Relational Database Service

Updated at: Apr 02, 2022 GMT+08:00

Database Account Security

Password Strength Requirements

  • For information about the database password strength requirements on the RDS console, see the database configuration table in Buying a DB Instance.
  • RDS has a password security policy for user-created database accounts. Passwords must:
    • Consist of at least eight characters.
    • Contain letters, digits, and special characters.
    • Not contain the username.

Suggestions for Creating Users

When you run CREATE USER or CREATE ROLE, you are advised to specify a password expiration time with the VALID UNTIL 'timestamp' parameter (timestamp indicates the expiration time).
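The following is an added example, not taken from the RDS documentation, showing the VALID UNTIL suggestion above together with a catalog query that lists login roles still lacking an expiration time. The role name app_reporting, the passwords, and the timestamps are constructed placeholders.

```sql
-- Hypothetical role name and placeholder password; replace both.
-- VALID UNTIL sets the expiration time of the password, not of the role itself.
CREATE ROLE app_reporting
    LOGIN
    PASSWORD 'REPLACE_WITH_A_COMPLIANT_PASSWORD'
    VALID UNTIL '2025-12-31 23:59:59+08';

-- Rotation: set the new password and move the expiration time in one statement.
ALTER ROLE app_reporting
    PASSWORD 'REPLACE_WITH_THE_NEW_PASSWORD'
    VALID UNTIL '2026-03-31 23:59:59+08';

-- Audit: login roles whose password never expires, has expired,
-- or expires within the next 14 days (the window is an arbitrary choice).
SELECT rolname,
       rolvaliduntil,
       CASE
           WHEN rolvaliduntil IS NULL OR rolvaliduntil = 'infinity'
               THEN 'no expiration set'
           WHEN rolvaliduntil < now()
               THEN 'expired'
           ELSE 'expires soon'
       END AS status
FROM pg_catalog.pg_roles
WHERE rolcanlogin
  AND (rolvaliduntil IS NULL
       OR rolvaliduntil = 'infinity'
       OR rolvaliduntil < now() + interval '14 days')
ORDER BY rolvaliduntil NULLS FIRST;
```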

Suggestions for Accessing Databases

When you access a database object, you are advised to specify the schema name of the database object to prevent trojan-horse attacks.
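The following is an added example, not taken from the RDS documentation, of what specifying the schema name looks like in queries and function bodies, plus an audit query for relation names that exist in more than one schema. The schema sales, the table orders, and the function order_total are constructed for the demonstration.

```sql
-- Constructed demo objects: schema "sales", table "orders", function "order_total".
CREATE SCHEMA IF NOT EXISTS sales;
CREATE TABLE IF NOT EXISTS sales.orders (
    order_id integer PRIMARY KEY,
    total    numeric NOT NULL
);

-- Unqualified: "orders" is resolved through search_path, first match wins.
--   SELECT total FROM orders WHERE order_id = 42;
-- Qualified: always sales.orders, whatever search_path contains.
SELECT total FROM sales.orders WHERE order_id = 42;

-- Inspect the schemas that unqualified names are currently resolved against.
SHOW search_path;

-- Functions: qualify every object in the body and pin search_path for the call.
CREATE OR REPLACE FUNCTION sales.order_total(p_order_id integer)
RETURNS numeric
LANGUAGE sql
STABLE
SET search_path = sales, pg_temp
AS $$
    SELECT o.total FROM sales.orders AS o WHERE o.order_id = p_order_id;
$$;

-- Audit: tables and views whose name exists in more than one user schema.
-- An unqualified reference to any of these depends on search_path order.
SELECT c.relname,
       array_agg(n.nspname ORDER BY n.nspname) AS schemas
FROM pg_catalog.pg_class AS c
JOIN pg_catalog.pg_namespace AS n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'v', 'm', 'p')
  AND n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
GROUP BY c.relname
HAVING count(*) > 1
ORDER BY c.relname;
```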

Account Description

To provide O&M services, the system automatically creates system accounts when you create RDS for PostgreSQL DB instances. These system accounts are unavailable to you.

Attempting to delete or rename these accounts, or to change their passwords or permissions, will result in an error.

  • rdsAdmin: management account, which has the superuser permissions and is used to query and modify DB instance information, rectify faults, migrate data, and restore data.
  • pg_execute_server_program: account that allows programs to be executed on the database server as the user the database runs as, for use with COPY and other functions that allow the execution of server programs.
  • pg_read_all_settings: account that reads all configuration variables, even those that are usually visible only to the superuser.
  • pg_read_all_stats: account that reads all pg_stat_* views and uses various extension-related statistics, even those that are usually visible only to the superuser.
  • pg_stat_scan_tables: account that executes a monitoring function that may obtain an ACCESS SHARE lock on the table (and may hold the lock for a long time).
  • pg_signal_backend: account that sends a signal (for example, a signal to cancel a query or terminate a session) to another backend.
  • pg_read_server_files: account that allows a database user to use the COPY and other file access functions to read files from any accessible directory on a server.
  • pg_write_server_files: account that allows a database user to use the COPY and other file access functions to write files to any accessible directory on a server.
  • pg_monitor: account that reads and executes various monitoring views and functions. It is a member of pg_read_all_settings, pg_read_all_stats, and pg_stat_scan_tables.
  • rdsRepl: replication account, which is used to synchronize data from primary DB instances to standby DB instances or read replicas.
  • rdsBackup: backup account, which is used for backend backup.
  • rdsMetric: metric monitoring account, which is used by watchdog to collect database status data.
  • __rds_pg_profile_user_: metric monitoring account, which is used by the pg_profile_pro plugin to collect database status data. This account is available only for the latest version of RDS for PostgreSQL 12 and is automatically created after pg_profile_pro is created.

    pg_profile_pro is temporarily not supported due to its defects. Therefore, this account will not be automatically created for new instances.

  • rdsProxy: database proxy account, which is used for authentication when the database is connected through the read/write splitting address. This account is automatically created when you enable read/write splitting.
