By default, RAM users do not have permissions to manage ApsaraMQ for RocketMQ resources. If you use a RAM user, you must obtain permissions before you can manage ApsaraMQ for RocketMQ resources by using the console or calling API operations.
Background information
This operation applies only to RAM users. If your account is an Alibaba Cloud account, you have all permissions on ApsaraMQ for RocketMQ, and no authorization is required.
The following describes how to view account roles:
Log on to the Alibaba Cloud Management Console. The basic information about the account is displayed in the upper-right corner of the page. If Main Account is displayed under Account ID, the account is an Alibaba Cloud account and no authorization is required. If RAM User is displayed, the account is a RAM user and authorization is required.
(Required for RAM users) Grant permissions to a RAM user
1. Log on to the RAM console as a RAM administrator.
2. In the left-side navigation pane, choose .
3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
   You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at the same time.
4. In the Grant Permission panel, grant permissions to the RAM user.
   a. Configure the Resource Scope parameter.
      - Account: The authorization takes effect on the current Alibaba Cloud account.
      - Resource Group: The authorization takes effect on a specific resource group.
      If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
   b. Configure the Principal parameter.
      The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
   c. Configure the Policy parameter.
      A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
      - System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
      - Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
   d. Click Grant permissions.
5. Click Close.
ApsaraMQ for RocketMQ provides the following system policies. You can grant related permissions to a RAM user based on the permission scope.
Policy name | Description |
--- | --- |
AliyunMQFullAccess | The permissions to manage ApsaraMQ for RocketMQ. These permissions are equivalent to the permissions that the Alibaba Cloud account has. A RAM user to which this policy is attached can send and receive all messages and manage all the features of the console and OpenAPI Explorer. |
AliyunMQReadOnlyAccess | The read-only permissions on ApsaraMQ for RocketMQ. A RAM user to which this policy is attached can only read information about the resources of the Alibaba Cloud account by using the console or calling API operations. |
In addition to using system policies, you can also create custom permission policies to grant RAM users permissions on specified resources. For more information, see Custom policies for ApsaraMQ for RocketMQ.
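The following added example (not part of the original documentation) shows one way to review policy attachments against the guidance above: it flags the high-risk policies named on this page, AliyunMQFullAccess granted where only read access is needed, and custom policies that need manual review. The record layout, the `need` field, the user names and the custom policy name are assumptions constructed for illustration.

```python
# Added example: least-privilege review of RAM policy attachments.
# The record layout and the "need" field are assumptions for this sketch.

HIGH_RISK = {"AdministratorAccess", "AliyunRAMFullAccess"}  # named as high-risk on this page
MQ_FULL = "AliyunMQFullAccess"
MQ_READ = "AliyunMQReadOnlyAccess"

# Constructed sample data: one record per RAM user, policies as (type, name).
SAMPLE = [
    {"user": "dashboard-viewer", "need": "read",
     "policies": [("System", MQ_FULL)]},
    {"user": "mq-operator", "need": "manage",
     "policies": [("System", MQ_FULL), ("System", MQ_READ)]},
    {"user": "ci-deployer", "need": "manage",
     "policies": [("System", "AdministratorAccess")]},
    {"user": "report-job", "need": "read",
     "policies": [("System", MQ_READ), ("Custom", "mq-topic-a-only")]},
    {"user": "metrics-reader", "need": "read",
     "policies": [("System", MQ_READ)]},
]


def audit_user(record):
    """Return a list of findings for one user's attached policies."""
    system = {name for ptype, name in record["policies"] if ptype == "System"}
    custom = sorted(name for ptype, name in record["policies"] if ptype == "Custom")
    findings = [f"high-risk policy attached: {name}"
                for name in sorted(system & HIGH_RISK)]
    if MQ_FULL in system and record["need"] == "read":
        findings.append(f"{MQ_FULL} exceeds read-only need; use {MQ_READ}")
    if MQ_FULL in system and MQ_READ in system:
        findings.append(f"{MQ_READ} is redundant next to {MQ_FULL}")
    # Custom policy contents are not visible here, so they are only listed.
    findings.extend(f"custom policy needs manual review: {name}" for name in custom)
    return findings


def audit(records):
    """Map each user with at least one finding to its list of findings."""
    report = {}
    for record in records:
        findings = audit_user(record)
        if findings:
            report[record["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{user}: {finding}")
```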