This topic describes the common permission policies in ApsaraMQ for MQTT.
Precautions
Before reading this topic, we recommend that you view Permission of ApsaraMQ for MQTT supported in Resource Access Management (RAM).
To use the sample code directly, delete the comments ("//" and the text description that follows). In the examples, replace {mqttInstanceId}, {storeInstanceId}, {topic}, and {groupId} with your actual resource information. For example, replace {groupId} with GID_xxx.
Important: {storeInstanceId} refers to the ID of the persistent instance that is bound to your ApsaraMQ for MQTT instance. You can obtain the ID of the bound persistent instance on the instance details page of the ApsaraMQ for MQTT console.
Example 1: Grant permissions for a topic and a group in an instance.
- This policy is applicable to instances with namespaces.
{
  "Version": "1",
  "Statement": [
    {
      // Grant permissions for an instance. Before granting permissions for topics and groups, grant permissions for the corresponding instance (applicable to instances with namespaces)
      "Effect": "Allow",
      "Action": [
        "mq:MqttInstanceAccess"
      ],
      "Resource": [
        "acs:mq:*:*:{mqttInstanceId}"
      ]
    },
    {
      // Grant the permissions to publish and subscribe to messages for a Topic
      "Effect": "Allow",
      "Action": [
        "mq:PUB",
        "mq:SUB"
      ],
      "Resource": [
        "acs:mq:*:*:{storeInstanceId}%{topic}"
      ]
    },
    {
      // Grant permissions to a Group
      "Effect": "Allow",
      "Action": [
        "mq:SUB"
      ],
      "Resource": [
        "acs:mq:*:*:{mqttInstanceId}%{groupId}"
      ]
    }
  ]
}
- This policy is applicable to instances with no namespaces.
{
  "Version": "1",
  "Statement": [
    {
      // Grant permissions for an instance. Before granting permissions for topics and groups, grant permissions for the corresponding instance (applicable to instances without namespaces)
      "Effect": "Allow",
      "Action": [
        "mq:MqttInstanceAccess"
      ],
      "Resource": [
        "acs:mq:*:*:{mqttInstanceId}"
      ]
    },
    {
      // Grant the permissions to publish and subscribe to messages for a topic.
      "Effect": "Allow",
      "Action": [
        "mq:PUB",
        "mq:SUB"
      ],
      "Resource": [
        "acs:mq:*:*:{topic}"
      ]
    },
    {
      // Grant permissions for a group.
      "Effect": "Allow",
      "Action": [
        "mq:SUB"
      ],
      "Resource": [
        "acs:mq:*:*:{groupId}"
      ]
    }
  ]
}
Example 2: Grant permissions for an entire instance (only applicable to instances with namespaces)
To grant the permissions for operating all the resources in an instance, set the policy as follows:
{ // Only applicable to instances with namespaces.
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mq:*"
      ],
      "Resource": [
        "acs:mq:*:*:{mqttInstanceId}*" // Grant permission for the instance. Replace {mqttInstanceId} with the ID of your instance.
      ]
    }
  ]
}
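The two precautions above (delete the "//" comments, replace every placeholder) can be checked mechanically before a policy is attached. The following Python code is an added example, not part of the original topic or of Alibaba Cloud's tooling: the function names are hypothetical, the template is the with-namespace policy from Example 1 in condensed form, and the instance, topic, and group values are constructed. It also reports wildcard actions such as the mq:* grant in Example 2 so that a broad grant is a deliberate choice.

```python
import json
import re

# Constructed template in the page's style: // comments and {placeholders}.
TEMPLATE = """{
  "Version": "1",
  "Statement": [
    { // Grant permissions for an instance.
      "Effect": "Allow", "Action": ["mq:MqttInstanceAccess"],
      "Resource": ["acs:mq:*:*:{mqttInstanceId}"] },
    { // Grant the permissions to publish and subscribe to messages for a topic.
      "Effect": "Allow", "Action": ["mq:PUB", "mq:SUB"],
      "Resource": ["acs:mq:*:*:{storeInstanceId}%{topic}"] },
    { // Grant permissions for a group.
      "Effect": "Allow", "Action": ["mq:SUB"],
      "Resource": ["acs:mq:*:*:{mqttInstanceId}%{groupId}"] }
  ]
}"""

# A JSON string literal, or a // comment running to the end of the line.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')
_PLACEHOLDER = re.compile(r"\{(\w+)\}")

def strip_comments(text):
    """Remove // comments but keep any // that sits inside a string literal."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def render_policy(template, values):
    """Strip comments, parse the JSON, then fill placeholders in each Resource."""
    policy = json.loads(strip_comments(template))  # raises on invalid JSON
    def fill(resource):
        missing = [n for n in _PLACEHOLDER.findall(resource) if n not in values]
        if missing:
            raise ValueError("no value for placeholders: %s" % missing)
        return _PLACEHOLDER.sub(lambda m: values[m.group(1)], resource)
    for stmt in policy["Statement"]:
        stmt["Resource"] = [fill(r) for r in stmt["Resource"]]
    return policy

def wildcard_actions(policy):
    """Return the actions of Allow statements that contain a wildcard."""
    return [a for s in policy["Statement"] if s["Effect"] == "Allow"
            for a in s["Action"] if "*" in a]

if __name__ == "__main__":
    ids = {"mqttInstanceId": "mqtt-EXAMPLE", "storeInstanceId": "store-EXAMPLE",
           "topic": "demoTopic", "groupId": "GID_demo"}  # constructed values
    print(json.dumps(render_policy(TEMPLATE, ids), indent=2))
```

Placeholders are substituted after parsing, so a value that contains a quote or brace cannot alter the structure of the policy document.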