User management in Sharded PostgreSQL

Written by

Yandex Cloud

Updated at April 9, 2026

Getting a list of users
Getting user info
Creating a user
Changing user settings
Changing a user password
Configuring deletion protection
Deleting a user

You can add and remove users, as well as manage their individual settings.

Getting a list of users

Management console

REST API

gRPC API

Navigate to the Yandex Managed Service for Sharded PostgreSQL service.
Click the name of your cluster and select the Users tab.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```

Call the User.List method, e.g., via the following cURL request:

curl \
  --request GET \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>/users'

View the server response to make sure your request was successful.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Clone the cloudapi repository:
```
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
```
Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

Call the UserService.List method, e.g., via the following gRPCurl request:

grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.spqr.v1.UserService.List

Check the server response to make sure your request was successful.

Getting user info

REST API

gRPC API

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```

Call the User.Get method, e.g., via the following cURL request:

curl \
  --request GET \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>/users/<username>'

Check the server response to make sure your request was successful.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Clone the cloudapi repository:
```
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
```
Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

Call the UserService.Get method, e.g., via the following gRPCurl request:

grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.spqr.v1.UserService.Get

Check the server response to make sure your request was successful.

Creating a user

Management console

REST API

gRPC API

Navigate to the Yandex Managed Service for Sharded PostgreSQL service.
Click the name of your cluster and select the Users tab.
Click Create user.
Specify the database user name.

The username may contain Latin letters, numbers, hyphens, and underscores. It must start with a letter, number, or underscore, but cannot begin with a pg_ prefix. The name may be up to 63 characters long.

The following names are reserved: admin, repl, monitor, postgres, mdb_admin, mdb_monitor, mdb_replication. You cannot create users with these names.
Enter a password. It must be from 8 to 128 characters long.
Set the maximum number of user connections to the database.
Set the number of reconnect attempts from the router to the shards.
Select one or more grants to assign to the user.

The possible values are:
- reader
- writer
- admin
- transfer
Select the deletion protection option.

The possible values are:
- Like the cluster
- Enabled
- DIsabled
Select which databases the user should have access to:
1. In the Database field, click next to the drop-down list.
2. Select the database from the drop-down list.
3. Repeat these two steps to select all required databases.
4. To delete a database added by mistake, click next to its name.
Click Create.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Call the User.Create method, e.g., via the following cURL request:
```
curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>/users' \
  --data '{
            "userSpec": {
              "name": "<username>",
              "password": "<user_password>",
              "permissions": [
                {
                  "databaseName": "<DB_name>"
                }
              ],
              "settings": {
                "connectionLimit": "<maximum_number_of_DB_connections>",
                "connectionRetries": "<number_of_reconnect_attempts_to_shards>"
              },
              "grants": [
                "<list_of_grants>"
              ],
              "deletionProtection": "<protect_user_from_deletion>"
            }
          }'
```
Where userSpec are the settings for the new database user:
- name: Username.
  
  The username may contain Latin letters, numbers, hyphens, and underscores. It must start with a letter, number, or underscore, but cannot begin with a pg_ prefix. The name may be up to 63 characters long.
  
  The following names are reserved: admin, repl, monitor, postgres, mdb_admin, mdb_monitor, mdb_replication. You cannot create users with these names.
- password: User password. The password must be from 8 to 128 characters long.
- permissions: List of databases the user needs access to. Each element in the list contains the databaseName parameter, which is the database name.
- settings: Connection settings:
  - connLimit: Maximum number of user connections to the database.
  - connectionRetries: Number of reconnect attempts from the router to the shards.
- grants: List of grants to be assigned to the user.
  
  The possible values are:
  - reader
  - writer
  - admin
  - transfer
- deletionProtection: User deletion protection, true or false.
Check the server response to make sure your request was successful.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Clone the cloudapi repository:
```
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
```
Below, we assume that the repository contents reside in the ~/cloudapi/ directory.
Call the UserService.Create method, e.g., via the following gRPCurl request:
```
grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_spec": {
          "name": "<username>",
          "password": "<user_password>",
          "permissions": [
            {
              "database_name": "<DB_name>"
            }
          ],
          "settings": {
            "connection_limit": "<maximum_number_of_DB_connections>",
            "connection_retries": "<number_of_reconnect_attempts_to_shards>"
          },
          "grants": [
            "<list_of_grants>"
          ],
          "deletion_protection": "<protect_user_from_deletion>"
        }
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.spqr.v1.UserService.Create
```
Where user_spec are the new database user settings:
- name: Username.
  
  The username may contain Latin letters, numbers, hyphens, and underscores. It must start with a letter, number, or underscore, but cannot begin with a pg_ prefix. The name may be up to 63 characters long.
  
  The following names are reserved: admin, repl, monitor, postgres, mdb_admin, mdb_monitor, mdb_replication. You cannot create users with these names.
- password: User password. The password must be from 8 to 128 characters long.
- permissions: List of databases the user needs access to. Each element in the list contains the database_name parameter, which is the database name.
- settings: Connection settings:
  - connection_limit: Maximum number of user connections to the database.
  - connection_retries: Number of reconnect attempts from the router to the shards.
- grants: List of grants to be assigned to the user.
  
  The possible values are:
  - reader
  - writer
  - admin
  - transfer
- deletion_protection: User deletion protection, true or false.
Check the server response to make sure your request was successful.

Changing user settings

Management console

REST API

gRPC API

Navigate to the Yandex Managed Service for Sharded PostgreSQL service.
Click the name of your cluster and select the Users tab.
Locate the user you need in the list, click in their row, and select Configure.
Change the maximum number of user connections to the database.
Change the number of reconnect attempts from the router to the shards.
Configure the grants assigned to the user.

The possible values are:
- reader
- writer
- admin
- transfer
Configure the deletion protection type.

The possible values are:
- Like the cluster
- Enabled
- DIsabled
Configure user access to databases:
1. To provide access to databases:
  1. In the Database field, click next to the drop-down list.
  2. Select the database from the drop-down list.
  3. Repeat the previous two steps until all the required databases are selected.
2. To revoke user access to a database, click next to its name.
Click Save.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Call the User.Update method, e.g., via the following cURL request:

Warning

The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.
```
curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>/users/<username>' \
  --data '{
            "updateMask": "<list_of_parameters_to_update>",
            "password": "<user_password>",
            "permissions": [
              {
                "databaseName": "<DB_name>"
              }
            ],
            "settings": {
              "connectionLimit": "<maximum_number_of_DB_connections>",
              "connectionRetries": "<number_of_reconnect_attempts_to_shards>"
            },
            "grants": [
              "<list_of_grants>"
            ],
            "deletionProtection": "<protect_user_from_deletion>"
          }'
```
Where:
- updateMask: Comma-separated string of settings you want to update.
- password: New password. It must be from 8 to 128 characters long.
- permissions: List of databases the user needs access to. Each element in the list contains the databaseName parameter, which is the database name.
- settings: Connection settings:
  - connLimit: Maximum number of user connections to the database.
  - connectionRetries: Number of reconnect attempts from the router to the shards.
- grants: List of grants to be assigned to the user.
  
  The possible values are:
  - reader
  - writer
  - admin
  - transfer
- deletionProtection: User deletion protection, true or false.
Check the server response to make sure your request was successful.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Clone the cloudapi repository:
```
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
```
Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

Call the UserService.Update method, e.g., via the following gRPCurl request:

Warning

The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

Format for listing settings

"update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "update_mask": {
          "paths": [
            "<array_of_settings_to_update>"
          ]
        },
        "password": "<user_password>",
        "permissions": [
          {
            "database_name": "<DB_name>"
          }
        ],
        "settings": {
          "connection_limit": "<maximum_number_of_DB_connections>",
          "connection_retries": "<number_of_reconnect_attempts_to_shards>"
        },
        "grants": [
          "<list_of_grants>"
        ],
        "deletion_protection": "<protect_user_from_deletion>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.spqr.v1.UserService.Update

Where:

update_mask: List of settings to update as an array of strings (paths[]).
password: Password. The password must be from 8 to 128 characters long.
permissions: List of databases the user needs access to. Each element in the list contains the database_name parameter, which is the database name.
settings: Connection settings:
- connection_limit: Maximum number of user connections to the database.
- connection_retries: Number of reconnect attempts from the router to the shards.
grants: List of grants to be assigned to the user.

The possible values are:
- reader
- writer
- admin
- transfer
deletion_protection: User deletion protection, true or false.

Check the server response to make sure your request was successful.

Changing a user password

Management console

REST API

gRPC API

Navigate to the Yandex Managed Service for Sharded PostgreSQL service.
Click the name of your cluster and select the Users tab.
Locate the user you need in the list, click in their row, and select Change password.
Specify a new password. It must be from 8 to 128 characters long.
Click Edit.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Call the User.Update method, e.g., via the following cURL request:

Warning

The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.
```
curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>/users/<username>' \
  --data '{
            "updateMask": "password",
            "password": "<new_password>"
          }'
```
Where:
- updateMask: Comma-separated string of settings to update.
  
  Here, we provide only one setting.
- password: New password. It must be from 8 to 128 characters long.
Check the server response to make sure your request was successful.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Clone the cloudapi repository:
```
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
```
Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

Call the UserService.Update method, e.g., via the following gRPCurl request:

Warning

Format for listing settings

"update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "update_mask": {
          "paths": [
            "password"
          ]
        },
        "password": "<new_password>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.spqr.v1.UserService.Update

Where:

update_mask: List of settings you want to update as an array of strings (paths[]).

Here, we provide only one setting.
password: New password. It must be from 8 to 128 characters long.

Check the server response to make sure your request was successful.

Configuring deletion protection

Management console

REST API

gRPC API

Navigate to the Yandex Managed Service for Sharded PostgreSQL service.
Click the name of your cluster and select the Users tab.
Locate the user you need in the list, click in their row, and select Configure.
Change the deletion protection type in the Deletion protection field.
Click Save.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Call the User.Update method, e.g., via the following cURL request:

Warning

The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.
```
curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>/users/<username>' \
  --data '{
            "updateMask": "deletionProtection",
            "deletionProtection": "<protect_user_from_deletion>"
          }'
```
Where:
- updateMask: Comma-separated string of settings to update.
  
  Here, we provide only one setting.
- deletionProtection: User deletion protection, true or false.
Check the server response to make sure your request was successful.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Clone the cloudapi repository:
```
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
```
Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

Call the UserService.Update method, e.g., via the following gRPCurl request:

Warning

Format for listing settings

"update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "update_mask": {
          "paths": [
            "deletion_protection"
          ]
        },
        "deletion_protection": "<protect_user_from_deletion>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.spqr.v1.UserService.Update

Where:

update_mask: List of settings you want to update as an array of strings (paths[]).

Here, we provide only one setting.
deletion_protection: User deletion protection, true or false.

Check the server response to make sure your request was successful.

Deleting a user

A user account can have deletion protection enabled. To delete such a user, disable the protection first.

Management console

REST API

gRPC API

To delete a user:

Navigate to the Yandex Managed Service for Sharded PostgreSQL service.
Click the name of your cluster and select the Users tab.
Locate the user you need in the list, click in their row, and select Delete.
Confirm the deletion.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```

Call the User.Delete method, e.g., via the following cURL request:

curl \
  --request DELETE \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>/users/<username>'

Check the server response to make sure your request was successful.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Clone the cloudapi repository:
```
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
```
Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

Call the UserService.Delete method, e.g., via the following gRPCurl request:

grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.spqr.v1.UserService.Delete

Check the server response to make sure your request was successful.

User management in Sharded PostgreSQL

Getting a list of usersGetting a list of users

Getting user infoGetting user info

Creating a userCreating a user

Changing user settingsChanging user settings

Changing a user passwordChanging a user password

Configuring deletion protectionConfiguring deletion protection

Deleting a userDeleting a user

Was the article helpful?

Getting a list of users

Getting user info

Creating a user

Changing user settings

Changing a user password

Configuring deletion protection

Deleting a user