To prevent risks caused by the leak of the AccessKey pair of an Alibaba Cloud account, ApsaraMQ for MQTT allows you to grant permissions on instances, topics, and groups to Resource Access Management (RAM) users. Only authorized RAM users can manage resources in the ApsaraMQ for MQTT console and publish and subscribe to messages by using SDKs and calling API operations.
ApsaraMQ for MQTT does not support cross-account authorization.
Scenario
Enterprise A has activated ApsaraMQ for MQTT. Employees of Enterprise A need to manage ApsaraMQ for MQTT resources, such as instances, topics, and groups. Each employee has different duties. For example, some employees need to create resources, some need to publish messages, and others need to subscribe to messages. In this case, Enterprise A needs to grant different permissions to the employees.
The following items describe the scenario:
For security reasons, Enterprise A does not want to disclose the AccessKey pair of the Alibaba Cloud account to employees. Instead, Enterprise A wants to create RAM users for the employees and grant different permissions to the employees.
An employee can manage resources only if the RAM user that the employee uses is granted the required permissions. All expenses of the RAM users are billed to the Alibaba Cloud account of Enterprise A.
Enterprise A can revoke the permissions granted to a RAM user and delete a RAM user at any time.
In this scenario, Enterprise A can grant its employees fine-grained permissions on resources by using the Alibaba Cloud account.
Procedure
Create a RAM user by using the Alibaba Cloud account of Enterprise A.
For more information, see Create a RAM user.
(Optional) Create custom policies for the new RAM user by using the Alibaba Cloud account of Enterprise A.
For more information, see Create custom policies.
ApsaraMQ for MQTT allows you to grant permissions on instances, topics, and groups to RAM users. For more information, see Policies.
Grant permissions to the RAM user by using the Alibaba Cloud account of Enterprise A.
For more information, see Grant permissions to a RAM user.
What to do next
After you create a RAM user by using an Alibaba Cloud account, you can share the logon name and password or AccessKey pair of the RAM user with other users. The users can perform the following steps to log on to the Alibaba Cloud Management Console or call API operations by using the RAM user.
Log on to the Alibaba Cloud Management Console
Open the RAM User Logon page in your browser.
In the Username field of the RAM User Logon page, enter the logon name of the RAM user and click Next. On the page that appears, enter the password. Then, click Log On.
Note: The logon name of the RAM user is in the <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com format. <$AccountAlias> indicates the account alias. If no account alias is specified, the ID of the Alibaba Cloud account is used.
On the RAM User Center page, click a service on which permissions are granted to access the console.
Important: The Overview page in the ApsaraMQ for MQTT console displays the metadata of all your instances. A RAM user can access the Overview page and homepage in the ApsaraMQ for MQTT console only after it is granted the required permissions; the action for these permissions is mq:MqttMetaData. If the RAM user is not granted these permissions, errors are returned when it accesses the Overview page and homepage. To view the list of instances in the console after the RAM user has accessed the Overview page, you must also grant the RAM user the permissions whose action is mq:ListMqttInstance.
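The following Python snippet is an added example, not code from the Alibaba Cloud documentation or product. It builds a RAM custom policy document that grants only the two actions named above (mq:MqttMetaData and mq:ListMqttInstance), includes a minimal evaluator that shows how an explicit Deny overrides an Allow, and flags statements that are broader than this scenario needs. The policy document shape (Version "1", Statement list with Effect/Action/Resource) is the standard RAM format; the resource value is a labelled placeholder because the exact ApsaraMQ for MQTT resource ARN format must be taken from the Policies documentation.

```python
import fnmatch
import json

# Actions named in the Important note above.
CONSOLE_OVERVIEW_ACTION = "mq:MqttMetaData"
LIST_INSTANCES_ACTION = "mq:ListMqttInstance"

# PLACEHOLDER: replace with the instance resource ARN given in the Policies
# documentation; "*" is used here only so the example runs stand-alone.
INSTANCE_RESOURCE = "*"


def build_console_policy(extra_actions=()):
    """Return a RAM custom policy (Version "1") granting just the actions a
    RAM user needs to open the console Overview page and list instances."""
    actions = [CONSOLE_OVERVIEW_ACTION, LIST_INSTANCES_ACTION, *extra_actions]
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": actions, "Resource": INSTANCE_RESOURCE}
        ],
    }


def policy_json(policy):
    """Serialize the policy the way it is pasted into the RAM console."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # RAM accepts "*" wildcards in Action and Resource; fnmatch covers that.
    return fnmatch.fnmatchcase(value, pattern)


def policy_allows(policy, action, resource):
    """Minimal evaluator: an explicit Deny beats any Allow, and an action
    with no matching statement is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def least_privilege_findings(policy):
    """Flag Allow statements broader than this scenario requires."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for a in _as_list(stmt["Action"]):
            if a in ("*", "mq:*"):
                findings.append(
                    f"statement {i}: wildcard action {a!r} grants every ApsaraMQ for MQTT operation"
                )
            elif not a.startswith("mq:"):
                findings.append(f"statement {i}: action {a!r} is outside the mq: namespace")
    return findings


if __name__ == "__main__":
    policy = build_console_policy()
    print(policy_json(policy))
    print("overview allowed:", policy_allows(policy, CONSOLE_OVERVIEW_ACTION, "acs:mq:constructed"))
    print("findings:", least_privilege_findings(policy))
```

Run it as a script to print the policy document; attach the printed JSON as a custom policy to the RAM user, then extend `extra_actions` only with the publish or subscribe actions a particular employee needs.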
Use the AccessKey pair of the RAM user to call API operations
Specify the AccessKey ID and AccessKey secret of the RAM user in the code.
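As an added example (not code from the Alibaba Cloud documentation or SDKs), the following Python snippet shows how to supply the RAM user's AccessKey pair to your code without embedding it in source: it reads the pair from the environment, refuses to start if either half is missing, produces a log-safe view that never contains the secret, and scans source text for AccessKey ID literals that were committed by mistake. The environment variable names are the ones used by Alibaba Cloud's credential libraries; the assumption that AccessKey IDs begin with the prefix LTAI is labelled in the code, and all sample values are constructed.

```python
import os
import re

# Environment variable names used by Alibaba Cloud credential libraries.
ENV_KEY_ID = "ALIBABA_CLOUD_ACCESS_KEY_ID"
ENV_KEY_SECRET = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"

# ASSUMPTION: Alibaba Cloud AccessKey IDs start with "LTAI" followed by an
# alphanumeric body; adjust the pattern if your account's IDs differ.
ACCESS_KEY_ID_PATTERN = re.compile(r"\bLTAI[A-Za-z0-9]{12,}\b")


class MissingCredentials(RuntimeError):
    """Raised when the RAM user's AccessKey pair is not configured."""


def load_ram_credentials(env=None):
    """Read the RAM user's AccessKey pair from the environment rather than
    from a literal in the code. Blank values count as missing."""
    env = os.environ if env is None else env
    key_id = (env.get(ENV_KEY_ID) or "").strip()
    secret = (env.get(ENV_KEY_SECRET) or "").strip()
    if not key_id or not secret:
        raise MissingCredentials(f"set {ENV_KEY_ID} and {ENV_KEY_SECRET}")
    return {"access_key_id": key_id, "access_key_secret": secret}


def has_ram_credentials(env=None):
    """True when both halves of the pair are present and non-blank."""
    try:
        load_ram_credentials(env)
        return True
    except MissingCredentials:
        return False


def redact(credentials):
    """Log-safe view: first four characters of the ID only, secret dropped."""
    key_id = credentials["access_key_id"]
    masked = key_id[:4] + "*" * max(0, len(key_id) - 4)
    return {"access_key_id": masked, "access_key_secret": "<redacted>"}


def find_hardcoded_access_keys(source_text):
    """Return (line_number, literal) for every AccessKey ID literal found in
    source text; use it as a pre-commit check so a pair never lands in a repo."""
    hits = []
    for number, line in enumerate(source_text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_PATTERN.finditer(line):
            hits.append((number, match.group(0)))
    return hits


if __name__ == "__main__":
    creds = load_ram_credentials()
    print("using credentials:", redact(creds))
    # Constructed sample: a source line with a hardcoded ID and one that does not.
    sample = 'access_key = "LTAIexampleconstructed01"\nother = os.environ["X"]\n'
    print("hardcoded IDs:", find_hardcoded_access_keys(sample))
```

Export the two environment variables in the RAM user's shell or secret store, then call `load_ram_credentials()` once at startup and pass the returned values to the SDK or MQTT client; log only `redact(creds)`.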