MNS uses Alibaba Cloud Resource Access Management (RAM) to manage permissions. With RAM, you do not have to share the AccessKey pair of your Alibaba Cloud account (an AccessKey ID and an AccessKey secret) with other users. Instead, you create RAM users and grant each of them only the permissions they need. This topic describes the RAM policies that apply to MNS and provides policy examples.
Background information
In RAM, a policy is a set of permissions that are described with the policy syntax and structure. A policy can accurately describe the authorized resource set, action set, and authorization conditions. For more information, see Policy structure and syntax.
MNS supports the following types of RAM policies:
System policies: created and maintained by Alibaba Cloud. You can attach these policies to RAM users, but you cannot modify them; Alibaba Cloud publishes any updates.
Custom policies: created, updated, deleted and versioned by you. You can edit custom policies and attach them to RAM users in the RAM console.
System policies
The following table describes the system policies that are provided for MNS.
| Policy | Description |
|---|---|
| AliyunMNSFullAccess | Full permissions on MNS, equivalent to the permissions of the Alibaba Cloud account. A RAM user to which this policy is attached can send, receive and subscribe to all messages and use all features of the console. |
| AliyunMNSReadOnlyAccess | Read-only permissions on MNS. A RAM user to which this policy is attached can only read resource information in the console or by calling API operations. |
Custom policies
You can define custom policies to grant fine-grained permissions. The following table describes the actions and resources that can be used to define custom policies for MNS. In the Resource column, $region, $accountid, $queueName, $topicName and $subscriptionName are placeholders for the actual values; a wildcard (*) in any of these positions matches all values, as in acs:mns:*:*:*. Note that the batch variants of an API operation are controlled by the same action as the single-message variant.
| API operation | Action | Resource |
|---|---|---|
| OpenService | mns:OpenService | acs:mns:$region:$accountid:/commonbuy/openservice |
| ListQueue | mns:ListQueue | acs:mns:$region:$accountid:/queues |
| CreateQueue | mns:CreateQueue | acs:mns:$region:$accountid:/queues/$queueName |
| DeleteQueue | mns:DeleteQueue | acs:mns:$region:$accountid:/queues/$queueName |
| SetQueueAttributes | mns:SetQueueAttributes | acs:mns:$region:$accountid:/queues/$queueName |
| GetQueueAttributes | mns:GetQueueAttributes | acs:mns:$region:$accountid:/queues/$queueName |
| SendMessage or BatchSendMessage | mns:SendMessage | acs:mns:$region:$accountid:/queues/$queueName/messages |
| ReceiveMessage or BatchReceiveMessage | mns:ReceiveMessage | acs:mns:$region:$accountid:/queues/$queueName/messages |
| DeleteMessage | mns:DeleteMessage | acs:mns:$region:$accountid:/queues/$queueName/messages |
| PeekMessage or BatchPeekMessage | mns:PeekMessage | acs:mns:$region:$accountid:/queues/$queueName/messages |
| ChangeMessageVisibility | mns:ChangeMessageVisibility | acs:mns:$region:$accountid:/queues/$queueName/messages |
| ListTopic | mns:ListTopic | acs:mns:$region:$accountid:/topics |
| CreateTopic | mns:CreateTopic | acs:mns:$region:$accountid:/topics/$topicName |
| DeleteTopic | mns:DeleteTopic | acs:mns:$region:$accountid:/topics/$topicName |
| SetTopicAttributes | mns:SetTopicAttributes | acs:mns:$region:$accountid:/topics/$topicName |
| GetTopicAttributes | mns:GetTopicAttributes | acs:mns:$region:$accountid:/topics/$topicName |
| ListSubscriptionByTopic | mns:ListSubscriptionByTopic | acs:mns:$region:$accountid:/topics/$topicName/subscriptions |
| Subscribe | mns:Subscribe | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName |
| Unsubscribe | mns:Unsubscribe | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName |
| SetSubscriptionAttributes | mns:SetSubscriptionAttributes | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName |
| GetSubscriptionAttributes | mns:GetSubscriptionAttributes | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName |
| PublishMessage | mns:PublishMessage | acs:mns:$region:$accountid:/topics/$topicName/messages |
Examples of custom policies
Example 1: Allow access from specified CIDR blocks
The following example allows all MNS operations on all resources, but only for requests whose source IP address (acs:SourceIp) is in the 42.120.88.0/24 or 42.120.66.0/24 CIDR block. Requests from any other address do not match the statement and are implicitly denied:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "mns:*",
      "Effect": "Allow",
      "Resource": "acs:mns:*:*:*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["42.120.88.0/24", "42.120.66.0/24"]
        }
      }
    }
  ]
}
Example 2: Deny access from outside specified CIDR blocks
The following example denies all MNS requests whose source IP address is not in the 42.120.88.0/24 CIDR block. Because the condition operator is NotIpAddress, the Deny applies to every address outside the block, not to addresses inside it:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "mns:*",
      "Effect": "Deny",
      "Resource": "acs:mns:*:*:*",
      "Condition": {
        "NotIpAddress": {
          "acs:SourceIp": ["42.120.88.0/24"]
        }
      }
    }
  ]
}
Important: In RAM policies, an explicit Deny takes precedence over any Allow. If a request matches a Deny statement, the operation fails even if another policy attached to the same RAM user allows it. In this example, a request that originates from an IP address outside the 42.120.88.0/24 CIDR block matches the Deny statement, so an error message is returned stating that you are not authorized to access MNS. A Deny statement grants nothing on its own: the RAM user still needs an Allow policy, such as AliyunMNSFullAccess or a custom policy, and this Deny then restricts that access to requests from the listed CIDR block.
Example 3: Authorize a RAM user to view MNS topics and queues
The following example authorizes a RAM user to list MNS queues and topics and to view the attributes of each queue or topic. The policy does not include mns:PeekMessage or mns:ReceiveMessage, so the user can see queue and topic metadata but cannot read message contents:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:ListQueue",
        "mns:ListTopic",
        "mns:GetQueueAttributes",
        "mns:GetTopicAttributes"
      ],
      "Resource": "acs:mns:*:*:*"
    }
  ]
}
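The following is an added example and not Alibaba Cloud code or part of the original page. It is a small offline evaluator that applies the evaluation order the note under Example 2 relies on (a matching explicit Deny wins, otherwise a matching Allow permits, otherwise the request is implicitly denied) to the two IP-condition policies from Examples 1 and 2, and to a least-privilege producer/consumer pair built from the action table above. The region, account ID and queue name are made up, the evaluator is a simplified model that supports only the IpAddress and NotIpAddress condition operators, and it is meant for reasoning about policies before you attach them, not as a substitute for testing against RAM itself. The policy dicts are written in JSON-compatible syntax so they can be pasted into the RAM console as-is.

```python
"""Offline check of how RAM evaluates MNS policies (added example, not Alibaba Cloud code).

Simplified model of RAM's documented evaluation order: an explicit Deny that
matches the request wins; otherwise any matching Allow permits; otherwise the
request is implicitly denied. Only IpAddress / NotIpAddress conditions are modelled.
"""
import fnmatch
import ipaddress

# Hypothetical region, account ID and queue name.
REGION, ACCOUNT, QUEUE = "cn-hangzhou", "123456789012345678", "orders"
MSG_RES = f"acs:mns:{REGION}:{ACCOUNT}:/queues/{QUEUE}/messages"

# Example 1 from the page: allow everything, but only from two CIDR blocks.
ALLOW_FROM_CIDRS = {"Version": "1", "Statement": [{
    "Action": "mns:*", "Effect": "Allow", "Resource": "acs:mns:*:*:*",
    "Condition": {"IpAddress": {"acs:SourceIp": ["42.120.88.0/24", "42.120.66.0/24"]}}}]}

# Example 2 from the page: deny everything that does NOT come from 42.120.88.0/24.
DENY_OUTSIDE_CIDR = {"Version": "1", "Statement": [{
    "Action": "mns:*", "Effect": "Deny", "Resource": "acs:mns:*:*:*",
    "Condition": {"NotIpAddress": {"acs:SourceIp": ["42.120.88.0/24"]}}}]}

# Least-privilege split built from the action table: a producer may only send to
# one queue; a consumer may only receive, delete and extend visibility on it.
PRODUCER = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "mns:SendMessage", "Resource": MSG_RES}]}
CONSUMER = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["mns:ReceiveMessage", "mns:DeleteMessage", "mns:ChangeMessageVisibility"],
    "Resource": MSG_RES}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """RAM-style wildcard match: '*' stands for any run of characters."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(pattern))


def _condition_holds(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress conditions on acs:SourceIp."""
    ip = ipaddress.ip_address(source_ip)
    for operator, kv in condition.items():
        cidrs = _as_list(kv.get("acs:SourceIp", []))
        in_any = any(ip in ipaddress.ip_network(c) for c in cidrs)
        if operator == "IpAddress":
            if not in_any:
                return False
        elif operator == "NotIpAddress":
            if in_any:
                return False
        else:  # refuse to guess about operators this model does not cover
            raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def evaluate(policies, action, resource, source_ip):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
                continue
            if not _condition_holds(st.get("Condition", {}), source_ip):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    # Deny alone grants nothing, even from the "trusted" block.
    print(evaluate([DENY_OUTSIDE_CIDR], "mns:SendMessage", MSG_RES, "42.120.88.10"))
    # Allow and Deny both match from 42.120.66.0/24: Deny wins.
    print(evaluate([ALLOW_FROM_CIDRS, DENY_OUTSIDE_CIDR], "mns:SendMessage", MSG_RES, "42.120.66.10"))
    # The producer policy does not let the user read messages back.
    print(evaluate([PRODUCER], "mns:ReceiveMessage", MSG_RES, "10.0.0.5"))
```

Running the script shows the three results a practitioner most often gets wrong: the Example 2 policy on its own yields ImplicitDeny for every request, a source address that is allowed by Example 1 but outside Example 2's block yields Deny because the explicit Deny overrides the matching Allow, and the producer policy yields ImplicitDeny for ReceiveMessage because the action is not listed. Swapping the queue name in the resource string also drops to ImplicitDeny, which is the point of scoping the resource to one queue rather than to acs:mns:*:*:*.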