You can use Resource Access Management (RAM) to manage permissions on Message Queue for RabbitMQ resources and on SDK-based message sending and receiving. RAM lets you grant users only the minimum permissions they need, which limits the damage if the AccessKey pair of your Alibaba Cloud account is disclosed. The AccessKey pair consists of an AccessKey ID and an AccessKey secret.

RAM policies

In RAM, policies are a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Policy structure and syntax.

In RAM, a policy is a resource entity. Message Queue for RabbitMQ supports the following types of policies:

  • System policies: System policies are created and updated by Alibaba Cloud. You cannot modify them. They are suited to coarse-grained control of RAM user permissions.
  • Custom policies: You can create, update, and delete custom policies and maintain policy versions. They are suited to fine-grained control of RAM user permissions.

System policies

The following table describes the system policies supported by Message Queue for RabbitMQ.

  • AliyunAMQPFullAccess: The management permissions of Message Queue for RabbitMQ. A RAM user to whom this policy is attached has the same permissions as the Alibaba Cloud account: the user can manage all resources and send and receive messages by using an SDK.
  • AliyunAMQPReadOnlyAccess: The read-only permissions of Message Queue for RabbitMQ. A RAM user to whom this policy is attached has only read-only permissions on all resources of the Alibaba Cloud account.

Examples of system policies

The system policy AliyunAMQPFullAccess is used as an example. A RAM user to whom this policy is attached has the same permissions as the Alibaba Cloud account: the user can manage all resources and send and receive messages by using an SDK. Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "amqp:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Custom policies

This section describes the custom policies supported by Message Queue for RabbitMQ.

Notice: To manage resources such as exchanges and queues, you must also have the read permission (amqp:GetVhost) on the vhost in which these resources reside.

The following entries list each policy, its RAM action, what the action does, and the resource on which the permission is granted.

ListInstances
  Action: amqp:ListInstance
  Description: Queries instances.
  Resource: acs:amqp:$region:$accountid:/instances/*

CreateInstance
  Action: amqp:CreateInstance
  Description: Creates an instance.
  Resource: acs:amqp:$region:$accountid:/instances/*

DeleteInstance
  Action: amqp:DeleteInstance
  Description: Deletes an instance.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId

GetInstance
  Action: amqp:GetInstance
  Description: Queries instance information.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId

ListVhost
  Action: amqp:ListVhost
  Description: Queries vhosts.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*

CreateVhost
  Action: amqp:CreateVhost
  Description: Creates a vhost.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*

DeleteVhost
  Action: amqp:DeleteVhost
  Description: Deletes a vhost.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName

GetVhost
  Action: amqp:GetVhost
  Description: Queries vhost information.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName

ListExchange
  Action: amqp:ListExchange
  Description: Queries exchanges.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

CreateExchange
  Action: amqp:CreateExchange
  Description: Creates an exchange.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

DeleteExchange
  Action: amqp:DeleteExchange
  Description: Deletes an exchange.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

GetExchange
  Action: amqp:GetExchange
  Description: Queries exchange information.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

exchange.declare (passive=false)
  Action: amqp:CreateExchange
  Description: Declares an exchange and checks whether it exists.
    • If the specified exchange does not exist, it is created and a message that indicates the declaration is successful is returned.
    • If the specified exchange already exists, its attributes are checked against the declaration. If they match, a message that indicates the declaration is successful is returned. Otherwise, an error is reported.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

exchange.declare (passive=true)
  Action: amqp:GetExchange
  Description: Declares an exchange and checks whether it exists.
    • If the specified exchange does not exist, an error is reported.
    • If the specified exchange exists, a message that indicates the declaration is successful is returned.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

exchange.bind
  Description: Binds a source exchange to a destination exchange.
  Actions and resources:
    • amqp:GetExchange (source exchange): acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
    • amqp:CreateExchange (destination exchange): acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

exchange.unbind
  Description: Unbinds a source exchange from a destination exchange.
  Actions and resources:
    • amqp:GetExchange (source exchange): acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
    • amqp:CreateExchange (destination exchange): acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

ListQueue
  Action: amqp:ListQueue
  Description: Queries queues.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

CreateQueue
  Action: amqp:CreateQueue
  Description: Creates a queue.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

DeleteQueue
  Action: amqp:DeleteQueue
  Description: Deletes a queue.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName

GetQueue
  Action: amqp:GetQueue
  Description: Queries queue information.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName

queue.declare (passive=false)
  Action: amqp:CreateQueue
  Description: Declares a queue and checks whether it exists.
    • If the specified queue does not exist, it is created.
    • If the specified queue already exists, its attributes are checked against the declaration. If they match, a message that indicates the declaration is successful is returned. Otherwise, an error is reported.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

queue.declare (passive=true)
  Action: amqp:CreateQueue
  Description: Declares a queue and checks whether it exists.
    • If the specified queue does not exist, an error is reported.
    • If the specified queue exists, a message that indicates the declaration is successful is returned.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName

queue.declare (dead-letter exchange configured)
  Description: Declares a queue for which a dead-letter exchange is configured.
  Actions and resources:
    • amqp:CreateQueue: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
    • amqp:GetQueue: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
    • amqp:CreateExchange (dead-letter exchange): acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (dead-letter exchange)

queue.bind
  Description: Binds a queue to an exchange.
  Actions and resources:
    • amqp:CreateQueue: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
    • amqp:GetExchange: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

queue.unbind
  Description: Unbinds a queue from an exchange.
  Actions and resources:
    • amqp:CreateQueue: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
    • amqp:GetExchange: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

BasicRecover
  Action: amqp:BasicRecover
  Description: Redelivers the messages that have not been acknowledged by consumers.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

BasicCancel
  Action: amqp:BasicCancel
  Description: Cancels a subscription.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/messages/*

BasicPublish
  Action: amqp:BasicPublish
  Description: Publishes a message.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/*

BasicConsume
  Action: amqp:BasicConsume
  Description: Starts a consumer.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicAck
  Action: amqp:BasicAck
  Description: Acknowledges one or more messages.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicNack
  Action: amqp:BasicNack
  Description: Negatively acknowledges one or more messages.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicReject
  Action: amqp:BasicReject
  Description: Rejects a message.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

QueuePurge
  Action: amqp:QueuePurge
  Description: Clears all messages in a queue.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicGet
  Action: amqp:BasicGet
  Description: Provides direct access to messages in a queue.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

ListStaticAccounts
  Action: amqp:ListStaticAccounts
  Description: Queries static usernames and passwords.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

FetchStaticAccount
  Action: amqp:FetchStaticAccount
  Description: Creates a username/password pair.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

DeleteStaticAccount
  Action: amqp:DeleteStaticAccount
  Description: Deletes a username/password pair.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

Examples of custom policies

  • Example 1: Message publishing
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/amqp-cn-09k1o***",
                    "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:GetExchange",
                    "amqp:CreateQueue",
                    "amqp:GetQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicPublish",
                    "amqp:BasicAck",
                    "amqp:BasicNack"
                ],
                "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost/*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 2: Message subscription
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/amqp-cn-09k1o***",
                    "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:GetExchange",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost/*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 3: Message publishing and subscription
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/amqp-cn-09k1o***",
                    "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:ListExchange",
                    "amqp:CreateExchange",
                    "amqp:DeleteExchange",
                    "amqp:GetExchange",
                    "amqp:ListQueue",
                    "amqp:DeleteQueue",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicPublish",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost/*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 4: Management of usernames and passwords
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/staticAccount/*"
            },
            {
                "Effect": "Allow",
                "Action": "amqp:GetInstance",
                "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***"
            }
        ],
        "Version": "1"
    }
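A small policy checker, added here as an example and not part of the Alibaba Cloud documentation or SDK, that mirrors how the action and resource patterns in the custom policies above are matched (wildcard "*" in both the action and the resource ARN, explicit Deny overriding Allow, implicit Deny otherwise) and applies the Notice that managing an exchange or queue also requires amqp:GetVhost on its vhost. The policy is modelled on Example 1; the instance ID amqp-cn-EXAMPLE, region, and account ID are constructed placeholders.

```python
import re

# Constructed policy modelled on "Example 1: Message publishing" above.
# "amqp-cn-EXAMPLE" is a placeholder instance ID, not a real one.
INSTANCE = "acs:amqp:*:*:/instances/amqp-cn-EXAMPLE"
PUBLISH_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["amqp:GetVhost"],
         "Resource": [INSTANCE, INSTANCE + "/vhosts/testVhost"],
         "Effect": "Allow"},
        {"Action": ["amqp:CreateExchange", "amqp:GetExchange", "amqp:CreateQueue",
                    "amqp:GetQueue", "amqp:BasicRecover", "amqp:BasicPublish",
                    "amqp:BasicAck", "amqp:BasicNack"],
         "Resource": INSTANCE + "/vhosts/testVhost/*",
         "Effect": "Allow"},
    ],
}
# Constructed request-side ARN prefix (placeholder region and account ID).
BASE = "acs:amqp:cn-hangzhou:123456789:/instances/amqp-cn-EXAMPLE/vhosts/"

def _glob_match(pattern, value):
    """'*' matches any run of characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny': an explicit Deny wins, no matching statement is an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def can_manage(policy, action, resource):
    """Apply the Notice: managing an exchange or queue also needs amqp:GetVhost on its vhost."""
    m = re.match(r"(.*/vhosts/[^/]+)", resource)
    if not m:
        return False
    return (evaluate(policy, action, resource) == "Allow"
            and evaluate(policy, "amqp:GetVhost", m.group(1)) == "Allow")

if __name__ == "__main__":
    print(evaluate(PUBLISH_POLICY, "amqp:BasicPublish", BASE + "testVhost/exchanges/orders/messages/1"))
    print(evaluate(PUBLISH_POLICY, "amqp:BasicPublish", BASE + "prod/exchanges/orders/messages/1"))
```

Run it against a candidate policy before attaching it to a RAM user to confirm that the vhosts and actions it reaches are only the ones intended.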