Activate ApsaraMQ for RocketMQ on the Alibaba Cloud official website before you send or consume messages. If your organization uses Resource Access Management (RAM) users, grant them the required permissions to access the console, call API operations, or use SDKs.
Prerequisites
Before you begin, make sure that you have:
An Alibaba Cloud account with real-name verification completed. For more information, see Sign up with Alibaba Cloud.
Step 1: Activate ApsaraMQ for RocketMQ
Log on to the ApsaraMQ for RocketMQ console.
In the dialog box, click Activate Message Queue >>.
On the service activation page, select Message Queue (MQ) Terms of Service, and then click Activate Now.
Step 2: Grant permissions to a RAM user
Skip this step if you use only your Alibaba Cloud account (not RAM users) to access ApsaraMQ for RocketMQ.
Log on to the RAM console as an administrator and attach policies to the target RAM user.
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the target RAM user and click Add Permissions in the Actions column.

To grant permissions to multiple RAM users at once, select the users and click Add Permissions at the bottom of the page.
In the Grant Permission panel, configure the following parameters:
Resource Scope: Select the scope of the authorization.
Account: The authorization applies to all resources under the current Alibaba Cloud account.
ResourceGroup: The authorization applies only to resources in a specific resource group.
Important: If you select ResourceGroup, make sure the cloud service supports resource groups. For more information, see Services that work with Resource Group. For an example, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Principal: The system selects the current RAM user by default. Verify that the correct user is selected.
Policy: Select one or more policies to attach. ApsaraMQ for RocketMQ supports both system policies and custom policies.
System policies are predefined by Alibaba Cloud and cannot be modified. Version updates of system policies are maintained by Alibaba Cloud. For a list of supported services, see Services that work with RAM.
Note: The system flags high-risk policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching these policies unless strictly necessary.
Custom policies are user-defined. Create, update, or delete them based on your requirements. For more information, see Create a custom policy.
Click Grant permissions.
Click Close.
System policies for ApsaraMQ for RocketMQ
Choose a policy based on the level of access the RAM user needs.
Administration
| Policy name | Description |
|---|---|
| AliyunMQFullAccess | Full management access, equivalent to Alibaba Cloud account-level permissions. Covers all console actions, message sending, and message subscription. |
| AliyunMQReadOnlyAccess | Read-only access. Allows viewing resource information in the console or through API operations. Does not allow resource modifications. |
Application development
| Policy name | Description |
|---|---|
| AliyunMQPubOnlyAccess | Send-only access. Allows sending messages through SDKs using all resources under the Alibaba Cloud account. |
| AliyunMQSubOnlyAccess | Subscribe-only access. Allows subscribing to messages through SDKs using all resources under the Alibaba Cloud account. |
System policies grant broad permissions. For example, AliyunMQFullAccess covers all ApsaraMQ for RocketMQ resources. For fine-grained access control on specific resource types -- such as restricting a RAM user to managing only topics in the console -- use custom policies instead. For more information, see Custom policies for ApsaraMQ for RocketMQ.
Recommended policy per role
Assign the most restrictive policy that meets the RAM user's needs:
| Role | Recommended policy | Access scope |
|---|---|---|
| Developers who only send messages | AliyunMQPubOnlyAccess | SDK message sending |
| Developers who only consume messages | AliyunMQSubOnlyAccess | SDK message subscription |
| Operations staff who monitor resources | AliyunMQReadOnlyAccess | Console and API read-only |
| Administrators who manage the full service | AliyunMQFullAccess | All console actions, sending, and subscription |
If none of the system policies match your requirements, create a custom policy that targets specific resources and actions.
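The following added example (not part of the Alibaba Cloud documentation) applies the tables above as a least-privilege audit: given the policies attached to each RAM user and the access the role needs, it reports high-risk policies and excess access, and names the narrowest combination of system policies that still covers the need. The capability labels, user names, and inventory are constructed for illustration.

```python
from itertools import combinations

# Capability labels are this example's own shorthand for the access each
# system policy is described as granting in the tables above.
GRANTS = {
    "AliyunMQFullAccess": {"console_manage", "console_read", "send", "subscribe"},
    "AliyunMQReadOnlyAccess": {"console_read"},
    "AliyunMQPubOnlyAccess": {"send"},
    "AliyunMQSubOnlyAccess": {"subscribe"},
}
# Policies the page says the RAM console flags as high-risk.
HIGH_RISK = {"AdministratorAccess", "AliyunRAMFullAccess"}


def least_privilege(needed):
    """Return the system-policy set covering `needed` with the least excess."""
    best = None
    for size in range(len(GRANTS) + 1):
        for combo in combinations(sorted(GRANTS), size):
            granted = set().union(*(GRANTS[p] for p in combo))
            if needed <= granted:
                # Prefer less excess access, then fewer attached policies.
                score = (len(granted - needed), size)
                if best is None or score < best[0]:
                    best = (score, set(combo))
    return best[1] if best else None  # None: no system policy covers the need


def audit(user, attached, needed):
    """Compare a user's attached policies with what the role needs."""
    findings = [f"{user}: high-risk policy {p} attached"
                for p in sorted(attached & HIGH_RISK)]
    granted = set().union(*(GRANTS.get(p, set()) for p in attached))
    excess = granted - needed
    if excess:
        target = least_privilege(needed) or set()
        findings.append(f"{user}: excess {sorted(excess)}; use {sorted(target)}")
    return findings


# Constructed sample inventory: (RAM user, attached policies, needed access).
INVENTORY = [
    ("order-producer", {"AliyunMQFullAccess"}, {"send"}),
    ("billing-consumer", {"AliyunMQSubOnlyAccess"}, {"subscribe"}),
    ("ops-monitor", {"AliyunMQReadOnlyAccess", "AdministratorAccess"}, {"console_read"}),
]

if __name__ == "__main__":
    for user, attached, needed in INVENTORY:
        print("\n".join(audit(user, attached, needed)) or f"{user}: ok")
```

A `None` result from `least_privilege` means the need falls outside what the four system policies describe, which is the case the page directs to custom policies.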
What to do next
Go to the ApsaraMQ for RocketMQ console to create resources. For more information, see Create resources.