Message Queue for MQTT lets an Alibaba Cloud account (primary account) grant Resource Access Management (RAM) users permissions at a fine-grained level, such as the topic level, so that the AccessKey of the primary account never has to be shared. Only RAM users that have been granted the corresponding permissions can manage resources in the MQTT console or publish and subscribe to messages through SDKs and API operations.

Note Currently, Message Queue for MQTT does not support authorization across Alibaba Cloud accounts.

Scenarios

Company A purchases Message Queue for MQTT, and its employees need to operate on the resources of this service, such as instances, topics, and groups. Different employees are responsible for different jobs, such as creating resources, publishing messages, and subscribing to messages, so employees in different roles require different permissions.

In detail, the scenario is as follows:
  • For security reasons, Company A wants to create a RAM user for each employee instead of handing out the AccessKey of its Alibaba Cloud account.
  • A RAM user can only use the resources it has been authorized for. Resource usage and costs are not calculated separately for the RAM user; all expenses are billed to the Alibaba Cloud account of Company A.
  • Company A can revoke the permissions of a RAM user, or delete the RAM user it created, at any time.

In this way, the Alibaba Cloud account of Company A can separate permissions on the resources its employees operate at a fine-grained level, giving each employee only the permissions the job requires.

Procedure

  1. Create a RAM user by using the Alibaba Cloud account of Company A.

    For more information, see Create a RAM user.

  2. (Optional) Create custom policies for the RAM user as needed.

    For more information, see Create a custom policy.

    Currently, Message Queue for MQTT supports setting permissions at the instance, topic, and group level. For more information, see Permission policy.

  3. Grant permissions to the RAM user with the Alibaba Cloud account of Company A.

    For more information, see Grant permissions to a RAM user.

Next steps

After creating RAM users with an Alibaba Cloud account (primary account), you can distribute the logon name and password of a RAM user, or its AccessKey pair, to the employee who needs it. Hand out only what the employee's tasks require (a console logon for console work, an AccessKey for SDK or API calls) and deliver it through a secure channel. The employee can then log on to the console or call API operations as that RAM user, as follows.

  • Log on to the console
    1. Open the RAM user logon portal in the browser.
    2. On the RAM user logon page, enter the RAM user name and click Next, enter the RAM user password, and then click Log on.
      Note The RAM user name is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no account alias is set, the value defaults to the ID of the Alibaba Cloud account (primary account).
    3. On the RAM User Center page, click a product for which the RAM user has permissions to open its console.
  • Call an API operation with the RAM user's AccessKey

    Use the AccessKey ID and AccessKey Secret of the RAM user in the code, never the AccessKey of the primary account. Load the pair from configuration or environment variables rather than hard-coding it in source, so that rotating or revoking the RAM user's AccessKey in RAM does not require a code change.
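As an added example (not code from the original page or from Alibaba Cloud's SDKs), the following Python shows how a publish/subscribe client would consume the RAM user's AccessKey pair: the pair is read from environment variables (the names ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are assumed here) instead of being embedded in source, and it is turned into the MQTT CONNECT username and password using the signature-mode scheme of Message Queue for MQTT, Username = Signature|<AccessKeyId>|<InstanceId> and Password = Base64(HMAC-SHA1(key = AccessKeySecret, message = ClientId)). The instance ID, group ID and device ID are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Mapping, Optional, Tuple

# Environment variable names assumed for this example. The point is only that
# the secret comes from the process environment, not from the source tree.
ENV_ACCESS_KEY_ID = "ALIBABA_CLOUD_ACCESS_KEY_ID"
ENV_ACCESS_KEY_SECRET = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"


def credentials_from_env(env: Optional[Mapping[str, str]] = None) -> Tuple[str, str]:
    """Read the RAM user's AccessKey pair from the environment.

    Fails loudly when a variable is missing, so a misconfigured deployment
    cannot silently fall back to some other (possibly primary-account) key.
    """
    env = os.environ if env is None else env
    try:
        return env[ENV_ACCESS_KEY_ID], env[ENV_ACCESS_KEY_SECRET]
    except KeyError as missing:
        raise RuntimeError(f"RAM user credential {missing} is not set") from None


def sign_client_id(client_id: str, access_key_secret: str) -> str:
    """Base64(HMAC-SHA1(key=AccessKeySecret, msg=ClientId)).

    This is the signature-mode password expected by the broker (assumed
    scheme, see the lead-in). The secret is the HMAC key, the client ID is
    the message; swapping them produces a password the broker rejects.
    """
    digest = hmac.new(access_key_secret.encode("utf-8"),
                      client_id.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_mqtt_credentials(access_key_id: str, access_key_secret: str,
                           instance_id: str, client_id: str) -> dict:
    """Return the CONNECT client ID, username and password for a RAM user.

    client_id follows the <GroupID>@@@<DeviceID> convention of the service;
    the username carries the RAM user's AccessKey ID, never the secret.
    """
    return {
        "client_id": client_id,
        "username": f"Signature|{access_key_id}|{instance_id}",
        "password": sign_client_id(client_id, access_key_secret),
    }


def verify_password(client_id: str, access_key_secret: str, password: str) -> bool:
    """Constant-time recomputation, shown here to make explicit what the
    broker checks: the password only validates for this client ID under
    this RAM user's secret."""
    expected = sign_client_id(client_id, access_key_secret)
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    # Constructed sample values for the instance and client; the AccessKey
    # pair itself is never written here.
    ak_id, ak_secret = credentials_from_env()
    creds = build_mqtt_credentials(ak_id, ak_secret,
                                   "post-cn-example", "GID_demo@@@device-001")
    print(creds["username"], creds["password"])
```

Because the password is derived from the RAM user's AccessKey Secret, revoking that AccessKey or deleting the RAM user in RAM invalidates every client built from it, which is what makes the separation of permissions in the scenario above enforceable without touching the primary account.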

More information

What is RAM?