Alibaba Cloud provides Resource Access Management (RAM) for you to manage permissions on ApsaraMQ for MQTT. If you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. You can grant the users only the required permissions. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. This topic describes the policies provided for ApsaraMQ for MQTT in RAM.
Policy types
In RAM, a policy is a collection of permissions that are described by using syntax. For more information, see Policy structure and syntax. A policy can accurately describe the authorized resource set, action set, and authorization conditions. ApsaraMQ for MQTT provides the following types of RAM policies:
System policies: System policies are created and updated by Alibaba Cloud. You can use system policies but cannot modify them.
Custom policies: You can create, update, and delete custom policies. You need to maintain the versions of custom policies.
System policies
ApsaraMQ for MQTT provides four default system policies.
ApsaraMQ for MQTT does not support independent system policies. When you attach the following system policies to RAM users, the policies take effect in both ApsaraMQ for MQTT and ApsaraMQ for RocketMQ.
Policy | Description |
AliyunMQFullAccess | The permissions to manage ApsaraMQ for MQTT. A RAM user to which this policy is attached can manage all features the same way you use an Alibaba Cloud account to manage resources in the ApsaraMQ for MQTT console. Note After this policy is attached to a RAM user, the RAM user cannot view the list of instances in the ApsaraMQ for MQTT console. To view the list of instances in the ApsaraMQ for MQTT console, the RAM user must be granted the required permissions. The action for the permissions is mq:MqttInstanceAccess. For more information, see Permissions to manage instances in the console. |
AliyunMQPubOnlyAccess | The permissions to publish messages in ApsaraMQ for MQTT. A RAM user to which this policy is attached can use all resources of the Alibaba Cloud account to publish messages by using SDKs. |
AliyunMQSubOnlyAccess | The permissions to subscribe to messages in ApsaraMQ for MQTT. A RAM user to which this policy is attached can use all resources of the Alibaba Cloud account to subscribe to messages by using SDKs. |
AliyunMQReadOnlyAccess | The read-only permissions on ApsaraMQ for MQTT. A RAM user to which this policy is attached can only read resource information in the ApsaraMQ for MQTT console or by calling API operations. Note After this policy is attached to a RAM user, the RAM user cannot view the list of instances in the ApsaraMQ for MQTT console. To view the list of instances in the ApsaraMQ for MQTT console, the RAM user must be granted the required permissions. The action for the permissions is mq:MqttInstanceAccess. For more information, see Permissions to manage instances in the console. |
Custom policies
Custom policies allow you to grant fine-grained permissions to users.
The following section describes the mappings between resources and actions in ApsaraMQ for MQTT.
In ApsaraMQ for MQTT, instances, topics, groups, and rules are different types of resources. Permissions must be granted to perform actions on the resources.
The possible values and corresponding rules of resources and actions in ApsaraMQ for MQTT can be divided into the following categories: console, API operation, and ApsaraMQ for MQTT client. Resource-related operations in the ApsaraMQ for MQTT console are divided into the following categories based on the resource type: instance, topic, group, and rule.
To access the resources of an ApsaraMQ for MQTT instance and call API operations to perform operations on the instance, you must obtain the required permissions on the instance. The corresponding action is mq:MqttInstanceAccess.
For information about sample custom policies, see Sample policies.
Permissions to publish and subscribe to messages on ApsaraMQ for MQTT clients
The permissions to publish and subscribe to messages involve the resource naming formats of topics and groups.
Topic: acs:mq:*:*:topic/{mqttInstanceId}/{topic}
Group ID: acs:mq:*:*:groupId/{mqttInstanceId}/{gid}
Action | Description | Remarks |
mq:PUB | Publishes messages. | Before you grant a RAM user permissions on a topic or group, you must obtain the permissions to access the instance to which the topic or group belongs. The action for the permissions is mq:MqttInstanceAccess. |
mq:SUB | Subscribes to messages. |
The permissions to publish and subscribe to messages on ApsaraMQ for MQTT clients cannot be granted across Alibaba Cloud accounts.
Permissions to manage instances in the console
The resource naming format of an ApsaraMQ for MQTT instance is acs:mq:*:*:instance/{mqttInstanceId}.
Action | Description | Remarks |
mq:MqttInstanceAccess | Queries the basic information about an instance. | Before you grant a RAM user permissions on a topic or group, you must obtain the permissions to access the instance to which the topic or group belongs. The action for the permissions is mq:MqttInstanceAccess. |
mq:DeleteMqttInstance | Deletes an instance. | None. |
mq:UpdateMqttInstance | Modifies instance information. | None. |
mq:ListMqttInstance | Queries the list of instances. | None. |
mq:UpdateMqttInstanceWarn | Updates the alert information about a specific instance. | None. |
mq:MqttMetaData | Accesses the Overview page and homepage in the ApsaraMQ for MQTT console. | After you grant a RAM user the permissions to access the Overview page and homepage in the ApsaraMQ for MQTT console, you must grant the user the permissions to view instances before the user can view the list of instances in the ApsaraMQ for MQTT console. |
Permissions to manage topics in the console
The resource naming format of a topic is acs:mq:*:*:topic/{mqttInstanceId}/{topic}.
Action | Description | Remarks |
mq:QueryMqttClientByTopic | Queries ApsaraMQ for MQTT clients that subscribe to a specific topic. | Before you grant a RAM user permissions on a topic or group, you must grant the user the permissions to access the instance to which the topic or group belongs. The action for the permissions is mq:MqttInstanceAccess. |
mq:QueryMqttMsgTransTrend | Queries messaging statistics based on a specific topic. | |
mq:SendMqttMessageByConsole | Tests the message sending feature in the console. | |
mq:CreateMqttTopic | Creates a topic. | |
mq:DeleteMqttTopic | Deletes a topic. | |
mq:ListMqttTopic | Queries a topic. | |
mq:UpdateMqttTopic | Updates the description of a topic. |
Permissions to manage groups in the console
The resource naming format of a group is acs:mq:*:*:groupId/{mqttInstanceId}/{gid}.
Action | Description | Remarks |
mq:CreateMqttGroupId | Creates a group. | Before you grant a RAM user permissions on a topic or group, you must grant the user the permissions to access the instance to which the topic or group belongs. The action for the permissions is mq:MqttInstanceAccess. |
mq:ListMqttGroupId | Queries the list of groups. | |
mq:QueryMqttClientByClientId | Queries ApsaraMQ for MQTT client information based on a specific client ID. | |
mq:QueryMqttClientByGroupId | Queries ApsaraMQ for MQTT client information based on a specific group ID. | |
mq:QueryMqttHistoryOnline | Queries the information about historical connected ApsaraMQ for MQTT clients based on a specific group ID. | |
mq:DeleteMqttGroupId | Deletes a group. | |
mq:QueryMqttTraceDevice | Queries the trace of an ApsaraMQ for MQTT client. | |
mq:QueryMqttDeviceTrace | Queries the information about a specific ApsaraMQ for MQTT client. |
Permissions to manage rules in the console
The resource naming format of a rule is acs:mq:*:*:rule/{mqttInstanceId}/{ruleId}.
When you grant permissions on a rule, make sure that the related instances, topics, and groups belong to the same Alibaba Cloud account.
Action | Description | Remarks |
mq:CreateMqttInboundRule | Creates a data inbound rule. | Before you grant a RAM user permissions on a topic or group, you must grant the user the permissions to access the instance to which the topic or group belongs. The action for the permissions is mq:MqttInstanceAccess. |
mq:DeleteMqttInboundRule | Deletes a data inbound rule. | |
mq:ListMqttInboundRule | Queries a data inbound rule. | |
mq:UpdateMqttInboundRule | Updates a data inbound rule. | |
mq:CreateMqttOutboundRule | Creates a data outbound rule. | |
mq:DeleteMqttOutboundRule | Deletes a data outbound rule. | |
mq:ListMqttOutboundRule | Queries a data outbound rule. | |
mq:UpdateMqttOutboundRule | Updates a data outbound rule. | |
mq:CreateClientStatusNotifyRule | Creates a rule for client status notification. | |
mq:DeleteClientStatusNotifyRule | Deletes a rule for client status notification. | |
mq:ListClientStatusNotifyRule | Queries a rule for client status notification. | |
mq:UpdateClientStatusNotifyRule | Updates a rule for client status notification. |
Permissions to call API operations
Before you grant permissions to perform operations on rules by calling API operations, make sure that the related instances, topics, and groups belong to the same Alibaba Cloud account.
API | Resource naming format | Resource naming example | Action |
acs:mq:*:*:* | acs:mq:*:*:* |
| |
acs:mq:*:*:* | acs:mq:*:*:* |
| |
|
|
| |
| |||
|
|
| |
| |||
| |||
|
|
| |
| |||
| |||
| |||
ListDeviceCredentialClientId |
| ||
| |||
| |||
| |||
| |||
Instance: acs:mq:*:*:instance/{mqttInstanceId} | Instance: acs:mq:*:*:instance/post-cn-09k1noy**** |
| |
| |||
Instance: acs:mq:*:*:instance/{mqttInstanceId} | Instance: acs:mq:*:*:instance/post-cn-09k1noy**** |
| |
| |||
| |||
DeleteCustomAuthConnectBlack |
| ||
| |||
| |||
| |||
| |||
| |||
| |||
UpdateCustomAuthPermission |
| ||
CreateTopic |
|
|
|
ListTopics |
| ||
DeleteTopic |
| ||
UpdateTopic |
| ||
UpdateMqttOutboundRule |
|
|
|
CreateMqttInboundRule |
| ||
DeleteMqttOutboundRule |
| ||
UpdateClientStatusNotifyRule |
| ||
ListClientStatusNotifyRuleInPages |
| ||
ListMqttInboundRuleInPages |
| ||
DeleteClientStatusNotifyRule |
| ||
CreateClientStatusNotifyRule |
| ||
CreateMqttOutboundRule |
| ||
UpdateMqttInboundRule |
| ||
DeleteMqttInboundRule |
| ||
ListMqttOutboundRuleInPages |
|
For more information about API operations, see List of operations by function.