each database, add a separate element with permission settings to the permissions array.

    You can get the cluster ID with the list of clusters in the folder.

  4. Use the UserService/Create call and send the following request, e.g., via gRPCurl:

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d @ \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mysql.v1.UserService.Create \
    < body.json

  5. View the server response to make sure your request was successful.

Changing a password

  1. Navigate to the folder dashboard and select Managed Service for MySQL.

  2. Click the cluster name and select the Users tab.

  3. Click and select Change password.

  4. Select how to set a new password:

    • Enter manually: Enter your own password. The password must be from 8 to 128 characters long.

    • Generate: Generate a password with Connection Manager.

  5. Click Edit.

To view the new password, select the Users tab on the cluster page and click View password in the user's row. This will open the page of the Yandex Lockbox secret that stores your password. The new password version is labeled as Current.

To view passwords, you need the lockbox.payloadViewer role.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To change a user password, run this command:

yc managed-mysql user update <username> \
  --cluster-name=<cluster_name> \
  --password=<new_password>

The password must be from 8 to 128 characters long.

You can also generate a new password with Connection Manager. To do this, specify --generate-password instead of --password=<new_password>.

To view the new password, select the cluster in the management console, go to the Users tab, and click View password in the the user's row. This will open the page of the Yandex Lockbox secret that stores your password. The new password version is labeled as Current.

To view passwords, you need the lockbox.payloadViewer role.

You can get the cluster name with the list of clusters in the folder.

  1. Open the current Terraform configuration file that defines your infrastructure.

    For more information about creating this file, see this guide.

  2. Locate the user's yandex_mdb_mysql_user resource.

  3. Change the value of the password field:

    resource "yandex_mdb_mysql_user" "<username>" {
  cluster_id = "<cluster_ID>"
  name       = "<username>"
  password   = "<new_password>"
  ...
}

    The password must be from 8 to 128 characters long.

    You can also generate a new password with Connection Manager. To do this, specify generate_password = true instead of password = "<new_password>".

    To view the new password, select the cluster in the management console, go to the Users tab, and click View password in the the user's row. This will open the page of the Yandex Lockbox secret that stores your password. The new password version is labeled as Current.

    Note

    If the old password was generated, you cannot regenerate it using Terraform due to provider limitations.

  4. Validate your configuration.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Use the User.update method and send the following request, e.g., using cURL:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>/users/<username>' \
    --data '{
              "updateMask": "password",
              "password": "<new_password>"
            }'

    Where:

    • updateMask: List of parameters to update as a single string, separated by commas.

      In this case, only one parameter is provided.

    • password: New password. The password must be from 8 to 128 characters long.

      You can also generate a password with Connection Manager. To do this, edit the contents of the data field:

      {
  "updateMask": "generatePassword",
  "generatePassword": true
}

      To view the new password, select the cluster in the management console, go to the Users tab, and click View password in the the user's row. This will open the page of the Yandex Lockbox secret that stores your password. The new password version is labeled as Current.

      To view passwords, you need the lockbox.payloadViewer role.

    You can request the cluster ID with the list of clusters in the folder and the username, with the list of users in the cluster.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the UserService/Update call and send the following request, e.g., using gRPCurl:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "user_name": "<username>",
          "update_mask": {
            "paths": [
              "password"
            ]
          },
          "password": "<new_password>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mysql.v1.UserService.Update

    Where:

    • update_mask: List of parameters to update as an array of paths[] strings.

      Only one parameter is provided in this case.

    • password: New password. The password must be from 8 to 128 characters long.

      You can also generate a password with Connection Manager. To do this, edit the contents of the d parameter:

      {
  "cluster_id": "<cluster_ID>",
  "user_name": "<username>",
  "update_mask": {
    "paths": [
      "generate_password"
    ]
  },
  "generate_password": true
}

      To view the new password, select the cluster in the management console, go to the Users tab, and click View password in the the user's row. This will open the page of the Yandex Lockbox secret that stores your password. The new password version is labeled as Current.

      To view passwords, you need the lockbox.payloadViewer role.

    You can request the cluster ID with the list of clusters in the folder and the username, with the list of users in the cluster.

  4. View the server response to make sure your request was successful.

Changing user settings

Tip

To change user permissions to access databases, follow this guide.

  1. Navigate to the folder dashboard and select Managed Service for MySQL.
  2. Click the cluster name and select the Users tab.
  3. Click and select Configure.
  4. Configure the MySQL® settings for the user.
  5. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To configure the MySQL® settings for the user, run the command:

yc managed-mysql user update <username> \
  --cluster-name=<cluster_name> \
  --global-permissions=<list_of_privileges> \
  --authentication-plugin=<authentication_plugin> \
  --max-questions-per-hour=<maximum_requests> \
  --max-updates-per-hour=<maximum_UPDATE_requests> \
  --max-connections-per-hour=<maximum_connections> \
  --max-user-connections=<maximum_concurrent_connections>

Where:

  • global-permissions: Comma-separated list of administrative privileges.
  • max-questions-per-hour: Maximum number of requests per hour.
  • max-updates-per-hour: Maximum number of UPDATE requests per hour.
  • max-connections-per-hour: Maximum number of connections per hour.
  • max-user-connections: Maximum number of concurrent connections.

You can get the cluster name with the list of clusters in the folder.

  1. Open the current Terraform configuration file that defines your infrastructure.

    For more information about creating this file, see this guide.

  2. Locate the user's yandex_mdb_mysql_user resource.

  3. To set limits on the number of connections and requests, add the connection_limits section to the resource description:

    resource "yandex_mdb_mysql_user" "<username>" {
  ...
  connection_limits {
    max_questions_per_hour   = <maximum_requests>
    max_updates_per_hour     = <maximum_UPDATE_requests>
    max_connections_per_hour = <maximum_connections>
    max_user_connections     = <maximum_concurrent_connections>
    ...
  }
}

    Where:

    • max-questions-per-hour: Maximum number of requests per hour.
    • max-updates-per-hour: Maximum number of UPDATE requests per hour.
    • max-connections-per-hour: Maximum number of connections per hour.
    • max-user-connections: Maximum number of concurrent connections.

  4. To configure a user authentication plugin, add the authentication_plugin section to the resource description:

    resource "yandex_mdb_mysql_user" "<username>" {
  ...
  authentication_plugin = "<authentication_plugin>"
}

  5. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  6. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Use the User.update method and send the following request, e.g., using cURL:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>/users/<username>' \
    --data '{
              "updateMask": "globalPermissions,connectionLimits,authenticationPlugin",
              "globalPermissions": [
                "<administrative_privilege_1>",
                "<administrative_privilege_2>",
                ...,
                "<administrative_privilege_N>"
              ],
              "connectionLimits": {
                "maxQuestionsPerHour": "<maximum_requests>",
                "maxUpdatesPerHour": "<maximum_UPDATE_requests>",
                "maxConnectionsPerHour": "<maximum_connections>",
                "maxUserConnections": "<maximum_concurrent_connections>"
              },
              "authenticationPlugin": "<authentication_plugin>"
            }'

    Where:

    • updateMask: List of parameters to update as a single string, separated by commas.

    • globalPermissions: Array of administrative privileges. each provided as a separate string in the array. For the list of possible values, see the method description.

    • connectionLimits: User connection settings:

      • maxQuestionsPerHour: Maximum number of requests per hour.
      • maxUpdatesPerHour: Maximum number of UPDATE requests per hour.
      • maxConnectionsPerHour: Maximum number of connections per hour.
      • maxUserConnections: Maximum number of concurrent connections.

      The minimum value for each connection setting is 0.

    • authenticationPlugin: User authentication plugin. For the list of available plugins, see the method description.

    You can request the cluster ID with the list of clusters in the folder and the username, with the list of users in the cluster.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the UserService/Update call and send the following request, e.g., using gRPCurl:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "user_name": "<username>",
          "update_mask": {
            "paths": [
              "global_permissions",
              "connection_limits",
              "authentication_plugin"
            ]
          },
          "global_permissions": [
            "<administrative_privilege_1>",
            "<administrative_privilege_2>",
            ...,
            "<administrative_privilege_N>"
          ],
          "connection_limits": {
            "max_questions_per_hour": "<maximum_requests>",
            "max_updates_per_hour": "<maximum_UPDATE_requests>",
            "max_connections_per_hour": "<maximum_connections>",
            "max_user_connections": "<maximum_concurrent_connections>"
          },
          "authentication_plugin": "<authentication_plugin>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mysql.v1.UserService.Update

    Where:

    • update_mask: List of parameters to update as an array of paths[] strings.

    • global_permissions: Array of administrative privileges. each provided as a separate string in the array. For the list of possible values, see the method description.

    • connection_limits: User connection settings:

      • max_questions_per_hour: Maximum number of requests per hour.
      • max_updates_per_hour: Maximum number of UPDATE requests per hour.
      • max_connections_per_hour: Maximum number of connections per hour.
      • max_user_connections: Maximum number of concurrent connections.

      The minimum value for each connection setting is 0.

    • authentication_plugin: User authentication plugin. For a list of available plugins, see the method description.

    You can request the cluster ID with the list of clusters in the folder and the username, with the list of users in the cluster.

  4. View the server response to make sure your request was successful.

Deleting a user

  1. Navigate to the folder dashboard and select Managed Service for MySQL.
  2. Click the cluster name and select the Users tab.
  3. Click and select Delete.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To delete a user, run this command:

yc managed-mysql user delete <username> --cluster-name=<cluster_name>

You can get the cluster name with the list of clusters in the folder.

  1. Open the current Terraform configuration file that defines your infrastructure.

    For more information about creating this file, see this guide.

  2. Delete the yandex_mdb_mysql_user resource with the user description.

  3. Validate your configuration.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Use the User.delete method and send the following request, e.g., via cURL:

    curl \
    --request DELETE \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>/users/<username>'

    You can request the cluster ID with the list of clusters in the folder and the username, with the list of users in the cluster.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the UserService/Delete call and send the following request, e.g., via gRPCurl:

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "user_name": "<username>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mysql.v1.UserService.Delete

    You can request the cluster ID with the list of clusters in the folder and the username, with the list of users in the cluster.

  4. View the server response to make sure your request was successful.

Examples

Creating a user with read-only permissions

To create a new user named user2 with the SecretPassword password and read-only access to the db1 database in an existing cluster1:

Create a user named user2. When creating a user:

  1. Add the db1 database to the list of DBs.
  2. Add the SELECT role for the db1 database.

  1. Create a user named user2:

    yc managed-mysql user create "user2" \
  --cluster-name "cluster1" \
  --password "SecretPassword"

  2. Add the SELECT role for the db1 database:

    yc managed-mysql users grant-permission "user2" \
  --cluster-name "cluster1" \
  --database "db1" \
  --permissions "SELECT"

  1. Open the current Terraform configuration file with an infrastructure plan.

    For more information about creating this file, see Creating a MySQL® cluster.

  2. Add the yandex_mdb_mysql_user resource:

    resource "yandex_mdb_mysql_user" "user2" {
  cluster_id = yandex_mdb_mysql_cluster.cluster1.id
  name       = "user2"
  password   = "SecretPassword"
  permission {
    database_name = "db1"
    roles         = ["SELECT"]
  ...
  }
}

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.

Previous
Database management
Next
Managing user permissions