
ApsaraMQ for RabbitMQ: Custom policies of ApsaraMQ for RabbitMQ

Last Updated: Oct 24, 2024

If the system policies of ApsaraMQ for RabbitMQ do not meet your business requirements, you can create custom policies to implement the principle of least privilege. Custom policies help you manage permissions in a fine-grained manner and improve resource access security. This topic describes the scenarios in which custom policies of ApsaraMQ for RabbitMQ are used. This topic also provides sample custom policies.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. Custom policies are created and maintained by you.

  • After you create a custom policy, you need to attach it to a RAM user, a user group, or a RAM role so that the permissions specified in the policy can be granted to the principal.

  • You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.

  • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.


Custom policies

The following tables describe the permissions (actions and resources) that you can specify in custom policies for ApsaraMQ for RabbitMQ.

Permission description for client API operations

exchange.declare (passive=false)
  Action: amqp:CreateExchange
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
  Description: Declares an exchange and checks whether the exchange exists.
    • If the specified exchange does not exist, the system creates an exchange and returns a message that indicates the declaration is successful.
    • If the specified exchange exists, the system checks whether the information about the exchange is correct. If the information is correct, the system returns a message that indicates the declaration is successful. If the information is incorrect, the system returns an error.

exchange.declare (passive=true)
  Action: amqp:GetExchange
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
  Description: Declares an exchange and checks whether the exchange exists.
    • If the specified exchange does not exist, the system returns an error.
    • If the specified exchange exists, the system returns a message that indicates the declaration is successful.

exchange.bind
  Action: amqp:GetExchange (source exchange)
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange)
  Action: amqp:CreateExchange (destination exchange)
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange)
  Description: Binds a source exchange to a destination exchange.

exchange.unbind
  Action: amqp:GetExchange (source exchange)
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange)
  Action: amqp:CreateExchange (destination exchange)
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange)
  Description: Unbinds a source exchange from a destination exchange.

queue.declare (passive=false)
  Action: amqp:CreateQueue
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  Description: Declares a queue and checks whether the queue exists.
    • If the specified queue does not exist, the system creates a queue.
    • If the specified queue exists, the system checks whether the information about the queue is correct. If the information is correct, the system returns a message that indicates the declaration is successful. If the information is incorrect, the system returns an error.

queue.declare (passive=true)
  Action: amqp:CreateQueue
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
  Description: Declares a queue and checks whether the queue exists.
    • If the specified queue does not exist, the system returns an error.
    • If the specified queue exists, the system returns a message that indicates the declaration is successful.

queue.declare (dead-letter exchange configured)
  Action: amqp:CreateQueue
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  Action: amqp:GetQueue
  Resource: acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName
  Action: amqp:CreateExchange (dead-letter exchange)
  Resource: acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName (dead-letter exchange)
  Description: Declares a queue for which a dead-letter exchange is configured.

queue.bind
  Action: amqp:CreateQueue
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  Action: amqp:GetExchange
  Resource: acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName
  Description: Binds a queue to an exchange.

queue.unbind
  Action: amqp:CreateQueue
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  Action: amqp:GetExchange
  Resource: acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName
  Description: Unbinds a queue from an exchange.

BasicRecover
  Action: amqp:BasicRecover
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  Description: Redelivers the messages that are not acknowledged by consumers.

BasicCancel
  Action: amqp:BasicCancel
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
  Description: Cancels a subscription.

BasicPublish
  Action: amqp:BasicPublish
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/*
  Description: Publishes a message to a topic.

BasicConsume
  Action: amqp:BasicConsume
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
  Description: Starts a consumer.

BasicAck
  Action: amqp:BasicAck
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
  Description: Acknowledges one or more messages.

BasicNack
  Action: amqp:BasicNack
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
  Description: Negatively acknowledges one or more messages.

BasicReject
  Action: amqp:BasicReject
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
  Description: Rejects a message.

BasicGet
  Action: amqp:BasicGet
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
  Description: Queries messages in a queue.
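The client table pairs each AMQP operation with the RAM action and resource it needs, which is exactly the input a least-privilege policy should be derived from. The following added example (not Alibaba Cloud code) encodes that mapping and generates a policy that grants only the actions a given application performs. Every resource in it uses the .../instances/$instanceId/vhosts/$vhostName prefix, which is an assumption where the table writes $instanceName or omits the instance segment; the sample placeholder values are constructed, and the optional amqp:GetInstance/amqp:GetVhost statement mirrors the sample policies further down this page rather than the client table itself.

```python
"""Build a least-privilege ApsaraMQ for RabbitMQ custom policy from the AMQP
client operations an application actually performs.

Added example, not Alibaba Cloud code. The (action, resource) pairs come from
the client API table on this page; every resource is written with the
.../instances/$instanceId/vhosts/$vhostName prefix, which is an assumption
where the table writes $instanceName or omits the instance segment.
"""
import json

INSTANCE = "acs:amqp:$region:$accountid:/instances/$instanceId"
VHOST = INSTANCE + "/vhosts/$vhostName"

# AMQP client operation -> RAM (action, resource) pairs it requires.
_EXCHANGE_BIND = [("amqp:GetExchange", VHOST + "/exchanges/$exchangeName"),
                  ("amqp:CreateExchange", VHOST + "/exchanges/*")]
_QUEUE_BIND = [("amqp:CreateQueue", VHOST + "/queues/*"),
               ("amqp:GetExchange", VHOST + "/exchanges/$exchangeName")]
_QUEUE_MSGS = VHOST + "/queues/$queueName/messages/*"

CLIENT_OPERATIONS = {
    "exchange.declare":           [("amqp:CreateExchange", VHOST + "/exchanges/*")],
    "exchange.declare(passive)":  [("amqp:GetExchange", VHOST + "/exchanges/$exchangeName")],
    "exchange.bind":              _EXCHANGE_BIND,
    "exchange.unbind":            _EXCHANGE_BIND,
    "queue.declare":              [("amqp:CreateQueue", VHOST + "/queues/*")],
    "queue.declare(passive)":     [("amqp:CreateQueue", VHOST + "/queues/$queueName")],
    "queue.declare(dead-letter)": [("amqp:CreateQueue", VHOST + "/queues/*"),
                                   ("amqp:GetQueue", VHOST + "/queues/$queueName"),
                                   ("amqp:CreateExchange", VHOST + "/exchanges/$exchangeName")],
    "queue.bind":                 _QUEUE_BIND,
    "queue.unbind":               _QUEUE_BIND,
    "BasicRecover":               [("amqp:BasicRecover", VHOST + "/queues/*")],
    "BasicPublish":               [("amqp:BasicPublish", VHOST + "/exchanges/$exchangeName/messages/*")],
    **{op: [("amqp:" + op, _QUEUE_MSGS)]
       for op in ("BasicCancel", "BasicConsume", "BasicAck", "BasicNack", "BasicReject", "BasicGet")},
}

# Constructed sample values for the placeholders the page says you must fill in.
SAMPLE_VALUES = {
    "$region": "cn-hangzhou",
    "$accountid": "1234567890123456",    # constructed, not a real account ID
    "$instanceId": "amqp-cn-example01",  # constructed instance ID
    "$vhostName": "orders",
    "$queueName": "orders.created",
    "$exchangeName": "orders.events",
}


def minimal_policy(operations, values=SAMPLE_VALUES, include_instance_access=True):
    """Return a RAM policy document granting only what `operations` require."""
    by_resource = {}
    for op in operations:
        if op not in CLIENT_OPERATIONS:
            raise ValueError(f"unknown client operation: {op}")
        for action, res in CLIENT_OPERATIONS[op]:
            by_resource.setdefault(res, set()).add(action)

    statements = []
    if include_instance_access:
        # The sample policies on this page pair client grants with read access
        # to the instance and vhost; optional here because the client table
        # itself does not list it.
        statements.append({"Effect": "Allow",
                           "Action": ["amqp:GetInstance", "amqp:GetVhost"],
                           "Resource": [INSTANCE, VHOST]})
    for res in sorted(by_resource):
        statements.append({"Effect": "Allow",
                           "Action": sorted(by_resource[res]),
                           "Resource": res})

    text = json.dumps({"Version": "1", "Statement": statements}, indent=4)
    for key, value in values.items():      # substitute the $placeholders
        text = text.replace(key, value)
    return json.loads(text)


def granted_actions(policy):
    """Set of actions the policy allows, for a least-privilege review."""
    return {a for st in policy["Statement"] for a in st["Action"]}


def granted_resources(policy):
    """Set of resource strings the policy references."""
    out = set()
    for st in policy["Statement"]:
        r = st["Resource"]
        out.update(r if isinstance(r, list) else [r])
    return out


if __name__ == "__main__":
    # A consumer that declares and binds its queue, then consumes and acks.
    consumer = minimal_policy(["queue.declare", "queue.bind", "BasicConsume", "BasicAck"])
    print(json.dumps(consumer, indent=4))
```

The generated consumer policy contains no amqp:BasicPublish and no Delete* or QueuePurge action, which is the difference between it and the broader sample policies at the end of this page; review the output of granted_actions() before attaching the policy to a RAM user.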

Permission description for console API operations and features

ListInstances
  Action: amqp:ListInstance
  Resource: acs:amqp:$region:$accountid:/instances/*
  Description: Queries the list of instances.

CreateInstance
  Action: amqp:CreateInstance
  Resource: acs:amqp:$region:$accountid:/instances/*
  Description: Creates an instance. The policy of this API operation supports the following fields. For more information, see Condition.
    • amqp:InstanceType: the instance edition. Valid values:
      • professional: Professional Edition.
      • enterprise: Enterprise Edition.
      • vip: Enterprise Platinum Edition.
    • amqp:SupportEIP: specifies whether elastic IP addresses (EIPs) are supported. Valid values:
      • True
      • False

DeleteInstance
  Action: amqp:DeleteInstance
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId
  Description: Deletes an instance.

GetInstance
  Action: amqp:GetInstance
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId
  Description: Queries the details of an instance.

ListVhost
  Action: amqp:ListVhost
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*
  Description: Queries the list of vhosts.

CreateVhost
  Action: amqp:CreateVhost
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*
  Description: Creates a vhost.

DeleteVhost
  Action: amqp:DeleteVhost
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName
  Action: amqp:GetInstance
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId
  Description: Deletes a vhost. To perform this operation, you must also grant permissions on the GetInstance operation to the Resource Access Management (RAM) user.

ListExchange
  Action: amqp:ListExchange
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
  Action: amqp:GetInstance
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId
  Description: Queries the list of exchanges. To perform this operation, you must also grant permissions on the GetInstance operation to the RAM user.

CreateExchange
  Action: amqp:CreateExchange
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
  Description: Creates an exchange.

DeleteExchange
  Action: amqp:DeleteExchange
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
  Description: Deletes an exchange.

ListQueue
  Action: amqp:ListQueue
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  Action: amqp:GetInstance
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId
  Description: Queries the list of queues. To perform this operation, you must also grant permissions on the GetInstance operation to the RAM user.

CreateQueue
  Action: amqp:CreateQueue
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  Description: Creates a queue.

DeleteQueue
  Action: amqp:DeleteQueue
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
  Description: Deletes a queue.

QueuePurge
  Action: amqp:QueuePurge
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
  Description: Clears messages in a queue.

ListStaticAccounts
  Action: amqp:ListStaticAccounts
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*
  Action: amqp:GetInstance
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId
  Description: Queries a pair of static username and password. To perform this operation, you must also grant permissions on the GetInstance operation to the RAM user.

FetchStaticAccount
  Action: amqp:FetchStaticAccount
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*
  Action: amqp:GetInstance
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId
  Description: Creates a pair of static username and password. To perform this operation, you must also grant permissions on the GetInstance operation to the RAM user.

DeleteStaticAccount
  Action: amqp:DeleteStaticAccount
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*
  Description: Deletes a pair of static username and password.

Message query by queue
  Action: amqp:BasicGet
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
  Description: Queries messages by queue.

Message query by message ID
  Action: amqp:BasicGet
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
  Description: Queries messages by message ID.

Message resending
  Actions: amqp:BasicGet and amqp:BasicPublish
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
  Description: Resends messages.

Message sending
  Action: amqp:BasicPublish
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
  Description: Sends messages.

Sample custom policies

Important

When you create a custom policy, you must specify the following parameter values based on your actual situation:

  • $region: the ID of the region where the resource resides. For more information, see Endpoints.

  • $accountid: the ID of the Alibaba Cloud Account to which the authorized object belongs.

  • $instanceId: the ID of the ApsaraMQ for RabbitMQ instance.

  • $vhostName: the vhost name.

  • $queueName: the queue name.

  • $exchangeName: the exchange name.

  • Example 1: A policy that can be used to grant a RAM user permissions to publish and subscribe to messages in a vhost

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "amqp:GetInstance",
                    "amqp:ListVhost",
                    "amqp:GetVhost"
                ],
                "Resource":[
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
                ],
                "Effect":"Allow"
            },
            {
                "Action":[
                    "amqp:ListExchange",
                    "amqp:CreateExchange",
                    "amqp:DeleteExchange",
                    "amqp:ListQueue",
                    "amqp:DeleteQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicPublish",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet",
                    "amqp:GetExchange"
                ],
                "Resource":"acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource":"acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
                "Effect":"Allow"
            }
        ]
    }
  • Example 2: A policy that can be used to grant a RAM user permissions to publish messages

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicPublish",
                    "amqp:BasicAck",
                    "amqp:BasicNack"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 3: A policy that can be used to grant a RAM user permissions to subscribe to messages

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 4: A policy that can be used to grant a RAM user permissions to publish and subscribe to messages

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:ListExchange",
                    "amqp:CreateExchange",
                    "amqp:DeleteExchange",
                    "amqp:ListQueue",
                    "amqp:DeleteQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicPublish",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 5: A policy that can be used to grant a RAM user permissions to manage usernames and passwords

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*"
            },
            {
                "Effect": "Allow",
                "Action": "amqp:GetInstance",
                "Resource": "acs:amqp:*:*:/instances/$instanceId"
            }
        ],
        "Version": "1"
    }
  • Example 6: A policy that can be used to grant a RAM user permissions to create instances

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "amqp:CreateInstance",
                "Resource": "acs:amqp:*:$accountid:/instances/*"
            }
        ]
    }
  • Example 7: A policy that can be used to grant a RAM user permissions to create Enterprise Platinum Edition instances that do not support EIPs

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "amqp:CreateInstance",
                "Resource": "acs:amqp:*:$accountid:/instances/*",
                "Condition": {
                    "StringEquals": {
                        "amqp:InstanceType": [
                            "vip"
                        ],
                        "amqp:SupportEIP": [
                            "false"
                        ]
                    }
                }
            }
        ]
    }
  • Example 8: A policy that can be used to grant a RAM user permissions to perform all operations on an instance

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "amqp:ListInstance",
                "Resource": "acs:amqp:*:*:/instances/*",
                "Effect": "Allow"
            },
            {
                "Action": "amqp:*",
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
                "Effect": "Allow"
            }
        ]
    }
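Before attaching one of these policies, it is worth checking offline what it actually permits: the CreateInstance condition keys (amqp:InstanceType, amqp:SupportEIP) described in the console table and the sample policies above are both easy to get subtly wrong. The following added example (not Alibaba Cloud's evaluation engine) loads Example 2 and Example 7 from this page with constructed placeholder values and answers "would this action on this resource be allowed?". It assumes that "*" is a glob wildcard in Action and Resource, that an explicit Deny overrides Allow and anything unmatched is implicitly denied, and it models only the StringEquals and StringNotEquals condition operators. The guard-rail policy with a Deny statement is constructed for the example and is not on the page.

```python
"""Offline simulator for ApsaraMQ for RabbitMQ RAM custom policies.

Added example, not Alibaba Cloud's evaluation engine. Assumptions:
- '*' in Action and Resource is a glob wildcard; matching is case-insensitive.
- Evaluation order is explicit Deny > Allow > implicit deny.
- Only the StringEquals and StringNotEquals condition operators are modelled.
"""
import fnmatch
import json

# Constructed sample values for the placeholders the page says you must fill in.
SAMPLE_VALUES = {
    "$region": "cn-hangzhou",
    "$accountid": "1234567890123456",    # constructed, not a real account ID
    "$instanceId": "amqp-cn-example01",  # constructed instance ID
    "$vhostName": "orders",
    "$queueName": "orders.created",
    "$exchangeName": "orders.events",
}

# Example 2 from this page: a publish-only policy.
PUBLISH_ONLY_TEMPLATE = '''
{"Version": "1", "Statement": [
  {"Action": ["amqp:GetInstance"],
   "Resource": ["acs:amqp:*:*:/instances/$instanceId",
                "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"],
   "Effect": "Allow"},
  {"Action": ["amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover",
              "amqp:BasicPublish", "amqp:BasicAck", "amqp:BasicNack"],
   "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
   "Effect": "Allow"}]}
'''

# Example 7 from this page: only Enterprise Platinum instances without EIPs.
VIP_NO_EIP_TEMPLATE = '''
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "amqp:CreateInstance",
   "Resource": "acs:amqp:*:$accountid:/instances/*",
   "Condition": {"StringEquals": {"amqp:InstanceType": ["vip"],
                                  "amqp:SupportEIP": ["false"]}}}]}
'''

# Constructed guard-rail policy (not on the page): a broad Allow plus an
# explicit Deny on destructive queue operations, to show that Deny wins.
GUARDED_TEMPLATE = '''
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "amqp:*",
   "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/*"},
  {"Effect": "Deny", "Action": ["amqp:DeleteQueue", "amqp:QueuePurge"],
   "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/*"}]}
'''


def fill(text, values=SAMPLE_VALUES):
    """Substitute the $placeholders in a template string."""
    for key, value in values.items():
        text = text.replace(key, value)
    return text


def render(template, values=SAMPLE_VALUES):
    """Fill in placeholders and parse the policy; a stray trailing comma fails here."""
    return json.loads(fill(template, values))


def resource(path, values=SAMPLE_VALUES):
    """Concrete resource string for a path written in the page's template form."""
    return fill("acs:amqp:$region:$accountid:" + path, values)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # fnmatchcase(name, pattern): '*' matches any run of characters.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource_str, context=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(_matches(p, action) for p in _as_list(st["Action"])):
            continue
        if not any(_matches(p, resource_str) for p in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # an explicit Deny ends evaluation
        decision = "Allow"
    return decision


if __name__ == "__main__":
    publish_only = render(PUBLISH_ONLY_TEMPLATE)
    consume = resource("/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*")
    print(evaluate(publish_only, "amqp:BasicConsume", consume))  # ImplicitDeny
```

Because render() goes through json.loads, a policy file with a syntax slip such as a trailing comma is rejected before it reaches RAM, so the same function doubles as a pre-commit check for policy templates kept in version control.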