What are the RAM policies provided by ApsaraMQ for RabbitMQ? -

Resource Access Management (RAM) is used to manage resources in ApsaraMQ for RabbitMQ and permissions on sending and receiving messages by using SDKs. If you use RAM to manage permissions on your resources, you do not need to share the AccessKey ID or AccessKey secret of your Alibaba Cloud account with other users. You can grant the RAM users of your Alibaba Cloud account the minimum required permissions.

RAM policies

In RAM, a policy includes a set of permissions that are specified based on the policy structure and syntax. Each policy specifies the resources on which permissions are granted, the operations that can be performed or cannot be performed on specific resources, and the conditions that are required for the policy to take effect. For information about the structure and syntax of policies, see Policy structure and syntax.

In RAM, a policy is a resource entity. ApsaraMQ for RabbitMQ supports the following types of policies:

System policy: System policies are created and maintained by Alibaba Cloud. You can use system policies to perform coarse-grained permission control on RAM users. You cannot modify system policies.
Custom policy: You can create, update, and delete custom policies. You can use custom policies to perform fine-grained permission control on RAM users. You need to manage the versions of custom policies.

System policies

The following table describes the system policies supported by ApsaraMQ for RabbitMQ.

Policy	Description
AliyunAMQPFullAccess	The management permissions on your ApsaraMQ for RabbitMQ resources. If you use this policy to grant permissions to RAM users, the RAM users are granted the permissions that are equivalent to the permissions of an Alibaba Cloud account. This means that the RAM users are granted the permissions to manage all ApsaraMQ for RabbitMQ resources of the Alibaba Cloud account, and to send and receive messages by using SDKs.
AliyunAMQPReadOnlyAccess	The read-only permissions on your ApsaraMQ for RabbitMQ resources. If you use this policy to grant permissions to RAM users, the RAM users can query the data of all ApsaraMQ for RabbitMQ resources of the Alibaba Cloud account.

Sample system policy

In the following example, the system policy AliyunAMQPFullAccess is granted to RAM users. RAM users who are granted permissions by using this policy can manage all ApsaraMQ for RabbitMQ resources of the Alibaba Cloud account, and send and receive messages by using SDKs. The following code displays the policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "amqp:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Custom policies

The following table describes the custom policies supported by ApsaraMQ for RabbitMQ.

Important

To allow RAM users to manage resources such as exchanges and queues, you must grant the RAM users read permissions specified by the amqp:GetVhost action on the virtual hosts (vhosts) in which the resources reside.

API	Action	Description	Format
ListInstances	amqp:ListInstance	Queries the list of instances.	acs:amqp:$region:$accountid:/instances/*
CreateInstance	amqp:CreateInstance	Creates an instance. The policy of this API operation supports the following fields. For more information, see Condition . amqp:InstanceType: the instance edition. Valid values: professional: Professional Edition enterprise: Enterprise Edition vip: Enterprise Platinum Edition amqp:SupportEIP: specifies whether elastic IP addresses (EIPs) are supported. Valid values: True False	acs:amqp:$region:$accountid:/instances/*
DeleteInstance	amqp:DeleteInstance	Deletes an instance.	acs:amqp:$region:$accountid:/instances/$instanceId
GetInstance	amqp:GetInstance	Queries the details of an instance.	acs:amqp:$region:$accountid:/instances/$instanceId
ListVhost	amqp:ListVhost	Queries the list of vhosts.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*
CreateVhost	amqp:CreateVhost	Creates a vhost.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*
DeleteVhost	amqp:DeleteVhost	Deletes a vhost.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName
GetVhost	amqp:GetVhost	Queries the details of a vhost.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName
ListExchange	amqp:ListExchange	Queries the list of exchanges.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
CreateExchange	amqp:CreateExchange	Creates an exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
DeleteExchange	amqp:DeleteExchange	Deletes an exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
GetExchange	amqp:GetExchange	Queries the details of an exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
exchange.declare (passive=false)	amqp:CreateExchange	Declares an exchange and checks whether the exchange exists. If the specified exchange does not exist, the system creates an exchange and returns a message that indicates the declaration is successful. If the specified exchange exists, the system checks whether the information about the exchange is correct. If the information is correct, the system returns a message that indicates that the declaration is successful. If the information is incorrect, the system returns an error.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
exchange.declare (passive=true)	amqp:GetExchange	Declares an exchange and checks whether the exchange exists. If the specified exchange does not exist, the system returns an error. If the specified exchange exists, the system returns a message that indicates the declaration is successful.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
exchange.bind	amqp:GetExchange (source exchange)	Binds a source exchange to a destination exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange)
exchange.bind	amqp:CreateExchange (destination exchange)	Binds a source exchange to a destination exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange)
exchange.unbind	amqp:GetExchange (source exchange)	Unbinds a source exchange from a destination exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange)
exchange.unbind	amqp:CreateExchange (destination exchange)	Unbinds a source exchange from a destination exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange)
ListQueue	amqp:ListQueue	Queries the list of queues.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
CreateQueue	amqp:CreateQueue	Creates a queue.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
DeleteQueue	amqp:DeleteQueue	Deletes a queue.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
GetQueue	amqp:GetQueue	Queries the details of a queue.	acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName
queue.declare (passive=false)	amqp:CreateQueue	Declares a queue and checks whether the queue exists. If the specified queue does not exist, the system creates a queue. If the specified queue exists, the system checks whether the information about the queue is correct. If the information is correct, the system returns a message that indicates that the declaration is successful. If the information is incorrect, the system returns an error.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
queue.declare (passive=true)	amqp:CreateQueue	Declares a queue and checks whether the queue exists. If the specified queue does not exist, the system returns an error. If the specified queue exists, the system returns a message that indicates that the declaration is successful.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
queue.declare (dead-letter exchange configured)	amqp:CreateQueue	Declares a queue for which a dead-letter exchange is configured.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
	amqp:GetQueue		acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName
	amqp:CreateExchange (dead-letter exchange)		acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName (dead-letter exchange)
queue.bind	amqp:CreateQueue	Binds a queue to an exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
queue.bind	amqp:GetExchange	Binds a queue to an exchange.	acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName
queue.unbind	amqp:CreateQueue	Unbinds a queue from an exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
queue.unbind	amqp:GetExchange	Unbinds a queue from an exchange.	acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName
BasicRecover	amqp:BasicRecover	Redelivers the messages that are not acknowledged by consumers.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
BasicCancel	amqp:BasicCancel	Cancels a subscription.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicPublish	amqp:BasicPublish	Publishes a message.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/*
BasicConsume	amqp:BasicConsume	Starts a consumer.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicAck	amqp:BasicAck	Acknowledges one or more messages.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicNack	amqp:BasicNack	Negatively acknowledges one or more messages.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicReject	amqp:BasicReject	Rejects a message.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
QueuePurge	amqp:QueuePurge	Clears all messages in a queue.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicGet	amqp:BasicGet	Queries messages in a queue.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
ListStaticAccounts	amqp:ListStaticAccounts	Queries static usernames and passwords.	acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*
FetchStaticAccount	amqp:FetchStaticAccount	Create a pair of username and password	acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*
DeleteStaticAccount	amqp:DeleteStaticAccount	Deletes a pair of username and password.	acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

Sample custom policies

Important

When you create a custom policy, you must specify the following parameter values based on your actual situation:

$region: the ID of the region where the resource resides. For more information, see Endpoints.
$accountid: the ID of the Alibaba Cloud account to which the authorized object belongs.
$instanceId: the ID of the ApsaraMQ for RabbitMQ instance.
$vhostName: the vhost name.
$queueName: the queue name.
$exchangeName: the exchange name.

Example 1: A policy that can be used to grant a RAM user permissions to publish and subscribe to messages on on a vhost

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "amqp:GetInstance",
                "amqp:GetVhost",
                "amqp:ListVhost"
            ],
            "Resource":[
                "acs:amqp:*:*:/instances/$instanceId",
                "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName",
                "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
            ],
            "Effect":"Allow"
        },
        {
            "Action":[
                "amqp:ListExchange",
                "amqp:CreateExchange",
                "amqp:DeleteExchange",
                "amqp:GetExchange",
                "amqp:ListQueue",
                "amqp:DeleteQueue",
                "amqp:GetQueue",
                "amqp:CreateQueue",
                "amqp:BasicRecover",
                "amqp:BasicCancel",
                "amqp:BasicPublish",
                "amqp:BasicConsume",
                "amqp:BasicAck",
                "amqp:BasicNack",
                "amqp:BasicReject",
                "amqp:QueuePurge",
                "amqp:BasicGet"
            ],
            "Resource":"acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
            "Effect":"Allow"
        },
        {
            "Action":[
                "amqp:ListStaticAccounts",
                "amqp:FetchStaticAccount",
                "amqp:DeleteStaticAccount"
            ],
            "Resource":"acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
            "Effect":"Allow"
        }
    ]
}

Example 2: A policy that can be used to grant a RAM user permissions to publish messages

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "amqp:GetInstance",
                "amqp:GetVhost"
            ],
            "Resource": [
                "acs:amqp:*:*:/instances/$instanceId",
                "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "amqp:CreateExchange",
                "amqp:GetExchange",
                "amqp:CreateQueue",
                "amqp:GetQueue",
                "amqp:BasicRecover",
                "amqp:BasicPublish",
                "amqp:BasicAck",
                "amqp:BasicNack"
            ],
            "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
            "Effect": "Allow"
        }
    ]
}

Example 3: A policy that can be used to grant a RAM user permissions to subscribe to messages

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "amqp:GetInstance",
                "amqp:GetVhost"
            ],
            "Resource": [
                "acs:amqp:*:*:/instances/$instanceId",
                "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "amqp:CreateExchange",
                "amqp:GetExchange",
                "amqp:GetQueue",
                "amqp:CreateQueue",
                "amqp:BasicRecover",
                "amqp:BasicCancel",
                "amqp:BasicConsume",
                "amqp:BasicAck",
                "amqp:BasicNack",
                "amqp:BasicReject",
                "amqp:QueuePurge",
                "amqp:BasicGet"
            ],
            "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
            "Effect": "Allow"
        }
    ]
}

Example 4: A policy that can be used to grant a RAM user permissions to publish and subscribe to messages

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "amqp:GetInstance",
                "amqp:GetVhost"
            ],
            "Resource": [
                "acs:amqp:*:*:/instances/$instanceId",
                "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "amqp:ListExchange",
                "amqp:CreateExchange",
                "amqp:DeleteExchange",
                "amqp:GetExchange",
                "amqp:ListQueue",
                "amqp:DeleteQueue",
                "amqp:GetQueue",
                "amqp:CreateQueue",
                "amqp:BasicRecover",
                "amqp:BasicCancel",
                "amqp:BasicPublish",
                "amqp:BasicConsume",
                "amqp:BasicAck",
                "amqp:BasicNack",
                "amqp:BasicReject",
                "amqp:QueuePurge",
                "amqp:BasicGet"
            ],
            "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
            "Effect": "Allow"
        }
    ]
}

Example 5: A policy that can be used to grant a RAM user permissions to manage usernames and passwords

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "amqp:ListStaticAccounts",
                "amqp:FetchStaticAccount",
                "amqp:DeleteStaticAccount"
            ],
            "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*"
        },
        {
            "Effect": "Allow",
            "Action": "amqp:GetInstance",
            "Resource": "acs:amqp:*:*:/instances/$instanceId"
        }
    ],
    "Version": "1"
}

Example 6: A policy that can be used to grant a RAM user permissions to create instances

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "amqp:CreateInstance",
            "Resource": "acs:amqp:*:$accountid:/instances/*",
        }
    ]
}

Example 7: A policy that can be used to grant a RAM user permissions to create Enterprise Platinum Edition instances that do not support EIPs

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "amqp:CreateInstance",
            "Resource": "acs:amqp:*:$accountid:/instances/*",
            "Condition": {
                "StringEquals": {
                    "amqp:InstanceType": [
                        "vip"
                    ],
                    "amqp:SupportEIP": [
                        "false"
                    ]
                }
            }
        }
    ]
}