
ApsaraMQ for MQTT: Grant permissions to RAM users

Last Updated: Aug 08, 2024

To prevent risks caused by leaking the AccessKey pair of an Alibaba Cloud account, ApsaraMQ for MQTT allows you to grant permissions on topics to Resource Access Management (RAM) users. Only authorized RAM users can manage resources in the ApsaraMQ for MQTT console and publish and subscribe to messages by using SDKs and calling API operations.

Note

ApsaraMQ for MQTT does not support cross-account authorization.

Scenarios

Enterprise A has activated ApsaraMQ for MQTT. Employees of Enterprise A need to manage ApsaraMQ for MQTT resources, such as instances, topics, and groups. The employees have different duties. For example, some employees need to create resources, some need to publish messages, and others need to subscribe to messages. In this case, Enterprise A needs to grant different permissions to different employees.

The following items describe the scenario:

  • For security reasons, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, Enterprise A wants to create different RAM users for the employees and grant different permissions to the RAM users.

  • A RAM user can only use resources for which the user is authorized. Resource usage and costs are not separately calculated for the RAM user. All expenses are billed to the Alibaba Cloud account of Enterprise A.

  • Enterprise A can revoke the permissions granted to a RAM user and delete a RAM user at any time.

In this scenario, Enterprise A can grant its employees fine-grained permissions on resources by using the Alibaba Cloud account.

Procedure

  1. Create a RAM user by using the Alibaba Cloud account of Enterprise A.

    For more information, see Create a RAM user.

  2. (Optional) Create custom policies for the new RAM user by using the Alibaba Cloud account of Enterprise A.

    For more information, see Create custom policies.

    ApsaraMQ for MQTT allows you to grant permissions on instances, topics, and groups to RAM users. For more information, see Policies.

  3. Grant permissions to the RAM user by using the Alibaba Cloud account of Enterprise A.

    For more information, see Grant permissions to a RAM user.
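    The following custom policy is an added example for Step 2, not content from the original page. It grants a publisher-only RAM user the right to publish to a single topic on a single instance, which is the least privilege the scenario above needs for an employee who only publishes. It assumes the mq:PUB action name and the acs:mq:*:*:<instance-id>/<topic-name> resource format from the Policies reference; confirm both against that page, and replace <instance-id> and <topic-name> with your own values.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mq:PUB"
      ],
      "Resource": [
        "acs:mq:*:*:<instance-id>/<topic-name>"
      ]
    }
  ]
}
```

    For an employee who only subscribes, use the same policy with mq:SUB in place of mq:PUB; attach each policy to the matching RAM user in Step 3 instead of granting a wildcard action or resource.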

What to do next

After you create a RAM user by using an Alibaba Cloud account, you can share the logon name and password or AccessKey pair of the RAM user with other users. The users can perform the following steps to log on to the Alibaba Cloud Management Console or call API operations by using the RAM user.

  • Log on to the Alibaba Cloud Management Console

    1. Open the RAM User Logon page in your browser.

    2. In the Username field of the RAM User Logon page, enter the logon name of the RAM user and click Next. On the page that appears, enter the password. Then, click Log On.

      Note

      The logon name of the RAM user is in the <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com format. <$AccountAlias> indicates the alias of your Alibaba Cloud account. If no alias is specified, the ID of your Alibaba Cloud account is automatically used.

    3. On the RAM User Center page, click a service on which permissions are granted to access the console.

  • Use the AccessKey pair of the RAM user to call API operations

    Specify the AccessKey ID and AccessKey secret of the RAM user in the code.

References

What is RAM?