ApsaraMQ for RabbitMQ:Grant permissions to RAM users

Last Updated:Feb 06, 2024

Resource Access Management (RAM) allows you to separately manage the permissions of Alibaba Cloud accounts and their RAM users. You can grant different permissions to different RAM users to prevent security risks caused by the disclosure of the AccessKey pair of your Alibaba Cloud account.

Background information

Enterprise A has activated ApsaraMQ for RabbitMQ and wants to grant employees permissions on ApsaraMQ for RabbitMQ resources, such as instances, queues, virtual hosts (vhosts), and exchanges. Employees with different duties require different permissions. The following items describe the requirements of Enterprise A:

  • For security purposes, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, Enterprise A prefers to create different RAM users for employees and grant different permissions to the RAM users.

  • A RAM user can manage resources only after the required permissions are granted to it. Resource usage and costs are not calculated separately for each RAM user; all expenses are billed to the Alibaba Cloud account of Enterprise A.

  • Enterprise A can revoke the permissions that are granted to RAM users and delete RAM users at any time.

Step 1: Create a RAM user

Enterprise A uses its Alibaba Cloud account to log on to the RAM console and create RAM users.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for each RAM user. This way, a RAM user that represents an individual (console logon) is kept separate from a RAM user that represents a program (AccessKey pair), and a leaked credential of one kind does not expose the other.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.

      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.

      • Enable MFA: specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user or allow the RAM user to bind an MFA device. For more information, see Bind an MFA device to a RAM user.

    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.

      Important

      The AccessKey secret of a RAM user is displayed only once, when the AccessKey pair is created (after you click Create AccessKey). You cannot query the AccessKey secret in subsequent operations. Therefore, store it securely at creation time, for example in a secrets manager, and never in source code or chat messages.

  6. Click OK.

  7. Complete security verification as prompted.

Step 2: Grant permissions to the RAM user

Enterprise A grants different permissions to different RAM users.

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, grant permissions to the RAM user.

    1. Configure the Authorized Scope parameter.

      • Alibaba Cloud Account: The authorization takes effect on all resources within the Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect in a specific resource group.

        Note

        If you select Specific Resource Group for the Authorized Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Configure the Principal parameter.

      The principal is the RAM user to whom you want to grant permissions.

    3. Configure the Select Policy parameter.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies:

      • System policies: policies that are created and updated by Alibaba Cloud. You can attach these policies but cannot modify them. You can enter a keyword of a system policy that you want to add in the search field to search for the system policy. For information about policies that are supported by ApsaraMQ for RabbitMQ, see RAM policies.

      • Custom policies: policies that are managed and updated based on your business requirements. You can create, update, and delete custom policies. You can enter a keyword of a created custom policy in the search field to search for the policy. If you did not create a custom policy, you can click Create Policy to go to the Create Policy page and then create a custom policy on the JSON tab. For more information, see Create custom policies and RAM policies.

      Note

      You can attach up to five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.

    4. Find the policy that you want to add and click the policy. On the right of the panel, the selected policy is displayed. Then, click OK.

  5. In the Add Permissions panel, view the authorization information and click Complete.
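The following is an added example, not code from this documentation page or from Alibaba Cloud, of the custom policy that Step 2 lets you create on the JSON tab: a least-privilege document for one ApsaraMQ for RabbitMQ instance, together with a small evaluator that shows what a RAM user holding that policy can and cannot do. The document layout (Version "1", statements with Effect, Action and Resource) and the evaluation order (an explicit Deny beats any Allow, and anything not allowed is denied) are RAM's own rules. The action names (amqp:ListQueues and so on) and the resource ARN layout (acs:amqp:*:*:/instances/<id>/...) are assumed for illustration; check them against the RAM policies page for ApsaraMQ for RabbitMQ before you attach such a policy. The sample instance ID, region and account ID in the block are constructed.

```python
"""Least-privilege custom RAM policy for one ApsaraMQ for RabbitMQ instance, with a
small evaluator that shows what a RAM user holding it can and cannot do.

Added example; not code from the documentation page or from Alibaba Cloud.
ASSUMED: the action names (amqp:*) and the resource ARN layout
(acs:amqp:*:*:/instances/<id>/...). Verify them against the "RAM policies" page.
The evaluator ignores the Condition element that real RAM policies may carry.
"""
import fnmatch
import json


def build_policy(instance_id: str) -> dict:
    """Read everything in one instance, manage queues/exchanges there, never delete it."""
    instance_arn = f"acs:amqp:*:*:/instances/{instance_id}"
    return {
        "Version": "1",
        "Statement": [
            {
                # Read-only access, scoped to this instance and everything under it.
                "Effect": "Allow",
                "Action": ["amqp:List*", "amqp:Get*"],
                "Resource": [instance_arn, instance_arn + "/*"],
            },
            {
                # Queue and exchange management, again scoped to this instance only.
                "Effect": "Allow",
                "Action": [
                    "amqp:CreateQueue", "amqp:DeleteQueue",
                    "amqp:CreateExchange", "amqp:DeleteExchange",
                ],
                "Resource": [instance_arn + "/*"],
            },
            {
                # Explicit Deny: wins even if another attached policy grants amqp:*.
                "Effect": "Deny",
                "Action": ["amqp:DeleteInstance"],
                "Resource": ["*"],
            },
        ],
    }


def _matches(value: str, patterns) -> bool:
    """RAM-style wildcard match; '*' in a pattern spans any characters."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one request against one policy document (Deny-overrides).

    Walk every statement: the first matching Deny decides, otherwise any
    matching Allow grants, and no match at all means the request is denied.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(action, stmt["Action"]) or not _matches(resource, stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_json(instance_id: str) -> str:
    """The text to paste into the JSON tab of the Create Policy page."""
    return json.dumps(build_policy(instance_id), indent=2)


if __name__ == "__main__":
    # Constructed sample instance ID, region and account ID; not real identifiers.
    inst = "amqp-cn-example001"
    base = f"acs:amqp:cn-hangzhou:123456789012:/instances/{inst}"
    policy = build_policy(inst)
    print(policy_json(inst))
    for action, resource in [
        ("amqp:ListQueues", base + "/vhosts/prod"),
        ("amqp:CreateQueue", base + "/vhosts/prod/queues/orders"),
        ("amqp:DeleteInstance", base),
        ("amqp:ListQueues", base.replace(inst, "amqp-cn-other") + "/vhosts/prod"),
    ]:
        verdict = "allow" if is_allowed(policy, action, resource) else "DENY"
        print(f"{action:22s} {resource}: {verdict}")
```

The Deny statement is what makes the policy safe to combine with others: because RAM evaluates an explicit Deny ahead of any Allow across all policies attached to the user, a later AliyunAMQPFullAccess-style grant cannot reopen instance deletion for this RAM user.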

What to do next

After Enterprise A grants permissions to a RAM user, the employee who uses the RAM user can use one of the following methods to access ApsaraMQ for RabbitMQ:

  • ApsaraMQ for RabbitMQ console

    1. Open the RAM User Logon page in a browser.

    2. On the RAM User Logon page, enter the name of the RAM user, click Next, enter the password, and then click Log On.

      Note

      The name of a RAM user is in the <$username>@<$AccountAlias> format or the <$username>@<$AccountAlias>.onaliyun.com format. <$AccountAlias> specifies the account alias. If no account alias is specified, the ID of the Alibaba Cloud account is used.

  • API operation

    Load the AccessKey ID and AccessKey secret of the RAM user into your code, for example from environment variables or a credentials file rather than hard-coding them in source, and use them to sign the requests that access ApsaraMQ for RabbitMQ.
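As an added example of the API method, not code from this page or from the official SDKs, the block below signs an RPC-style Alibaba Cloud API request with a RAM user's AccessKey pair using the generic Signature V1 scheme (HMAC-SHA1 over a canonicalized query string), which is what the SDKs do internally. The AccessKey pair is read from the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET, the names the Alibaba Cloud SDK credential providers use, so the secret never appears in source. The endpoint amqp-open.cn-hangzhou.aliyuncs.com, the action ListInstances and the API version 2019-12-12 are assumptions to be checked against the ApsaraMQ for RabbitMQ API reference; the block builds the signed URL and does not send it.

```python
"""Sign an RPC-style Alibaba Cloud API request with a RAM user's AccessKey pair.

Added example, not from the documentation page or the official SDKs. Implements
the generic Signature V1 scheme: sort parameters, percent-encode them, build
  StringToSign = METHOD & encode("/") & encode(canonicalized query)
and sign it with HMAC-SHA1 under the key AccessKeySecret + "&".
ASSUMED: endpoint, action name and API version used in __main__.
"""
import base64
import hashlib
import hmac
import os
import uuid
from datetime import datetime, timezone
from urllib.parse import quote


def percent_encode(value) -> str:
    """Encode as the signature spec requires: only A-Z a-z 0-9 - _ . ~ stay literal;
    everything else, including '/', '+', '*' and ':', becomes %XX."""
    return quote(str(value), safe="~")


def string_to_sign(method: str, params: dict) -> str:
    """Canonicalize the (unsigned) parameters in byte order of their names."""
    canonical = "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items())
    )
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(method: str, params: dict, access_key_secret: str) -> str:
    """Base64(HMAC-SHA1(secret + '&', StringToSign)); 'params' must not contain Signature."""
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def signed_query(action: str, access_key_id: str, access_key_secret: str,
                 api_version: str, extra=None, *, nonce=None, timestamp=None) -> dict:
    """Assemble the common parameters plus 'extra', then attach the Signature."""
    params = {
        "Action": action,
        "Version": api_version,
        "Format": "JSON",
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        # A fresh nonce per request is what lets the server reject replays.
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    params.update(extra or {})
    params["Signature"] = sign("GET", params, access_key_secret)
    return params


def build_url(endpoint: str, params: dict) -> str:
    query = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    return f"https://{endpoint}/?{query}"


def load_credentials():
    """Read the RAM user's AccessKey pair from the environment, never from source."""
    ak_id = os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
    ak_secret = os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
    if not ak_id or not ak_secret:
        raise RuntimeError("set ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET")
    return ak_id, ak_secret


if __name__ == "__main__":
    ak_id, ak_secret = load_credentials()
    # ASSUMED endpoint, action and version; verify against the ApsaraMQ for RabbitMQ API reference.
    params = signed_query("ListInstances", ak_id, ak_secret, "2019-12-12")
    print(build_url("amqp-open.cn-hangzhou.aliyuncs.com", params))
```

Because the signature covers every parameter, including the timestamp and nonce, a captured URL cannot be replayed indefinitely or altered to target another action, and the AccessKey secret itself never leaves the client. If the secret is ever exposed, create a new AccessKey pair for the RAM user and disable the old one rather than trying to scrub the leak.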