Alibaba Cloud Resource Access Management (RAM) provides permission management for message queue for MQTT. With RAM, you can avoid sharing the key of your Alibaba Cloud account (an AccessKey pair that contains an AccessKey ID and an AccessKey secret) with other users. Instead, you can grant them only the necessary permissions. Before calling an Alibaba Cloud API as a RAM user, you must use your Alibaba Cloud account to create an authorization policy to grant permissions to the RAM user.

Message Queue for MQTTThe mapping between the Resource and Action

In Message Queue for MQTTinstances, topics, groups, and rules are different types of resources, and the permissions granted for these resources are actions.

Authorizable Message Queue for MQTTOpenAPI

The following table lists the Message Queue for MQTTauthorized APIs and their descriptions.

Note For access Message Queue for MQTTthe OpenAPI, you must have access Message Queue for MQTTthe permission of the instance, that is, mq:MqttInstanceAccess.

For more information, see Permission.

API operation Resource naming format (no namespace for instances) Resource naming format (instances have namespaces) Description
RevokeToken
  • Example: acs:mq:*:*:{mqttInstanceId}
  • Topic:acs:mq:*:*:{topic}
  • Group ID:acs:mq:*:*:{groupId}
  • Example: acs:mq:*:*:{mqttInstanceId}
  • Topic:acs:mq:*:*:{storeInstanceId}%{topic}
  • Group ID:acs:mq:*:*:{mqttInstanceId}%{groupId}
Notice Here's storeInstanceid refers to you Message Queue for MQTTthe ID of the persistent instance bound to the instance. You can go to Message Queue for MQTTof the console instance details page to get the ID of the bound persistent instance.
  • mq:MqttInstanceAccess
  • mq:RevokeToken
QueryToken
  • mq:MqttInstanceAccess
  • mq:QueryToken
ApplyToken
  • mq:MqttInstanceAccess
  • mq:ApplyToken
CreateGroupId
  • mq:MqttInstanceAccess
  • mq:CreateGroupId
DeleteGroupId
  • mq:MqttInstanceAccess
  • mq:DeleteGroupId
ListGroupId
  • mq:MqttInstanceAccess
  • mq:ListGroupId