Note: AWS (Amazon Web Services) RDS (Relational Database Service) is a managed service, and it doesn't provide SYS access (SUPER privileges)
View permissions of root user
Show grants for RDS MySQL root user ie master username
SQL:
SHOW GRANTS FOR 'professor';
Result:
GRANT SELECT,
INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX,
ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE,
REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE,
ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO `professor`@`%` WITH
GRANT
Create new application user
Create a new user to be used by just the application
SQL:
CREATE USER 'express_app'@'%' IDENTIFIED BY '20charRandomPwd';
Note: The username should be related to the application, and the password does not need to be readable as it will only be used within the application configuration.
Grant permissions
For application users, remove:
CREATE, DROP, RELOAD,
PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES,
LOCK TABLES, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER,
EVENT
Leaving the basics:
SELECT, INSERT,
UPDATE, DELETE, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, TRIGGER
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, TRIGGER ON *.* TO `express_app`@`%` WITH GRANT OPTION;
Note: If using multiple databases in a RDS instance, then grant access only to the required databases ie ON `planet.*` TO `express_app`
You can now use the newly created, and restricted, database user express_app in your application.
-End of Document-
Thanks for reading
No comments:
Post a Comment