Policies

Last Updated: Mar 15, 2024

Alibaba Cloud provides the Resource Access Management (RAM) service for you to manage permissions on ApsaraMQ for MQTT. With RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users; instead, you grant each RAM user only the permissions that user requires. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. This topic describes the policies provided for ApsaraMQ for MQTT in RAM.

In RAM, a policy is a collection of permissions written in a structured policy syntax. For more information, see Policy structure and syntax. A policy precisely describes the set of authorized resources, the set of allowed actions, and the conditions under which the authorization applies. ApsaraMQ for MQTT provides the following types of RAM policies:

  • System policies: System policies are created and updated by Alibaba Cloud. You can use system policies but cannot modify them.

  • Custom policies: You can create, update, and delete custom policies. You need to maintain the versions of custom policies.

System policies

ApsaraMQ for MQTT provides four default system policies.

Important

ApsaraMQ for MQTT does not support independent system policies. When you attach the following system policies to RAM users, the policies take effect in both ApsaraMQ for MQTT and ApsaraMQ for RocketMQ.

Policy | Description
--- | ---
AliyunMQFullAccess | The permissions to manage ApsaraMQ for MQTT. A RAM user to which this policy is attached can manage all features, in the same way that the Alibaba Cloud account manages resources in the ApsaraMQ for MQTT console.
AliyunMQPubOnlyAccess | The permissions to send messages in ApsaraMQ for MQTT. A RAM user to which this policy is attached can send messages by using SDKs on all resources of the Alibaba Cloud account.
AliyunMQSubOnlyAccess | The permissions to subscribe to messages in ApsaraMQ for MQTT. A RAM user to which this policy is attached can subscribe to messages by using SDKs on all resources of the Alibaba Cloud account.
AliyunMQReadOnlyAccess | The read-only permissions on ApsaraMQ for MQTT. A RAM user to which this policy is attached can only read resource information, in the ApsaraMQ for MQTT console or by calling API operations.

Custom policies

Custom policies allow you to grant fine-grained permissions to users.

The following section describes the mappings between resources and actions in ApsaraMQ for MQTT.

In ApsaraMQ for MQTT, resources are instances, topics, and groups. Actions are the permissions that are granted on the resources. The naming formats of topics and groups vary based on whether the corresponding ApsaraMQ for MQTT instance contains a namespace. You can view whether an instance contains a namespace on the Instance Details page in the ApsaraMQ for MQTT console.

The resources and actions in ApsaraMQ for MQTT, and the rules that govern them, fall into three categories depending on where the permission is exercised: the console, API operations, and the ApsaraMQ for MQTT client. Actions in the ApsaraMQ for MQTT console are further grouped by resource type: instance, topic, and group.

Note

For example, if you want to access resources and call API operations in ApsaraMQ for MQTT, you must obtain the mq:MqttInstanceAccess permission. After you are granted the permission, you can access ApsaraMQ for MQTT instances.

Permissions to publish and subscribe to messages on ApsaraMQ for MQTT clients

The naming formats of topics and groups on which permissions to publish and subscribe to messages are granted vary based on whether the corresponding ApsaraMQ for MQTT instance contains a namespace.

  • An instance that contains a namespace

    • Topic: acs:mq:*:*:{storeInstanceId}%{topic}

    • Group: acs:mq:*:*:{mqttInstanceId}%{groupId}

    Important

    In the naming format of topics, storeInstanceId is the ID of the persistent instance that is bound to the ApsaraMQ for MQTT instance. You can obtain this ID on the Instance Details page in the ApsaraMQ for MQTT console.

  • An instance that does not contain a namespace

    • Topic: acs:mq:*:*:{topic}

    • Group: acs:mq:*:*:{groupId}

Action | Description | Remarks
--- | --- | ---
mq:PUB | Publishes messages. | Before you grant a RAM user permissions on a topic, you must grant the RAM user the mq:MqttInstanceAccess permission on the instance to which the topic belongs.
mq:SUB | Subscribes to messages. | Same as for mq:PUB.
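The following Python script is an added example and is not code from the Alibaba Cloud documentation. It builds the resource names above from the namespace rules, emits a least-privilege custom policy that grants mq:PUB on one topic together with the prerequisite mq:MqttInstanceAccess on the instance, and includes a simplified evaluator that flags a policy which grants mq:PUB without the instance permission. The instance, store instance, and topic identifiers are constructed placeholders, and the evaluator approximates RAM's Deny-over-Allow, default-deny semantics rather than reproducing the service's own engine.

```python
# Added example (not code from the Alibaba Cloud documentation): build a least-privilege
# RAM custom policy for an ApsaraMQ for MQTT client that only publishes to one topic, and
# check a policy against the page's prerequisite rule (mq:PUB on a topic also needs
# mq:MqttInstanceAccess on the instance). All IDs used below are constructed placeholders.
import fnmatch
import json
from typing import List, Optional


def instance_arn(mqtt_instance_id: str) -> str:
    """Instance resource; the same format whether or not the instance has a namespace."""
    return f"acs:mq:*:*:{mqtt_instance_id}"


def topic_arn(topic: str, has_namespace: bool, store_instance_id: Optional[str] = None) -> str:
    """Topic resource; a namespaced instance prefixes the topic with the bound store instance ID."""
    if has_namespace:
        if not store_instance_id:
            raise ValueError("store_instance_id is required when the instance has a namespace")
        return f"acs:mq:*:*:{store_instance_id}%{topic}"
    return f"acs:mq:*:*:{topic}"


def group_arn(group_id: str, has_namespace: bool, mqtt_instance_id: Optional[str] = None) -> str:
    """Group resource; a namespaced instance prefixes the group ID with the MQTT instance ID."""
    if has_namespace:
        if not mqtt_instance_id:
            raise ValueError("mqtt_instance_id is required when the instance has a namespace")
        return f"acs:mq:*:*:{mqtt_instance_id}%{group_id}"
    return f"acs:mq:*:*:{group_id}"


def publish_only_policy(mqtt_instance_id: str, topic: str, has_namespace: bool,
                        store_instance_id: Optional[str] = None) -> dict:
    """Custom policy: mq:PUB on exactly one topic plus the prerequisite instance access.
    Uses the RAM policy document layout (Version / Statement / Effect / Action / Resource)."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["mq:MqttInstanceAccess"],
             "Resource": [instance_arn(mqtt_instance_id)]},
            {"Effect": "Allow",
             "Action": ["mq:PUB"],
             "Resource": [topic_arn(topic, has_namespace, store_instance_id)]},
        ],
    }


def _as_list(value) -> List[str]:
    # Action and Resource may be a single string or a list in a policy document.
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified RAM evaluation: an explicit Deny wins, any matching Allow grants,
    otherwise the default is deny. '*' in Action/Resource acts as a wildcard."""
    decision = False
    for stmt in policy.get("Statement", []):
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def missing_for_publish(policy: dict, mqtt_instance_id: str, topic_resource: str) -> List[str]:
    """Return the actions a client still lacks before it can publish to topic_resource."""
    required = [("mq:MqttInstanceAccess", instance_arn(mqtt_instance_id)),
                ("mq:PUB", topic_resource)]
    return [act for act, res in required if not is_allowed(policy, act, res)]


if __name__ == "__main__":
    # Constructed placeholder IDs and topic name (not real Alibaba Cloud identifiers).
    mqtt_id, store_id, topic = "post-cn-EXAMPLE", "MQ_INST_EXAMPLE", "sensor_data"
    policy = publish_only_policy(mqtt_id, topic, has_namespace=True, store_instance_id=store_id)
    print(json.dumps(policy, indent=2))
    t = topic_arn(topic, True, store_id)
    print("missing for publish:", missing_for_publish(policy, mqtt_id, t))
    print("can subscribe:", is_allowed(policy, "mq:SUB", t))
```

The `missing_for_publish` check is the useful part when reviewing a hand-written policy: a statement that grants mq:PUB on the right topic but omits mq:MqttInstanceAccess on the instance looks complete yet does not let the client connect, and the check names the missing action instead of leaving a silent authorization failure.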

Permissions to manage instances in the console

The naming format of an ApsaraMQ for MQTT instance is acs:mq:*:*:{mqttInstanceId}, regardless of whether the instance contains a namespace. The following table describes the related actions.

Action | Description | Remarks
--- | --- | ---
mq:MqttInstanceAccess | Queries the basic information about a specific instance. | Before you grant a RAM user permissions on a topic or a group, you must grant the user the mq:MqttInstanceAccess permission on the instance to which the topic or group belongs.
mq:DeleteMqttInstance | Deletes an instance. | None.
mq:UpdateMqttInstance | Modifies instance information. | None.
mq:BindMqttInstance | Binds a persistent instance. | If you want to bind a persistent instance to an ApsaraMQ for MQTT instance, you must obtain permissions to manage both the persistent instance and the ApsaraMQ for MQTT instance. For information about how to grant permissions on a persistent instance, refer to the policies of the corresponding service.
mq:ListMqttInstance | Queries the list of instances. | None.
mq:UpdateMqttInstanceWarn | Updates the alert information about a specific instance. | None.

Permissions to manage topics in the console

The naming format of a topic varies based on whether the corresponding ApsaraMQ for MQTT instance contains a namespace.

  • An instance that contains a namespace: acs:mq:*:*:{storeInstanceId}%{topic}

    Important

    In the format, storeInstanceId is the ID of the persistent instance that is bound to the ApsaraMQ for MQTT instance. You can obtain this ID on the Instance Details page in the ApsaraMQ for MQTT console.

  • An instance that does not contain a namespace: acs:mq:*:*:{topic}

The following remark applies to every action in the table: before you grant a RAM user permissions on a topic or a group, you must grant the user the mq:MqttInstanceAccess permission on the instance to which the topic or group belongs.

Action | Description
--- | ---
mq:QueryMqttClientByTopic | Queries ApsaraMQ for MQTT clients that subscribe to a specific topic.
mq:QueryMqttMsgTransTrend | Queries messaging statistics based on a specific topic.
mq:SendMqttMessageByConsole | Tests the message sending feature in the console.

Permissions to manage groups in the console

The naming format of a group varies based on whether the corresponding ApsaraMQ for MQTT instance contains a namespace.

  • An instance that contains a namespace: acs:mq:*:*:{mqttInstanceId}%{groupId}

    Important

    If an ApsaraMQ for MQTT instance contains a namespace, the ID of a group on the instance must be prefixed with the ID of the instance.

  • An instance that does not contain a namespace: acs:mq:*:*:{groupId}

The following remark applies to every action in the table: before you grant a RAM user permissions on a topic or a group, you must grant the user the mq:MqttInstanceAccess permission on the instance to which the topic or group belongs.

Action | Description
--- | ---
mq:CreateMqttGroupId | Creates a group.
mq:ListMqttGroupId | Queries the list of groups.
mq:QueryMqttClientByClientId | Queries ApsaraMQ for MQTT client information based on a specific client ID.
mq:QueryMqttClientByGroupId | Queries ApsaraMQ for MQTT client information based on a specific group ID.
mq:QueryMqttHistoryOnline | Queries the information about historically connected ApsaraMQ for MQTT clients based on a specific group ID.
mq:DeleteMqttGroupId | Deletes a group.
mq:QueryMqttDeviceTrace | Queries the trace of an ApsaraMQ for MQTT client.
mq:QueryMqttDeviceTrace | Queries the information about a specific ApsaraMQ for MQTT client.

Permissions to call API operations

The resource naming formats below apply to all of the API operations listed in the table.

  • No namespace contained in the instance

    • Instance: acs:mq:*:*:{mqttInstanceId}

    • Topic: acs:mq:*:*:{topic}

    • Group: acs:mq:*:*:{groupId}

  • A namespace contained in the instance

    • Instance: acs:mq:*:*:{mqttInstanceId}

    • Topic: acs:mq:*:*:{storeInstanceId}%{topic}

    • Group: acs:mq:*:*:{mqttInstanceId}%{groupId}

API | Actions
--- | ---
RevokeToken | mq:MqttInstanceAccess, mq:RevokeToken
QueryToken | mq:MqttInstanceAccess, mq:QueryToken
ApplyToken | mq:MqttInstanceAccess, mq:ApplyToken
CreateGroupId | mq:MqttInstanceAccess, mq:CreateGroupId
DeleteGroupId | mq:MqttInstanceAccess, mq:DeleteGroupId
ListGroupId | mq:MqttInstanceAccess, mq:ListGroupId

Note

For more information about API operations, see API overview.
