# rds-account

# ApsaraDB RDS Account Management Console Guide

## Operations Overview

| Operation | Console Navigation Path | Prerequisites | Description |
|----------|------------------------|---------------|-------------|
| Manage Database Account | Console > RDS > Instances > Account Management | An RDS instance must be created and running; you must have the necessary permissions to manage accounts (e.g., Owner or DBA role) | Create, configure, and delete database accounts with assigned privileges |
| Manage Account Permissions | Console > RDS > Accounts > Manage Permissions | An ApsaraDB RDS instance must be created; User must have administrator or owner role on the RDS instance | Modify existing account privileges such as Read-Only, Read-Write, or Full Admin |
| Configure Alipay Authentication | RDS Console > AI Application Development > Supabase instances > [Instance] > Authentication | An active RDS Supabase project; An Alipay Open Platform account with developer identity verification completed | Enable Alipay OAuth login for RDS Supabase users |
| Configure Email Authentication | Console > AI Application Development > RDS Supabase > [Instance Name] > Authentication Configuration | RDS Supabase instance in running state; SMTP email server ready (e.g., 163 Mail) | Set up email-based sign-up, confirmation, and password reset using an SMTP provider |
| Configure SMS Authentication | RDS Console > AI Application Development > Instance ID > Authentication | RDS Supabase instance created; Alibaba Cloud SMS enabled; Available SMS signature and template obtained; Alibaba Cloud Function Compute enabled (for SMS webhook method) | Enable SMS OTP authentication via Alibaba Cloud SMS or a custom Function Compute webhook |
| Configure GitHub Authentication | RDS Console > AI Application Development | A GitHub account; An RDS for Supabase instance with public access enabled; Application server IP address or CIDR block for allowlisting | Integrate GitHub OAuth 2.0 for passwordless user sign-in |

## Operation Steps

### Manage Database Account

**Navigation**: Console > RDS > Instances > Account Management

**Prerequisites**:
- An RDS instance must be created and running
- You must have the necessary permissions to manage accounts (e.g., Owner or DBA role)

1. Navigate to the RDS console and select the target instance  
   - Element: **Instances** (link) — left navigation panel

2. Click on the instance to open its details page  
   - Element: **Instance ID** (link) — instance list

3. Go to the Account Management tab  
   - Element: **Account Management** (tab) — top navigation bar of the instance details page

4. Click the Create Account button  
   - Element: **Create Account** (button) — top-right corner of the Account Management section

5. Enter the account name and password, then assign privileges  
   - Element: **Account Name** (text_input) — form fields in the create account dialog  
   - Notes: The account name must be unique within the instance.

6. Confirm and submit the form  
   - Element: **OK** (button) — bottom of the form

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Account Name | text_input | Yes | — | The unique identifier for the database user. Must be between 1-16 characters. |
| Password | text_input | Yes | — | The password for the account. Must meet complexity requirements. |
| Privileges | dropdown | Yes | Read, Write, Read/Write, Admin | The level of access this account has on the database. |

### Manage Account Permissions

**Navigation**: Console > RDS > Accounts > Manage Permissions

**Prerequisites**:
- An ApsaraDB RDS instance must be created
- User must have administrator or owner role on the RDS instance

1. Navigate to the Accounts page in the RDS console  
   - Element: **Accounts** (link) — left navigation panel

2. Click on the specific account to edit its permissions  
   - Element: **Edit Permissions** (button) — main content area  
   - Notes: The Edit Permissions button appears only for accounts with editable roles.

3. Select the desired privileges from the available options  
   - Element: **Privilege Selection** (dropdown) — form fields section  
   - Notes: Available privileges include read-only, read-write, and full admin access.

4. Confirm changes by clicking Save  
   - Element: **Save** (button) — bottom of form  
   - Notes: Changes take effect immediately after saving.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Account Name | text_input | Yes | — | The name of the database account to manage permissions for. |
| Privilege Level | dropdown | Yes | Read-Only, Read-Write, Full Admin | Defines the level of access this account has to the database. |

### Configure Alipay Authentication

**Navigation**: RDS Console > AI Application Development > Supabase instances > [Instance] > Authentication

**Prerequisites**:
- An active RDS Supabase project
- An Alipay Open Platform account with developer identity verification completed

1. Log on to the RDS Console and navigate to AI Application Development  
   - Element: **AI Application Development** (menu) — left-side navigation pane

2. Click the instance ID to open the instance details page  
   - Element: **[Instance ID]** (link) — Supabase instances page

3. Navigate to the Network section and copy the public endpoint  
   - Element: **Public String** (text_input) — Network section of instance details

4. Go to the Alipay Open Platform and create a new web/mobile app  
   - Element: **Create Web/Mobile App** (button) — Web & Mobile Apps tab

5. Configure interface signing method by uploading the app public key  
   - Element: **Details** (link) — Application details page

6. Return to the RDS Supabase instance details page and click the Authentication configuration button  
   - Element: **Authentication** (button) — instance details page

7. Select Alipay as the authentication provider and enter the required parameters  
   - Element: **Alipay Provider** (menu) — Authentication configuration page

8. Add client IP addresses to the whitelist  
   - Element: **Add** (button) — Whitelist section

9. Enable public network access via the toggle switch  
   - Element: **Bind Elastic Network** (toggle) — Network section

10. Download and configure the front-end verification project  
    - Element: **Connect** (button) — Supabase Studio  
    - Notes: Obtain SUPABASE_URL and SUPABASE_ANON_KEY from this button

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Alipay AppID | text_input | Yes | — | The AppID of the application created in the Alipay Open Platform. |
| Alipay App Secret | text_input | Yes | — | The single-line, Base64-encoded app secret from the Alipay Open Platform. |
| authorized redirect URI | text_input | Yes | — | Format: http(s)://your-supabase-url/auth/v1/callback. Replace your-supabase-url with the public endpoint of your Supabase instance. |

### Configure Email Authentication

**Navigation**: Console > AI Application Development > RDS Supabase > [Instance Name] > Authentication Configuration

**Prerequisites**:
- RDS Supabase instance in running state
- SMTP email server ready (e.g., 163 Mail)

1. Log in to 163 Mail and enable POP3/SMTP/IMAP service  
   - Element: **POP3/SMTP/IMAP** (menu) — top of the page

2. Click Enable to activate the SMTP service and generate an authorization code  
   - Element: **Enable** (button) — IMAP/SMTP service section  
   - Notes: The authorization code is displayed only once; record it immediately.

3. Go to the RDS console and select the target RDS Supabase instance  
   - Element: **RDS Supabase** (list) — left-side navigation pane

4. On the Basic Information page, record the public endpoint  
   - Element: **public endpoint** (text_input) — Network information section

5. Navigate to the Authentication configuration page  
   - Element: **Authentication** (menu) — left-side navigation pane

6. Click the Email provider button to open the email configuration panel  
   - Element: **Email provider** (button) — Authentication Providers section

7. Enter SMTP configuration details including host, port, username, password, sender name, admin email, site URL, API external access address, OTP length, and expiration  
   - Element: **Configure parameters** (text_input) — email configuration panel

8. Click OK and wait for the instance to restart  
   - Element: **OK** (button) — bottom of the configuration panel

9. Add the client's public IP address to the instance's IP address whitelist  
   - Element: **Add White List** (button) — Whitelist information section

10. Download and extract the sample React application package  
    - Element: **supabase_auth_email.zip** (link) — page content

11. Create a .env file from .env.example and add Supabase URL and Anon Key  
    - Element: **.env** (link) — project directory  
    - Notes: Supabase URL and Anon Key can be found on the instance details page.

12. Run npm install and npm run dev to start the development server  
    - Element: **npm run dev** (text_input) — terminal

13. Test sign-up, email confirmation, login, and password reset features in the browser  
    - Element: **Sign Up** (button) — application UI

14. Create HTML files for custom email templates  
    - Element: **confirm-signup.html** (link) — local project  
    - Notes: Templates use placeholders like {{ .ConfirmationURL }} and {{ .Token }}

15. Open the Supabase Dashboard via the public endpoint link  
    - Element: **public endpoint** (link) — Network information section

16. In the Supabase Dashboard, go to Storage and create a new bucket  
    - Element: **Storage** (menu) — left-side navigation pane

17. Set the bucket name and turn on Public bucket  
    - Element: **Public bucket** (toggle) — bucket creation form

18. Upload the HTML template files to the created bucket  
    - Element: **Upload files** (button) — upper-right corner of the bucket

19. Return to the RDS Supabase console and navigate to the Email Templates tab  
    - Element: **Email Templates** (tab) — Authentication configuration page

20. Enter the full URL of the uploaded template into the corresponding field  
    - Element: **Password Reset Template URL** (text_input) — Email Templates tab

21. Click Confirm and wait for the instance to restart  
    - Element: **Confirm** (button) — bottom of the form

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Enable external email login | toggle | No | — | Turns on email login functionality. |
| SMTP port | text_input | Yes | — | SSL-encrypted port for SMTP connection. Default: 465 |
| Email sender name | text_input | Yes | — | Display name shown in recipient emails. |
| SMTP username | text_input | Yes | — | Your email address used for SMTP authentication. |
| SMTP password | text_input | Yes | — | Authorization code from your email provider, not your account password. |
| Admin email | text_input | Yes | — | Administrator's email address, typically same as SMTP username. |
| SMTP host | text_input | Yes | — | SMTP server address (e.g., smtp.163.com). |
| Email auto confirmation | toggle | No | — | If enabled, users can sign up without email confirmation. Recommended to keep off. |
| Site URL | text_input | Yes | — | Front-end URL used for confirmation links in emails. Default: http://localhost:3000 |
| API external access address | text_input | Yes | — | Public endpoint of the RDS Supabase instance in format http://<Public IP>:80. |
| Email OTP length | number_input | No | — | Length of the one-time password sent via email. Default: 6 |
| Email OTP expiration | number_input | No | — | Validity period of the OTP, in seconds. Default: 1 hour |

### Configure SMS Authentication

**Navigation**: RDS Console > AI Application Development > Instance ID > Authentication

**Prerequisites**:
- RDS Supabase instance created
- Alibaba Cloud SMS enabled
- Available SMS signature and template obtained in Alibaba Cloud SMS console
- Alibaba Cloud Function Compute enabled (for SMS webhook method)

1. Log in to the RDS console and click AI Application Development in the left-side navigation pane  
   - Element: **AI Application Development** (link) — left-side navigation panel

2. Select a region at the top, then click the ID of the target instance to go to the instance details page  
   - Element: **Instance ID** (link) — top region selector

3. In the left-side navigation pane, click Authentication  
   - Element: **Authentication** (link) — left-side navigation panel

4. On the Authentication page, find and configure the following parameters: AccessKey ID, AccessKey Secret, Region ID, Sign Name, Template Code, Is Test, OTP Exp, Auto Confirm  
   - Element: **AccessKey ID** (text_input) — main content area  
   - Notes: Use the credentials of a RAM user rather than the Alibaba Cloud account for security; the AccessKey Secret is only visible upon creation.

5. After configuring the parameters, click Confirm. The instance automatically restarts to apply the new settings.  
   - Element: **Confirm** (button) — bottom of form  
   - Notes: Wait for the restart to complete before proceeding.

6. Go to the Function Compute console, select the same region as your RDS Supabase instance, and click Create Function  
   - Element: **Create Function** (button) — top-right corner

7. Select Web Function, choose Node.js 20 for the runtime environment, and upload the code.zip package  
   - Element: **Web Function** (radio) — runtime selection

8. In Advanced Settings, set the Startup Command to npm start, and the Listening Port to 80  
   - Element: **Startup Command** (text_input) — Advanced Settings section

9. After the function is created, go to the function details page. On the Trigger management tab, find the public access address and disable authentication for the trigger  
   - Element: **Trigger management** (tab) — top navigation  
   - Notes: Record the public access address in the format https://xxx.ap-southeast-1.fcapp.run

10. Go to the RDS Supabase instance details page and select Authentication > Phone Provider > SMS Webhook  
    - Element: **SMS Webhook** (tab) — left-side navigation panel

11. Configure the following parameters: SMS Enabled (true), SMS Service URL (public access address + /hooks/send-sms), SMS Hook Key (optional but recommended), Auto Confirm (false), OTP Exp  
    - Element: **SMS Service URL** (text_input) — main content area  
    - Notes: The hook secret must start with v1,whsec_ and be followed by a 60-character base64 string.

12. Set the hook secret in the Function Compute environment variables as SMS_HOOK_SECRET  
    - Element: **Environment Variables** (tab) — Function Compute console  
    - Notes: This shared secret validates incoming requests and prevents unauthorized access.

13. Add the client's public IP address to the RDS Supabase allowlist  
    - Element: **Add** (button) — Access Allowlist section  
    - Notes: Ensure your front-end application can access the RDS Supabase instance.

14. Enable public network access by turning on the Elastic Network switch in the Network section  
    - Element: **Elastic Network** (toggle) — Network section  
    - Notes: Allows the RDS Supabase instance to call external APIs or webhooks.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| AccessKey ID | text_input | Yes | — | The AccessKey ID of the RAM user with permissions to call the SMS API. |
| AccessKey Secret | text_input | Yes | — | The AccessKey Secret of the RAM user. Only visible upon creation. |
| Region ID | dropdown | Yes | ap-southeast-1, cn-beijing, cn-shanghai, cn-hangzhou | The region where your Alibaba Cloud SMS is deployed. |
| Sign Name | text_input | Yes | — | The SMS signature name applied for in Alibaba Cloud SMS. Default: Sutong Interconnect Verification Code |
| Template Code | text_input | Yes | — | The template code applied for in Alibaba Cloud SMS. Default: 100001 |
| Is Test | checkbox | No | — | Enable if using system-provided signature and template from Alibaba Cloud SMS. Default: true |
| OTP Exp | number_input | No | — | The validity period for the OTP in seconds. Default: 60 |
| Auto Confirm | checkbox | No | — | If enabled, users are automatically confirmed upon first registration. Generally not recommended. Default: false |
| SMS Enabled | checkbox | Yes | — | Enables SMS authentication for the instance. Default: true |
| SMS Service URL | text_input | Yes | — | The public HTTPS endpoint of the Function Compute webhook, including /hooks/send-sms path. |
| SMS Hook Key | text_input | No | — | An optional security key starting with v1,whsec_ followed by a 60-character base64 string. |

### Configure GitHub Authentication

**Navigation**: RDS Console > AI Application Development

**Prerequisites**:
- A GitHub account
- An RDS for Supabase instance with public access enabled
- Application server IP address or CIDR block for allowlisting
- Access to the RDS for Supabase instance details page

1. Navigate to Developer settings and create a new OAuth App  
   - Element: **Settings > Developer settings > OAuth Apps** (menu) — top navigation panel

2. Click 'New OAuth App' to start registration  
   - Element: **New OAuth App** (button) — page content area

3. Enter application details including name, homepage URL, and callback URL  
   - Element: **Application name** (text_input) — form fields  
   - Notes: The Authorization callback URL must be set to your RDS for Supabase instance's public URL with /auth/v1/callback appended.

4. Generate a new client secret after app creation  
   - Element: **Generate a new client secret** (button) — app registration page  
   - Notes: The client secret is displayed only once — copy it immediately and store securely.

5. Go to RDS Console and select the target region and project ID  
   - Element: **project ID** (link) — instance list

6. Click on 'Auth Configuration' in the left-side navigation pane  
   - Element: **Auth Configuration** (menu) — left navigation panel

7. Find and click on 'GitHub' in the Authentication Providers list  
   - Element: **GitHub** (button) — authentication providers section

8. Enter the GitHub Client ID and Client Secret, and confirm the callback URL  
   - Element: **Enable GitHub login** (toggle) — configuration form  
   - Notes: Ensure all values match exactly what was configured in GitHub.

9. Click 'Confirm' to apply the configuration  
   - Element: **Confirm** (button) — bottom of form  
   - Notes: The instance will restart automatically.

10. Turn on public access for the instance  
    - Element: **Allow Instance to Access Public Network** (toggle) — Network Information section

11. Add application server IP addresses or CIDR blocks to the allowlist  
    - Element: **Add allowlist group** (button) — Allowlist Information section

12. Log in to Supabase Studio to verify user data  
    - Element: **public endpoint** (link) — Network Information section  
    - Notes: Use the project password to log in.

13. Navigate to Authentication > Users in Supabase Studio  
    - Element: **Authentication > Users** (menu) — left navigation panel

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Application name | text_input | Yes | — | A custom name for your app, such as 'MySaaS Platform'. |
| Homepage URL | text_input | Yes | — | The public homepage of your application, e.g., https://app.example.com. |
| Authorization callback URL | text_input | Yes | — | The URL where GitHub redirects users after successful authentication. Must include /auth/v1/callback path. |
| Enable GitHub login | toggle | No | On, Off | Turns on GitHub authentication for the RDS for Supabase instance. Default: Off |
| GitHub OAuth app's Client ID | text_input | Yes | — | The Client ID obtained from GitHub OAuth app registration. |
| GitHub OAuth app's Client Secret | text_input | Yes | — | The Client Secret generated during GitHub app setup. Must be stored securely. |
| Authorization callback URL | text_input | Yes | — | For verification; should match the value configured in GitHub. |

## FAQ

Q: Where do I find the Account Management page for my RDS instance?
A: After logging into the RDS console, click on your instance ID in the Instances list, then select the "Account Management" tab in the top navigation bar of the instance details page.

Q: Can I modify an account's privileges after creation?
A: Yes. Navigate to the Accounts page, locate the account, and click "Edit Permissions" to change its privilege level (Read-Only, Read-Write, or Full Admin).

Q: What happens if I leave the "Email auto confirmation" option enabled?
A: Users will be able to sign up without verifying their email address, which reduces security. It is recommended to keep this disabled in production environments.

Q: Do I need to restart the RDS Supabase instance after changing authentication settings?
A: Yes. After confirming changes to email, SMS, GitHub, or Alipay authentication configurations, the instance automatically restarts to apply the new settings.

Q: What permissions are required to manage database accounts?
A: You must have the Owner or DBA role on the RDS instance. Standard users without these roles cannot create or modify accounts.

## Pricing & Billing

### Billing Model
Account management operations (creating accounts, assigning privileges) are included in the RDS instance billing and do not incur additional charges. Third-party authentication features (email, SMS, GitHub, Alipay) also add no cost beyond that of the underlying services.

### Price Reference
- **Standard RDS Instance**: 0.08 / (account management included)
- **Account Permission Management**: 0.05 / (included in instance cost)
- **SMS Authentication**: 
  - Alibaba Cloud SMS: charged per message sent
  - Function Compute (webhook mode): billed based on resource usage, invocations, and public outbound traffic; free tier available
  - RDS Supabase: billed based on instance specification
- **GitHub/Alipay/Email Authentication**: No additional charges beyond base RDS Supabase instance cost

### Free Tier
Function Compute has a free tier available for SMS webhook implementations. No free tier is mentioned for other authentication methods or account management.

### Billing Notes
- Account management and permission changes are fully included in the RDS instance hourly billing.
- Enabling third-party authentication does not directly increase RDS costs, but associated services (e.g., SMS messages, Function Compute invocations) may incur separate charges.
- Data transfer fees during OAuth flows (GitHub, Alipay) are typically negligible and not billed separately.