Alibaba Cloud Resource Access Management (RAM) provides permission management for Message Queue for MQTT. With RAM, you can avoid sharing the key of your Alibaba Cloud account (an AccessKey pair that contains an AccessKey ID and an AccessKey secret) with other users. Instead, you can grant them only the necessary permissions. Before a RAM user can call an Alibaba Cloud API, you must use your Alibaba Cloud account to create an authorization policy that grants permissions to the RAM user.

Mapping between resources and actions in Message Queue for MQTT

In Message Queue for MQTT, instances, topics, groups, and rules are different types of resources. The permissions that can be granted on these resources are called actions.

Message Queue for MQTT API operations that can be authorized

The following table lists the Message Queue for MQTT API operations that can be authorized and their descriptions.

Note: To call Message Queue for MQTT API operations, you must have permission to access the Message Queue for MQTT instance, that is, mq:MqttInstanceAccess.

For more information, see Permission.

RevokeToken
  Resource naming format (no namespace for instances):
  • Instance: acs:mq:*:*:{mqttInstanceId}
  • Topic: acs:mq:*:*:{topic}
  • Group ID: acs:mq:*:*:{groupId}
  Resource naming format (instances have namespaces):
  • Instance: acs:mq:*:*:{mqttInstanceId}
  • Topic: acs:mq:*:*:{storeInstanceId}%{topic}
  • Group ID: acs:mq:*:*:{mqttInstanceId}%{groupId}
  Notice: Here, storeInstanceId refers to the ID of the persistent instance bound to your Message Queue for MQTT instance. You can get the ID of the bound persistent instance on the instance details page of the Message Queue for MQTT console.
  Description:
  • mq:MqttInstanceAccess
  • mq:RevokeToken
QueryToken
  Description:
  • mq:MqttInstanceAccess
  • mq:QueryToken
ApplyToken
  Description:
  • mq:MqttInstanceAccess
  • mq:ApplyToken
CreateGroupId
  Description:
  • mq:MqttInstanceAccess
  • mq:CreateGroupId
DeleteGroupId
  Description:
  • mq:MqttInstanceAccess
  • mq:DeleteGroupId
ListGroupId
  Description:
  • mq:MqttInstanceAccess
  • mq:ListGroupId
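The following is an added example, not code from Alibaba Cloud's documentation: it builds a least-privilege RAM policy from the actions and resource naming formats listed above, and audits a policy for wildcard grants or a missing mq:MqttInstanceAccess. It assumes the standard RAM policy layout (Version "1" with Statement, Effect, Action and Resource); the function names are hypothetical, and all instance, topic and group IDs passed to it are supplied by the caller.

```python
# Actions listed in the table on this page, keyed by API operation.
OPERATION_ACTIONS = {
    "RevokeToken": "mq:RevokeToken",
    "QueryToken": "mq:QueryToken",
    "ApplyToken": "mq:ApplyToken",
    "CreateGroupId": "mq:CreateGroupId",
    "DeleteGroupId": "mq:DeleteGroupId",
    "ListGroupId": "mq:ListGroupId",
}
INSTANCE_ACCESS = "mq:MqttInstanceAccess"  # the page requires this for every API call
PREFIX = "acs:mq:*:*:"


def build_resources(mqtt_instance_id, topics=(), group_ids=(), store_instance_id=None):
    """Resource names in the page's formats; pass store_instance_id for namespaced instances."""
    namespaced = store_instance_id is not None
    names = [PREFIX + mqtt_instance_id]
    for topic in topics:  # namespaced topics are prefixed with the bound persistent instance ID
        names.append(PREFIX + (f"{store_instance_id}%{topic}" if namespaced else topic))
    for gid in group_ids:  # namespaced group IDs are prefixed with the MQTT instance ID
        names.append(PREFIX + (f"{mqtt_instance_id}%{gid}" if namespaced else gid))
    return names


def build_policy(operations, resources):
    """Instance access plus one action per requested operation (unknown names raise KeyError)."""
    actions = [INSTANCE_ACCESS] + [OPERATION_ACTIONS[op] for op in operations]
    return {"Version": "1",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resources}]}


def audit_policy(policy):
    """Findings for over-broad or incomplete Allow statements (empty list means clean)."""
    findings, granted = [], set()
    as_list = lambda v: [v] if isinstance(v, str) else list(v)
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        granted.update(actions)
        if any("*" in a for a in actions):
            findings.append(f"statement {i}: wildcard action")
        if any(r == "*" or r.endswith(":*") for r in as_list(stmt.get("Resource", []))):
            findings.append(f"statement {i}: wildcard resource")
    if granted & set(OPERATION_ACTIONS.values()) and INSTANCE_ACCESS not in granted:
        findings.append(f"policy: {INSTANCE_ACCESS} not granted")
    return findings
```

Serialize the result of build_policy with json.dumps to get the policy document to attach to the RAM user.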