ApsaraMQ for MQTT uses service-linked roles to access other Alibaba Cloud services on your behalf. Each role is created automatically the first time you use the feature that requires it, and it carries a fixed policy that grants only the API operations that feature needs. Note that the Resource element of these policies is account-wide (acs:<service>:*:*:*), so the role is limited by operation, not by individual VPC endpoint or security group.
A service-linked role is a type of Resource Access Management (RAM) role predefined by an Alibaba Cloud service. You cannot modify the permissions of a service-linked role, and only the linked service can assume it. For more information, see Service-linked roles.
Roles and permissions
ApsaraMQ for MQTT creates the following service-linked roles:
| Role | Access policy | Created when you | Purpose |
|---|---|---|---|
| AliyunServiceRoleForMqttCoreRuleEngine | AliyunServiceRolePolicyForMqttCoreRuleEngine | First configure a rules engine | Accesses Elastic Compute Service (ECS), PrivateLink, virtual private cloud (VPC), and ApsaraMQ for Kafka to forward messages to ApsaraMQ for Kafka |
| AliyunServiceRoleForMqttTunnel | AliyunServiceRolePolicyForMqttTunnel | First enable HTTP authentication | Accesses ECS, PrivateLink, and VPC to support HTTP authentication |
AliyunServiceRolePolicyForMqttCoreRuleEngine
This policy is attached to the AliyunServiceRoleForMqttCoreRuleEngine role. It grants the following permissions:
| Service | Permissions | Purpose |
|---|---|---|
| ApsaraMQ for Kafka | List instances and topics | Discover Kafka instances and topics for message forwarding |
| PrivateLink | Create, list, update, and delete VPC endpoints; manage endpoint zones and security groups | Establish private connectivity between ApsaraMQ for MQTT and downstream services |
| VPC | Describe vSwitches; create VPC endpoints | Access VPC networking resources for private connectivity |
| ECS | Create, describe, authorize, revoke, and delete security groups | Manage network access rules for message forwarding |
| RAM | Delete this service-linked role | Allow the service to clean up its own role (scoped to core-rule-engine.mqtt.aliyuncs.com) |
{
"Version": "1",
"Statement": [
{
"Action": [
"alikafka:ListInstance",
"alikafka:ListTopic"
],
"Resource": "acs:alikafka:*:*:*",
"Effect": "Allow"
},
{
"Action": [
"privatelink:UpdateVpcEndpointAttribute",
"privatelink:DeleteVpcEndpoint",
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:GetVpcEndpointAttribute",
"privatelink:ListVpcEndpointServicesByEndUser",
"privatelink:ListVpcEndpointZones",
"privatelink:ListVpcEndpointSecurityGroups",
"privatelink:AddZoneToVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint"
],
"Resource": "acs:privatelink:*:*:*",
"Effect": "Allow"
},
{
"Action": [
"privatelink:CreateVpcEndpoint",
"vpc:DescribeVSwitches",
"ecs:CreateSecurityGroup"
],
"Resource": "acs:vpc:*:*:*",
"Effect": "Allow"
},
{
"Action": [
"privatelink:CreateVpcEndpoint",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroups",
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:DeleteSecurityGroup",
"ecs:RevokeSecurityGroup"
],
"Resource": "acs:ecs:*:*:*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "core-rule-engine.mqtt.aliyuncs.com"
}
}
}
]
}
AliyunServiceRolePolicyForMqttTunnel
This policy is attached to the AliyunServiceRoleForMqttTunnel role. It grants the following permissions:
| Service | Permissions | Purpose |
|---|---|---|
| PrivateLink | Create, list, update, and delete VPC endpoints; manage endpoint zones and security groups | Establish private connectivity for HTTP authentication |
| VPC | Describe vSwitches; create VPC endpoints | Access VPC networking resources for private connectivity |
| ECS | Create, describe, authorize, revoke, and delete security groups | Manage network access rules for HTTP authentication |
| RAM | Delete this service-linked role | Allow the service to clean up its own role (scoped to ep-tunnel.mqtt.aliyuncs.com) |
{
"Version": "1",
"Statement": [
{
"Action": [
"privatelink:UpdateVpcEndpointAttribute",
"privatelink:DeleteVpcEndpoint",
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:GetVpcEndpointAttribute",
"privatelink:ListVpcEndpointServicesByEndUser",
"privatelink:ListVpcEndpointZones",
"privatelink:ListVpcEndpointSecurityGroups",
"privatelink:AddZoneToVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint"
],
"Resource": "acs:privatelink:*:*:*",
"Effect": "Allow"
},
{
"Action": [
"privatelink:CreateVpcEndpoint",
"vpc:DescribeVSwitches",
"ecs:CreateSecurityGroup"
],
"Resource": "acs:vpc:*:*:*",
"Effect": "Allow"
},
{
"Action": [
"privatelink:CreateVpcEndpoint",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroups",
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:DeleteSecurityGroup",
"ecs:RevokeSecurityGroup"
],
"Resource": "acs:ecs:*:*:*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "ep-tunnel.mqtt.aliyuncs.com"
}
}
}
]
}
View a service-linked role
After a service-linked role is created, you can view its details on the Roles page in the RAM console:
Basic Information: The role details page displays the role name, creation time, ARN, and remarks.
Access policy: Click the Permission Management tab, then click the policy name to view the policy document.
Note: The access policy for a service-linked role appears only on the role details page, not on the Policies page in the RAM console.
Trust policy: Click the Trust Policy tab to view the trust policy document. The Service field identifies the Alibaba Cloud service that can assume the role.
For more information, see View a RAM role.
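Once you have the policy document from the Permission Management tab and the trust policy from the Trust Policy tab, it is worth checking them against what this topic documents rather than reading them by eye. The script below is an added example, not code from ApsaraMQ for MQTT or RAM: it embeds the AliyunServiceRolePolicyForMqttCoreRuleEngine document printed above, groups the granted actions by service, flags statements whose Resource is account-wide, verifies that the ram:DeleteServiceLinkedRole grant is conditioned on the expected service name, and checks that only that service appears as a principal in the trust policy. The trust policy document is constructed to match the shape described above (a Service principal allowed sts:AssumeRole) and is an assumption, not a fetched document; drifted_policy() is a deliberately tampered copy used to show what a finding looks like.

```python
"""Audit a service-linked role's policy and trust policy documents.

Added example, not ApsaraMQ for MQTT's or RAM's own code. The policy below is
AliyunServiceRolePolicyForMqttCoreRuleEngine as printed in this topic; the
trust policy is constructed to match the documented shape (Principal.Service
names the assuming service) and is an assumption, not a fetched document.
"""
import copy
from collections import defaultdict

EXPECTED_SERVICE = "core-rule-engine.mqtt.aliyuncs.com"

# Policy document copied from this topic.
CORE_RULE_ENGINE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "acs:alikafka:*:*:*",
         "Action": ["alikafka:ListInstance", "alikafka:ListTopic"]},
        {"Effect": "Allow", "Resource": "acs:privatelink:*:*:*",
         "Action": ["privatelink:UpdateVpcEndpointAttribute", "privatelink:DeleteVpcEndpoint",
                    "privatelink:CreateVpcEndpoint", "privatelink:ListVpcEndpoints",
                    "privatelink:GetVpcEndpointAttribute", "privatelink:ListVpcEndpointServicesByEndUser",
                    "privatelink:ListVpcEndpointZones", "privatelink:ListVpcEndpointSecurityGroups",
                    "privatelink:AddZoneToVpcEndpoint", "privatelink:RemoveZoneFromVpcEndpoint"]},
        {"Effect": "Allow", "Resource": "acs:vpc:*:*:*",
         "Action": ["privatelink:CreateVpcEndpoint", "vpc:DescribeVSwitches", "ecs:CreateSecurityGroup"]},
        {"Effect": "Allow", "Resource": "acs:ecs:*:*:*",
         "Action": ["privatelink:CreateVpcEndpoint", "ecs:DescribeSecurityGroupAttribute",
                    "ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup",
                    "ecs:DeleteSecurityGroup", "ecs:RevokeSecurityGroup"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
         "Condition": {"StringEquals": {"ram:ServiceName": EXPECTED_SERVICE}}},
    ],
}

# Constructed trust policy (assumed shape of what the Trust Policy tab shows).
CORE_RULE_ENGINE_TRUST_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": [EXPECTED_SERVICE]}}],
}


def _as_list(value):
    """RAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def actions_by_service(policy):
    """Group every allowed action by its service prefix (ecs, privatelink, ...)."""
    grouped = defaultdict(set)
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st["Action"]):
            grouped[action.split(":", 1)[0]].add(action)
    return {service: sorted(actions) for service, actions in grouped.items()}


def unscoped_statements(policy):
    """Indexes of Allow statements whose Resource is account-wide ('*' or '...:*')."""
    return [i for i, st in enumerate(policy["Statement"])
            if st.get("Effect") == "Allow"
            and any(r == "*" or r.endswith(":*") for r in _as_list(st["Resource"]))]


def delete_role_is_scoped(policy, expected_service):
    """True only if every ram:DeleteServiceLinkedRole grant is conditioned on
    ram:ServiceName == expected_service, i.e. the role can delete itself and nothing else."""
    grants = [st for st in policy["Statement"]
              if st.get("Effect") == "Allow"
              and "ram:DeleteServiceLinkedRole" in _as_list(st["Action"])]
    if not grants:
        return False
    for st in grants:
        names = _as_list(st.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName", []))
        if names != [expected_service]:
            return False
    return True


def trust_policy_services(trust_policy):
    """Service principals permitted to assume the role (the Service field on the Trust Policy tab)."""
    services = set()
    for st in trust_policy["Statement"]:
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            services.update(_as_list(st.get("Principal", {}).get("Service", [])))
    return sorted(services)


def audit(policy, trust_policy, expected_service, documented_actions):
    """Compare the documents shown in the console with what this topic documents; [] means no drift."""
    findings = []
    granted = {a for acts in actions_by_service(policy).values() for a in acts}
    if granted - documented_actions:
        findings.append(f"undocumented actions granted: {sorted(granted - documented_actions)}")
    if documented_actions - granted:
        findings.append(f"documented actions missing: {sorted(documented_actions - granted)}")
    if not delete_role_is_scoped(policy, expected_service):
        findings.append("ram:DeleteServiceLinkedRole is not scoped to " + expected_service)
    assumers = trust_policy_services(trust_policy)
    if assumers != [expected_service]:
        findings.append(f"unexpected assuming principals: {assumers}")
    return findings


# The action set this topic documents, used as the baseline for drift detection.
DOCUMENTED_ACTIONS = frozenset(
    a for acts in actions_by_service(CORE_RULE_ENGINE_POLICY).values() for a in acts)


def drifted_policy():
    """A deliberately tampered copy: an extra ECS action and the self-delete condition removed."""
    bad = copy.deepcopy(CORE_RULE_ENGINE_POLICY)
    bad["Statement"][3]["Action"].append("ecs:RunInstances")
    del bad["Statement"][4]["Condition"]
    return bad


if __name__ == "__main__":
    print(unscoped_statements(CORE_RULE_ENGINE_POLICY))
    print(audit(CORE_RULE_ENGINE_POLICY, CORE_RULE_ENGINE_TRUST_POLICY, EXPECTED_SERVICE, DOCUMENTED_ACTIONS))
    print(audit(drifted_policy(), CORE_RULE_ENGINE_TRUST_POLICY, EXPECTED_SERVICE, DOCUMENTED_ACTIONS))
```

To use it against your own account, replace CORE_RULE_ENGINE_POLICY and CORE_RULE_ENGINE_TRUST_POLICY with the documents copied from the Permission Management and Trust Policy tabs, and for AliyunServiceRoleForMqttTunnel set EXPECTED_SERVICE to ep-tunnel.mqtt.aliyuncs.com. unscoped_statements reports every statement in the documented policy, which is the account-wide scope noted at the top of this topic rather than a misconfiguration; the checks that should never fire are the undocumented-action, self-delete-condition and trust-principal findings.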
Delete a service-linked role
After you delete a service-linked role, features that depend on the role stop working. Proceed with caution.
Before you delete a service-linked role, remove all dependent resources under your Alibaba Cloud account:
| Role | Delete these resources first |
|---|---|
| AliyunServiceRoleForMqttCoreRuleEngine | All rules engines |
| AliyunServiceRoleForMqttTunnel | All HTTP authentication configurations |
Delete a service-linked role only if you no longer use the ApsaraMQ for MQTT features that depend on it (the rules engine or HTTP authentication) or you need to deregister your Alibaba Cloud account. For steps, see Delete a RAM role in the RAM console.