This topic describes the common permission policies in Message Queue for Apache RocketMQ.

Background information

Before reading this topic, we recommend that you read Permission policies of Message Queue for Apache RocketMQ supported in Resource Access Management (RAM), which explains the actions and resource formats used in the policies below.

The sample policies below contain explanatory comments ("//" followed by a description). Comments are not valid in a RAM policy document, so delete them before you copy a sample policy.

Example 1: Grant permissions for a topic and a group in an instance.

  • For instances with namespaces
        {
            "Version":"1",
            "Statement":[
                {    // Grant permissions for the instance. Grant this instance permission before you grant permissions for its topics and groups (applicable to instances with namespaces).
                    "Effect":"Allow",
                    "Action":[
                        "mq:OnsInstanceBaseInfo"
                    ],
                    "Resource":[
                        "acs:mq:*:*:{instanceId}"
                    ]
                },
                {    // Grant the permissions to publish and subscribe to messages for a topic.
                    "Effect":"Allow",
                    "Action":[
                        "mq:PUB",    
                        "mq:SUB"
                    ],
                    "Resource":[
                        "acs:mq:*:*:{instanceId}%{topic}"
                    ]
                },
                {    // Grant permissions for a group.
                    "Effect":"Allow",
                    "Action":[
                        "mq:SUB"
                    ],
                    "Resource":[
                        "acs:mq:*:*:{instanceId}%{groupId}"
                    ]
                }
            ]
        }                    
  • For instances without namespaces
    {
        "Version":"1",
        "Statement":[
            {    // Grant permissions for the instance. Grant this instance permission before you grant permissions for its topics and groups (applicable to instances without namespaces).
                "Effect":"Allow",
                "Action":[
                    "mq:OnsInstanceBaseInfo"
                ],
                "Resource":[
                    "acs:mq:*:*:{instanceId}"
                ]
            },
            {    // Grant the permissions to publish and subscribe to messages for a topic.
                "Effect":"Allow",
                "Action":[
                    "mq:PUB",    
                    "mq:SUB"
                ],
                "Resource":[
                    "acs:mq:*:*:{topic}"
                ]
            },
            {    // Grant permissions for a group.
                "Effect":"Allow",
                "Action":[
                    "mq:SUB"
                ],
                "Resource":[
                    "acs:mq:*:*:{groupId}"
                ]
            }
        ]
    }                    

Example 2: Grant permissions for an entire instance (only applicable to instances with namespaces).

To grant permissions to perform all operations on all resources in an instance, use the following policy:

{   // Only applicable to instances with namespaces.
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mq:*"
            ],
            "Resource": [
                "acs:mq:*:*:{instanceId}*" // Grant permissions for the instance. Replace {instanceId} with the ID of your instance. The trailing "*" covers the instance itself and every resource whose name begins with the instance ID, such as its topics and groups ({instanceId}%{topic}, {instanceId}%{groupId}), so together with "mq:*" this policy grants all actions on all of them. Use Example 1 instead when only specific topics or groups should be authorized.
            ]
        }
    ]
}