Starting April 26, 2024, Resource Access Management (RAM) users must have the mq:MqttMetaData action granted before they can access the Overview page and homepage in the ApsaraMQ for MQTT console. This change applies only to console access and does not affect your running workloads or MQTT client connections.
Why this change was made
The Overview page aggregates metadata across all your ApsaraMQ for MQTT instances. Previously, any RAM user with basic console access could view this cross-instance data. The new mq:MqttMetaData action enforces finer-grained access control so that only explicitly authorized RAM users can view instance metadata.
What is affected
| Scope | Details |
|---|---|
| Affected pages | Overview page and homepage in the ApsaraMQ for MQTT console |
| Required action | mq:MqttMetaData |
| Symptom without authorization | An error message indicating the RAM user is not authorized |
| Business impact | None. Only console access is affected. Running workloads and MQTT client connections are not impacted. |
Note: To view the instance list, the RAM user also needs the mq:ListMqttInstance action.
Grant the required permissions
To authorize a RAM user:
1. Identify the RAM users who need access to the ApsaraMQ for MQTT console.
2. Check the existing policies attached to each RAM user.
3. Add the mq:MqttMetaData action to the RAM user's policy. To also allow viewing the instance list, add mq:ListMqttInstance. For complete policy definitions and examples, see Policies and Sample policies.
4. Sign in as the RAM user and verify that the Overview page loads without errors.
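The check in the second step can be scripted against exported policy documents. The following is an added example, not code from the ApsaraMQ documentation: it reports whether a user's attached policies allow, deny, or lack the two actions named above. It assumes the usual RAM policy layout (Version, Statement, Effect, Action), treats `*` as the only wildcard, compares action names case-insensitively, and ignores Resource and Condition; the sample policies, including `"Resource": "*"`, are constructed.

```python
import re

# The two actions this notice names.
REQUIRED = ("mq:MqttMetaData", "mq:ListMqttInstance")


def _as_list(value):
    """A policy field may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def _matches(pattern, action):
    # Assumption: '*' is the only wildcard and names compare case-insensitively.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def evaluate(policies, action):
    """Return 'deny', 'allow' or 'missing' for one action across all policies."""
    result = "missing"
    for doc in policies:
        for stmt in doc.get("Statement", []):
            if not any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
                continue
            if stmt.get("Effect") == "Deny":
                return "deny"  # an explicit Deny overrides any Allow
            if stmt.get("Effect") == "Allow":
                result = "allow"
    return result


def audit(policies):
    return {action: evaluate(policies, action) for action in REQUIRED}


# Constructed sample: a user who could list instances before the change.
BEFORE = [{"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "mq:List*", "Resource": "*"}]}]
# Constructed sample: the statement step 3 adds (Resource "*" is an assumption).
ADDED = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["mq:MqttMetaData", "mq:ListMqttInstance"],
     "Resource": "*"}]}

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(BEFORE + [ADDED]))
```

A result of "missing" for mq:MqttMetaData identifies a user who will see the authorization error on the Overview page; "deny" means an explicit Deny statement must be removed before an added Allow takes effect.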
Support
If you have questions, join DingTalk group 116015007918 to contact ApsaraMQ for MQTT technical support.