This topic provides sample RAM policies that grant permissions on ApsaraMQ for MQTT resources.
Usage notes
Before you read this topic, we recommend that you review the system policies that ApsaraMQ for MQTT provides in Resource Access Management (RAM).
The sample policies contain comments for explanation. Comments are not valid JSON, so if you want to use the sample code directly, delete each comment (the two forward slashes (//) and the description that follows them) after you copy the code. Replace the following placeholder values in the sample policies with your actual resource information:
post-cn-09k1noy**** (or mqtt-cn-7213l8z**** in Example 1): Replace it with your instance ID.
198126978280**** (Example 1 only): Replace it with your Alibaba Cloud account ID, which is the fourth field of the resource ARN.
Topic_****: Replace it with your topic name.
GID_****: Replace it with your group ID.
Rule****: Replace it with your rule ID.
Example 1: Grant a RAM user the permissions to access the Overview page and homepage in the ApsaraMQ for MQTT console
{
  "Version": "1",
  "Statement": [
    { // Before you grant a RAM user the permissions to publish and subscribe to messages by using an ApsaraMQ for MQTT client, grant the RAM user the permissions to access the corresponding instance.
      "Effect": "Allow",
      "Action": "mq:MqttInstanceAccess",
      "Resource": "acs:mq:*:*:instance/mqtt-cn-7213l8z****"
    },
    { // Grant the RAM user the permissions to access the Overview page and homepage in the ApsaraMQ for MQTT console. Otherwise, an error message is returned when you access the console.
      "Effect": "Allow",
      "Action": "mq:MqttMetaData",
      "Resource": "acs:mq:*:198126978280****:*"
    },
    { // Grant the RAM user the permissions to access instances. Otherwise, you cannot view the instance list.
      "Effect": "Allow",
      "Action": "mq:ListMqttInstance",
      "Resource": "acs:mq:*:198126978280****:instance/mqtt-cn-7213l8z****"
    }
  ]
}
Example 2: Grant a RAM user the permissions to publish and subscribe to messages by using an ApsaraMQ for MQTT client
A RAM user can be granted the permissions to publish and subscribe to messages by using an ApsaraMQ for MQTT client only within its own Alibaba Cloud account. Cross-account grants are not supported.
{
  "Version": "1",
  "Statement": [
    { // Before you grant a RAM user the permissions to publish messages and subscribe to messages by using an ApsaraMQ for MQTT client, grant the RAM user the permissions to access the corresponding instance.
      "Effect": "Allow",
      "Action": [
        "mq:MqttInstanceAccess"
      ],
      "Resource": [
        "acs:mq:*:*:instance/post-cn-09k1noy****"
      ]
    },
    { // Grant the RAM user the permissions to publish messages to and receive messages from a topic.
      "Effect": "Allow",
      "Action": [
        "mq:PUB",
        "mq:SUB"
      ],
      "Resource": [
        "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"
      ]
    },
    { // Grant the RAM user the permissions to subscribe to messages by using a group.
      "Effect": "Allow",
      "Action": [
        "mq:SUB"
      ],
      "Resource": [
        "acs:mq:*:*:groupId/post-cn-09k1noy****/GID_****"
      ]
    }
  ]
}
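The comments in the sample policies have to be removed and the placeholders filled in before a policy is valid JSON, and it is easy to misjudge what the resulting statements actually permit. The following added example (not code from the page or from Alibaba Cloud) takes a constructed copy of Example 2 with shortened comments, strips the comments, substitutes constructed placeholder values, and then evaluates action/resource requests against the policy with the same wildcard and deny-overrides semantics that RAM policies use. The replacement values (post-cn-09k1noyabcd, Topic_orders, GID_orders), the region and account ID in the test requests, and all function names are assumptions for illustration.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed copy of the page's Example 2 with the // comments kept (shortened),
# so that the helper below has a realistic document to clean up.
RAW_POLICY = """{
"Version":"1",
"Statement":[
{ // grant access to the instance first
"Effect":"Allow",
"Action":[ "mq:MqttInstanceAccess" ],
"Resource":[ "acs:mq:*:*:instance/post-cn-09k1noy****" ]
},
{ // publish to and subscribe from the topic
"Effect":"Allow",
"Action":[ "mq:PUB", "mq:SUB" ],
"Resource":[ "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****" ]
},
{ // subscribe by using the group
"Effect":"Allow",
"Action":[ "mq:SUB" ],
"Resource":[ "acs:mq:*:*:groupId/post-cn-09k1noy****/GID_****" ]
}
]
}"""

# Constructed replacement values; real ones come from your console.
PLACEHOLDERS = {
    "post-cn-09k1noy****": "post-cn-09k1noyabcd",
    "Topic_****": "Topic_orders",
    "GID_****": "GID_orders",
}


def strip_line_comments(text):
    """Drop '// ...' up to the end of each line.

    Assumes no '//' occurs inside a JSON string value, which holds for ARNs of
    the form acs:mq:...; check this before reusing it on other documents."""
    return re.sub(r"\s*//[^\n]*", "", text)


def load_policy(raw, placeholders):
    """Strip comments, fill in placeholders and parse the result.

    json.loads raises ValueError if a comment or placeholder was missed."""
    text = strip_line_comments(raw)
    for key, value in placeholders.items():
        text = text.replace(key, value)
    return json.loads(text)


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Deny-overrides evaluation: an explicit Deny that matches wins outright;
    otherwise access is granted only if some Allow statement matches both the
    action and the resource. '*' and '?' are glob wildcards, so the region and
    account wildcards in the samples match any region and any account."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    policy = load_policy(RAW_POLICY, PLACEHOLDERS)
    topic = "acs:mq:cn-hangzhou:123456:topic/post-cn-09k1noyabcd/Topic_orders"
    group = "acs:mq:cn-hangzhou:123456:groupId/post-cn-09k1noyabcd/GID_orders"
    print("PUB on topic:", is_allowed(policy, "mq:PUB", topic))   # True
    print("PUB on group:", is_allowed(policy, "mq:PUB", group))   # False: only SUB on the group
    print("SUB on another instance's topic:",
          is_allowed(policy, "mq:SUB", topic.replace("post-cn-09k1noyabcd", "post-cn-other")))  # False
```

Running the block shows the point of the per-resource statements in Example 2: the user can publish to and subscribe from Topic_orders and subscribe with GID_orders, but not publish to the group, and nothing on any other instance. Any leftover comment or unreplaced placeholder surfaces as a parse error or a non-matching ARN rather than a silent over-grant.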
Example 3: Grant a RAM user the permissions to publish messages to a topic in the console
{
  "Version": "1",
  "Statement": [
    { // Before you grant a RAM user the permissions to publish messages to a topic in the ApsaraMQ for MQTT console, grant the RAM user the permissions to access the corresponding instance.
      "Effect": "Allow",
      "Action": [
        "mq:MqttInstanceAccess"
      ],
      "Resource": [
        "acs:mq:*:*:instance/post-cn-09k1noy****"
      ]
    },
    { // Grant the RAM user the permissions to publish messages to a topic in the ApsaraMQ for MQTT console.
      "Effect": "Allow",
      "Action": [
        "mq:SendMqttMessageByConsole"
      ],
      "Resource": [
        "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"
      ]
    }
  ]
}
Example 4: Grant a RAM user the permissions to call the API operation to apply for a token
{
  "Version": "1",
  "Statement": [
    { // Before you grant a RAM user the permissions to call the API operation to apply for a token, grant the RAM user the permissions to access the corresponding instance.
      "Effect": "Allow",
      "Action": [
        "mq:MqttInstanceAccess"
      ],
      "Resource": [
        "acs:mq:*:*:instance/post-cn-09k1noy****"
      ]
    },
    { // Grant the RAM user the permissions to call the API operation to apply for a token.
      "Effect": "Allow",
      "Action": [
        "mq:ApplyToken"
      ],
      "Resource": [
        "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"
      ]
    }
  ]
}
Example 5: Grant a RAM user the permissions to call all API operations used to manage data outbound rules
Before you grant a RAM user the permissions to call all API operations used to manage data outbound rules, make sure that the instance, topic, and group are created in the same Alibaba Cloud account.
{
  "Version": "1",
  "Statement": [
    { // Before you grant a RAM user the permissions to call all API operations used to manage data outbound rules, grant the RAM user the permissions to access the corresponding instance.
      "Effect": "Allow",
      "Action": [
        "mq:MqttInstanceAccess"
      ],
      "Resource": [
        "acs:mq:*:*:instance/post-cn-09k1noy****"
      ]
    },
    { // Grant the RAM user the permissions to call all API operations used to manage data outbound rules.
      "Effect": "Allow",
      "Action": [
        "mq:CreateMqttOutboundRule",
        "mq:DeleteMqttOutboundRule",
        "mq:ListMqttOutboundRule",
        "mq:UpdateMqttOutboundRule"
      ],
      "Resource": [
        "acs:mq:*:*:rule/post-cn-09k1noy****/Rule****"
      ]
    }
  ]
}
Example 6: Grant a RAM user all permissions on an instance
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mq:MqttInstanceAccess",
      "Resource": "acs:mq:*:*:instance/post-cn-09k1noy****"
    },
    {
      "Effect": "Allow",
      "Action": "mq:MqttMetaData",
      "Resource": "acs:mq:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mq:ListMqttInstance",
      "Resource": "acs:mq:*:*:instance/post-cn-09k1noy****"
    },
    {
      "Effect": "Allow",
      "Action": "mq:*",
      "Resource": "acs:mq:*:*:*/post-cn-09k1noy****/*"
    }
  ]
}
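Example 6 is deliberately broad: it allows every mq action under the instance and grants mq:MqttMetaData on every resource type in every account. When such a policy is attached, it is worth having a repeatable check that points out which statements widen access beyond the per-topic, per-group and per-rule grants of Examples 2 to 5. The following added example (not code from the page or from Alibaba Cloud) parses a verbatim copy of Example 6, which contains no comments and therefore parses as-is, and reports Allow statements that use a wildcard action or whose resource field is a bare `*`. Region and account wildcards on their own are not flagged, because every sample on the page uses them. The function names and the finding format are assumptions for illustration.

```python
import json

# Verbatim copy of the page's Example 6; it has no // comments, so it parses directly.
EXAMPLE_6 = json.loads("""{
"Version": "1",
"Statement": [
{ "Effect": "Allow", "Action": "mq:MqttInstanceAccess", "Resource": "acs:mq:*:*:instance/post-cn-09k1noy****" },
{ "Effect": "Allow", "Action": "mq:MqttMetaData", "Resource": "acs:mq:*:*:*" },
{ "Effect": "Allow", "Action": "mq:ListMqttInstance", "Resource": "acs:mq:*:*:instance/post-cn-09k1noy****" },
{ "Effect": "Allow", "Action": "mq:*", "Resource": "acs:mq:*:*:*/post-cn-09k1noy****/*" }
]
}""")


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def resource_part(arn):
    """Return the resource field of an ARN laid out as
    acs:<service>:<region>:<account>:<resource>; a bare '*' is returned as-is."""
    fields = arn.split(":", 4)
    return fields[4] if len(fields) == 5 else arn


def find_broad_grants(policy):
    """Return (action, resource, reason) tuples for Allow statements that widen
    access beyond a named resource: a wildcard in the action name, or a resource
    field that is just '*' (all resource types, all instances)."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for res in _as_list(stmt["Resource"]):
                if "*" in action:
                    findings.append((action, res, "wildcard action"))
                elif resource_part(res) == "*":
                    findings.append((action, res, "all resource types"))
    return findings


if __name__ == "__main__":
    for action, res, reason in find_broad_grants(EXAMPLE_6):
        print(f"{reason:20s} {action:20s} {res}")
```

On Example 6 the check reports two statements: mq:MqttMetaData on acs:mq:*:*:* and mq:* on the instance-scoped resource path. The first is the grant the page says is required for the console Overview page, so a finding is a prompt to confirm the scope (Example 1 narrows it to one account ID) rather than a verdict; the second is the one that separates "all permissions on an instance" from the task-specific policies in the earlier examples.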