SET GLOBAL statements in session initialization scripts: dbt projects that include `SET GLOBAL innodb_lock_wait_timeout = 300;` or similar in `on-run-start` hooks will fail immediately on managed MySQL because GLOBAL variable changes require the SUPER or SYSTEM_VARIABLES_ADMIN privilege.. Stored procedures or functions with an explicit DEFINER clause: `CREATE DEFINER='root'@'%' PROCEDURE ...` will fail on RDS and Azure if the calling user is not the named definer — managed services block setting a DEFINER other than the current session user unless you hold SUPER.. Binary log and replication control statements: `RESET MASTER`, `PURGE BINARY LOGS`, and `CHANGE MASTER TO` all require SUPER or REPLICATION_CLIENT/REPLICATION_SLAVE. These appear in data-sync pipelines that manage CDC or binlog-based ingestion.. SET sql_log_bin = 0 in migration scripts: some schema migration tools disable binary logging per-session to speed up large data loads. This requires SUPER on MySQL 5.7 and SYSTEM_VARIABLES_ADMIN or SESSION_VARIABLES_ADMIN on MySQL 8.0+, neither of which is available on most managed services.. KILL QUERY / KILL CONNECTION statements: query management scripts that programmatically terminate long-running queries using `KILL` require SUPER when the target connection belongs to a different user. A monitoring agent or dbt macro that tries to kill blocking queries will hit 1227 if it connects as a non-SUPER service account.. Loading data with LOAD DATA LOCAL INFILE in combination with SUPER-gated options: some bulk-load strategies set `local_infile` or other server variables before loading, requiring SUPER or SYSTEM_VARIABLES_ADMIN on the database server.. Creating scheduled events with a foreign DEFINER: `CREATE DEFINER='admin'@'%' EVENT ...` follows the same restriction as stored procedures — on managed MySQL the DEFINER must match the current user or the statement is rejected with 1227.

Step 1 — Identify the exact statement that triggered 1227. Run `SHOW PROCESSLIST;` or query `information_schema.processlist` immediately after the failure, or inspect the connector's full error log for the offending SQL statement. The error message typically includes the statement type, e.g., 'Access denied; you need (at least one of) the SUPER, SYSTEM_VARIABLES_ADMIN privilege(s) for this operation'.. Step 2 — On AWS RDS, grant the rds_superuser role to your service account instead of attempting to use SUPER: `GRANT rds_superuser TO 'your_user'@'%'; FLUSH PRIVILEGES;` — this covers most admin operations except those RDS permanently blocks (binary log manipulation, replication setup).. Step 3 — On MySQL 8.0+ (RDS, Azure, Cloud SQL), replace SUPER with fine-grained dynamic privileges where the operation allows it: `GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'your_user'@'%';` for SET GLOBAL; `GRANT SESSION_VARIABLES_ADMIN ON *.* TO 'your_user'@'%';` for SET SESSION on restricted variables; `GRANT REPLICATION_CLIENT, REPLICATION_SLAVE ON *.* TO 'repl_user'@'%';` for replication reads.. Step 4 — Remove or rewrite DEFINER clauses in stored procedures. On managed MySQL, strip the DEFINER entirely so it defaults to the executing user: change `CREATE DEFINER='root'@'%' PROCEDURE proc_name()` to `CREATE PROCEDURE proc_name()`. In dbt, check `macros/` and `models/` for any raw SQL that includes DEFINER and remove it before deployment.. Step 5 — Replace SET GLOBAL variable changes in dbt `on-run-start` hooks with SET SESSION equivalents where the variable supports session scope. For example, `SET SESSION wait_timeout = 600;` does not require SUPER. Check the MySQL documentation for each variable to confirm whether session scope is available.. Step 6 — For Azure Database for MySQL Flexible Server, use the Azure Portal to change server parameters instead of SET GLOBAL: navigate to the server → 'Server parameters' blade → search for the parameter → change value → Save. Changes that require SUPER in standard MySQL are exposed as portal-managed settings in Azure.. Step 7 — If the operation genuinely requires SUPER and no privilege-scoped alternative exists (e.g., RESET MASTER on a self-hosted instance), ensure the pipeline service account connects with a user that holds SUPER: `GRANT SUPER ON *.* TO 'etl_admin'@'10.0.0.%'; FLUSH PRIVILEGES;` — restrict the host mask to pipeline IP ranges rather than '%' to limit exposure.

High severitypermission

MySQL Error:
1227

Impact

Any dbt run or ADF pipeline that touches stored procedures, sets global variables, or manages replication will hard-fail — not retry — on managed MySQL, leaving downstream tables stale until the permission is fixed or the SQL is rewritten. If the failing step is in a dbt `on-run-start` hook, the entire run aborts before any model executes.

MySQL 1227 is a hard failure — MySQL does not retry permission errors and neither do ADF or dbt by default. An ADF pipeline will mark the activity as Failed immediately, stopping all dependent activities. A dbt run aborts at the point of failure; if 1227 occurs in an `on-run-start` hook, zero models execute. Downstream tables receive no refresh, incremental models accumulate data debt, and any SLA-bound reports consuming those tables will serve stale data until the root cause is resolved and the pipeline is manually re-triggered.

What does this error mean?

MySQL Error 1227 is thrown when a statement requires the SUPER privilege or a specific administrative privilege that the connecting user does not hold. In data pipelines, this typically surfaces when dbt, Azure Data Factory, or an ETL tool attempts to SET GLOBAL variables, create stored procedures with an explicit DEFINER clause, or configure replication settings. On managed cloud services (AWS RDS, Azure Database for MySQL, Google Cloud SQL), the SUPER privilege is withheld entirely — even from the admin account — which means operations that work on self-hosted MySQL will fail silently or with this error in cloud environments. The engineer sees a pipeline failure with 'Access denied; you need (at least one of) the SUPER privilege(s)' in the connector log.

Common causes

1SET GLOBAL statements in session initialization scripts: dbt projects that include `SET GLOBAL innodb_lock_wait_timeout = 300;` or similar in `on-run-start` hooks will fail immediately on managed MySQL because GLOBAL variable changes require the SUPER or SYSTEM_VARIABLES_ADMIN privilege.
2Stored procedures or functions with an explicit DEFINER clause: `CREATE DEFINER='root'@'%' PROCEDURE ...` will fail on RDS and Azure if the calling user is not the named definer — managed services block setting a DEFINER other than the current session user unless you hold SUPER.
3Binary log and replication control statements: `RESET MASTER`, `PURGE BINARY LOGS`, and `CHANGE MASTER TO` all require SUPER or REPLICATION_CLIENT/REPLICATION_SLAVE. These appear in data-sync pipelines that manage CDC or binlog-based ingestion.
4SET sql_log_bin = 0 in migration scripts: some schema migration tools disable binary logging per-session to speed up large data loads. This requires SUPER on MySQL 5.7 and SYSTEM_VARIABLES_ADMIN or SESSION_VARIABLES_ADMIN on MySQL 8.0+, neither of which is available on most managed services.
5KILL QUERY / KILL CONNECTION statements: query management scripts that programmatically terminate long-running queries using `KILL` require SUPER when the target connection belongs to a different user. A monitoring agent or dbt macro that tries to kill blocking queries will hit 1227 if it connects as a non-SUPER service account.
6Loading data with LOAD DATA LOCAL INFILE in combination with SUPER-gated options: some bulk-load strategies set `local_infile` or other server variables before loading, requiring SUPER or SYSTEM_VARIABLES_ADMIN on the database server.
7Creating scheduled events with a foreign DEFINER: `CREATE DEFINER='admin'@'%' EVENT ...` follows the same restriction as stored procedures — on managed MySQL the DEFINER must match the current user or the statement is rejected with 1227.

How to fix it

1Step 1 — Identify the exact statement that triggered 1227. Run `SHOW PROCESSLIST;` or query `information_schema.processlist` immediately after the failure, or inspect the connector's full error log for the offending SQL statement. The error message typically includes the statement type, e.g., 'Access denied; you need (at least one of) the SUPER, SYSTEM_VARIABLES_ADMIN privilege(s) for this operation'.
2Step 2 — On AWS RDS, grant the rds_superuser role to your service account instead of attempting to use SUPER: `GRANT rds_superuser TO 'your_user'@'%'; FLUSH PRIVILEGES;` — this covers most admin operations except those RDS permanently blocks (binary log manipulation, replication setup).
3Step 3 — On MySQL 8.0+ (RDS, Azure, Cloud SQL), replace SUPER with fine-grained dynamic privileges where the operation allows it: `GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'your_user'@'%';` for SET GLOBAL; `GRANT SESSION_VARIABLES_ADMIN ON *.* TO 'your_user'@'%';` for SET SESSION on restricted variables; `GRANT REPLICATION_CLIENT, REPLICATION_SLAVE ON *.* TO 'repl_user'@'%';` for replication reads.
4Step 4 — Remove or rewrite DEFINER clauses in stored procedures. On managed MySQL, strip the DEFINER entirely so it defaults to the executing user: change `CREATE DEFINER='root'@'%' PROCEDURE proc_name()` to `CREATE PROCEDURE proc_name()`. In dbt, check `macros/` and `models/` for any raw SQL that includes DEFINER and remove it before deployment.
5Step 5 — Replace SET GLOBAL variable changes in dbt `on-run-start` hooks with SET SESSION equivalents where the variable supports session scope. For example, `SET SESSION wait_timeout = 600;` does not require SUPER. Check the MySQL documentation for each variable to confirm whether session scope is available.
6Step 6 — For Azure Database for MySQL Flexible Server, use the Azure Portal to change server parameters instead of SET GLOBAL: navigate to the server → 'Server parameters' blade → search for the parameter → change value → Save. Changes that require SUPER in standard MySQL are exposed as portal-managed settings in Azure.
7Step 7 — If the operation genuinely requires SUPER and no privilege-scoped alternative exists (e.g., RESET MASTER on a self-hosted instance), ensure the pipeline service account connects with a user that holds SUPER: `GRANT SUPER ON *.* TO 'etl_admin'@'10.0.0.%'; FLUSH PRIVILEGES;` — restrict the host mask to pipeline IP ranges rather than '%' to limit exposure.

Example log output

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Access denied; you need (at least one of) the SUPER, SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
[ADF] Activity 'SetGlobalTimeout' failed: ErrorCode=2200, Message=Failure happened on 'Source' side. ErrorCode=UserErrorFailedToConnectToMySqlServer, Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException
[dbt] Database Error in model stg_orders (models/staging/stg_orders.sql): 1227 (42000): Access denied; you need (at least one of) the SUPER privilege(s) for this operation

Frequently asked questions

MySQL 1227 fix on AWS RDS — what replaces SUPER?

AWS RDS does not expose SUPER to any user. For most admin operations, grant the `rds_superuser` role: `GRANT rds_superuser TO 'your_user'@'%';`. For SET GLOBAL on specific variables, grant `SYSTEM_VARIABLES_ADMIN`. For replication reads, grant `REPLICATION_CLIENT`. For operations RDS blocks entirely (RESET MASTER, direct binlog writes), use RDS-native APIs or parameter groups instead.

1227 error when creating stored procedure — how do I fix the DEFINER issue?

Remove the DEFINER clause entirely from your CREATE PROCEDURE or CREATE FUNCTION statement. Without DEFINER, MySQL sets it to the current user automatically, which is always allowed. If you imported the procedure from a mysqldump, strip the DEFINER with: `sed 's/DEFINER=[^ ]* //' dump.sql > clean_dump.sql` before importing on the managed instance.

dbt 1227 error on SET GLOBAL in on-run-start hook — can I work around it?

Yes. Check whether the variable supports session scope — most timeout and buffer variables do. Replace `SET GLOBAL innodb_lock_wait_timeout = N` with `SET SESSION innodb_lock_wait_timeout = N`, which requires no elevated privilege. For variables that are GLOBAL-only (like `max_connections`), set them via the cloud provider's parameter group or server parameters UI and remove the hook entirely.

MySQL 1227 retry — will the pipeline retry automatically?

No. Permission errors are deterministic failures — retrying the same statement with the same credentials will produce the same 1227 error. ADF will not auto-retry by default, and dbt will not retry a run that fails on a permission error. Fix the underlying privilege or rewrite the statement, then manually re-trigger the pipeline or dbt run.

Source · dev.mysql.com/doc/mysql-errors/8.0/en/server-error-reference.html