edit-icon download-icon

Grant permissions to sub-accounts

Last Updated: Oct 16, 2018

Overview

As a centralized access management service provided by Alibaba Cloud, RAM (Resource Access Management) focuses on user identity and authorization management. Its application scenarios cover enterprise sub-account and authorization management, temporary authorization management for mobile apps, and resource interoperation and authorization management between organizations. For more information about RAM, see Resource Access Management.

With RAM, which is fully integrated with MQ, you can impose secure access control on Topic resources of MQ in terms of Topic creation and deletion, message publishing and subscription.

MQ console, meanwhile, still keeps authorization management. You can manage authorization either on RAM or on MQ. The processing logic for the two consoles goes as follows:

  • Sub-account authorized: if it is authorized by either or both RAM and MQ.
  • Sub-account unauthorized: if it is authorized by neither console.

Note: When the system judges, the authorization configuration of RAM is checked before that of MQ. We recommend you manage authorization on RAM.

RAM terms

This topic explains some key terms to help you understand how to use the access control function of MQ. For more information, see RAM Concepts.

Alibaba Cloud account (primary account)

An Alibaba Cloud account is the basic entity for judging the ownership of Alibaba Cloud resources and billing for resource consumption. To use Alibaba Cloud services, register an Alibaba Cloud account first. An Alibaba Cloud account is billed for all the resources under the account and has full permissions for these resources.

By default, the resources can only be accessed by the resource owner. Explicit authorization from the owner is required for other users to access the resources. From the perspective of permission management, an Alibaba Cloud account is the equivalent of root or administrator of an operating system, so it’s often called root account or main account (primary account).

RAM users (sub-accounts)

RAM allows creating multiple RAM users (for employees, systems, or applications of an enterprise) under an Alibaba Cloud account. RAM users have no resources and are not billed individually. The Alibaba Cloud account controls its sub-accounts and pays for the services they consume. RAM users belong to an Alibaba Cloud account and are visible only under this account. They’re not independent Alibaba Cloud accounts. RAM users can log on to the console or use APIs to operate on resources under an Alibaba Cloud account only after being authorized by the Alibaba Cloud account.

Resource

Resources are an abstraction of the objects or entities that a cloud service presents for interaction with users. Topic is the only form of resources for MQ.

Each resource has a global Alibaba Cloud Resource Name (ARN) in the format of:

acs:<service-name>:<region>:<account-id>:<resource-relative-id>

Where:

  • acs: short for Alibaba Cloud Service, is the public cloud platform of Alibaba Cloud.
  • service-name: is the name of the service. The service name of MQ is mq.
  • region: is the region information, and can be replaced with a wildcard character “*“.

    Note: MQ authorization is temporarily unavailable, so you must use “*“.

  • account-id: is an ID of Alibaba Cloud account, such as 1234567890123456.

  • resource-relative-id: is the specific name of the Topic resource.

Example: The ARN acs:mq:*:1234567890123456:TopicA indicates that:

  • It’s a MQ resource.
  • The resource owner is 1234567890123456.
  • The resource name is TopicA.

Action

Action defines permission controls related to the resource. MQ defines three actions:

Action Description
PUB The publishing permission, including permission to create Producers on the MQ Console, and to send messages through SDK.
SUB The subscription permission, including permission to create Consumers on the MQ Console, and to subscribe to messages through SDK.
* Includes PUB and SUB actions.

MQ allows a cloud account (primary account) to authorize RAM users (sub-accounts) to use Topic resources. Authorized RAM users can manage resources on the MQ console, and publish or subscribe to messages through SDK.

Authorization policies

System default policies

MQ currently supports three authorization policies. To view them, do as follows:

  1. Log on to the RAM console, and choose Policies > System Policy.
  2. Enter MQ in the Policy Name or Description search box and click Search to view the three supported authorization policies.

The specific descriptions on the three authorization policies are as follows:

AliyunMQFullAccess: the administration permission of MQ. With this permission, a RAM user is not only authorized to handle all resources of the primary account, but also to manage resources on the MQ console on behalf of the primary account, such as creating or deleting Topics, Producers or Consumers. Note that any resource created by the RAM user is eventually owned by the primary account.

AliyunMQPubOnlyAccess: the publishing permission of MQ. With this permission, a RAM user is authorized to publish any resource of the primary account, including creating Producers on the MQ console and sending messages through SDK, except deleting Producers.

AliyunMQSubOnlyAccess: the subscription permission of MQ. With this permission, a RAM user is authorized to subscribe to any resource of the primary account, including creating Consumers on the MQ console and subscribing to messages through SDK, except deleting Consumers.

Tips:

You can combine AliyunMQPubOnlyAccess with AliyunMQSubOnlyAccess policies to grant RAM users the permission to publish and subscribe to any resource of the primary account.

Unlike the AliyunMQFullAccess policy, this policy combination does not grant RAM users the administration permission of MQ. Therefore, it does not cover the permission to create or delete Topics.

Custom policies

Most of the time, the three authorization policies provided by MQ are sufficient to meet the business requirements. However, if you have authorization requirements with finer granularity, you can create a custom policy for access control.

For instructions, see Create a custom policy.

Here’s an example of a custom policy:

  1. {
  2. "Version": "1",
  3. "Statement": [
  4. {
  5. "Action": "mq:PUB",
  6. "Resource": [
  7. "acs:mq:*:*:TopicA",
  8. "acs:mq:*:*:TopicB"
  9. ],
  10. "Effect": "Allow"
  11. }
  12. ]
  13. }

In this example:

  • Resource name: TopicA and TopicB;
  • Permission: the publishing permission, including the permission to create Producers and to send messages through SDK.

RAM user authorization

For instructions on how to create a RAM user, see Create a RAM user. For more information about basic authorization operations and the concept of the user group authorization, see Attach policies to a RAM user.

Authorization

To authorize a RAM user with the primary account, do as follows:

  1. Log on to the RAM console with the primary account.
  2. Click Users in the left-side navigation pane.
  3. Locate the user to be authorized (you can search for the user by the user name/display name), and click Authorize in the Actions column to enter Edit User-Level Authorization.
  4. Add the desired authorization policy (you can search for the policy by keyword) and click OK.
    • Select the required policy in Available Authorization Policy Names on the left and click the right arrow (which means “authorize”) to add it to Selected Authorization Policy Name.
    • Likewise, click the left arrow to remove a policy from the Selected Authorization Policy Name on the right.

Verification

RAM users can log on to the MQ console for verification. After logging on to the MQ console, you can view all authorized Topic resources on the Topics page.

The logon steps are as follows:

  1. Log on to the RAM console.
  2. Locate and click Message Queue in the left-side product list of the RAM console to go to the MQ console. Alternatively, you can directly log on to the MQ console.

A guide to sub-accounts

Sub-accounts (RAM users) can log on to the MQ console to view the Topics to which you have been granted permission, create Producers and Consumers, and publish and subscribe to messages through SDK.

Note: After a RAM sub-account is authorized with a Topic, do not use the corresponding Producer ID and Consumer ID of the Topic directly, Otherwise there will be connecting errors. You must use RAM sub accounts to log on to the MQ console, and then create Producer ID and Consumer ID for the authorized Topics.

Steps:

  1. Log on to the RAM console.

  2. Locate and click Message Queue in the left-side product list of the RAM console to enter the MQ console. Alternatively, in the RAM sub-account log status, directly click to enter the MQ console.

  3. Click Topics in the left-side navigation pane to locate the authorized Topic, click Create Producer in the Actions column to create a Producer ID or click Create Consumer to create a Consumer ID.

    Note: Producer ID and Consumer ID created by RAM sub-accounts are separated from each other, and cannot be mixed with those created by other RAM sub-accounts or the primary account.

  4. Use the created Producer ID and CID to receive and send messages through SDK.

Note: Before receiving and sending messages through SDK, you must be authenticated with AccessKey and SecretKey of the RAM sub-account. For more information about AccessKey, see the “Create an AccessKey” section in Create a RAM User.

Thank you! We've received your feedback.