(Recommended) Buying an RDS for MySQL Instance and Connecting to It Through DAS

Data Admin Service (DAS) enables you to connect to and manage DB instances with ease on a web-based console. The permission required for connecting to DB instances through DAS has been enabled for you by default. Using DAS to connect to your DB instance is recommended, which is more secure and convenient.

This section describes how to buy an RDS for MySQL instance and how to connect to the instance through DAS.

Operation Process

Process	Description
Preparations	Sign up for a HUAWEI ID, enable Huawei Cloud services, make sure you have a valid payment method configured, create IAM users, and grant them specific RDS permissions.
Step 1: Buy an RDS for MySQL DB Instance	Select required basic settings and additional options and buy an RDS for MySQL DB instance.
Step 2: Connect to the RDS for MySQL Instance	Connect to the RDS for MySQL instance through DAS.

Preparations

Sign up for a HUAWEI ID and enable Huawei Cloud services.
For fine-grained permissions management on Huawei Cloud resources, use Identity and Access Management (IAM) to create a user and user group and grant the user specific operation permissions. For details, see Creating a User and Granting Permissions.

Procedure

Step 1: Buy an RDS for MySQL DB Instance

Go to the Buy DB Instance page.

On the Quick Config page, set basic parameters.

Only mandatory parameters are provided on the Quick Config page. If the available parameters do not match your workloads, try Custom Config.

The following parameter settings are only for reference. Tailor your settings to your workloads.

Figure 1 Basic Settings

**Table 1** Basic Settings
Parameter	Example Value	Description
Billing Mode	Pay-per-use	The billing mode of an instance. Yearly/Monthly: A prepaid billing mode in which you pay for resources before using it. Bills are settled based on the subscription period. The longer the subscription, the bigger the discount. This mode is a good option for long-term, stable services. Pay-per-use: A postpaid billing mode. You pay as you go and just pay for what you use. The DB instance usage is calculated by the second but billed every hour. This mode allows you to adjust resource usage easily. You neither need to prepare for resources in advance, nor end up with excessive or insufficient preset resources.
Region	CN-Hong Kong	The region where your resources are located. Products in different regions cannot communicate with each other through a private network. After a DB instance is created, the region cannot be changed. Therefore, exercise caution when selecting a region.
DB Engine Version	8.0	The database version.
DB Instance Type	Primary/Standby	The architecture type of an instance. Primary/Standby: An HA architecture. In a primary/standby pair, each instance has the same instance class. When a primary instance is being created, a standby instance is provisioned along with it to provide data redundancy. The standby instance is invisible to you after being created.
Instance Class	General-purpose \| 2 vCPU \| 4 GB	The vCPUs and memory of an instance.
Storage	Cloud SSD \| 100 GB	The storage space of an instance. It contains the system overhead required for inodes, reserved blocks, and database operation.
Disk Encryption	Disable	Enabling disk encryption enhances data security but reduces the database's read and write performance by 5%. If a shared KMS key is used, the corresponding CTS events are createdatakey and decrydatakey. Only the key owner can receive the events.

Set parameters for Additional Options.

Figure 2 Additional Options

**Table 2** Additional Options
Parameter	Example Value	Description
VPC	default_vpc	The virtual network in which your instance is located. A VPC can isolate networks for different workloads. If no VPC is available, click Create VPC. After a VPC is created, click . For details, see Creating a VPC with a Subnet.
Subnet	default_subnet	A subnet provides dedicated network resources that are logically isolated from other networks for network security.
Security Group	default	It can enhance security by controlling access to RDS for MySQL from other services.
Enterprise Project	default	If your account has been associated with an enterprise project, select the target project from the Enterprise Project drop-down list. For more information about enterprise projects, see Enterprise Management User Guide.
Table Name	Case insensitive	Whether table names are case sensitive. Restoration may fail if the case sensitivity settings of table names on the source and target instances are different. The case sensitivity of table names for created RDS for MySQL 8.0 instances cannot be changed.
Quantity	1	The number of instances to be created in a batch.

Click Buy.
Check the purchased DB instance.
Figure 3 Instance successfully purchased

Step 2: Connect to the RDS for MySQL Instance

Since no password is configured in Step 1: Buy an RDS for MySQL DB Instance, you need to reset the password before connecting to the instance. In the instance list, choose More > Reset Password.

Figure 4 Instance list
Enter a new password, confirm the password, and click OK.

Figure 5 Resetting a password
Click Log In in the Operation column.

Figure 6 Instance list
Enter the required information and click Log In.
- Login Username: Enter root.
- Password: Enter the password you specified in 2.
Figure 7 Logging in to an instance
Choose SQL Operations > SQL Query.

Figure 8 SQL Query
Query databases.
```
show databases;
```
Figure 9 Querying databases
Create a database, for example, db_test.
```
create database db_test;
```
Figure 10 Creating a database
Switch to the db_test database and create a table named t_test.
```
create table t_test(id int(4), name char(20), age int(4));
```
Figure 11 Creating a table

Insert one data record to the table.

insert into t_test(id, name, age) values(1, 'zhangsan', 30);

Figure 12 Inserting data

Query table data.
```
select * from t_test;
```
Figure 13 Querying data
Update the value of age for the data record whose id is 1 in the table.
```
update t_test set age=31 where id=1;
```
Figure 14 Updating data
Query the updated table data.
```
select * from t_test where id=1;
```
Figure 15 Querying updated data
Delete the data record whose id is 1 from the table.
```
delete from t_test where id=1;
```
Figure 16 Deleting table data
Delete the table structure.
```
drop table t_test;
```
Figure 17 Deleting table structure
Delete the database.
```
drop database db_test;
```
Figure 18 Deleting a database

FAQ

What Can I Do If the DAS Console Is Not Displayed After I Click Log In in the Operation Column of an Instance on the Instances Page?

Set your browser to allow pop-ups and try again.

What Should I Do If I Can't Connect to My DB Instance Due to Insufficient Permissions?

Error message: You do not have the required permission. The policy does not allow action das:connections:xxx.
Error cause: Your account does not have the DAS FullAccess permission.

Solution: Add the DAS FullAccess permission by referring to Creating a User and Granting Permissions.
Error message: You do not have the permission to perform this operation. Contact your administrator to request the required permission.
Error cause: Your account does not have the DAS FullAccess permission.

Solution: Add the DAS FullAccess permission by referring to Creating a User and Granting Permissions.
Error message: Your current account only has the read-only permission and cannot perform this operation. To ensure that you can use DAS smoothly, add the DAS Administrator permission.
Error cause: Your account does not have the DAS FullAccess permission.

Solution: Add the DAS FullAccess permission by referring to Creating a User and Granting Permissions.

What Should I Do If I Fail to Connect to My DB Instance Using DAS?

Error message: Access denied for user 'user_name'@'100.xxx.xx.xx' (using password: YES).
1. Error cause: The username or password of the RDS instance is incorrect.
  Solution: Check whether the username and password are correct. If you are not sure, log in to the RDS console to reset the password.
  
  Changing the password may affect services.
  
  If the username and password are correct, log in to the database using a client or CLI and run select * from mysql.user where user = 'user_name' to view the account. If 100.% (an IP address starting with 100) is assigned to a user, only the user can connect to the database through DAS. user_name @% and user_name @100.% are different users with independent passwords and permissions. Enter the password of user_name @100.%.
2. Error cause: The IP address of the DAS server is not in the whitelist of the login user.
  Solution: Log in to the database using the client or CLI tool, and create a user account that can be used to access the database through DAS.
```
create user 'user_name'@'100.%' identified by 'password'; 
grant select on *.* to 'user_name'@'100.%';
```
  Ensure that the IP address of the DAS server is in a CIDR block starting with 100. Add the IP address to the whitelist of the login user.
  
  Grant permissions to user user_name@100.% based on service requirements.
3. Error cause: The SSL function is not enabled on the server.
  Solution: Run the following statement to check whether the user is an SSL user. If yes, enable SSL on the RDS instance details page. The user is an SSL user if the ssl_type field has a value.
```
select user, host, ssl_type from mysql.user where user = 'user_name';
```
Error message: Trying to connect with ssl, but ssl not enabled in the server.
Error cause: The SSL function is not enabled on the server.
Solution: Run the following statement to check whether the user is an SSL user. If yes, enable SSL on the RDS instance details page. The user is an SSL user if the ssl_type field has a value.
```
select user, host, ssl_type from mysql.user where user = 'user_name';
```
Error message: Client does not support authentication protocol requested by server. plugin type was = 'sha256_password'.
1. Error cause: DAS does not allow you to connect to the database whose password is encrypted with SHA-256.
  Solution: Execute the following SQL statements to change the password encryption method to mysql_native_password.
```
alter user 'user_name'@'%' identified with mysql_native_password by 'password';
```
2. Error cause: For MySQL 8.0, the IP address of the DAS server is not in the whitelist of the user.
  Solution: Log in to the database using the client or CLI tool, and create a user that can be used to access the database through DAS.
Error message: Communications link failure The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
Error cause: The network between the DAS server and the target instance is disconnected.

Solution: Submit a service ticket to contact customer service.
Error message: Instance connect timeout, please login again.
Error cause: The connection to the DAS server timed out.

Solution: Submit a service ticket to contact customer service.
Error information: RSA public key is not available client side (option serverRsaPublicKeyFile not set).
Error cause: The identity authentication mode of the database user has high requirements on password security. The password transmitted over the network during user authentication must be encrypted.
- For an SSL connection, the SSL certificate and key pair are used during the TSL handshake to securely establish a symmetric key. This symmetric key is then used to encrypt the password and data.
- For a non-SSL connection, the client uses the RSA public key of the MySQL server to encrypt the user password, and the server uses the RSA private key to decrypt and verify the password. This protects the password against snooping during network transmission.
Solution: Enable SSL for the instance or change the identity authentication mode of the database user.