Message Queue for Apache RocketMQ allows an Alibaba Cloud account to authorize Resource Access Management (RAM) users to use its topic resources, which avoids the risk of exposing the AccessKey pair of the Alibaba Cloud account itself. Only authorized RAM users are allowed to manage resources in the Message Queue for Apache RocketMQ console and to deliver and subscribe to messages through SDKs and API operations.

Scenarios

Enterprise A has purchased Message Queue for Apache RocketMQ and its employees need to perform operations on the resources of this service, such as instances, topics, and groups. Different employees are responsible for different jobs, including creating resources, delivering messages, and subscribing to messages. Employees with different roles require different permissions.

The scenario is described as follows:

  • For security reasons, enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, enterprise A prefers to create different RAM users for the employees and grant different permissions to these users.
  • A RAM user can use only the resources it has been authorized to use. Resource usage and costs are not calculated separately for that RAM user; all expenses are billed to the Alibaba Cloud account of enterprise A.
  • Enterprise A can revoke the permissions granted to RAM users and delete RAM users at any time.

In this scenario, the Alibaba Cloud account of enterprise A can grant each employee fine-grained, separately scoped permissions on the resources that employee operates.

Procedure

  1. Create a RAM user by using the Alibaba Cloud account of enterprise A.
     For more information, see Create a RAM user.
  2. Optional: Create custom policies for the RAM user as needed.
     For more information, see Create a custom policy.
     Currently, Message Queue for Apache RocketMQ supports setting permissions on instances, topics, and groups. For more information, see Permission policies.
  3. Grant permissions to the RAM user by using the Alibaba Cloud account of enterprise A.
     For more information, see Grant permissions to a RAM user.
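To show how custom policies split permissions between RAM users in the scenario above (a producer who may only publish, a consumer who may only subscribe), here is an added Python example that is not part of this page or of the service's own code: it evaluates constructed RAM-style policy documents with default-deny and explicit-deny-wins semantics. The action names mq:PUB and mq:SUB, the instance ID MQ_INST_demo and the resource ARN layout acs:mq:<region>:<account>:<instanceId>%<topic> are assumptions for illustration; take the real identifiers from the Permission policies reference.

```python
"""Evaluate constructed RAM-style custom policies for RocketMQ resources."""
import json
import re

# Constructed sample policies (not from the page). Action names and the
# resource ARN layout are assumptions for illustration only.
PRODUCER_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        # May publish to the "orders" topic of one instance, in any region/account.
        {"Effect": "Allow", "Action": ["mq:PUB"],
         "Resource": ["acs:mq:*:*:MQ_INST_demo%orders"]},
        # Explicitly forbidden to subscribe anywhere.
        {"Effect": "Deny", "Action": ["mq:SUB"],
         "Resource": ["acs:mq:*:*:*"]},
    ],
})
CONSUMER_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["mq:SUB"],
         "Resource": ["acs:mq:*:*:MQ_INST_demo%orders"]},
    ],
})


def _matches(patterns, value):
    """True if any pattern matches value; '*' matches any run of characters."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, value):
            return True
    return False


def is_allowed(policies, action, resource):
    """Default deny: a request is permitted only if some statement allows it
    and no statement in any attached policy explicitly denies it."""
    allowed = False
    for policy in policies:
        for stmt in json.loads(policy)["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny overrides every Allow
            allowed = True
    return allowed
```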

What to do next

After creating RAM users with an Alibaba Cloud account, you can distribute the logon names and passwords of the RAM users or AccessKey pair information to other employees. Other employees can log on to the console or call an API operation as a RAM user through the following steps.

  • Log on to the console.
    1. Open a browser and access the RAM user logon page at https://signin.aliyun.com/login.htm.
    2. On the RAM User Logon page, enter the RAM user name, click Next, enter the RAM user password, and then click Log on.
      Note: The RAM user name is in the format <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com, where <$AccountAlias> is the account alias. If no account alias is set, the value defaults to the ID of the Alibaba Cloud account.
    3. On the RAM Users page, click a product on which the RAM user has permissions to open its console.
  • Call an API operation with the RAM user's AccessKey pair.

    Use the AccessKey ID and AccessKey secret of the RAM user in the code.