This topic describes the common permission policies in Message Queue for MQTT.

Precautions

Before you read this topic, we recommend that you read Permission policies of Message Queue for MQTT supported in Resource Access Management (RAM).

A RAM policy document must be valid JSON, so before you copy a sample policy, delete the comments (the "//" marker and the text that follows it on the same line). Replace {mqttInstanceId}, {storeInstanceId}, {topic}, and {groupId} with the IDs of your own resources. For example, replace {groupId} with GID_xxx.

Notice {storeInstanceId} is the ID of the persistent instance that is bound to your Message Queue for MQTT instance. You can find the ID of the bound persistent instance on the instance details page in the Message Queue for MQTT console.

Example 1: Grant permissions for a topic and a group in an instance.

  • This policy is applicable to instances with namespaces.
    {
        "Version": "1",
        "Statement": [
            {
                // Grant access to the instance. On instances with namespaces, grant this before you grant permissions for topics and groups.
                "Effect": "Allow",
                "Action": [
                    "mq:MqttInstanceAccess"
                ],
                "Resource": [
                    "acs:mq:*:*:{mqttInstanceId}"
                ]
            },
            {
                // Grant the permissions to publish and subscribe to messages for a topic. The topic resource uses the ID of the bound persistent instance ({storeInstanceId}), not the MQTT instance ID.
                "Effect": "Allow",
                "Action": [
                    "mq:PUB",
                    "mq:SUB"
                ],
                "Resource": [
                    "acs:mq:*:*:{storeInstanceId}%{topic}"
                ]
            },
            {
                // Grant the permission to subscribe for a group.
                "Effect": "Allow",
                "Action": [
                    "mq:SUB"
                ],
                "Resource": [
                    "acs:mq:*:*:{mqttInstanceId}%{groupId}"
                ]
            }
        ]
    }
  • This policy is applicable to instances without namespaces.
    {
        "Version": "1",
        "Statement": [
            {
                // Grant access to the instance. Grant this before you grant permissions for topics and groups.
                "Effect": "Allow",
                "Action": [
                    "mq:MqttInstanceAccess"
                ],
                "Resource": [
                    "acs:mq:*:*:{mqttInstanceId}"
                ]
            },
            {
                // Grant the permissions to publish and subscribe to messages for a topic.
                "Effect": "Allow",
                "Action": [
                    "mq:PUB",
                    "mq:SUB"
                ],
                "Resource": [
                    "acs:mq:*:*:{topic}"
                ]
            },
            {
                // Grant the permission to subscribe for a group.
                "Effect": "Allow",
                "Action": [
                    "mq:SUB"
                ],
                "Resource": [
                    "acs:mq:*:*:{groupId}"
                ]
            }
        ]
    }

Example 2: Grant permissions for an entire instance (only applicable to instances with namespaces).

To grant the permissions to operate all resources in an instance, use the following policy. The wildcard action mq:* together with the trailing * in the resource covers every topic and group under the instance, so use this policy only when the RAM user really needs the whole instance; otherwise, use Example 1 to limit access to specific topics and groups.

{
    // Only applicable to instances with namespaces.
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mq:*"
            ],
            "Resource": [
                // Grant permissions for the whole instance. Replace {mqttInstanceId} with the ID of your instance.
                "acs:mq:*:*:{mqttInstanceId}*"
            ]
        }
    ]
}
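The following Python script is an added example that is not part of the original documentation and is not an Alibaba Cloud tool. It renders the templates from Example 1 (instances with namespaces) and Example 2 with your IDs, strips the "//" comments so the output is valid JSON, refuses to emit a policy that still contains placeholders, and runs a small wildcard evaluator to confirm the precondition stated above (mq:MqttInstanceAccess on the instance before topic and group grants), to show that the group statement of Example 1 grants mq:SUB only, and to show how far the trailing * of Example 2 reaches. The region, account ID, instance IDs, topic and group names are constructed placeholders, and the evaluator models only Allow statements with * wildcards; it is not RAM's own evaluation engine.

```python
# Added example, not from the original documentation: render the RAM policy
# templates on this page into valid JSON and check them against the page's rules.
# Every ID and ARN here is a constructed placeholder, not a real resource.
import json
import re
from fnmatch import fnmatchcase

POLICY_TOPIC_AND_GROUP = """
{
    "Version": "1",
    "Statement": [
        {
            // Instance-level grant; required before any topic or group grant.
            "Effect": "Allow",
            "Action": ["mq:MqttInstanceAccess"],
            "Resource": ["acs:mq:*:*:{mqttInstanceId}"]
        },
        {
            // Publish and subscribe on one topic (resource uses the bound persistent instance ID).
            "Effect": "Allow",
            "Action": ["mq:PUB", "mq:SUB"],
            "Resource": ["acs:mq:*:*:{storeInstanceId}%{topic}"]
        },
        {
            // Subscribe permission for one group.
            "Effect": "Allow",
            "Action": ["mq:SUB"],
            "Resource": ["acs:mq:*:*:{mqttInstanceId}%{groupId}"]
        }
    ]
}
"""

POLICY_WHOLE_INSTANCE = """
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["mq:*"],
            "Resource": ["acs:mq:*:*:{mqttInstanceId}*"] // trailing * also matches topics and groups
        }
    ]
}
"""

ARN_PREFIX = "acs:mq:cn-hangzhou:123456789012:"  # constructed region and account ID


def strip_comments(text: str) -> str:
    """Drop '//' comments that sit outside double-quoted strings."""
    out, in_string, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_string = not in_string
        if not in_string and text.startswith("//", i):
            newline = text.find("\n", i)
            i = len(text) if newline == -1 else newline
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def render_policy(template: str, **values: str) -> dict:
    """Fill in {placeholders}, strip comments and parse; fail on leftover placeholders."""
    text = strip_comments(template)
    for name, value in values.items():
        text = text.replace("{" + name + "}", value)
    leftover = sorted(set(re.findall(r"\{[A-Za-z]+\}", text)))
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return json.loads(text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal evaluator: Allow if any statement matches both action and
    resource, treating '*' as a wildcard. Deny statements are not modelled."""
    for stmt in policy["Statement"]:
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if (stmt.get("Effect") == "Allow"
                and any(fnmatchcase(action, a) for a in actions)
                and any(fnmatchcase(resource, r) for r in resources)):
            return True
    return False


def has_instance_access(policy: dict, mqtt_instance_id: str) -> bool:
    """The page's precondition for instances with namespaces: topic and group
    grants only take effect if mq:MqttInstanceAccess is granted on the instance."""
    return is_allowed(policy, "mq:MqttInstanceAccess", ARN_PREFIX + mqtt_instance_id)


if __name__ == "__main__":
    ids = dict(mqttInstanceId="post-cn-example", storeInstanceId="MQ_INST_example",
               topic="sensor_data", groupId="GID_sensor")
    policy = render_policy(POLICY_TOPIC_AND_GROUP, **ids)
    print(json.dumps(policy, indent=4))  # valid JSON, ready to paste into the RAM console
    group_arn = ARN_PREFIX + "post-cn-example%GID_sensor"
    print("instance access granted:", has_instance_access(policy, "post-cn-example"))
    print("group may SUB:", is_allowed(policy, "mq:SUB", group_arn))
    print("group may PUB:", is_allowed(policy, "mq:PUB", group_arn))
    wide = render_policy(POLICY_WHOLE_INSTANCE, mqttInstanceId="post-cn-example")
    print("whole-instance policy, group may PUB:", is_allowed(wide, "mq:PUB", group_arn))
```

Run the script and paste the printed JSON into the RAM console. A ValueError means a placeholder was left in the template; a False from has_instance_access means the instance-level statement is missing and the topic and group grants will not work on an instance with namespaces.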