Using the legacy MySQL 5.6 combined syntax `GRANT ... TO 'user'@'host' IDENTIFIED BY 'password'` on MySQL 8.0+, where implicit user creation via GRANT was fully removed. The statement fails even if the executing user has all privileges.. The NO_AUTO_CREATE_USER SQL mode is active (default since MySQL 5.7.7). Even on 5.7.x, this mode blocks GRANT from creating users unless the GRANT includes an IDENTIFIED BY clause — and on 8.0+ the clause itself is removed from GRANT syntax entirely.. The executing MySQL account has GRANT OPTION but lacks the CREATE USER privilege. GRANT can only assign privileges; creating the account requires a separate privilege.. Infrastructure-as-code tools (Terraform mysql_grant resource, Ansible mysql_user module) configured with an older provider version that emits the legacy GRANT syntax instead of CREATE USER + GRANT. Upgrading the MySQL server without updating the provider triggers 1410.. A read-replica promotion or failover script that provisions a replication user via GRANT on the new primary. The script was written for MySQL 5.6 and never updated — the replica starts but the replication user is never created, causing replication to break with 1410 followed by Access denied.

Step 1: Verify MySQL version and current SQL mode: `SELECT VERSION(); SELECT @@GLOBAL.sql_mode;` — check if NO_AUTO_CREATE_USER is present (5.7) or if you are on 8.0+ where it is enforced unconditionally.. Step 2: Create the user as a separate statement before granting: `CREATE USER IF NOT EXISTS 'pipeline_user'@'%' IDENTIFIED BY 'your_password';` — the IF NOT EXISTS clause makes this idempotent for automation scripts.. Step 3: Grant privileges in a second statement: `GRANT SELECT, INSERT, UPDATE ON target_db.* TO 'pipeline_user'@'%'; FLUSH PRIVILEGES;`. Step 4: Verify the account exists and has correct privileges: `SHOW GRANTS FOR 'pipeline_user'@'%';` — confirm that the expected database and table permissions are listed.. Step 5: Search your codebase for legacy GRANT syntax: `grep -rn 'GRANT.*IDENTIFIED BY' /path/to/infra/ --include='*.sql' --include='*.yml' --include='*.tf'` — every match needs to be split into CREATE USER + GRANT.. Step 6: For Terraform, update the MySQL provider to v3.0+ and use separate `mysql_user` and `mysql_grant` resources instead of a single `mysql_grant` with a password. For Ansible, set `state: present` on a `mysql_user` task before the `mysql_query` task that runs GRANT.. Step 7: Test the fix against a MySQL 8.0 instance before deploying: `docker run --rm -e MYSQL_ROOT_PASSWORD=test -p 3307:3306 mysql:8.0` — run your provisioning script against localhost:3307 to confirm no 1410 errors.

Medium severitypermission

MySQL Error:
1410

What does this error mean?

MySQL raises error 1410 when a GRANT statement references a user account that does not yet exist and the server blocks implicit user creation. In MySQL 5.7.7+ with NO_AUTO_CREATE_USER enabled (the default) and in all MySQL 8.0+ versions, GRANT can only assign privileges to existing accounts — it cannot create them on the fly. In data pipelines this typically surfaces during infrastructure provisioning: a Terraform or Ansible playbook runs a GRANT ... IDENTIFIED BY statement copied from a MySQL 5.6-era runbook, an ADF Linked Service setup script fails to create the service account, or a dbt pre-hook tries to grant permissions to a freshly provisioned replica user. The symptom is immediate — the GRANT fails, the user account is never created, and subsequent pipeline connections fail with Access denied for user.

Common causes

1Using the legacy MySQL 5.6 combined syntax `GRANT ... TO 'user'@'host' IDENTIFIED BY 'password'` on MySQL 8.0+, where implicit user creation via GRANT was fully removed. The statement fails even if the executing user has all privileges.
2The NO_AUTO_CREATE_USER SQL mode is active (default since MySQL 5.7.7). Even on 5.7.x, this mode blocks GRANT from creating users unless the GRANT includes an IDENTIFIED BY clause — and on 8.0+ the clause itself is removed from GRANT syntax entirely.
3The executing MySQL account has GRANT OPTION but lacks the CREATE USER privilege. GRANT can only assign privileges; creating the account requires a separate privilege.
4Infrastructure-as-code tools (Terraform mysql_grant resource, Ansible mysql_user module) configured with an older provider version that emits the legacy GRANT syntax instead of CREATE USER + GRANT. Upgrading the MySQL server without updating the provider triggers 1410.
5A read-replica promotion or failover script that provisions a replication user via GRANT on the new primary. The script was written for MySQL 5.6 and never updated — the replica starts but the replication user is never created, causing replication to break with 1410 followed by Access denied.

How to fix it

1Step 1: Verify MySQL version and current SQL mode: `SELECT VERSION(); SELECT @@GLOBAL.sql_mode;` — check if NO_AUTO_CREATE_USER is present (5.7) or if you are on 8.0+ where it is enforced unconditionally.
2Step 2: Create the user as a separate statement before granting: `CREATE USER IF NOT EXISTS 'pipeline_user'@'%' IDENTIFIED BY 'your_password';` — the IF NOT EXISTS clause makes this idempotent for automation scripts.
3Step 3: Grant privileges in a second statement: `GRANT SELECT, INSERT, UPDATE ON target_db.* TO 'pipeline_user'@'%'; FLUSH PRIVILEGES;`
4Step 4: Verify the account exists and has correct privileges: `SHOW GRANTS FOR 'pipeline_user'@'%';` — confirm that the expected database and table permissions are listed.
5Step 5: Search your codebase for legacy GRANT syntax: `grep -rn 'GRANT.*IDENTIFIED BY' /path/to/infra/ --include='*.sql' --include='*.yml' --include='*.tf'` — every match needs to be split into CREATE USER + GRANT.
6Step 6: For Terraform, update the MySQL provider to v3.0+ and use separate `mysql_user` and `mysql_grant` resources instead of a single `mysql_grant` with a password. For Ansible, set `state: present` on a `mysql_user` task before the `mysql_query` task that runs GRANT.
7Step 7: Test the fix against a MySQL 8.0 instance before deploying: `docker run --rm -e MYSQL_ROOT_PASSWORD=test -p 3307:3306 mysql:8.0` — run your provisioning script against localhost:3307 to confirm no 1410 errors.

Example log output

ERROR 1410 (42000) at line 14: You are not allowed to create a user with GRANT
mysql> GRANT ALL PRIVILEGES ON analytics.* TO 'adf_reader'@'10.0.0.%' IDENTIFIED BY '***';
ERROR 1410 (42000): You are not allowed to create a user with GRANT

Frequently asked questions

What changed in MySQL 8.0 regarding user creation with GRANT?

MySQL 8.0 fully removed the IDENTIFIED BY clause from GRANT syntax and removed the NO_AUTO_CREATE_USER SQL mode (because it is now always enforced). Any GRANT statement that references a non-existent user fails with error 1410. The fix is to always use CREATE USER first, then GRANT.

How do I update old MySQL 5.6 provisioning scripts for MySQL 8.0?

Replace each `GRANT privileges ON db.* TO 'user'@'host' IDENTIFIED BY 'pass';` with two statements: `CREATE USER IF NOT EXISTS 'user'@'host' IDENTIFIED BY 'pass'; GRANT privileges ON db.* TO 'user'@'host';` The IF NOT EXISTS clause makes the script safe to re-run. Search your repo with `grep -rn 'GRANT.*IDENTIFIED BY'` to find all instances.

Does error 1410 also occur on MySQL 5.7 or only on 8.0?

It can occur on MySQL 5.7.7+ when the NO_AUTO_CREATE_USER SQL mode is active, which is the default. On 5.7 you can work around it by removing NO_AUTO_CREATE_USER from sql_mode, but this is not recommended — the two-step CREATE USER + GRANT pattern is safer and forward-compatible with 8.0.

My ADF pipeline fails with Access denied right after a 1410 error — are they related?

Yes. Error 1410 means the user account was never created. The subsequent Access denied is the pipeline trying to connect with that non-existent account. Fix the 1410 first by creating the user with CREATE USER, and the Access denied resolves automatically.

Source · dev.mysql.com/doc/mysql-errors/8.0/en/server-error-reference.html