
RAM sub-account authorization

Last Updated: Sep 13, 2019

MQ allows a cloud account (primary account) to authorize RAM users (sub-accounts) to use the topic resources of the cloud account. Authorized RAM users can manage resources in the MQ console and can publish or subscribe to messages by using SDKs.

For the basic concepts of RAM, see Terms of RAM.

For more information about authorization and related terms for user group authorization, see Authorize RAM users.

System authorization policies

MQ currently provides three default authorization policies.

| Policy name | Remarks | Description |
|---|---|---|
| AliyunMQFullAccess | Permission for managing MQ | Equivalent to the permissions of the primary account: grants the permission to send and receive all types of messages and to operate all functions in the MQ console. |
| AliyunMQPubOnlyAccess | Permission for publishing MQ messages | RAM users with this permission can use all resources of the primary account to publish messages by using SDKs. |
| AliyunMQSubOnlyAccess | Permission for subscribing to MQ messages | RAM users with this permission can use all resources of the primary account to subscribe to messages by using SDKs. |

Custom authorization policies

In most cases, the preceding authorization policies provided by MQ are sufficient to meet the service requirements. However, if you have authorization requirements with finer granularity, you can create a custom policy for access control.

MQ resources

The following table describes the naming format of each MQ resource type and the conditions that apply to it.

| MQ resource | Naming format (with namespace) | Naming format (without namespace) | Remarks |
|---|---|---|---|
| Instance | `acs:mq:*:*:{instanceId}` | `acs:mq:*:*:{instanceId}` | A RAM user must be granted `mq:OnsInstanceBaseInfo` on the instance before topics under that instance can be authorized. |
| Topic | `acs:mq:*:*:{instanceId}%{topic}` | `acs:mq:*:*:{topic}` | Before authorizing a topic, you must authorize the instance that the topic belongs to. |

Mapping between MQ resources and actions

When creating a custom authorization policy, you can select different resources and actions based on the specific product. The following lists the options for MQ resources and actions.

| Resource | Action | Description |
|---|---|---|
| Instance | `mq:OnsInstanceBaseInfo` | Query the basic information of the instance. You must grant `mq:OnsInstanceBaseInfo` on the instance to a RAM user before you can grant that user any topic permissions. |
| Instance | `mq:OnsInstanceUpdate` | Update the instance. |
| Instance | `mq:OnsInstanceDelete` | Delete the instance. Perform this operation with caution. |
| Topic | `mq:PUB` | Publish messages. |
| Topic | `mq:SUB` | Subscribe to messages. |

Examples of common policies

Example 1: Authorize the permissions of a topic under an instance

  • This policy is applicable to instances with namespaces.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mq:PUB",                 // (Optional) Grant the permission for publishing messages.
        "mq:SUB",                 // (Optional) Grant the permission for subscribing to messages.
        "mq:OnsInstanceBaseInfo"  // (Required) Query the basic information of the instance.
      ],
      "Resource": [
        "acs:mq:*:*:{instanceId}",          // (Required) Grant the permission of an instance. Enter the ID of your instance in {instanceId}.
        "acs:mq:*:*:{instanceId}%{topic}",  // (Required) Grant the permission of a topic in the instance. Enter the topic name in {topic}.
        ......
      ]
    }
  ]
}
```

  • This policy is applicable to instances with no namespaces.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mq:PUB",                 // (Optional) Grant the permission for publishing messages.
        "mq:SUB",                 // (Optional) Grant the permission for subscribing to messages.
        "mq:OnsInstanceBaseInfo"  // (Required) Query the basic information of the instance.
      ],
      "Resource": [
        "acs:mq:*:*:{instanceId}",  // (Required) Grant the permission of an instance. Enter the ID of your instance in {instanceId}.
        "acs:mq:*:*:{topic}",       // (Required) Grant the permission of a topic in the instance. Enter the topic name in {topic}.
        ......
      ]
    }
  ]
}
```

Example 2: Authorize all the permissions of an instance

To grant the permissions for operating all the resources in an instance, set the policy as follows.

  • This policy is only applicable to instances with namespaces.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mq:*"
      ],
      "Resource": [
        "acs:mq:*:*:{instanceId}*"  // Grant permissions of the instance. Enter the ID of your instance in {instanceId}.
      ]
    }
  ]
}
```

Note: The sample policy is only applicable to instances having no namespaces.
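As an added check that is not part of the MQ documentation or the product, the following Python linter applies the rules from the resource table and the two examples above to a RAM policy document before it is attached to a sub-account: it flags mq:PUB or mq:SUB granted without mq:OnsInstanceBaseInfo, a namespaced topic resource whose instance is not also granted, and wildcard actions or resources such as those in Example 2. The sample policies, the placeholder instance ID and the topic name are constructed for this example.

```python
import json
import re

# Resource formats from the table above: acs:mq:*:*:{instanceId} for an instance,
# acs:mq:*:*:{instanceId}%{topic} for a topic in an instance that has a namespace.
RES_RE = re.compile(r"^acs:mq:\*:\*:([^%*]+)(?:%([^%*]+))?$")
BROAD = {"mq:*", "mq:OnsInstanceDelete", "mq:OnsInstanceUpdate"}

def lint_policy(policy_text):
    """Return a list of findings; an empty list means the policy passes every check."""
    findings = []
    policy = json.loads(policy_text)
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # only Allow statements grant anything
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a in BROAD or "*" in a:
                findings.append(f"statement {i}: broad action {a}, confirm it is intended")
        instances, topics = set(), []
        for r in resources:
            m = RES_RE.match(r)
            if r.endswith("*"):
                findings.append(f"statement {i}: wildcard resource {r} covers every topic")
            elif not m:
                findings.append(f"statement {i}: unrecognised resource {r}")
            elif m.group(2):
                topics.append(m.groups())  # (instanceId, topic)
            else:
                instances.add(m.group(1))
        # The table requires mq:OnsInstanceBaseInfo on the instance before topic rights work.
        if {"mq:PUB", "mq:SUB"} & set(actions) and "mq:OnsInstanceBaseInfo" not in actions:
            findings.append(f"statement {i}: mq:PUB/mq:SUB granted without mq:OnsInstanceBaseInfo")
        for inst, topic in topics:
            if inst not in instances:
                findings.append(f"statement {i}: topic {topic} granted without its instance {inst}")
    return findings

# Constructed sample policies (not from the page); instance and topic names are placeholders.
GOOD_POLICY = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["mq:PUB", "mq:OnsInstanceBaseInfo"],
    "Resource": ["acs:mq:*:*:MQ_INST_PLACEHOLDER", "acs:mq:*:*:MQ_INST_PLACEHOLDER%orders_topic"]}]})
BAD_POLICY = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["mq:SUB"],
    "Resource": ["acs:mq:*:*:MQ_INST_PLACEHOLDER%orders_topic"]}]})
```

Topics of instances without a namespace use the bare `acs:mq:*:*:{topic}` form, which this linter cannot distinguish from an instance resource, so the instance-pairing check only applies to namespaced topics.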

For more information about how to create a custom policy, see (Optional) Create a custom policy.

When creating a custom policy, follow the RAM policy structure and syntax. For more information, see Policy structure and syntax.

For more information about RAM, see What is RAM.