MNS uses Alibaba Cloud Resource Access Management (RAM) to manage permissions. When you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. Instead, you can grant them only the minimal required permissions. An AccessKey pair includes an AccessKey ID and an AccessKey secret. This topic describes the RAM policies and provides examples for MNS.

Background information

In RAM, a policy is a set of permissions that are described with the policy syntax and structure. A policy can accurately describe the authorized resource set, action set, and authorization conditions. For more information, see Policy structure and syntax.

EventBridge supports the following types of RAM policies:

  • System policies

    System policies are created and maintained by Alibaba Cloud. You can attach these policies, but you cannot modify them; Alibaba Cloud maintains the policy updates.

  • Custom policies

    You can create, update, and delete custom policies and maintain version updates of the policies. You can edit custom policies and attach them to RAM users in the RAM console.

System policies

The following table describes the default permission policies that are provided for MNS.

Policy | Description
AliyunMNSFullAccess | The permissions to manage MNS, which are equivalent to the permissions that the Alibaba Cloud account has. A RAM user to which this policy is attached can send and subscribe to all messages and use all the features of the console.
AliyunMNSReadOnlyAccess | The read-only permissions on MNS. A RAM user to which this policy is attached can only read resource information in the console or by calling API operations.

Custom policies

You can define custom policies to grant fine-grained permissions. The following table describes the actions and resources that can be used to define custom policies for MNS.

API operation | Action | Resource
OpenService | mns:OpenService | acs:mns:$region:$accountid:/commonbuy/openservice
ListQueue | mns:ListQueue | acs:mns:$region:$accountid:/queues
CreateQueue | mns:CreateQueue | acs:mns:$region:$accountid:/queues/$queueName
DeleteQueue | mns:DeleteQueue | acs:mns:$region:$accountid:/queues/$queueName
SetQueueAttributes | mns:SetQueueAttributes | acs:mns:$region:$accountid:/queues/$queueName
GetQueueAttributes | mns:GetQueueAttributes | acs:mns:$region:$accountid:/queues/$queueName
SendMessage or BatchSendMessage | mns:SendMessage | acs:mns:$region:$accountid:/queues/$queueName/messages
ReceiveMessage or BatchReceiveMessage | mns:ReceiveMessage | acs:mns:$region:$accountid:/queues/$queueName/messages
DeleteMessage | mns:DeleteMessage | acs:mns:$region:$accountid:/queues/$queueName/messages
PeekMessage or BatchPeekMessage | mns:PeekMessage | acs:mns:$region:$accountid:/queues/$queueName/messages
ChangeMessageVisibility | mns:ChangeMessageVisibility | acs:mns:$region:$accountid:/queues/$queueName/messages
ListTopic | mns:ListTopic | acs:mns:$region:$accountid:/topics
CreateTopic | mns:CreateTopic | acs:mns:$region:$accountid:/topics/$topicName
DeleteTopic | mns:DeleteTopic | acs:mns:$region:$accountid:/topics/$topicName
SetTopicAttributes | mns:SetTopicAttributes | acs:mns:$region:$accountid:/topics/$topicName
GetTopicAttributes | mns:GetTopicAttributes | acs:mns:$region:$accountid:/topics/$topicName
ListSubscriptionByTopic | mns:ListSubscriptionByTopic | acs:mns:$region:$accountid:/topics/$topicName/subscriptions
Subscribe | mns:Subscribe | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName
Unsubscribe | mns:Unsubscribe | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName
SetSubscriptionAttributes | mns:SetSubscriptionAttributes | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName
GetSubscriptionAttributes | mns:GetSubscriptionAttributes | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName
PublishMessage | mns:PublishMessage | acs:mns:$region:$accountid:/topics/$topicName/messages
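The table above is the whole vocabulary a least-privilege MNS policy can be built from: each action maps to exactly one resource pattern, so a policy for a workload should name only the actions it calls and fill the placeholders with the concrete region, account ID and queue or topic name. The following script is an added example (not code from the MNS documentation or product): it transcribes the table, builds a policy for a hypothetical role bundle such as a queue consumer, refuses to emit a resource with an unfilled placeholder, and audits any policy for wildcard actions or wildcard resource segments. The role names, region, account ID and queue/topic names are constructed sample values.

```python
import json
from collections import OrderedDict

# Action -> resource pattern, transcribed from the table above. The placeholders
# ($region, $accountid, $queueName, $topicName, $subscriptionName) are filled in
# by render_resource().
RESOURCE_PATTERNS = {
    "mns:ListQueue": "acs:mns:$region:$accountid:/queues",
    "mns:CreateQueue": "acs:mns:$region:$accountid:/queues/$queueName",
    "mns:DeleteQueue": "acs:mns:$region:$accountid:/queues/$queueName",
    "mns:SetQueueAttributes": "acs:mns:$region:$accountid:/queues/$queueName",
    "mns:GetQueueAttributes": "acs:mns:$region:$accountid:/queues/$queueName",
    "mns:SendMessage": "acs:mns:$region:$accountid:/queues/$queueName/messages",
    "mns:ReceiveMessage": "acs:mns:$region:$accountid:/queues/$queueName/messages",
    "mns:DeleteMessage": "acs:mns:$region:$accountid:/queues/$queueName/messages",
    "mns:PeekMessage": "acs:mns:$region:$accountid:/queues/$queueName/messages",
    "mns:ChangeMessageVisibility": "acs:mns:$region:$accountid:/queues/$queueName/messages",
    "mns:ListTopic": "acs:mns:$region:$accountid:/topics",
    "mns:CreateTopic": "acs:mns:$region:$accountid:/topics/$topicName",
    "mns:DeleteTopic": "acs:mns:$region:$accountid:/topics/$topicName",
    "mns:SetTopicAttributes": "acs:mns:$region:$accountid:/topics/$topicName",
    "mns:GetTopicAttributes": "acs:mns:$region:$accountid:/topics/$topicName",
    "mns:ListSubscriptionByTopic": "acs:mns:$region:$accountid:/topics/$topicName/subscriptions",
    "mns:Subscribe": "acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName",
    "mns:Unsubscribe": "acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName",
    "mns:SetSubscriptionAttributes": "acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName",
    "mns:GetSubscriptionAttributes": "acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName",
    "mns:PublishMessage": "acs:mns:$region:$accountid:/topics/$topicName/messages",
}

# Hypothetical role bundles, constructed for this example (they are not MNS
# system policies): each lists only the actions that workload needs.
ROLES = {
    "queue-producer": ["mns:SendMessage"],
    "queue-consumer": ["mns:ReceiveMessage", "mns:DeleteMessage",
                       "mns:ChangeMessageVisibility"],
    "topic-publisher": ["mns:PublishMessage"],
}


def render_resource(action, region, account_id, **names):
    """Fill the table's resource pattern for one action; refuse if a placeholder is left."""
    rendered = (RESOURCE_PATTERNS[action]            # KeyError: action is not in the table
                .replace("$region", region)
                .replace("$accountid", account_id))
    for placeholder, value in names.items():          # e.g. queueName="orders"
        rendered = rendered.replace("$" + placeholder, value)
    if "$" in rendered:
        raise ValueError(f"unfilled placeholder in resource {rendered!r}")
    return rendered


def build_policy(role, region, account_id, **names):
    """Return a RAM policy that grants a role's actions on exactly the named resource(s)."""
    by_resource = OrderedDict()
    for action in ROLES[role]:
        resource = render_resource(action, region, account_id, **names)
        by_resource.setdefault(resource, []).append(action)
    statements = [{"Effect": "Allow", "Action": actions, "Resource": resource}
                  for resource, actions in by_resource.items()]
    return {"Version": "1", "Statement": statements}


def audit_policy(policy):
    """Return findings for Allow statements that are broader than the table supports."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in RESOURCE_PATTERNS:
                findings.append(f"statement {i}: action {action!r} is not in the MNS table")
        for res in resources:
            parts = res.split(":", 4)               # acs:mns:<region>:<account>:<path>
            if len(parts) != 5 or parts[:2] != ["acs", "mns"]:
                findings.append(f"statement {i}: malformed MNS resource {res!r}")
                continue
            region, account, path = parts[2:]
            if region == "*":
                findings.append(f"statement {i}: resource {res!r} spans every region")
            if account == "*":
                findings.append(f"statement {i}: resource {res!r} spans every account")
            if path == "*" or path.endswith("/*"):
                findings.append(f"statement {i}: resource {res!r} has a wildcard path")
    return findings


if __name__ == "__main__":
    # Constructed values: a sample region, account ID and queue name.
    policy = build_policy("queue-consumer", "cn-hangzhou", "123456789012", queueName="orders")
    print(json.dumps(policy, indent=4))
    print("findings:", audit_policy(policy))
```

Running the script prints a single-statement policy scoped to `acs:mns:cn-hangzhou:123456789012:/queues/orders/messages` with the three consumer actions and no findings; feeding `audit_policy` a statement with `"Action": "mns:*"` and `"Resource": "acs:mns:*:*:*"` reports the wildcard action and all three wildcard resource segments, which is the shape of grant that is equivalent to AliyunMNSFullAccess rather than a scoped custom policy.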

Examples of custom policies

  • Example 1: Allow access from specified CIDR blocks

    The following example shows how to allow access to MNS only from the 42.120.88.0/24 and 42.120.66.0/24 CIDR blocks:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "mns:*",
                "Effect": "Allow",
                "Resource": "acs:mns:*:*:*",
                "Condition":{
                    "IpAddress": {
                        "acs:SourceIp": ["42.120.88.0/24", "42.120.66.0/24"]
                    }
                }
            }
        ]
    }

  • Example 2: Deny access from specified CIDR blocks

    The following example shows how to deny access to MNS from any IP address that is outside the 42.120.88.0/24 CIDR block (the NotIpAddress condition makes the Deny statement apply to every source IP address that is not in that block):

    {
        "Version":"1",
        "Statement":[
            {
                "Action":"mns:*",
                "Effect":"Deny",
                "Resource":"acs:mns:*:*:*",
                "Condition":{
                    "NotIpAddress":{
                        "acs:SourceIp":[
                            "42.120.88.0/24"
                        ]
                    }
                }
            }
        ]
    }

    Notice: The Deny rule has a higher priority than the Allow rule in RAM policies. If you perform an access operation that is specified in the Deny rule, the operation fails. In this example, if you use an IP address that is not included in the 42.120.88.0/24 CIDR block to access MNS, an error message is returned because you are not authorized to access MNS.

  • Example 3: Authorize a RAM user to view MNS topics and queues

    The following example shows how to authorize a RAM user to list MNS queues and topics and to read the attributes of each queue or topic:

    {
        "Version":"1",
        "Statement":[
            {
                "Effect":"Allow",
                "Action":[
                    "mns:ListQueue",
                    "mns:ListTopic",
                    "mns:GetQueueAttributes",
                    "mns:GetTopicAttributes"
                ],
                "Resource":"acs:mns:*:*:*"
            }
        ]
    }
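
The interaction between Example 1, Example 2 and the Notice (an applicable Deny overrides any Allow, and a request that matches no Allow is denied implicitly) is easiest to see by evaluating both policies against concrete requests. The following simulator is an added example, not the RAM policy engine or any MNS code: it transcribes Examples 1 and 2, models only the IpAddress and NotIpAddress operators on acs:SourceIp that this topic uses, and assumes (this is not stated on the page) that a statement whose condition requires a source IP is not applicable when the request context lacks one. The account ID, queue name and source IP addresses are constructed sample values.

```python
import fnmatch
import ipaddress

# Example 1 and Example 2 from this topic, transcribed as Python dicts.
ALLOW_FROM_CIDRS = {
    "Version": "1",
    "Statement": [{
        "Action": "mns:*",
        "Effect": "Allow",
        "Resource": "acs:mns:*:*:*",
        "Condition": {"IpAddress": {"acs:SourceIp": ["42.120.88.0/24", "42.120.66.0/24"]}},
    }],
}
DENY_OUTSIDE_CIDR = {
    "Version": "1",
    "Statement": [{
        "Action": "mns:*",
        "Effect": "Deny",
        "Resource": "acs:mns:*:*:*",
        "Condition": {"NotIpAddress": {"acs:SourceIp": ["42.120.88.0/24"]}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in cidrs)


def _condition_holds(condition, ctx):
    """Evaluate the IpAddress / NotIpAddress operators on acs:SourceIp.

    Assumption (not stated on the page): if the request context has no source
    IP, a statement whose condition needs one does not apply.
    """
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator {operator!r} is not modelled here")
        for key, cidrs in pairs.items():
            if key != "acs:SourceIp":
                raise ValueError(f"condition key {key!r} is not modelled here")
            source_ip = ctx.get(key)
            if source_ip is None:
                return False
            hit = _ip_in_any(source_ip, _as_list(cidrs))
            if operator == "IpAddress" and not hit:
                return False
            if operator == "NotIpAddress" and hit:
                return False
    return True


def _statement_matches(stmt, action, resource):
    # "*" in Action/Resource patterns behaves like a glob ("mns:*", "acs:mns:*:*:*").
    return (any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])))


def evaluate(policies, action, resource, ctx):
    """Return (decision, reason). An applicable Deny wins over any Allow; with no
    applicable Allow the request is denied implicitly."""
    allowed_by = None
    for pi, policy in enumerate(policies):
        for si, stmt in enumerate(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", f"explicit Deny in policy {pi}, statement {si}"
            allowed_by = f"policy {pi}, statement {si}"
    if allowed_by:
        return "Allow", f"Allow from {allowed_by}"
    return "Deny", "no applicable Allow statement (implicit deny)"


if __name__ == "__main__":
    # Constructed request: a sample account and queue, tried from three source IPs.
    res = "acs:mns:cn-hangzhou:123456789012:/queues/orders/messages"
    for ip in ("42.120.88.5", "42.120.66.5", "10.0.0.1"):
        print(ip, evaluate([ALLOW_FROM_CIDRS, DENY_OUTSIDE_CIDR], "mns:SendMessage", res,
                           {"acs:SourceIp": ip}))
```

With both policies attached, a request from 42.120.88.5 is allowed, a request from 42.120.66.5 is denied even though Example 1 allows that block (the Deny from Example 2 applies because the address is outside 42.120.88.0/24), and a request from 10.0.0.1 is denied. With Example 1 alone, 42.120.66.5 is allowed and 10.0.0.1 falls through to the implicit deny, which is the distinction the Notice draws between an explicit Deny and simply not being authorized.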