Alibaba Cloud offers Resource Access Management (RAM), which allows you to manage permissions for Message Queue for MQTT. RAM allows you to avoid sharing the key of your Alibaba Cloud account (an AccessKey pair consisting of an AccessKey ID and an AccessKey secret) with other users. Instead, you can grant them only the minimum required permissions. This topic describes the permission policies of Message Queue for MQTT in RAM.

Policy categories

In RAM, a policy is a collection of permissions described in a defined syntax. A policy precisely specifies the set of authorized resources, the set of permitted actions, and the conditions under which the authorization applies. Message Queue for MQTT provides the following types of RAM policies.

  • System policies: Policies that are created by Alibaba Cloud. You can use but not modify these policies. Version updates of the policies are maintained by Alibaba Cloud.
  • Custom policies: Policies that you can create, update, and delete. You are responsible for maintaining the version updates of these policies.

System policies

Message Queue for MQTT provides three types of system policies by default.

Notice: Message Queue for MQTT does not support independent system permission policies. When you grant the following system permission policies to RAM users, these policies take effect for both Message Queue for MQTT and Message Queue for Apache RocketMQ.

Policy name | Description
AliyunMQFullAccess | The permission to manage Message Queue for MQTT. It is equivalent to the permission that the Alibaba Cloud account has. A RAM user granted this permission can send and subscribe to all messages and use all the features of the console.
AliyunMQPubOnlyAccess | The publishing permission of Message Queue for MQTT. A RAM user granted this permission can use all the resources of the Alibaba Cloud account to send messages by using SDKs.
AliyunMQSubOnlyAccess | The subscription permission of Message Queue for MQTT. A RAM user granted this permission can use all the resources of the Alibaba Cloud account to subscribe to messages by using SDKs.
AliyunMQReadOnlyAccess | The read-only permission of Message Queue for MQTT. A RAM user granted this permission can only read resource information by accessing the console or calling the corresponding API operations.

Custom policies

Custom policies allow you to grant fine-grained permissions to users.

The following section describes the mappings between resources and actions in Message Queue for MQTT.

In Message Queue for MQTT, instances, topics, groups, and rules are different types of resources. The permissions that can be granted on these resources are called actions.

The resources and actions of Message Queue for MQTT, and the rules that govern them, fall into three categories according to how they are accessed: the console, OpenAPI, and the Message Queue for MQTT client. Resource-related operations in the console are further divided into four categories by resource type: instance, topic, group, and rule.

Note: To access the resources and OpenAPI of a Message Queue for MQTT instance, you must obtain the permissions for the Message Queue for MQTT instance; the corresponding action is mq:MqttInstanceAccess.

For an example of a custom policy, see Sample permission policies.

Permission to publish and subscribe to messages by an MQTT client

The permission to publish and subscribe to messages uses the following resource naming formats for topics and group IDs:
  • Topic: topic/{mqttInstanceId}/{topic}
  • Group ID: groupId/{mqttInstanceId}/{gid}

Action | Description
mq:PUB | Publishes a message.
mq:SUB | Subscribes to a message.

Remarks (both actions): Before you grant permissions to a RAM user for topics and groups, you must grant the "mq:MqttInstanceAccess" permission of the instance to which the topics and groups belong.
Note: The MQTT client does not have the permission to publish and subscribe to messages. Grant permissions to another Alibaba Cloud account.
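
The resource formats and actions above are enough to write a least-privilege custom policy for a single MQTT client and to audit it for the prerequisite the remarks call out. The following is an added example, not code from the page or from Alibaba Cloud; it assumes that the full resource string is the Alibaba Cloud ARN form "acs:mq:*:*:" followed by the resource name given on this page, and the instance, topic and group IDs are constructed sample values.

```python
"""Least-privilege RAM custom policy for Message Queue for MQTT. Added example, not from
the page; assumes resources are ARNs "acs:mq:*:*:" + the resource names given on this page."""
import fnmatch
ARN_PREFIX = "acs:mq:*:*:"  # assumed prefix; the page specifies only the part after it

def mqtt_client_policy(instance_id, pub_topics=(), sub_topics=(), group_ids=()):
    """One client gets only mq:MqttInstanceAccess on its instance (required before any
    topic/group grant takes effect), mq:PUB on its topics, mq:SUB on its topics/groups."""
    def topic(t):
        return f"{ARN_PREFIX}topic/{instance_id}/{t}"
    statements = [{"Effect": "Allow", "Action": ["mq:MqttInstanceAccess"],
                   "Resource": [f"{ARN_PREFIX}instance/{instance_id}"]}]
    if pub_topics:
        statements.append({"Effect": "Allow", "Action": ["mq:PUB"],
                           "Resource": [topic(t) for t in pub_topics]})
    sub_res = [topic(t) for t in sub_topics]
    sub_res += [f"{ARN_PREFIX}groupId/{instance_id}/{g}" for g in group_ids]
    if sub_res:
        statements.append({"Effect": "Allow", "Action": ["mq:SUB"], "Resource": sub_res})
    return {"Version": "1", "Statement": statements}  # json.dumps() this to upload it

def is_allowed(policy, action, resource):
    """Simplified RAM evaluation: a matching Deny always wins, otherwise a matching
    Allow is required; '*' in Action/Resource is a wildcard; default is deny."""
    allowed = False
    for st in policy["Statement"]:  # Action and Resource are lists, as built above
        if (any(fnmatch.fnmatchcase(action, a) for a in st["Action"])
                and any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"])):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def instances_missing_access(policy):
    """Audit for the page's caveat: return instance ids that have topic/group grants
    but no Allow of mq:MqttInstanceAccess on instance/{id}, so those grants are inert."""
    referenced, covered = set(), []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        for res in st["Resource"]:
            parts = (res[len(ARN_PREFIX):] if res.startswith(ARN_PREFIX) else res).split("/")
            if len(parts) < 2:
                continue
            if parts[0] in ("topic", "groupId"):
                referenced.add(parts[1])
            elif parts[0] == "instance" and "mq:MqttInstanceAccess" in st["Action"]:
                covered.append(parts[1])
    return {i for i in referenced if not any(fnmatch.fnmatchcase(i, c) for c in covered)}
```

Run instances_missing_access over any custom policy before attaching it: a topic or group grant whose instance lacks mq:MqttInstanceAccess is reported rather than silently failing at connect time.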

Instance operation permissions in the console

The resource naming format of a Message Queue for MQTT instance is instance/{mqttInstanceId}.

Action | Description | Remarks
mq:MqttInstanceAccess | Queries the basic information of a specified instance. | Before you grant permissions to a RAM user for topics and groups, you must grant the "mq:MqttInstanceAccess" permission of the instance to which the topics and groups belong.
mq:DeleteMqttInstance | Deletes an instance. | None
mq:UpdateMqttInstance | Updates instance information. | None
mq:ListMqttInstance | Queries the list of instances. | None
mq:UpdateMqttInstanceWarn | Updates the alert information of a specified instance. | None

Group ID operation permissions in the console

The resource naming format of a group ID is groupId/{mqttInstanceId}/{gid}.

Action | Description
mq:CreateGroupId | Creates a group ID.
mq:ListGroupId | Queries the list of group IDs.
mq:QueryMqttClientByClientId | Queries client information by client ID.
mq:QueryMqttClientByGroupId | Queries client information by group ID.
mq:QueryMqttHistoryOnline | Queries historical client online information by group ID.
mq:DeleteGroupId | Deletes a group ID.
mq:QueryMqttDeviceTrace | Queries device traces.
mq:QueryMqttDeviceTrace | Queries messages related to a device.

Remarks (all actions): Before you grant permissions to a RAM user for topics and groups, you must grant the "mq:MqttInstanceAccess" permission of the instance to which the topics and groups belong.

References