ApsaraMQ for MQTT: Activate ApsaraMQ for MQTT and grant permissions to a RAM user

Last Updated: Mar 11, 2026

Before you can use ApsaraMQ for MQTT to send and receive messages, you must activate the service. If a Resource Access Management (RAM) user needs to access ApsaraMQ for MQTT resources, use your Alibaba Cloud account to grant the required permissions.

Prerequisites

Before you begin, make sure that you have:

Activate ApsaraMQ for MQTT

  1. Log on to the ApsaraMQ for MQTT console.

  2. On the Overview page, click Activate for Free.

  3. On the service activation page, click Activate Now.

    Note

    ApsaraMQ for MQTT is provided as part of ApsaraMQ for RocketMQ. Activating ApsaraMQ for RocketMQ automatically activates ApsaraMQ for MQTT. Activation is free.

Grant permissions to a RAM user

If you use an Alibaba Cloud account, you already have full access to ApsaraMQ for MQTT resources. Skip this section.

If you use a RAM user, use your Alibaba Cloud account to grant the required permissions. The RAM user cannot access ApsaraMQ for MQTT resources until the permissions are granted.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the RAM user and click Add Permissions in the Actions column.

    To grant permissions to multiple RAM users at once, select the users and click Add Permissions at the bottom of the page.

  4. In the Grant Permission panel, configure the following parameters:

    1. Set Resource Scope.

      • Account: The authorization applies to the current Alibaba Cloud account.

      • ResourceGroup: The authorization applies to a specific resource group.

      Important

      If you select ResourceGroup, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about resource group-based authorization, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.

    2. Verify the Principal.

      The principal is the RAM user to which you want to grant permissions. The current RAM user is selected by default.

    3. Select a Policy.

      A policy defines a set of permissions. Select one or more policies from the following types:

      • System policies: Predefined by Alibaba Cloud. You can use but not modify these policies. Alibaba Cloud maintains version updates. For more information, see Services that work with RAM.

        Note

        The system flags high-risk policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching these policies unless necessary.

      • Custom policies: Created and managed by you based on your business requirements. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.

System policies for ApsaraMQ for MQTT

The following table lists the system policies available for ApsaraMQ for MQTT. Attach a policy based on the access level that the RAM user needs.

| Policy | Description |
| --- | --- |
| AliyunMQFullAccess | Full management permissions for ApsaraMQ for MQTT. A RAM user with this policy can manage all features in the console, equivalent to an Alibaba Cloud account. This policy does not grant permissions to view the instance list. To view instances, grant the mq:MqttInstanceAccess action separately. For more information, see Permissions to manage instances in the console. |
| AliyunMQPubOnlyAccess | Publish-only permissions. A RAM user with this policy can publish messages by using SDKs across all resources under the Alibaba Cloud account. |
| AliyunMQSubOnlyAccess | Subscribe-only permissions. A RAM user with this policy can subscribe to messages by using SDKs across all resources under the Alibaba Cloud account. |
| AliyunMQReadOnlyAccess | Read-only permissions for ApsaraMQ for MQTT. A RAM user with this policy can view resource information in the console or through API operations. This policy does not grant permissions to view the instance list. To view instances, grant the mq:MqttInstanceAccess action separately. For more information, see Permissions to manage instances in the console. |

Important

The Overview page displays metadata for all your instances. A RAM user needs the mq:MqttMetaData permission to access the Overview page and homepage. Without this permission, errors are returned. To also view the instance list, grant the mq:ListMqttInstance permission.
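
The following is an added example, not code from the Alibaba Cloud documentation. It reviews one RAM user's grant against the points on this page: it flags the high-risk system policies named above and reports which of the console actions named on this page (mq:MqttMetaData, mq:MqttInstanceAccess, mq:ListMqttInstance) the user's custom policies do not allow. Assumptions: the function names and sample data are constructed for illustration, only custom policy documents in the RAM JSON format are evaluated (the contents of system policies are not modelled), and Resource and Condition elements are ignored.

```python
from fnmatch import fnmatchcase

# Policy and action names below are the ones this page mentions.
HIGH_RISK = {"AdministratorAccess", "AliyunRAMFullAccess"}
CONSOLE_ACTIONS = ("mq:MqttMetaData", "mq:MqttInstanceAccess", "mq:ListMqttInstance")

def _as_list(value):
    # RAM policy elements may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def _matches(statement, action):
    # Action patterns may contain "*"; compare case-insensitively.
    return any(fnmatchcase(action.lower(), p.lower())
               for p in _as_list(statement.get("Action", [])))

def action_allowed(policy_docs, action):
    """True if some Allow statement matches and no Deny statement does."""
    allowed = False
    for doc in policy_docs:
        for st in _as_list(doc.get("Statement", [])):
            if not _matches(st, action):
                continue
            if st.get("Effect") == "Deny":
                return False  # an explicit Deny overrides any Allow
            allowed = allowed or st.get("Effect") == "Allow"
    return allowed

def review_grant(system_policies, custom_docs):
    """Summarise one RAM user's grant (hypothetical helper, assumption)."""
    return {
        "high_risk": sorted(HIGH_RISK & set(system_policies)),
        "console_actions_missing": [a for a in CONSOLE_ACTIONS
                                    if not action_allowed(custom_docs, a)],
    }

# Constructed sample: a console user with one custom policy attached.
SAMPLE_SYSTEM = ["AliyunMQReadOnlyAccess", "AliyunRAMFullAccess"]
SAMPLE_CUSTOM = [{
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["mq:MqttMetaData", "mq:ListMqtt*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "mq:MqttInstanceAccess", "Resource": "*"},
    ],
}]

if __name__ == "__main__":
    print(review_grant(SAMPLE_SYSTEM, SAMPLE_CUSTOM))
```
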

What's next

Create resources