Alibaba Cloud offers Resource Access Management (RAM), which allows you to manage permissions for Message Queue for Apache RocketMQ. With RAM, you can avoid sharing the key of your Alibaba Cloud account (an AccessKey pair that contains an AccessKey ID and an AccessKey secret) with other users. Instead, you can grant them only the necessary permissions. This topic describes the permission policies of Message Queue for Apache RocketMQ in RAM.

In RAM, a permission policy is a set of permissions written in the RAM policy language. A policy states precisely which resources are covered, which actions are allowed on them, and under which conditions. Message Queue for Apache RocketMQ provides the following types of RAM policies:

System policies

Currently, Message Queue for Apache RocketMQ provides four system policies by default. Each of them applies to every Message Queue for Apache RocketMQ resource in the Alibaba Cloud account; to limit a RAM user to a single instance, topic, or group, use a custom policy instead.

AliyunMQFullAccess: The management permission for Message Queue for Apache RocketMQ. It is equivalent to the permissions of the Alibaba Cloud account itself. A RAM user granted this policy can publish and subscribe to all messages and use every feature of the console.

AliyunMQPubOnlyAccess: The publishing permission for Message Queue for Apache RocketMQ. A RAM user granted this policy can publish messages to every topic in the Alibaba Cloud account through SDKs.

AliyunMQSubOnlyAccess: The subscription permission for Message Queue for Apache RocketMQ. A RAM user granted this policy can subscribe to messages on every topic in the Alibaba Cloud account through SDKs.

AliyunMQReadOnlyAccess: The read-only permission for Message Queue for Apache RocketMQ. A RAM user granted this policy can only read resource information in the console or by calling the corresponding API operations.

Custom policies

With custom policies, you can grant fine-grained permissions to users.

In Message Queue for Apache RocketMQ, instances, topics, and groups are the resource types, and the operations you can allow on them are the actions. The resource naming format of a topic or group depends on whether its instance has a namespace: with a namespace, the instance ID is prefixed to the topic or group name with a percent sign (%); without a namespace, the bare topic or group name is used. You can check whether an instance has a namespace on the Instances page of the Message Queue for Apache RocketMQ console.

The following table lists mappings between resources and actions in Message Queue for Apache RocketMQ.

Instance
  Naming format (with or without namespace): acs:mq:*:*:{instanceId}
  Actions:
    mq:OnsInstanceBaseInfo: Queries the basic information of a specified instance. Before you grant a RAM user any permission on topics or groups, you must grant this action on the instance to which the topics and groups belong.
    mq:OnsInstanceUpdate: Updates an instance.
    mq:OnsInstanceCreate: Creates an instance.
    mq:OnsInstanceDelete: Deletes an instance (use with caution).

Topic
  Naming format with namespace: acs:mq:*:*:{instanceId}%{topic}
  Naming format without namespace: acs:mq:*:*:{topic}
  Prerequisite: mq:OnsInstanceBaseInfo on the instance to which the topic belongs.
  Actions:
    mq:PUB: Publishes messages to the topic.
    mq:SUB: Subscribes to messages from the topic.
    mq:OnsTopicCreate: Creates a topic.
    mq:OnsTopicDelete: Deletes a topic.
    mq:OnsTopicUpdateInfo: Updates the description of a topic.

Group
  Naming format with namespace: acs:mq:*:*:{instanceId}%{groupId}
  Naming format without namespace: acs:mq:*:*:{groupId}
  Prerequisite: mq:OnsInstanceBaseInfo on the instance to which the group belongs.
  Actions:
    mq:SUB: Subscribes to messages with the group.
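The following Python script is an added example and is not code from the original page or from Alibaba Cloud. It turns the naming formats and actions above into a least-privilege custom policy for a RAM user that publishes to one topic and consumes with one group, and it lints a policy for the two mistakes that most often over- or under-grant: wildcard actions or resources, and topic/group grants without the mq:OnsInstanceBaseInfo prerequisite on the owning instance. The policy document shape ("Version": "1" with a Statement list) is the RAM policy language; the instance ID MQ_INST_123, the topic orders, and the group GID_billing are constructed placeholders. The example assumes, as the table implies, that a consumer needs mq:SUB on both the topic it reads and the group it consumes with.

```python
import json

# Action sets taken from the resource/action table above.
INSTANCE_ACTIONS = {"mq:OnsInstanceBaseInfo", "mq:OnsInstanceUpdate",
                    "mq:OnsInstanceCreate", "mq:OnsInstanceDelete"}
TOPIC_ACTIONS = {"mq:PUB", "mq:SUB", "mq:OnsTopicCreate",
                 "mq:OnsTopicDelete", "mq:OnsTopicUpdateInfo"}
GROUP_ACTIONS = {"mq:SUB"}


def mq_resource(instance_id, name=None, has_namespace=True):
    """Resource string for an instance (name=None) or for a topic/group on it.

    instance:                     acs:mq:*:*:{instanceId}
    topic/group, with namespace:  acs:mq:*:*:{instanceId}%{name}
    topic/group, no namespace:    acs:mq:*:*:{name}
    """
    if name is None:
        return f"acs:mq:*:*:{instance_id}"
    if has_namespace:
        return f"acs:mq:*:*:{instance_id}%{name}"
    return f"acs:mq:*:*:{name}"


def build_policy(instance_id, pub_topics=(), sub_topics=(), groups=(), has_namespace=True):
    """Least-privilege policy: base-info on the instance (the prerequisite for
    any topic/group grant), plus only the publish/subscribe grants requested,
    each scoped to a named resource rather than a wildcard."""
    statements = [{"Effect": "Allow",
                   "Action": ["mq:OnsInstanceBaseInfo"],
                   "Resource": [mq_resource(instance_id)]}]
    # A consumer needs mq:SUB on both its topics and its group (assumption noted
    # in the lead-in), so both resource kinds share one mq:SUB statement.
    for action, names in (("mq:PUB", list(pub_topics)),
                          ("mq:SUB", list(sub_topics) + list(groups))):
        if names:
            statements.append({"Effect": "Allow", "Action": [action],
                               "Resource": [mq_resource(instance_id, n, has_namespace)
                                            for n in names]})
    return {"Version": "1", "Statement": statements}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_policy(policy):
    """Return findings for over-broad grants and the missing-prerequisite trap."""
    findings = []
    base_info_on = set()   # instance IDs on which mq:OnsInstanceBaseInfo is allowed
    allow = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    for st in allow:
        actions = set(_as_list(st["Action"]))
        if actions & {"mq:OnsInstanceBaseInfo", "mq:*"}:
            base_info_on.update(r.rsplit(":", 1)[-1] for r in _as_list(st["Resource"]))
    for st in allow:
        actions = set(_as_list(st["Action"]))
        findings += [f"wildcard action {a!r}" for a in sorted(actions) if a.endswith("*")]
        for r in _as_list(st["Resource"]):
            tail = r.rsplit(":", 1)[-1]   # {instanceId}, {instanceId}%{name} or {name}
            if "*" in tail:
                findings.append(f"wildcard resource {r!r}")
            elif actions & (TOPIC_ACTIONS | GROUP_ACTIONS) and "%" in tail:
                # Namespaced topic/group: the owning instance is the part before '%'.
                # Without a namespace the instance cannot be inferred, so no check.
                inst = tail.split("%", 1)[0]
                if inst not in base_info_on and "*" not in base_info_on:
                    findings.append(f"{r!r} needs mq:OnsInstanceBaseInfo on {inst!r}")
    return findings


if __name__ == "__main__":
    # MQ_INST_123, "orders" and "GID_billing" are constructed placeholders.
    policy = build_policy("MQ_INST_123", pub_topics=["orders"], groups=["GID_billing"])
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy) or "none")
```

Paste the printed JSON into the custom policy editor in the RAM console, then attach the policy to the RAM user. Running lint_policy over policies you did not write is the useful part: a statement such as Action "mq:PUB" on acs:mq:*:*:MQ_INST_123%orders with no mq:OnsInstanceBaseInfo grant is reported, as is any Resource ending in "*".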
