Alibaba Cloud provides the Resource Access Management (RAM) service for you to manage permissions for Message Queue for MQTT. RAM allows you to avoid sharing the AccessKey pair of your Alibaba Cloud account with other users. You can grant users only the minimum required permissions. The AccessKey pair includes an AccessKey ID and an AccessKey secret. This topic describes the policies of Message Queue for MQTT in RAM.

Policy types

In RAM, a policy is a set of permissions described in a defined syntax. A policy can precisely describe the authorized resource sets, action sets, and authorization conditions. Message Queue for MQTT supports the following types of RAM policies.

  • System policies: policies that are created by Alibaba Cloud. You can use these policies, but cannot modify them. Alibaba Cloud maintains the version updates of the policies.
  • Custom policies: policies that you can create, update, and delete. You maintain the version updates of these policies.

System policies

Message Queue for MQTT provides four system policies by default.

Notice: Message Queue for MQTT does not support independent system policies. When you grant the following system policies to RAM users, they take effect for both Message Queue for MQTT and Message Queue for Apache RocketMQ.

Policy | Description
AliyunMQFullAccess | The permission to manage Message Queue for MQTT. It is equivalent to the permission of the Alibaba Cloud account. A RAM user granted this permission can publish and subscribe to all messages and use all the features of the console.
AliyunMQPubOnlyAccess | The permission to publish messages by using Message Queue for MQTT. A RAM user granted this permission can use all the resources of the Alibaba Cloud account to publish messages by using the Message Queue for MQTT SDK.
AliyunMQSubOnlyAccess | The permission to subscribe to messages by using Message Queue for MQTT. A RAM user granted this permission can use all the resources of the Alibaba Cloud account to subscribe to messages by using the Message Queue for MQTT SDK.
AliyunMQReadOnlyAccess | The read-only permission on Message Queue for MQTT. A RAM user granted this permission can only read resource information in the console or by calling the related API operations.

Custom policies

Custom policies allow you to grant fine-grained permissions to users.

The following section describes the mappings between resources and actions in Message Queue for MQTT.

In Message Queue for MQTT, instances, topics, groups, and rules are different types of resources. The operations that can be authorized on these resources are actions.

The possible values of resources and actions in Message Queue for MQTT, and the rules that govern them, fall into three categories: the console, the API, and the Message Queue for MQTT client. Resource-related operations in the console are divided into four categories by resource type: instance, topic, group, and rule.

Note: To access the resources of a Message Queue for MQTT instance and call the API to perform operations on the instance, you must have access permissions on the instance; the corresponding action is mq:MqttInstanceAccess.

For more information about the example of a custom policy, see Sample permission policies.

Permissions of the Message Queue for MQTT client to publish and subscribe to messages

The permissions to publish and subscribe to messages use the following resource naming formats for topics and group IDs:
  • Topic: acs:mq:*:*:topic/{mqttInstanceId}/{topic}
  • Group ID: acs:mq:*:*:groupId/{mqttInstanceId}/{gid}

Action | Description | Remarks
mq:PUB | Publishes a message. | Before you grant permissions on topics and groups to a RAM user, you must grant the user the mq:MqttInstanceAccess permission on the instance to which the topics and groups belong.
mq:SUB | Subscribes to topics. | Same as above.

Note: The permissions of the Message Queue for MQTT client to publish and subscribe to messages cannot be granted across Alibaba Cloud accounts.
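The least-privilege shape these tables describe, as an added example that is not part of the page: a custom policy granting a RAM user mq:MqttInstanceAccess on one instance plus mq:PUB (no mq:SUB) on one topic and one group ID, together with a simplified evaluator that shows why the instance prerequisite and the topic grant must both be present. The instance ID, group ID, topic, region and account number are constructed placeholders, and the evaluator is a teaching approximation of RAM matching, not the service's own code.

```python
import fnmatch

# Constructed placeholder identifiers (not taken from the page); no asterisks, so they cannot be mistaken for RAM wildcards.
INSTANCE_ID = "post-cn-example0001"
GROUP_ID = "GID_sensors"
TOPIC = "sensor_telemetry"

def build_publisher_policy(instance_id, group_id, topic):
    """Least-privilege policy for a client that may only publish to one topic."""
    return {
        "Version": "1",
        "Statement": [
            {   # Prerequisite from the page: access to the owning instance.
                "Effect": "Allow",
                "Action": ["mq:MqttInstanceAccess"],
                "Resource": [f"acs:mq:*:*:instance/{instance_id}"],
            },
            {   # mq:PUB only (no mq:SUB), scoped to one topic and one group ID.
                "Effect": "Allow",
                "Action": ["mq:PUB"],
                "Resource": [
                    f"acs:mq:*:*:topic/{instance_id}/{topic}",
                    f"acs:mq:*:*:groupId/{instance_id}/{group_id}",
                ],
            },
        ],
    }

def is_allowed(policy, action, resource):
    """Simplified evaluator: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        # '*' is the RAM wildcard; fnmatch gives the same glob behaviour here.
        if any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]) and \
           any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def can_publish(policy, instance_id, group_id, topic,
                region="cn-hangzhou", account="123456789012"):
    """Publishing needs the instance prerequisite AND mq:PUB on topic and group ID."""
    prefix = f"acs:mq:{region}:{account}"  # constructed region/account values
    return (is_allowed(policy, "mq:MqttInstanceAccess", f"{prefix}:instance/{instance_id}")
            and is_allowed(policy, "mq:PUB", f"{prefix}:topic/{instance_id}/{topic}")
            and is_allowed(policy, "mq:PUB", f"{prefix}:groupId/{instance_id}/{group_id}"))

PUBLISHER_POLICY = build_publisher_policy(INSTANCE_ID, GROUP_ID, TOPIC)
```

The evaluator denies a publish to any other topic or any other instance, and denies mq:SUB on the granted topic, which is the separation the AliyunMQPubOnlyAccess system policy cannot give you per topic.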

Permissions to manage instances in the console

The resource naming format of a Message Queue for MQTT instance is acs:mq:*:*:instance/{mqttInstanceId}.

Action | Description | Remarks
mq:MqttInstanceAccess | Queries the basic information of a specified instance. | Before you grant permissions on topics and groups to a RAM user, you must grant the user the mq:MqttInstanceAccess permission on the instance to which the topics and groups belong.
mq:DeleteMqttInstance | Deletes an instance. | None
mq:UpdateMqttInstance | Modifies instance information. | None
mq:ListMqttInstance | Queries instances. | None
mq:UpdateMqttInstanceWarn | Updates the alert information of a specified instance. | None

Permissions to manage topics in the console

The resource naming format of a topic is acs:mq:*:*:topic/{mqttInstanceId}/{topic}.

Action | Description | Remarks
mq:QueryMqttClientByTopic | Queries the Message Queue for MQTT clients that subscribe to a specified topic. | Before you grant permissions on topics and groups to a RAM user, you must grant the user the mq:MqttInstanceAccess permission on the instance to which the topics and groups belong.
mq:QueryMqttMsgTransTrend | Queries messaging statistics based on a specified topic. | Same as above.
mq:SendMqttMessageByConsole | Tests the message sending feature in the console. | Same as above.
mq:CreateMqttTopic | Creates a topic. | Same as above.
mq:DeleteMqttTopic | Deletes a topic. | Same as above.
mq:ListMqttTopic | Queries a topic. | Same as above.
mq:UpdateMqttTopic | Updates the remarks of a topic. | Same as above.

Permissions to manage group IDs in the console

The resource naming format of a group ID is acs:mq:*:*:groupId/{mqttInstanceId}/{gid}.

Action | Description | Remarks
mq:CreateGroupId | Creates a group ID. | Before you grant permissions on topics and groups to a RAM user, you must grant the user the mq:MqttInstanceAccess permission on the instance to which the topics and groups belong.
mq:ListGroupId | Queries group IDs. | Same as above.
mq:QueryMqttClientByClientId | Queries Message Queue for MQTT client information based on a specified client ID. | Same as above.
mq:QueryMqttClientByGroupId | Queries Message Queue for MQTT client information based on a specified group ID. | Same as above.
mq:QueryMqttHistoryOnline | Queries the information about historically connected Message Queue for MQTT clients based on a specified group ID. | Same as above.
mq:DeleteGroupId | Deletes a group ID. | Same as above.
mq:QueryMqttDeviceTrace | Queries traces of a Message Queue for MQTT client. | Same as above.
mq:QueryMqttDeviceTrace | Queries the information about a specified Message Queue for MQTT client. | Same as above.

Permissions to manage rules in the console

The resource naming format of a rule is acs:mq:*:*:rule/{mqttInstanceId}/{ruleId}.

When you grant permissions on a rule, make sure that the related instances, topics, and group IDs belong to the same Alibaba Cloud account.

Action | Description | Remarks
mq:CreateMqttInboundRule | Creates a data inbound rule. | Before you grant permissions on rules to a RAM user, you must grant the user the mq:MqttInstanceAccess permission on the instance where the rules are located.
mq:DeleteMqttInboundRule | Deletes a data inbound rule. | Same as above.
mq:ListMqttInboundRule | Queries a data inbound rule. | Same as above.
mq:UpdateMqttInboundRule | Updates a data inbound rule. | Same as above.
mq:CreateMqttOutboundRule | Creates a data outbound rule. | Same as above.
mq:DeleteMqttOutboundRule | Deletes a data outbound rule. | Same as above.
mq:ListMqttOutboundRule | Queries a data outbound rule. | Same as above.
mq:UpdateMqttOutboundRule | Updates a data outbound rule. | Same as above.
mq:CreateClientStatusNotifyRule | Creates a rule for client status notification. | Same as above.
mq:DeleteClientStatusNotifyRule | Deletes a rule for client status notification. | Same as above.
mq:ListClientStatusNotifyRule | Queries a rule for client status notification. | Same as above.
mq:UpdateClientStatusNotifyRule | Updates a rule for client status notification. | Same as above.

Permissions to call the API

Before you grant the permissions to call the API to perform operations on rules, make sure that the related instances, topics, and group IDs belong to the same Alibaba Cloud account.

API | Resource naming format | Resource naming example | Actions
RevokeToken | * | * | mq:MqttInstanceAccess, mq:RevokeToken
QueryToken | * | * | mq:MqttInstanceAccess, mq:QueryToken
ApplyToken | Instance: acs:mq:*:*:instance/{mqttInstanceId}; Topic: acs:mq:*:*:topic/{mqttInstanceId}/{topic} | Instance: acs:mq:*:*:instance/post-cn-09k1noy****; Topic: acs:mq:*:*:topic/post-cn-09k1noy****/Topic_**** | mq:MqttInstanceAccess, mq:ApplyToken
CreateGroupId | Instance: acs:mq:*:*:instance/{mqttInstanceId}; Group ID: acs:mq:*:*:groupId/{mqttInstanceId}/{gid} | Instance: acs:mq:*:*:instance/post-cn-09k1noy****; Group ID: acs:mq:*:*:groupId/post-cn-09k1noy****/GID_**** | mq:MqttInstanceAccess, mq:CreateGroupId
DeleteGroupId | Same as CreateGroupId | Same as CreateGroupId | mq:MqttInstanceAccess, mq:DeleteGroupId
ListGroupId | Same as CreateGroupId | Same as CreateGroupId | mq:MqttInstanceAccess, mq:ListGroupId
CreateTopic | Instance: acs:mq:*:*:instance/{mqttInstanceId}; Topic: acs:mq:*:*:topic/{mqttInstanceId}/{topic} | Instance: acs:mq:*:*:instance/post-cn-09k1noy****; Topic: acs:mq:*:*:topic/post-cn-09k1noy****/Topic_**** | mq:MqttInstanceAccess, mq:CreateMqttTopic
DeleteTopic | Same as CreateTopic | Same as CreateTopic | mq:MqttInstanceAccess, mq:DeleteMqttTopic
ListTopic | Same as CreateTopic | Same as CreateTopic | mq:MqttInstanceAccess, mq:ListMqttTopic
UpdateTopic | Same as CreateTopic | Same as CreateTopic | mq:MqttInstanceAccess, mq:UpdateMqttTopic
CreateMqttInboundRule | Instance: acs:mq:*:*:instance/{mqttInstanceId}; Rule: acs:mq:*:*:rule/{mqttInstanceId}/{ruleId} | Instance: acs:mq:*:*:instance/post-cn-09k1noy****; Rule: acs:mq:*:*:rule/post-cn-09k1noy****/111**** | mq:MqttInstanceAccess, mq:CreateMqttInboundRule
DeleteMqttInboundRule | Same as CreateMqttInboundRule | Same as CreateMqttInboundRule | mq:MqttInstanceAccess, mq:DeleteMqttInboundRule
ListMqttInboundRuleInPage | Same as CreateMqttInboundRule | Same as CreateMqttInboundRule | mq:MqttInstanceAccess, mq:ListMqttInboundRule
UpdateMqttInboundRule | Same as CreateMqttInboundRule | Same as CreateMqttInboundRule | mq:MqttInstanceAccess, mq:UpdateMqttInboundRule
CreateMqttOutboundRule | Same as CreateMqttInboundRule | Same as CreateMqttInboundRule | mq:MqttInstanceAccess, mq:CreateMqttOutboundRule
DeleteMqttOutboundRule | Same as CreateMqttInboundRule | Same as CreateMqttInboundRule | mq:MqttInstanceAccess, mq:DeleteMqttOutboundRule
ListMqttOutboundRuleInPage | Same as CreateMqttInboundRule | Same as CreateMqttInboundRule | mq:MqttInstanceAccess, mq:ListMqttOutboundRule
UpdateMqttOutboundRule | Same as CreateMqttInboundRule | Same as CreateMqttInboundRule | mq:MqttInstanceAccess, mq:UpdateMqttOutboundRule
CreateClientStatusNotifyRule | Same as CreateMqttInboundRule | Same as CreateMqttInboundRule | mq:MqttInstanceAccess, mq:CreateClientStatusNotifyRule
DeleteClientStatusNotifyRule | Same as CreateMqttInboundRule | Same as CreateMqttInboundRule | mq:MqttInstanceAccess, mq:DeleteClientStatusNotifyRule
ListClientStatusNotifyRuleInPage | Same as CreateMqttInboundRule | Same as CreateMqttInboundRule | mq:MqttInstanceAccess, mq:ListClientStatusNotifyRule
UpdateClientStatusNotifyRule | Same as CreateMqttInboundRule | Same as CreateMqttInboundRule | mq:MqttInstanceAccess, mq:UpdateClientStatusNotifyRule

Note: For more information about the API, see List of operations by function.

References