Resource Access Management (RAM) lets you control access to your ApsaraMQ for MQTT resources without sharing the AccessKey pair of your Alibaba Cloud account with other users. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. You can create RAM users and grant each user only the permissions they need.
How access control works
ApsaraMQ for MQTT authorizes access through RAM policies. Each policy specifies which actions a RAM user can perform on which resources. There are four resource types:
| Resource type | Description | Naming format | Example |
|---|---|---|---|
| Instance | An MQTT broker instance | acs:mq:*:*:instance/{mqttInstanceId} | acs:mq:*:*:instance/post-cn-09k1noy**** |
| Topic | A message topic within an instance | acs:mq:*:*:topic/{mqttInstanceId}/{topic} | acs:mq:*:*:topic/post-cn-09k1noy****/Topic_**** |
| Group | A client group within an instance | acs:mq:*:*:groupId/{mqttInstanceId}/{gid} | acs:mq:*:*:groupId/post-cn-09k1noy****/GID_**** |
| Rule | A data routing rule within an instance | acs:mq:*:*:rule/{mqttInstanceId}/{ruleId} | acs:mq:*:*:rule/post-cn-09k1noy****/111**** |
Two types of policies are available:
System policies -- Predefined by Alibaba Cloud. Ready to use, but not editable.
Custom policies -- Defined and maintained by you. You maintain the policy versions. Provide fine-grained, resource-level access control.
For details on policy syntax, see Policy structure and syntax. For the resource element format, see Resource.
Instance access prerequisite
Before you grant permissions on any topic, group, or rule, you must first grant the mq:MqttInstanceAccess action on the parent instance. Without instance-level access, the RAM user cannot reach the resources within that instance.
This prerequisite applies to all permission categories: console operations, API calls, and client publish/subscribe.
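To catch a missing instance-level grant before a policy is attached, here is an added Python example (not Alibaba Cloud's own code) that parses the four resource formats listed on this page and flags every topic, group or rule grant whose parent instance has no mq:MqttInstanceAccess statement. The sample policy and its instance IDs (post-cn-EXAMPLE1, post-cn-EXAMPLE2) are constructed placeholders.

```python
import re
# Resource string formats from this page; the instance ID is always the first
# path segment after the resource type (instance, topic, groupId or rule).
RESOURCE_RE = re.compile(r"^acs:mq:[^:]*:[^:]*:(instance|topic|groupId|rule)/([^/]+)(?:/(.*))?$")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def parse_resource(arn):
    """Return (type, instance_id, child) for an ApsaraMQ for MQTT resource, else None."""
    m = RESOURCE_RE.match(arn)
    return m.groups() if m else None

def instances_with_access(policy):
    """Instance IDs ('*' for a full wildcard) on which mq:MqttInstanceAccess is allowed."""
    granted = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "mq:MqttInstanceAccess" not in _as_list(st["Action"]):
            continue
        for r in _as_list(st["Resource"]):
            if r in ("*", "acs:mq:*:*:*"):
                granted.add("*")
            else:
                parsed = parse_resource(r)
                if parsed and parsed[0] == "instance":
                    granted.add(parsed[1])
    return granted

def missing_instance_access(policy):
    """Topic/group/rule resources whose parent instance has no mq:MqttInstanceAccess grant."""
    ok = instances_with_access(policy)
    missing = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for r in _as_list(st["Resource"]):
            parsed = parse_resource(r)
            if parsed and parsed[0] != "instance" and "*" not in ok and parsed[1] not in ok:
                missing.append(r)
    return missing

# Constructed sample policy; instance IDs are placeholders, not real instances.
# The group grant targets post-cn-EXAMPLE2, which has no instance-level access.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "mq:MqttInstanceAccess",
         "Resource": "acs:mq:*:*:instance/post-cn-EXAMPLE1"},
        {"Effect": "Allow", "Action": ["mq:PUB", "mq:SUB"],
         "Resource": ["acs:mq:*:*:topic/post-cn-EXAMPLE1/Topic_sensor",
                      "acs:mq:*:*:groupId/post-cn-EXAMPLE2/GID_fleet"]},
    ],
}
```

Running missing_instance_access(SAMPLE_POLICY) returns only the GID_fleet group resource, because its instance post-cn-EXAMPLE2 was never granted mq:MqttInstanceAccess.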
System policies
ApsaraMQ for MQTT provides four default system policies.
| Policy | Description |
|---|---|
| AliyunMQFullAccess | Full management access to all ApsaraMQ for MQTT operations in the console, equivalent to an Alibaba Cloud account. |
| AliyunMQPubOnlyAccess | Publish-only access. Allows publishing messages through SDKs to all resources under the Alibaba Cloud account. |
| AliyunMQSubOnlyAccess | Subscribe-only access. Allows subscribing to messages through SDKs from all resources under the Alibaba Cloud account. |
| AliyunMQReadOnlyAccess | Read-only access. Allows viewing resource information in the console or through API calls. |
ApsaraMQ for MQTT does not have its own independent system policies. These policies are shared with ApsaraMQ for RocketMQ -- attaching any of these policies to a RAM user grants access to both services.
AliyunMQFullAccess and AliyunMQReadOnlyAccess do not include permissions to view the instance list in the console. Grant mq:MqttInstanceAccess separately to enable instance list access. See Instance management actions.
Custom policy actions
Custom policies let you specify exactly which actions a RAM user can perform on specific resources. The following sections list all available actions grouped by scope.
For sample custom policies, see Sample permission policies.
Client publish and subscribe actions
These actions control message publishing and subscribing through ApsaraMQ for MQTT SDKs.
Resource naming formats:
Topic: acs:mq:*:*:topic/{mqttInstanceId}/{topic}
Group ID: acs:mq:*:*:groupId/{mqttInstanceId}/{gid}
| Action | Description |
|---|---|
| mq:PUB | Publish messages to a topic |
| mq:SUB | Subscribe to messages from a topic |
Client publish and subscribe permissions cannot be granted across Alibaba Cloud accounts.
Instance management actions
Resource naming format: acs:mq:*:*:instance/{mqttInstanceId}
| Action | Description |
|---|---|
| mq:MqttInstanceAccess | Query basic instance information. Required before granting any topic, group, or rule permissions. |
| mq:ListMqttInstance | List all instances |
| mq:UpdateMqttInstance | Modify instance information |
| mq:DeleteMqttInstance | Delete an instance |
| mq:UpdateMqttInstanceWarn | Update alert settings for an instance |
| mq:MqttMetaData | Access the Overview page and homepage in the ApsaraMQ for MQTT console |
After you grant mq:MqttMetaData, also grant mq:ListMqttInstance so that the RAM user can view the instance list in the console.
Topic management actions
Resource naming format: acs:mq:*:*:topic/{mqttInstanceId}/{topic}
| Action | Description |
|---|---|
| mq:CreateMqttTopic | Create a topic |
| mq:DeleteMqttTopic | Delete a topic |
| mq:ListMqttTopic | List topics |
| mq:UpdateMqttTopic | Update a topic description |
| mq:QueryMqttClientByTopic | Query which clients subscribe to a topic |
| mq:QueryMqttMsgTransTrend | Query messaging statistics for a topic |
| mq:SendMqttMessageByConsole | Send a test message from the console |
Group management actions
Resource naming format: acs:mq:*:*:groupId/{mqttInstanceId}/{gid}
| Action | Description |
|---|---|
| mq:CreateMqttGroupId | Create a group |
| mq:DeleteMqttGroupId | Delete a group |
| mq:ListMqttGroupId | List groups |
| mq:QueryMqttClientByClientId | Query client information by client ID |
| mq:QueryMqttClientByGroupId | Query client information by group ID |
| mq:QueryMqttHistoryOnline | Query historical online connections by group ID |
| mq:QueryMqttTraceDevice | Trace a specific client |
| mq:QueryMqttDeviceTrace | Query details of a specific client |
Rule management actions
Resource naming format: acs:mq:*:*:rule/{mqttInstanceId}/{ruleId}
When you grant rule permissions, make sure the related instances, topics, and groups all belong to the same Alibaba Cloud account.
| Action | Description |
|---|---|
| mq:CreateMqttInboundRule | Create a data inbound rule |
| mq:DeleteMqttInboundRule | Delete a data inbound rule |
| mq:ListMqttInboundRule | List data inbound rules |
| mq:UpdateMqttInboundRule | Update a data inbound rule |
| mq:CreateMqttOutboundRule | Create a data outbound rule |
| mq:DeleteMqttOutboundRule | Delete a data outbound rule |
| mq:ListMqttOutboundRule | List data outbound rules |
| mq:UpdateMqttOutboundRule | Update a data outbound rule |
| mq:CreateClientStatusNotifyRule | Create a client status notification rule |
| mq:DeleteClientStatusNotifyRule | Delete a client status notification rule |
| mq:ListClientStatusNotifyRule | List client status notification rules |
| mq:UpdateClientStatusNotifyRule | Update a client status notification rule |
API operation permissions
Each API operation requires mq:MqttInstanceAccess plus one or more additional actions. For rule-related APIs, make sure the related instances, topics, and groups all belong to the same Alibaba Cloud account.
Token management
| API | Resource naming format | Required actions |
|---|---|---|
| ApplyToken | Instance: acs:mq:*:*:instance/{mqttInstanceId}, Topic: acs:mq:*:*:topic/{mqttInstanceId}/{topic} | mq:MqttInstanceAccess, mq:ApplyToken |
| RevokeToken | acs:mq:*:*:* | mq:MqttInstanceAccess, mq:RevokeToken |
| QueryToken | acs:mq:*:*:* | mq:MqttInstanceAccess, mq:QueryToken |
Message operations
| API | Required actions |
|---|---|
| SendMessage | mq:MqttInstanceAccess, mq:SendMessage |
Group operations
All group API operations use the following resource naming formats:
Instance: acs:mq:*:*:instance/{mqttInstanceId}
Group: acs:mq:*:*:groupId/{mqttInstanceId}/{gid}
| API | Required actions |
|---|---|
| CreateGroupId | mq:MqttInstanceAccess, mq:CreateMqttGroupId |
| DeleteGroupId | mq:MqttInstanceAccess, mq:DeleteMqttGroupId |
| ListGroupId | mq:MqttInstanceAccess, mq:ListMqttGroupId |
| QuerySessionByClientId | mq:MqttInstanceAccess, mq:QuerySessionByClientId |
| BatchQuerySessionByClientIds | mq:MqttInstanceAccess, mq:BatchQuerySessionByClientIds |
Device credential operations
| API | Required actions |
|---|---|
| RegisterDeviceCredential | mq:MqttInstanceAccess, mq:RegisterDeviceCredential |
| GetDeviceCredential | mq:MqttInstanceAccess, mq:GetDeviceCredential |
| ListDeviceCredentialClientId | mq:MqttInstanceAccess, mq:ListDeviceCredentialClientId |
| UnRegisterDeviceCredential | mq:MqttInstanceAccess, mq:UnRegisterDeviceCredential |
| RefreshDeviceCredential | mq:MqttInstanceAccess, mq:RefreshDeviceCredential |
Message trace operations
| API | Resource naming format | Required actions |
|---|---|---|
| QueryMqttTraceDevice | -- | mq:MqttInstanceAccess, mq:QueryMqttDeviceTrace |
| QueryMqttTraceMessageOfClient | -- | mq:MqttInstanceAccess, mq:QueryMqttDeviceTrace |
| QueryMqttTraceMessagePublish | Instance: acs:mq:*:*:instance/{mqttInstanceId} | mq:MqttInstanceAccess, mq:QueryMqttPubTrace |
| QueryMqttTraceMessageSubscribe | -- | mq:MqttInstanceAccess, mq:QueryMqttSubTrace |
Custom authentication operations
| API | Required actions |
|---|---|
| AddCustomAuthIdentity | mq:MqttInstanceAccess, mq:AddCustomAuthIdentity |
| QueryCustomAuthIdentity | mq:MqttInstanceAccess, mq:QueryCustomAuthIdentity |
| UpdateCustomAuthIdentity | mq:MqttInstanceAccess, mq:UpdateCustomAuthIdentity |
| DeleteCustomAuthIdentity | mq:MqttInstanceAccess, mq:DeleteCustomAuthIdentity |
| AddCustomAuthPermission | mq:MqttInstanceAccess, mq:AddCustomAuthPermission |
| QueryCustomAuthPermission | mq:MqttInstanceAccess, mq:QueryCustomAuthPermission |
| UpdateCustomAuthPermission | mq:MqttInstanceAccess, mq:UpdateCustomAuthPermission |
| DeleteCustomAuthPermission | mq:MqttInstanceAccess, mq:DeleteCustomAuthPermission |
| AddCustomAuthConnectBlack | mq:MqttInstanceAccess, mq:DeleteCustomAuthConnectBlack |
| QueryCustomAuthConnectBlack | mq:MqttInstanceAccess, mq:QueryCustomAuthConnectBlack |
| DeleteCustomAuthConnectBlack | mq:MqttInstanceAccess, mq:AddCustomAuthConnectBlack |
Topic operations
All topic API operations use the following resource naming formats:
Instance: acs:mq:*:*:instance/{mqttInstanceId}
Topic: acs:mq:*:*:topic/{mqttInstanceId}/{topic}
| API | Required actions |
|---|---|
| CreateTopic | mq:MqttInstanceAccess, mq:CreateMqttTopic |
| ListTopics | mq:MqttInstanceAccess, mq:SUB, mq:ListMqttTopic |
| DeleteTopic | mq:MqttInstanceAccess, mq:PUB, mq:DeleteMqttTopic |
| UpdateTopic | mq:MqttInstanceAccess, mq:UpdateMqttTopic |
Rule operations
All rule API operations use the following resource naming formats:
Instance: acs:mq:*:*:instance/{mqttInstanceId}
Rule: acs:mq:*:*:rule/{mqttInstanceId}/{ruleId}
| API | Required actions |
|---|---|
| CreateMqttInboundRule | mq:MqttInstanceAccess, mq:CreateMqttInboundRule |
| ListMqttInboundRuleInPages | mq:MqttInstanceAccess, mq:ListMqttInboundRule |
| UpdateMqttInboundRule | mq:MqttInstanceAccess, mq:UpdateMqttInboundRule |
| DeleteMqttInboundRule | mq:MqttInstanceAccess, mq:DeleteMqttInboundRule |
| CreateMqttOutboundRule | mq:MqttInstanceAccess, mq:CreateMqttOutboundRule |
| ListMqttOutboundRuleInPages | mq:MqttInstanceAccess, mq:ListMqttOutboundRule |
| UpdateMqttOutboundRule | mq:MqttInstanceAccess, mq:UpdateMqttOutboundRule |
| DeleteMqttOutboundRule | mq:MqttInstanceAccess, mq:DeleteMqttOutboundRule |
| CreateClientStatusNotifyRule | mq:MqttInstanceAccess, mq:CreateClientStatusNotifyRule |
| ListClientStatusNotifyRuleInPages | mq:MqttInstanceAccess, mq:ListClientStatusNotifyRule |
| UpdateClientStatusNotifyRule | mq:MqttInstanceAccess, mq:UpdateClientStatusNotifyRule |
| DeleteClientStatusNotifyRule | mq:MqttInstanceAccess, mq:DeleteClientStatusNotifyRule |
Disaster recovery operations
| API | Required actions |
|---|---|
| DisasterDowngrade | mq:MqttInstanceAccess, mq:DisasterDowngrade |
| DisasterRecovery | mq:MqttInstanceAccess, mq:DisasterRecovery |
For the complete API reference, see List of operations by function.