MNS allows an Alibaba Cloud account to grant permissions on resources to Resource Access Management (RAM) users. This prevents risks of exposing the AccessKey pair of the Alibaba Cloud account. Only authorized RAM users are allowed to manage resources in the MNS console, and publish and subscribe to messages by using SDKs or API operations.

Scenarios

Enterprise A purchases the MNS service. The employees of Enterprise A need to manage MNS resources, such as queues and topics. Employees with different roles require different permissions.

The following section describes specific scenarios:

  • For security reasons, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, Enterprise A wants to create different RAM users for the employees and grant different permissions to the RAM users.
  • A RAM user can only use resources for which the user is authorized. Resource usage and costs are not separately calculated for the RAM user. All expenses are billed to the Alibaba Cloud account of Enterprise A.
  • Enterprise A can revoke the permissions granted to a RAM user and delete a RAM user at any time.

In this scenario, the Alibaba Cloud account of Enterprise A can grant its employees fine-grained permissions on resources.

Procedure

  1. Create a RAM user by using the Alibaba Cloud account of Enterprise A.
    For more information, see Create a RAM user.
  2. Optional. Create custom policies for the new RAM user by using the Alibaba Cloud account of Enterprise A.
    For more information, see Create a custom policy.

    MNS supports resource-level permission settings. For more information, see Custom policies.

  3. Grant permissions to the RAM user by using the Alibaba Cloud account of Enterprise A.
    For more information, see Grant permissions to a RAM user.

What to do next

After you create a RAM user by using an Alibaba Cloud account, you can distribute the RAM user name and password or AccessKey pair information of the RAM user to other employees. Other employees can log on to the console or call an API operation of the service as the RAM user based on the following steps:
  • Log on to the console.
    1. Open the RAM User Logon page in the browser.
    2. On the RAM User Logon page, enter the RAM user name and then click Next. Enter the password of the RAM user and then click Login.
      Note The RAM user name is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If an account alias is not set, the ID of the Alibaba Cloud account is used by default.
    3. On the homepage of the console, click an authorized service to access the console of this service.
  • Call an API operation with the AccessKey pair of the RAM user.

    Use the AccessKey ID and AccessKey secret of the RAM user in the code.