Permission policies and examples -

MNS uses Alibaba Cloud Resource Access Management (RAM) to manage permissions. When you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. Instead, you can grant them only the minimal required permissions. An AccessKey pair includes an AccessKey ID and an AccessKey secret. This topic describes the RAM policies and provides examples for MNS.

Background information

In RAM, a policy is a set of permissions that are described with the policy syntax and structure. A policy can accurately describe the authorized resource set, action set, and authorization conditions. For more information, see Policy structure and syntax.

MNS supports the following types of RAM policies:

System policies
System policies are created by Alibaba Cloud. You can use these policies. However, you cannot modify these policies. The policy updates are maintained by Alibaba Cloud.
Custom policies
You can create, update, and delete custom policies and maintain version updates of the policies. You can edit custom policies and attach them to RAM users in the RAM console.

System policies

The following table describes the default permission policies that are provided for MNS.

Policy	Description
AliyunMNSFullAccess	The permissions to manage MNS, which are equivalent to the permissions that the Alibaba Cloud account has. A RAM user to which this policy is attached can send and subscribe to all messages and use all the features of the console.
AliyunMNSReadOnlyAccess	The read-only permissions on MNS. A RAM user to which this policy is attached can only read resource information in the console or by calling API operations.

Custom policies

You can define custom policies to grant fine-grained permissions. The following table describes the actions and resources that can be used to define custom policies for MNS.

API operation	Action	Resource
OpenService	mns:OpenService	acs:mns:$region:$accountid:/commonbuy/openservice
ListQueue	mns:ListQueue	acs:mns:$region:$accountid:/queues
CreateQueue	mns:CreateQueue	acs:mns:$region:$accountid:/queues/$queueName
DeleteQueue	mns:DeleteQueue	acs:mns:$region:$accountid:/queues/$queueName
SetQueueAttributes	mns:SetQueueAttributes	acs:mns:$region:$accountid:/queues/$queueName
GetQueueAttributes	mns:GetQueueAttributes	acs:mns:$region:$accountid:/queues/$queueName
SendMessage or BatchSendMessage	mns:SendMessage	acs:mns:$region:$accountid:/queues/$queueName/messages
ReceiveMessage or BatchReceiveMessage	mns:ReceiveMessage	acs:mns:$region:$accountid:/queues/$queueName/messages
DeleteMessage	mns:DeleteMessage	acs:mns:$region:$accountid:/queues/$queueName/messages
PeekMessage or BatchPeekMessage	mns:PeekMessage	acs:mns:$region:$accountid:/queues/$queueName/messages
ChangeMessageVisibility	mns:ChangeMessageVisibility	acs:mns:$region:$accountid:/queues/$queueName/messages
ListTopic	mns:ListTopic	acs:mns:$region:$accountid:/topics
CreateTopic	mns:CreateTopic	acs:mns:$region:$accountid:/topics/$topicName
DeleteTopic	mns:DeleteTopic	acs:mns:$region:$accountid:/topics/$topicName
SetTopicAttributes	mns:SetTopicAttributes	acs:mns:$region:$accountid:/topics/$topicName
GetTopicAttributes	mns:GetTopicAttributes	acs:mns:$region:$accountid:/topics/$topicName
ListSubscriptionByTopic	mns:ListSubscriptionByTopic	acs:mns:$region:$accountid:/topics/$topicName/subscriptions
Subscribe	mns:Subscribe	acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName
Unsubscribe	mns:Unsubscribe	acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName
SetSubscriptionAttributes	mns:SetSubscriptionAttributes	acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName
GetSubscriptionAttributes	mns:GetSubscriptionAttributes	acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName
PublishMessage	mns:PublishMessage	acs:mns:$region:$accountid:/topics/$topicName/messages

Examples of custom policies

Example 1: Allow access from specified CIDR blocks

The following example shows how to allow access from the 42.120.88.0/24 and 42.120.66.0/24 CIDR blocks to MNS.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "mns:*",
            "Effect": "Allow",
            "Resource": "acs:mns:*:*:*",
            "Condition":{
                "IpAddress": {
                    "acs:SourceIp": ["42.120.88.0/24", "42.120.66.0/24"]
                }
            }
        }
    ]
}

Example 2: Deny access from specified CIDR blocks
The following example shows how to deny access from any IP address in the 42.120.88.0/24 CIDR block to MNS:
```
{
    "Version":"1",
    "Statement":[
        {
            "Action":"mns:*",
            "Effect":"Deny",
            "Resource":"acs:mns:*:*:*",
            "Condition":{
                "NotIpAddress":{
                    "acs:SourceIp":[
                        "42.120.88.0/24"
                    ]
                }
            }
        }
    ]
}          
```
Important
The Deny rule has a higher priority than the Allow rule in RAM policies. If you perform an access operation that is specified in the Deny rule, the operation fails. In this example, if you use an IP address that is not included in the 42.120.88.0/24 CIDR block to access MNS, an error message is returned. This is because you are not authorized to access MNS.

Example 3: Authorize a RAM user to view MNS topics and queues

The following example shows how to authorize a RAM user to view MNS queues or topics, and parameters of each queue or topic:

{
    "Version":"1",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "mns:ListQueue",
                "mns:ListTopic",
                "mns:GetQueueAttributes",
                "mns:GetTopicAttributes"
            ],
            "Resource":"acs:mns:*:*:*"
        }
    ]
}