ApsaraMQ for RocketMQ allows an Alibaba Cloud account to authorize Resource Access Management (RAM) users to use topic resources. This prevents the risks caused by the potential disclosure of the AccessKey pair of the Alibaba Cloud account. Only authorized RAM users are allowed to manage resources in the ApsaraMQ for RocketMQ console and publish and subscribe to messages by using SDKs and API operations.
Scenarios
Enterprise A has purchased ApsaraMQ for RocketMQ, and its employees need to perform operations on ApsaraMQ forRocketMQ resources, such as instances, topics, and groups. Different employees are responsible for different jobs, including creating resources, publishing messages, and subscribing to messages. Employees with different roles require different permissions.
The following section introduces specific scenarios:
- For security reasons, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, Enterprise A wants to create different RAM users for the employees and grant different permissions to the RAM users.
- A RAM user can only use resources for which the user is authorized. Resource usage and costs are not separately calculated for the RAM user. All expenses are billed to the Alibaba Cloud account of Enterprise A.
- Enterprise A can revoke the permissions granted to a RAM user and delete a RAM user at any time.
In this scenario, the Alibaba Cloud account of Enterprise A can grant its employees fine-grained permissions on resources.
Procedure
- Create a RAM user by using the Alibaba Cloud account of Enterprise A.For more information, see Create a RAM user.
- Optional:Create custom policies for the new RAM user by using the Alibaba Cloud account of Enterprise A.
For more information, see Create custom policies.
ApsaraMQ for RocketMQ supports permission settings for instances, topics, and groups. For more information, see Custom policies for ApsaraMQ for RocketMQ.
- Grant permissions to the RAM user by using the Alibaba Cloud account of Enterprise A.For more information, see Grant permissions to a RAM user.
What to do next
After you create a RAM user by using an Alibaba Cloud account, you can send the RAM user name and password or AccessKey pair information of the RAM user to other employees. Other employees can perform the following steps to log on to the console or call an API operation as a RAM user:
- Log on to the console.
- Open the RAM User Logon page in the browser.
- On the RAM User Logon page, enter the logon name of the RAM user, click Next, enter the password, and then click Login.Note The logon name of the RAM user is in the format of
<$username>@<$AccountAlias>
or<$username>@<$AccountAlias>.onaliyun.com
.<$AccountAlias>
is the account alias. If no account alias is set, the ID of the Alibaba Cloud account is used. - At the top of the Alibaba Cloud Management Console homepage, enter ApsaraMQ forRocketMQ in the search box. Click the search result to open the ApsaraMQ for RocketMQ console.
- Call an API operation as a RAM user.
In the code that you use to call the API operation, include the AccessKey ID and AccessKey secret of the RAM user. For more information, see Create an AccessKey pair.