
ApsaraMQ for MQTT: Grant permissions to RAM users

Last Updated: Mar 11, 2026

Instead of sharing your Alibaba Cloud account's AccessKey pair, create Resource Access Management (RAM) users and grant each one only the permissions they need. Authorized RAM users can then manage ApsaraMQ for MQTT resources in the console and publish or subscribe to messages through SDKs and API operations.

Note

ApsaraMQ for MQTT does not support cross-account authorization.

When to use RAM users

Different team members typically need different levels of access to ApsaraMQ for MQTT:

| Role | Typical permissions |
| --- | --- |
| Resource administrator | Create and manage instances, topics, and groups |
| Publisher | Send messages to specific topics |
| Subscriber | Consume messages from specific topics |

RAM lets the Alibaba Cloud account holder:

  • Create a separate RAM user for each team member instead of sharing the account's AccessKey pair

  • Grant fine-grained permissions at the instance, topic, or group level

  • Revoke permissions or delete RAM users at any time

All resource usage by RAM users is billed to the Alibaba Cloud account.

Prerequisites

Before you begin, make sure that you have:

  • An Alibaba Cloud account with ApsaraMQ for MQTT activated

  • Administrative access to the RAM console

Grant permissions to a RAM user

The workflow consists of three steps: create a RAM user, optionally create custom policies, and attach policies to the user.

  1. Create a RAM user. Create a RAM user for each team member who needs access to ApsaraMQ for MQTT. See Create a RAM user.

  2. (Optional) Create custom policies. If the system policies do not meet your requirements, create custom policies to define fine-grained access to specific instances, topics, or groups. See Create custom policies. For a full list of available actions and resources, see Policies.

  3. Attach policies to the RAM user. Attach the appropriate system or custom policies to the RAM user. See Grant permissions to a RAM user.

Console access permissions

The Overview page in the ApsaraMQ for MQTT console displays the metadata of all your instances. To access it, grant the RAM user the following actions:

| Action | Required for |
| --- | --- |
| mq:MqttMetaData | Viewing the Overview page and homepage, which display instance metadata |
| mq:ListMqttInstance | Listing instances on the Overview page |

Important

A RAM user can access the Overview page and homepage only after it is granted the mq:MqttMetaData permission. Without this permission, errors are returned when accessing these pages. To view the list of instances after accessing the Overview page, you must also grant the mq:ListMqttInstance permission.
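The following Python check is an added example, not part of the original documentation or of Alibaba Cloud's tooling. It reads a RAM policy document and reports whether it grants the two console actions above, flagging a policy that grants one without the other or that relies on a broad action wildcard. It assumes the standard RAM policy JSON layout (Version, Statement, Effect, Action, Resource), evaluates only Effect and Action, and runs on constructed sample policies in which Resource "*" is a placeholder.

```python
import fnmatch
import json

CONSOLE_ACTIONS = ("mq:MqttMetaData", "mq:ListMqttInstance")  # named on this page

def _as_list(value):
    """RAM policy fields may hold one item or a list of items."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _covered(action, statements, effect):
    """True if a statement with this Effect has an Action pattern matching action."""
    return any(
        fnmatch.fnmatchcase(action, pattern)
        for stmt in statements if stmt.get("Effect") == effect
        for pattern in _as_list(stmt.get("Action"))
    )

def check_console_access(policy_json):
    """Return ({action: granted}, [findings]) for one policy document."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    # An explicit Deny overrides any Allow.
    granted = {a: _covered(a, statements, "Allow") and not _covered(a, statements, "Deny")
               for a in CONSOLE_ACTIONS}
    findings = []
    if granted["mq:ListMqttInstance"] and not granted["mq:MqttMetaData"]:
        findings.append("mq:MqttMetaData missing: Overview page and homepage return errors")
    if granted["mq:MqttMetaData"] and not granted["mq:ListMqttInstance"]:
        findings.append("mq:ListMqttInstance missing: instance list is not shown")
    for stmt in statements:
        for pattern in _as_list(stmt.get("Action")):
            if stmt.get("Effect") == "Allow" and pattern in ("*", "mq:*"):
                findings.append(f"broad pattern {pattern!r}: grants more than console viewing")
    return granted, findings

# Constructed sample policies, not from the page. Resource "*" is an assumption:
# the page defers the resource format to its Policies reference.
def _policy(action):
    return json.dumps({"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": action, "Resource": "*"}]})

VIEWER = _policy(["mq:MqttMetaData", "mq:ListMqttInstance"])
LIST_ONLY = _policy("mq:ListMqttInstance")
BROAD = _policy("mq:*")

if __name__ == "__main__":
    for name, doc in (("viewer", VIEWER), ("list_only", LIST_ONLY), ("broad", BROAD)):
        print(name, *check_console_access(doc))
```

Running the check against each custom policy before attaching it catches a console role that would fail on the Overview page, or one that quietly grants every mq action.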

Access ApsaraMQ for MQTT as a RAM user

After creating a RAM user and granting it the appropriate permissions, share the logon credentials (username and password) or AccessKey pair with the team member. The RAM user can access ApsaraMQ for MQTT through two methods:

Log on to the console

  1. Open the RAM User Logon page.

  2. Enter the logon name of the RAM user in the Username field and click Next. Enter the password and click Log On.

    Note

    The logon name uses the format <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com, where <$AccountAlias> is the account alias. If no alias is set, the Alibaba Cloud account ID is used instead.

  3. On the RAM User Center page, click a service to access its console.

Call API operations

Specify the AccessKey ID and AccessKey secret of the RAM user in your code to authenticate API requests.
