Before you use ApsaraMQ for MQTT, you must activate it on the Alibaba Cloud official website. If you are a Resource Access Management (RAM) user, you must be granted the required permissions before you can access ApsaraMQ for MQTT resources and use SDKs to send and receive messages in the ApsaraMQ for MQTT console or by calling API operations.
Prerequisites
An Alibaba Cloud account is created, and real-name verification is complete. For more information, see Sign up with Alibaba Cloud.
Step 1: Activate ApsaraMQ for MQTT
Go to the product page of ApsaraMQ for MQTT.
In the upper-right corner of the page, click Log In.
On the Sign in to Alibaba Cloud page, enter your Alibaba Cloud account and password, and click Sign In.
On the product page of ApsaraMQ for MQTT, click Buy Now.
You are redirected to the ApsaraMQ for MQTT console.
On the Overview page, click Activate for Free.
On the service activation page, read the content of the order and the service agreement, select Message Queue for Apache RocketMQ Terms of Service, and then click Activate Now.
Note: ApsaraMQ for MQTT is one of the services provided by ApsaraMQ for RocketMQ. After you activate ApsaraMQ for RocketMQ, ApsaraMQ for MQTT is activated. You can activate ApsaraMQ for RocketMQ for free.
(Required for a RAM user) Step 1: Grant permissions to a RAM user
If you activate ApsaraMQ for MQTT as a RAM user, you must use your Alibaba Cloud account to grant the required permissions to the RAM user before you use the RAM user to access ApsaraMQ for MQTT resources. If you activate ApsaraMQ for MQTT by using an Alibaba Cloud account, you have the permissions to access ApsaraMQ for MQTT resources by default. In this case, skip this step.
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of them at the same time.
In the Grant Permission panel, grant permissions to the RAM user.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
ResourceGroup: The authorization takes effect on a specific resource group.
Important: If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
Configure the Policy parameter.
A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
Note: The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
Click Grant permissions.
Click Close.
ApsaraMQ for MQTT provides the following system policies. You can grant the related permissions to the RAM user based on the permission scope.
Policy | Description |
AliyunMQFullAccess | The permissions to manage ApsaraMQ for MQTT. A RAM user to which this policy is attached can manage all features the same way you use an Alibaba Cloud account to manage resources in the ApsaraMQ for MQTT console. Note: After this policy is attached to a RAM user, the RAM user cannot view the list of instances in the ApsaraMQ for MQTT console. To view the list of instances in the ApsaraMQ for MQTT console, the RAM user must be granted the required permissions. The action for the permissions is mq:MqttInstanceAccess. For more information, see Permissions to manage instances in the console. |
AliyunMQPubOnlyAccess | The permissions to publish messages in ApsaraMQ for MQTT. A RAM user to which this policy is attached can use all resources of the Alibaba Cloud account to publish messages by using SDKs. |
AliyunMQSubOnlyAccess | The permissions to subscribe to messages in ApsaraMQ for MQTT. A RAM user to which this policy is attached can use all resources of the Alibaba Cloud account to subscribe to messages by using SDKs. |
AliyunMQReadOnlyAccess | The read-only permissions on ApsaraMQ for MQTT. A RAM user to which this policy is attached can only read resource information in the ApsaraMQ for MQTT console or by calling API operations. Note: After this policy is attached to a RAM user, the RAM user cannot view the list of instances in the ApsaraMQ for MQTT console. To view the list of instances in the ApsaraMQ for MQTT console, the RAM user must be granted the required permissions. The action for the permissions is mq:MqttInstanceAccess. For more information, see Permissions to manage instances in the console. |
The Overview page in the ApsaraMQ for MQTT console displays the metadata of all your instances. You can use a RAM user to access the Overview page and homepage in the ApsaraMQ for MQTT console only after the RAM user is granted the required permissions. The action for the permissions is mq:MqttMetaData. If the RAM user is not granted the required permissions, errors are returned when you access the Overview page and homepage. To view the list of instances in the ApsaraMQ for MQTT console, you must grant a RAM user the required permissions after you access the Overview page by using the RAM user. The action for the permissions is mq:ListMqttInstance.
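The console actions described above can be granted through a narrow custom policy instead of a broad system policy. The following is an added example, not part of the original documentation: it embeds a constructed custom policy and audits a RAM user's attached policies for the high-risk names and the two console actions named on this page. The policy name MqttConsoleView and the function names are hypothetical, and the evaluation is simplified (explicit Deny wins; Resource and Condition are ignored).

```python
import json
from fnmatch import fnmatchcase

# Named on this page as high-risk system policies.
HIGH_RISK = {"AdministratorAccess", "AliyunRAMFullAccess"}
# Console actions named on this page, and what each one unlocks.
CONSOLE_ACTIONS = {
    "mq:MqttMetaData": "Overview page and homepage",
    "mq:ListMqttInstance": "instance list",
}

# Constructed custom policy (hypothetical name: MqttConsoleView).
CUSTOM_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["mq:MqttMetaData", "mq:ListMqttInstance"],
     "Resource": "*"}
  ]
}
""")

def _as_list(value):
    """RAM policies allow a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def allows(documents, action):
    """Simplified evaluation: explicit Deny wins; Resource/Condition ignored."""
    allowed = False
    for doc in documents:
        for stmt in _as_list(doc.get("Statement", [])):
            patterns = _as_list(stmt.get("Action", []))
            if any(fnmatchcase(action, pat) for pat in patterns):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def audit(attached):
    """attached: {policy name: policy document}.
    Returns (high-risk policy names, console actions still missing)."""
    risky = sorted(attached.keys() & HIGH_RISK)
    missing = sorted(a for a in CONSOLE_ACTIONS
                     if not allows(attached.values(), a))
    return risky, missing
```

An empty result on both sides means the user can open the Overview page and instance list without holding a policy the page flags as high-risk.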