Resource Access Management (RAM) lets you create separate user accounts for team members and grant each account only the permissions it needs. Instead of sharing your Alibaba Cloud account's AccessKey pair, which risks credential exposure, assign RAM users fine-grained access to ApsaraMQ for RocketMQ resources such as instances, topics, and groups. Only authorized RAM users can manage resources in the ApsaraMQ for RocketMQ console and publish and subscribe to messages by using SDKs and API operations.
Benefits:
Role-based access control. Grant developers permission to publish and subscribe to messages, while restricting operators to resource creation and management.
Centralized billing. RAM user activity is billed to the parent Alibaba Cloud account, with no separate cost tracking.
Instant revocation. Remove permissions or delete a RAM user at any time.
Prerequisites
Before you begin, make sure that you have:
An Alibaba Cloud account with ApsaraMQ for RocketMQ activated
Permissions to manage RAM users on the Alibaba Cloud account
For background on RAM, see What is RAM?.
Procedure
Step 1: Create a RAM user
Create a RAM user for each team member who needs access to ApsaraMQ for RocketMQ.
For detailed instructions, see Create a RAM user.
Step 2 (Optional): Create custom policies
Create custom policies to define fine-grained permissions for instances, topics, and groups.
See Create custom policies for general instructions, and Custom policies for ApsaraMQ for RocketMQ for policy examples specific to this product.
Step 3: Attach policies to the RAM user
Attach custom policies to the RAM user.
For step-by-step instructions, see Grant permissions to a RAM user.
Use RAM user credentials
After you create a RAM user and assign permissions, share the credentials with the team member. The RAM user can access ApsaraMQ for RocketMQ through the console or API.
Log on to the console
Open the RAM User Logon page.
Enter the logon name of the RAM user, click Next, enter the password, and then click Login.
Note: The logon name uses the format <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no account alias is set, the Alibaba Cloud account ID is used instead.
In the Alibaba Cloud console, search for ApsaraMQ for RocketMQ in the top search bar to open the product console.
Call API operations
Include the RAM user's AccessKey ID and AccessKey secret in your API requests. To create an AccessKey pair for the RAM user, see Create an AccessKey pair.
Best practices
Apply least-privilege access. Grant only the minimum permissions required for each task. Avoid granting full administrative access unless necessary.
Use separate RAM users per person. Do not share RAM user credentials between team members. This provides accurate audit trails and makes it easy to revoke access for a specific person.
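The custom policies from Step 2 and the least-privilege practice above can be checked before a policy is attached. The following is an added example, not code from the ApsaraMQ for RocketMQ documentation: it builds a publish-only policy in the RAM custom policy JSON format and flags Allow statements that use wildcard actions or resources. The action names mq:PUB/mq:SUB, the resource pattern acs:mq:*:*:<instanceId>%<topic>, and the instance and topic ids are assumptions for illustration.

```python
"""Least-privilege checks for an Alibaba Cloud RAM custom policy.

Added example (not from the ApsaraMQ for RocketMQ documentation). The
policy layout (Version "1", Statement/Effect/Action/Resource) is the RAM
custom policy JSON format; the action name "mq:PUB" and the resource
pattern "acs:mq:*:*:<instanceId>%<topic>" are assumed from the product's
custom-policy reference, and the instance/topic ids are constructed.
"""
import json

# Constructed sample: a publish-only policy scoped to one topic on one instance.
PUBLISH_ONLY_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["mq:PUB"],
        "Resource": ["acs:mq:*:*:MQ_INST_EXAMPLE_ID%order-events"],
    }],
})

# Constructed sample of the kind of grant least privilege is meant to avoid.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "mq:*", "Resource": "*"}],
})


def _as_list(value):
    # RAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy_json):
    """Return findings for Allow statements that rely on wildcards.

    Flags an Action of '*' or '<service>:*' and a Resource of '*', which
    grant far more than the publish/subscribe rights one team member
    usually needs on a specific instance, topic, or group.
    """
    findings = []
    for index, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not a concern here.
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {index}: wildcard resource '*'")
    return findings
```

Run the checker over each custom policy before attaching it in Step 3; an empty result means every Allow statement names a specific action and resource.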