Master user account privileges

When you create a new DB cluster, the default master user that you use gets certain privileges for that DB cluster. You can't change the master user name after the DB cluster is created.

Important

We strongly recommend that you do not use the master user directly in your applications. Instead, adhere to the best practice of using a database user created with the minimal privileges required for your application.

Note

If you accidentally delete the permissions for the master user, you can restore them by modifying the DB cluster and setting a new master user password. For more information about modifying a DB cluster, see Modifying an Amazon Aurora DB cluster.

The following table shows the privileges and database roles the master user gets for each of the database engines.

Database engine	System privilege	Database role
Aurora MySQL	Version 2: `ALTER`, `ALTER ROUTINE`, `CREATE`, `CREATE ROUTINE`, `CREATE TEMPORARY TABLES`, `CREATE USER`, `CREATE VIEW`, `DELETE`, `DROP`, `EVENT`, `EXECUTE`, `GRANT OPTION`, `INDEX`, `INSERT`, `LOAD FROM S3`, `LOCK TABLES`, `PROCESS`, `REFERENCES`, `RELOAD`, `REPLICATION CLIENT`, `REPLICATION SLAVE`, `SELECT`, `SELECT INTO S3`, `SHOW DATABASES`, `SHOW VIEW`, `TRIGGER`, `UPDATE`	—
Version 3: `ALTER`, `APPLICATION_PASSWORD_ADMIN`, `ALTER ROUTINE`, `CONNECTION_ADMIN`, `CREATE`, `CREATE ROLE`, `CREATE ROUTINE`, `CREATE TEMPORARY TABLES`, `CREATE USER`, `CREATE VIEW`, `DELETE`, `DROP`, `DROP ROLE`, `EVENT`, `EXECUTE`, `INDEX`, `INSERT`, `LOCK TABLES`, `PROCESS`, `REFERENCES`, `RELOAD`, `REPLICATION CLIENT`, `REPLICATION SLAVE`, `ROLE_ADMIN`, `SET_USER_ID`, `SELECT`, `SHOW DATABASES`, `SHOW_ROUTINE` (Aurora MySQL version 3.04 and higher), `SHOW VIEW`, `TRIGGER`, `UPDATE`, `XA_RECOVER_ADMIN`	`rds_superuser_role` For more information about rds_superuser_role, see Role-based privilege model.
Aurora PostgreSQL	`LOGIN`, `NOSUPERUSER`, `INHERIT`, `CREATEDB`, `CREATEROLE`, `NOREPLICATION`, `VALID UNTIL 'infinity'`	`RDS_SUPERUSER` For more information about RDS_SUPERUSER, see Understanding PostgreSQL roles and permissions.

Database engine

System privilege

Database role

Aurora MySQL

Version 2:

ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, GRANT OPTION, INDEX, INSERT, LOAD FROM S3, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SELECT, SELECT INTO S3, SHOW DATABASES, SHOW VIEW, TRIGGER, UPDATE

—

Version 3:

ALTER, APPLICATION_PASSWORD_ADMIN, ALTER ROUTINE, CONNECTION_ADMIN, CREATE, CREATE ROLE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DELETE, DROP, DROP ROLE, EVENT, EXECUTE, INDEX, INSERT, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, ROLE_ADMIN, SET_USER_ID, SELECT, SHOW DATABASES, SHOW_ROUTINE (Aurora MySQL version 3.04 and higher), SHOW VIEW, TRIGGER, UPDATE, XA_RECOVER_ADMIN

rds_superuser_role

For more information about rds_superuser_role, see Role-based privilege model.

Aurora PostgreSQL

LOGIN, NOSUPERUSER, INHERIT, CREATEDB, CREATEROLE, NOREPLICATION, VALID UNTIL 'infinity'

RDS_SUPERUSER

For more information about RDS_SUPERUSER, see Understanding PostgreSQL roles and permissions.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Controlling access with security groups

Service-linked roles