Alibaba Cloud offers Resource Access Management (RAM) to manage permissions for Message Queue for MQTT. RAM allows you to avoid sharing the AccessKey pair, which includes an AccessKey ID and an AccessKey secret, of your Alibaba Cloud account with other users. Instead, you can grant users only the minimum required permissions. Before you call an Alibaba Cloud API as a RAM user, you must use an Alibaba Cloud account to create an authorization policy to grant permissions to the RAM user.

Mappings between resources and actions in Message Queue for MQTT

In Message Queue for MQTT, instances, topics, groups, and rules are different types of resources. The permissions that can be granted on these resources are called actions.

Message Queue for MQTT API operations that can be authorized to RAM users

The following table lists the Message Queue for MQTT API operations that can be authorized to RAM users and the description of these API operations.

Note: To access the Message Queue for MQTT API operations, you must obtain the permission to access the Message Queue for MQTT instance. The action for this permission is mq:MqttInstanceAccess.

For more information, see Permission policies.

| API | Resource name format | Example | Action |
| --- | --- | --- | --- |
| RevokeToken | `acs:mq:*:*:*` | `acs:mq:*:*:*` | `mq:MqttInstanceAccess`, `mq:RevokeToken` |
| QueryToken | `acs:mq:*:*:*` | `acs:mq:*:*:*` | `mq:MqttInstanceAccess`, `mq:QueryToken` |
| ApplyToken | Instance: `acs:mq:*:*:instance/{mqttInstanceId}`; Topic: `acs:mq:*:*:topic/{mqttInstanceId}/{topic}` | Instance: `acs:mq:*:*:instance/post-cn-09k1noy****`; Topic: `acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****` | `mq:MqttInstanceAccess`, `mq:ApplyToken` |
| CreateGroupId | Instance: `acs:mq:*:*:instance/{mqttInstanceId}`; Group ID: `acs:mq:*:*:groupId/{mqttInstanceId}/{gid}` | Instance: `acs:mq:*:*:instance/post-cn-09k1noy****`; Group ID: `acs:mq:*:*:groupId/post-cn-09k1noy****/GID_****` | `mq:MqttInstanceAccess`, `mq:CreateGroupId` |
| DeleteGroupId | | | `mq:MqttInstanceAccess`, `mq:DeleteGroupId` |
| ListGroupId | | | `mq:MqttInstanceAccess`, `mq:ListGroupId` |
| CreateTopic | Instance: `acs:mq:*:*:instance/{mqttInstanceId}`; Topic: `acs:mq:*:*:topic/{mqttInstanceId}/{topic}` | Instance: `acs:mq:*:*:instance/post-cn-09k1noy****`; Topic: `acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****` | `mq:MqttInstanceAccess`, `mq:CreateMqttTopic` |
| DeleteTopic | | | `mq:MqttInstanceAccess`, `mq:DeleteMqttTopic` |
| ListTopic | | | `mq:MqttInstanceAccess`, `mq:ListMqttTopic` |
| UpdateTopic | | | `mq:MqttInstanceAccess`, `mq:UpdateMqttTopic` |
| CreateMqttInboundRule | Instance: `acs:mq:*:*:instance/{mqttInstanceId}`; Rule: `acs:mq:*:*:rule/{mqttInstanceId}/{ruleId}` | Instance: `acs:mq:*:*:instance/post-cn-09k1noy****`; Rule: `acs:mq:*:*:rule/post-cn-09k1noy****/111****` | `mq:MqttInstanceAccess`, `mq:CreateMqttInboundRule` |
| DeleteMqttInboundRule | | | `mq:MqttInstanceAccess`, `mq:DeleteMqttInboundRule` |
| ListMqttInboundRuleInPage | | | `mq:MqttInstanceAccess`, `mq:ListMqttInboundRule` |
| UpdateMqttInboundRule | | | `mq:MqttInstanceAccess`, `mq:UpdateMqttInboundRule` |
| CreateMqttOutboundRule | | | `mq:MqttInstanceAccess`, `mq:CreateMqttOutboundRule` |
| DeleteMqttOutboundRule | | | `mq:MqttInstanceAccess`, `mq:DeleteMqttOutboundRule` |
| ListMqttOutboundRuleInPage | | | `mq:MqttInstanceAccess`, `mq:ListMqttOutboundRule` |
| UpdateMqttOutboundRule | | | `mq:MqttInstanceAccess`, `mq:UpdateMqttOutboundRule` |
| CreateClientStatusNotifyRule | | | `mq:MqttInstanceAccess`, `mq:CreateClientStatusNotifyRule` |
| DeleteClientStatusNotifyRule | | | `mq:MqttInstanceAccess`, `mq:DeleteClientStatusNotifyRule` |
| ListClientStatusNotifyRuleInPage | | | `mq:MqttInstanceAccess`, `mq:ListClientStatusNotifyRule` |
| UpdateClientStatusNotifyRule | | | `mq:MqttInstanceAccess`, `mq:UpdateClientStatusNotifyRule` |
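
The following check is an added example, not Alibaba Cloud code: it lints a RAM policy document against two points from this page, the mq:MqttInstanceAccess requirement in the note and the scoped resource name formats in the table. It assumes the standard RAM policy JSON layout (Statement, Effect, Action, Resource); `lint_policy`, the sample policies and the instance and topic names are constructed for illustration.

```python
# Added example, not Alibaba Cloud code. Assumes the standard RAM policy JSON
# layout (Statement / Effect / Action / Resource); all sample values are constructed.
INSTANCE_ACCESS = "mq:MqttInstanceAccess"
# Actions whose rows in the table give a scoped resource name format.
SCOPED_ACTIONS = {"mq:ApplyToken", "mq:CreateGroupId", "mq:CreateMqttTopic",
                  "mq:CreateMqttInboundRule"}
# Other actions listed in the table (subset; extend with the remaining rows).
OTHER_ACTIONS = {"mq:RevokeToken", "mq:QueryToken", "mq:DeleteGroupId",
                 "mq:ListGroupId", "mq:DeleteMqttTopic", "mq:ListMqttTopic"}
WILDCARD_RESOURCES = {"*", "acs:mq:*:*:*"}

def _as_list(value):
    """RAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def lint_policy(policy):
    """Return sorted findings for the Allow statements of a policy dict."""
    findings, allowed = set(), set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = set(_as_list(stmt.get("Resource", [])))
        allowed.update(actions)
        for action in actions:
            # A wildcard resource where the table offers an instance/topic scope.
            if action in SCOPED_ACTIONS and resources & WILDCARD_RESOURCES:
                findings.add("unscoped resource for " + action)
    # The page's note: every MQTT API call also needs mq:MqttInstanceAccess.
    if allowed & (SCOPED_ACTIONS | OTHER_ACTIONS) and INSTANCE_ACCESS not in allowed:
        findings.add("missing " + INSTANCE_ACCESS)
    return sorted(findings)

# Constructed policies; the instance ID and topic name are placeholders.
SCOPED_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": [INSTANCE_ACCESS, "mq:ApplyToken"],
    "Resource": ["acs:mq:*:*:instance/post-cn-EXAMPLE",
                 "acs:mq:*:*:topic/post-cn-EXAMPLE/Topic_example"]}]}
BROAD_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "mq:ApplyToken", "Resource": "acs:mq:*:*:*"}]}

if __name__ == "__main__":
    print(lint_policy(SCOPED_POLICY))
    print(lint_policy(BROAD_POLICY))
```

The linter does not expand wildcard actions such as `mq:*`; it only inspects actions named explicitly in the policy.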