This topic describes the common permission policies in Message Queue for MQTT.

Remarks

Before you read this topic, we recommend that you view Permission policies of Message Queue for MQTT supported in Resource Access Management (RAM).

The samples in this topic contain annotations ("//" and the text description that follows), which are not valid JSON. To copy a sample directly, delete the annotations and replace the values in the following examples with your actual resource information:
  • post-cn-09k1noy****: Replace it with your instance ID.
  • Topic_****: Replace it with your topic.
  • GID_****: Replace it with your group ID.
  • Rule****: Replace it with your rule ID.

Example 1: Grant the message sending and receiving permissions to an MQTT client

Note: The message sending and receiving permissions of the MQTT client do not support cross-Alibaba-Cloud-account authorization.

{
    "Version":"1",
    "Statement":[
        {    //Before you grant the message sending and receiving permissions, grant the corresponding instance permission.
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "instance/post-cn-09k1noy****"
            ]
        },
        {    //Grant the permissions to publish and subscribe to messages for a topic.
            "Effect":"Allow",
            "Action":[
                "mq:PUB",
                "mq:SUB"
            ],
            "Resource":[
                "topic/post-cn-09k1noy****/Topic_****"
            ]
        },
        {    //Grant permissions for a group.
            "Effect":"Allow",
            "Action":[
                "mq:SUB"
            ],
            "Resource":[
                "groupId/post-cn-09k1noy****/GID_****"
            ]
        }
    ]
}

Example 2: Grant the permission to send messages for a topic in the console

{
    "Version":"1",
    "Statement":[
        {    //Before you grant the permission to send messages for a topic in the console, grant the permission for the corresponding instance.
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "instance/post-cn-09k1noy****"
            ]
        },
        {    //Grant the permission to send messages for a topic in the console.
            "Effect":"Allow",
            "Action":[
                "mq:SendMqttMessageByConsole"
            ],
            "Resource":[
                "topic/post-cn-09k1noy****/Topic_****"
            ]
        }
    ]
}

Example 3: Grant the OpenAPI permission of applying for a token

{
    "Version":"1",
    "Statement":[
        {    //Before you grant the OpenAPI permission of applying for a token, grant the permission for the corresponding instance.
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "instance/post-cn-09k1noy****"
            ]
        },
        {    //Grant the OpenAPI permission of applying for a token.
            "Effect":"Allow",
            "Action":[
                "mq:ApplyToken"
            ],
            "Resource":[
                "topic/post-cn-09k1noy****/Topic_****"
            ]
        }
    ]
}

Example 4: Grant all OpenAPI permissions for a data outbound rule

When you grant permissions for a rule, ensure that the related instances, topics, and group IDs belong to the same Alibaba Cloud account.

{
    "Version":"1",
    "Statement":[
        {    //Before you grant all OpenAPI permissions for a data outbound rule, grant the permission for the corresponding instance.
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "instance/post-cn-09k1noy****"
            ]
        },
        {    //Grant all OpenAPI permissions for a data outbound rule.
            "Effect":"Allow",
            "Action":[
                "mq:CreateMqttOutboundRule",
                "mq:DeleteMqttOutboundRule",
                "mq:ListMqttOutboundRule",
                "mq:UpdateMqttOutboundRule"
            ],
            "Resource":[
                "rule/post-cn-09k1noy****/Rule****"
            ]
        }
    ]
}
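
The following Python check is an added example, not part of the original topic and not Alibaba Cloud tooling. It strips the "//" annotations described in the remarks so that a sample parses as JSON, then reports every instance whose topic, group ID, or rule is granted without the mq:MqttInstanceAccess statement that each example above places first. It assumes that the policy is self-contained and uses literal resource names; the function names, instance IDs, and topic name are constructed for illustration.

```python
import json
import re

# A JSON string literal (kept) or a // annotation (dropped).
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')

def strip_annotations(text):
    """Remove // annotations without touching '//' inside string values."""
    return _TOKEN.sub(lambda m: m.group() if m.group()[0] == '"' else "", text)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_instance_grants(policy_text):
    """Instance IDs used in topic/, groupId/ or rule/ resources that lack an
    Allow statement for mq:MqttInstanceAccess in the same policy."""
    policy = json.loads(strip_annotations(policy_text))
    granted, needed = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for res in _as_list(stmt.get("Resource", [])):
            kind, _, rest = res.partition("/")
            instance = rest.split("/", 1)[0]
            if kind == "instance" and "mq:MqttInstanceAccess" in actions:
                granted.add(instance)
            elif kind in ("topic", "groupId", "rule"):
                needed.add(instance)
    return sorted(needed - granted)

# Constructed sample policies; the instance IDs and topic name are placeholders.
SAMPLE_OK = """{
  "Version": "1",
  "Statement": [
    {   //Instance permission first.
      "Effect": "Allow", "Action": ["mq:MqttInstanceAccess"],
      "Resource": ["instance/post-cn-example0001"]
    },
    {   //Publish and subscribe on one topic.
      "Effect": "Allow", "Action": ["mq:PUB", "mq:SUB"],
      "Resource": ["topic/post-cn-example0001/Topic_demo"]
    }
  ]
}"""
SAMPLE_MISSING = """{"Version": "1", "Statement": [{   //No instance statement.
  "Effect": "Allow", "Action": ["mq:ApplyToken"],
  "Resource": ["topic/post-cn-example0002/Topic_demo"]}]}"""

print(missing_instance_grants(SAMPLE_OK), missing_instance_grants(SAMPLE_MISSING))
```

An empty list means every referenced instance also carries the instance permission; a non-empty list names the instances that still need it.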