RAM operations

Last Updated: Mar 31, 2017

Create RAM User

  1. Log on to the Alibaba Cloud console, then click Resource Access Management from the left-side navigation bar to open the RAM console.

  2. Click Users on the RAM console.

  3. Click New user on the User Management page.

  4. Enter a login name and other details, select Automatically generate an Access key for this User, then click OK.

  5. Click Save Access Key Information to download the AK file.

Create RAM Policy

  1. Click through policies > custom policy > New Authorization Policy on the RAM console.

  2. Select Blank Template in the pop-up dialog.

  3. Edit the policy and fill in the Remarks, then click New Authorization Policy.

A sample policy for Message Service:

    {
      "Statement": [
        {
          "Action": "mns:*",
          "Effect": "Allow",
          "Resource": "acs:mns:*:*:*"
        }
      ],
      "Version": "1"
    }

For more details on the policy format, refer to the RAM documentation.

Authorize RAM User With Policy

  1. Click Users on the left-side bar on the RAM console.

  2. Find the RAM user, then click Authorization in the action list on the right.

  3. Find the policy in the pop-up dialog, move it to the list on the right, then click OK.

  4. Test access to MNS as the RAM user. The Python SDK is used here as an example:

    1. Download the latest version of the Python SDK.
    2. Set the AK and the endpoint in the sample.cfg config file.
    3. Run python sample.py.
    4. If no error is reported, the RAM user can access Message Service.

Policy Samples

Sample 1: Restrict access to Message Service by source IP.

Message Service allows access from 42.120.88.0/24 and 42.120.66.0/24.

    {
      "Statement": [
        {
          "Action": "mns:*",
          "Effect": "Allow",
          "Resource": "acs:mns:*:*:*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": ["42.120.88.0/24", "42.120.66.0/24"]
            }
          }
        }
      ],
      "Version": "1"
    }

Sample 2: Deny the source IP.

Message Service denies any operation that does not come from source IP 42.120.88.0/24.

    {
      "Statement": [
        {
          "Action": "mns:*",
          "Effect": "Deny",
          "Resource": "acs:mns:*:*:*",
          "Condition": {
            "NotIpAddress": {
              "acs:SourceIp": ["42.120.88.0/24"]
            }
          }
        }
      ],
      "Version": "1"
    }

Sample 3: Read-only access for the RAM user.

Only queue and topic query operations are allowed.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "mns:ListQueue",
            "mns:ListTopic",
            "mns:GetQueueAttributes",
            "mns:GetTopicAttributes"
          ],
          "Resource": "acs:mns:*:*:*"
        }
      ]
    }

APIs to Policy Action Mapping

| Message Service API | Policy Action | Resource |
| --- | --- | --- |
| ListQueue | mns:ListQueue | acs:mns:$region:$accountid:/queues |
| CreateQueue | mns:CreateQueue | acs:mns:$region:$accountid:/queues/$queueName |
| DeleteQueue | mns:DeleteQueue | acs:mns:$region:$accountid:/queues/$queueName |
| SetQueueAttributes | mns:SetQueueAttributes | acs:mns:$region:$accountid:/queues/$queueName |
| GetQueueAttributes | mns:GetQueueAttributes | acs:mns:$region:$accountid:/queues/$queueName |
| SendMessage/BatchSendMessage | mns:SendMessage | acs:mns:$region:$accountid:/queues/$queueName/messages |
| ReceiveMessage/BatchReceiveMessage | mns:ReceiveMessage | acs:mns:$region:$accountid:/queues/$queueName/messages |
| DeleteMessage | mns:DeleteMessage | acs:mns:$region:$accountid:/queues/$queueName/messages |
| PeekMessage/BatchPeekMessage | mns:PeekMessage | acs:mns:$region:$accountid:/queues/$queueName/messages |
| ChangeMessageVisibility | mns:ChangeMessageVisibility | acs:mns:$region:$accountid:/queues/$queueName/messages |
| ListTopic | mns:ListTopic | acs:mns:$region:$accountid:/topics |
| CreateTopic | mns:CreateTopic | acs:mns:$region:$accountid:/topics/$topicName |
| DeleteTopic | mns:DeleteTopic | acs:mns:$region:$accountid:/topics/$topicName |
| SetTopicAttributes | mns:SetTopicAttributes | acs:mns:$region:$accountid:/topics/$topicName |
| GetTopicAttributes | mns:GetTopicAttributes | acs:mns:$region:$accountid:/topics/$topicName |
| ListSubscriptionByTopic | mns:ListSubscriptionByTopic | acs:mns:$region:$accountid:/topics/$topicName/subscriptions |
| Subscribe | mns:Subscribe | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName |
| Unsubscribe | mns:Unsubscribe | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName |
| SetSubscriptionAttributes | mns:SetSubscriptionAttributes | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName |
| GetSubscriptionAttributes | mns:GetSubscriptionAttributes | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName |
| PublishMessage | mns:PublishMessage | acs:mns:$region:$accountid:/topics/$topicName/messages |
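
As an added example (not part of the original Alibaba Cloud documentation), the Python script below uses the action and resource mapping above to build a policy scoped to a single queue and a single role, with an optional source IP condition, instead of granting mns:* on acs:mns:*:*:*. The role names, region, account ID and queue name are assumptions made for illustration.

```python
import ipaddress
import json

# Action -> resource suffix, copied from the mapping table on this page
# (queue message operations only).
QUEUE_MESSAGE_ACTIONS = {
    "mns:SendMessage": "/queues/{queue}/messages",
    "mns:ReceiveMessage": "/queues/{queue}/messages",
    "mns:DeleteMessage": "/queues/{queue}/messages",
    "mns:PeekMessage": "/queues/{queue}/messages",
    "mns:ChangeMessageVisibility": "/queues/{queue}/messages",
}

# Hypothetical role names chosen for this example (not RAM terminology).
ROLES = {
    "producer": ["mns:SendMessage"],
    "consumer": ["mns:ReceiveMessage", "mns:DeleteMessage",
                 "mns:ChangeMessageVisibility"],
}


def build_policy(role, region, account_id, queue, source_cidrs=()):
    """Return a RAM policy dict scoped to one queue and one role."""
    if not queue or "*" in queue or "/" in queue:
        raise ValueError("queue name must be non-empty without '*' or '/'")
    actions = list(ROLES[role])
    # Derive the narrowest resource each action needs from the mapping.
    resources = sorted({
        "acs:mns:%s:%s:%s" % (region, account_id,
                              QUEUE_MESSAGE_ACTIONS[a].format(queue=queue))
        for a in actions
    })
    statement = {"Effect": "Allow", "Action": actions, "Resource": resources}
    if source_cidrs:
        # ip_network raises ValueError on malformed CIDRs or set host bits.
        cidrs = [str(ipaddress.ip_network(c)) for c in source_cidrs]
        # Condition is an element of the statement it restricts.
        statement["Condition"] = {"IpAddress": {"acs:SourceIp": cidrs}}
    return {"Version": "1", "Statement": [statement]}


if __name__ == "__main__":
    # Constructed sample values: region, account ID and queue name.
    policy = build_policy("consumer", "cn-hangzhou", "1234567890123456",
                          "orders", ["42.120.88.0/24"])
    print(json.dumps(policy, indent=2))
```

The printed JSON can be pasted into the Blank Template policy editor described under Create RAM Policy.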