Copy these sample RAM policies to grant fine-grained access to ApsaraMQ for MQTT instances, topics, groups, and API operations. Replace the placeholders with your resource information, and attach each policy to a RAM user.
Prerequisites
Before you begin, make sure that you have:
An understanding of RAM policies for ApsaraMQ for MQTT
Familiarity with the Resource element format
Actions and resource types
Each policy statement maps an Action to a Resource. The following table lists the available actions and resource ARN formats.
| Action | Description | Resource ARN format |
|---|---|---|
| `mq:MqttInstanceAccess` | Access an MQTT instance | `acs:mq:*:*:instance/<instance-id>` |
| `mq:MqttMetaData` | Access the console Overview page and homepage | `acs:mq:*:<account-id>:*` |
| `mq:ListMqttInstance` | List MQTT instances | `acs:mq:*:<account-id>:instance/<instance-id>` |
| `mq:PUB` | Publish messages to a topic | `acs:mq:*:*:topic/<instance-id>/<topic-name>` |
| `mq:SUB` | Subscribe to a topic or group | `acs:mq:*:*:topic/<instance-id>/<topic-name>` or `acs:mq:*:*:groupId/<instance-id>/<group-id>` |
| `mq:SendMqttMessageByConsole` | Publish messages from the console | `acs:mq:*:*:topic/<instance-id>/<topic-name>` |
| `mq:ApplyToken` | Request an authentication token through the API | `acs:mq:*:*:topic/<instance-id>/<topic-name>` |
| `mq:CreateMqttOutboundRule` | Create a data outbound rule | `acs:mq:*:*:rule/<instance-id>/<rule-id>` |
| `mq:DeleteMqttOutboundRule` | Delete a data outbound rule | `acs:mq:*:*:rule/<instance-id>/<rule-id>` |
| `mq:ListMqttOutboundRule` | List data outbound rules | `acs:mq:*:*:rule/<instance-id>/<rule-id>` |
| `mq:UpdateMqttOutboundRule` | Update a data outbound rule | `acs:mq:*:*:rule/<instance-id>/<rule-id>` |
| `mq:*` | All actions (full access) | `acs:mq:*:*:*/<instance-id>/*` |
Placeholder values
Replace these placeholders with your actual values before you apply a policy.
| Placeholder | Description | Example |
|---|---|---|
| `<instance-id>` | MQTT instance ID | `post-cn-09k1noy****` |
| `<account-id>` | Alibaba Cloud account ID | `198126978280****` |
| `<topic-name>` | Topic name | `Topic_****` |
| `<group-id>` | Group ID | `GID_****` |
| `<rule-id>` | Data outbound rule ID | `Rule****` |
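The two tables above define a mechanical check: every `Action` in a statement must be paired with a `Resource` in that action's ARN format, and no `<placeholder>` may survive into the attached policy. The following Python script is an added example, not part of Alibaba Cloud's documentation or tooling: it renders a policy template with your values and lints the result against the table. `ACTION_RESOURCE_PATTERNS`, `render_policy`, `lint_policy` and `SAMPLE_VALUES` are the example's own names, and the sample instance and account IDs are constructed, not real identifiers.

```python
import json
import re

# Action -> accepted resource ARN formats, transcribed from the table on this page
# (mq:SUB accepts either a topic or a groupId resource). Where the page shows "*"
# for the region or account segment, "*" is matched literally.
ACTION_RESOURCE_PATTERNS = {
    "mq:MqttInstanceAccess":       [r"^acs:mq:\*:\*:instance/[^/]+$"],
    "mq:MqttMetaData":             [r"^acs:mq:\*:[^:]+:\*$"],
    "mq:ListMqttInstance":         [r"^acs:mq:\*:[^:]+:instance/[^/]+$"],
    "mq:PUB":                      [r"^acs:mq:\*:\*:topic/[^/]+/[^/]+$"],
    "mq:SUB":                      [r"^acs:mq:\*:\*:topic/[^/]+/[^/]+$",
                                    r"^acs:mq:\*:\*:groupId/[^/]+/[^/]+$"],
    "mq:SendMqttMessageByConsole": [r"^acs:mq:\*:\*:topic/[^/]+/[^/]+$"],
    "mq:ApplyToken":               [r"^acs:mq:\*:\*:topic/[^/]+/[^/]+$"],
    "mq:CreateMqttOutboundRule":   [r"^acs:mq:\*:\*:rule/[^/]+/[^/]+$"],
    "mq:DeleteMqttOutboundRule":   [r"^acs:mq:\*:\*:rule/[^/]+/[^/]+$"],
    "mq:ListMqttOutboundRule":     [r"^acs:mq:\*:\*:rule/[^/]+/[^/]+$"],
    "mq:UpdateMqttOutboundRule":   [r"^acs:mq:\*:\*:rule/[^/]+/[^/]+$"],
    "mq:*":                        [r"^acs:mq:\*:\*:\*/[^/]+/\*$"],
}

# Matches the <placeholder> tokens used in the sample policies on this page.
PLACEHOLDER = re.compile(r"<[a-z-]+>")

# The "Console access" policy from this page, kept as a template.
CONSOLE_POLICY_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "mq:MqttInstanceAccess",
     "Resource": "acs:mq:*:*:instance/<instance-id>"},
    {"Effect": "Allow", "Action": "mq:MqttMetaData",
     "Resource": "acs:mq:*:<account-id>:*"},
    {"Effect": "Allow", "Action": "mq:ListMqttInstance",
     "Resource": "acs:mq:*:<account-id>:instance/<instance-id>"}
  ]
}"""

# Constructed sample values for the example; not real instance or account IDs.
SAMPLE_VALUES = {"instance-id": "post-cn-example0001", "account-id": "100000000000"}


def render_policy(template: str, values: dict) -> str:
    """Substitute <placeholder> tokens; refuse to return a policy that still has any."""
    rendered = template
    for key, value in values.items():
        rendered = rendered.replace(f"<{key}>", value)
    leftover = sorted(set(PLACEHOLDER.findall(rendered)))
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return rendered


def _as_list(value):
    # Action and Resource may be a single string or a list in the page's policies.
    return value if isinstance(value, list) else [value]


def lint_policy(policy) -> list:
    """Check a policy (JSON text or parsed dict) against the page's action/resource table.

    Returns a list of finding strings; an empty list means every statement pairs a
    known action with a resource in the documented ARN format. Findings containing
    "info:" are least-privilege notes rather than errors.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    if policy.get("Version") != "1":
        findings.append(f'policy Version is {policy.get("Version")!r}, expected "1"')
    actions_seen = set()
    for index, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            actions_seen.add(action)
            patterns = ACTION_RESOURCE_PATTERNS.get(action)
            if patterns is None:
                findings.append(f"statement {index}: unknown action {action}")
                continue
            for resource in resources:
                if PLACEHOLDER.search(resource):
                    findings.append(f"statement {index}: unreplaced placeholder in {resource}")
                elif not any(re.match(p, resource) for p in patterns):
                    findings.append(f"statement {index}: resource {resource} "
                                    f"does not match the ARN format for {action}")
            if action == "mq:*":
                findings.append(f"statement {index}: info: mq:* grants every action under "
                                "the instance; use specific actions unless full access is intended")
    if "mq:MqttInstanceAccess" not in actions_seen:
        findings.append("policy lacks mq:MqttInstanceAccess, which must be granted "
                        "before any other permission")
    return findings


if __name__ == "__main__":
    policy_text = render_policy(CONSOLE_POLICY_TEMPLATE, SAMPLE_VALUES)
    print(policy_text)
    print(lint_policy(policy_text) or "no findings")
```

Run the script to see the rendered console policy and an empty finding list; paste one of the other policies on this page into `lint_policy` before attaching it to a RAM user, and treat any "does not match" or "unreplaced placeholder" finding as a policy that would either fail to grant the intended permission or grant it to a resource you did not mean.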
Console access
Grant a RAM user access to the ApsaraMQ for MQTT console, including the Overview page, homepage, and instance list.
This policy contains three statements:
Instance access -- required before you grant any other permissions.
Console metadata -- loads the Overview page and homepage.
Instance listing -- displays instances in the instance list.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mq:MqttInstanceAccess",
      "Resource": "acs:mq:*:*:instance/<instance-id>"
    },
    {
      "Effect": "Allow",
      "Action": "mq:MqttMetaData",
      "Resource": "acs:mq:*:<account-id>:*"
    },
    {
      "Effect": "Allow",
      "Action": "mq:ListMqttInstance",
      "Resource": "acs:mq:*:<account-id>:instance/<instance-id>"
    }
  ]
}
```

Publish and subscribe through an MQTT client
Grant a RAM user permissions to publish and subscribe to messages on a topic through an ApsaraMQ for MQTT client.
Cross-account publish and subscribe permissions are not supported. The RAM user and the MQTT instance must belong to the same Alibaba Cloud account.
This policy contains three statements:
Instance access -- required before you grant any other permissions.
Topic publish and subscribe -- publishes and receives messages on a specific topic.
Group subscribe -- subscribes by using a specific group ID.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mq:MqttInstanceAccess"
      ],
      "Resource": [
        "acs:mq:*:*:instance/<instance-id>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "mq:PUB",
        "mq:SUB"
      ],
      "Resource": [
        "acs:mq:*:*:topic/<instance-id>/<topic-name>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "mq:SUB"
      ],
      "Resource": [
        "acs:mq:*:*:groupId/<instance-id>/<group-id>"
      ]
    }
  ]
}
```

Publish messages from the console
Grant a RAM user permissions to publish messages to a specific topic from the ApsaraMQ for MQTT console.
This policy contains two statements:
Instance access -- required before you grant any other permissions.
Console publish -- sends messages to a topic through the console.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mq:MqttInstanceAccess"
      ],
      "Resource": [
        "acs:mq:*:*:instance/<instance-id>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "mq:SendMqttMessageByConsole"
      ],
      "Resource": [
        "acs:mq:*:*:topic/<instance-id>/<topic-name>"
      ]
    }
  ]
}
```

Request a token through the API
Grant a RAM user permissions to call the ApplyToken API operation to request an authentication token.
This policy contains two statements:
Instance access -- required before you grant any other permissions.
Token request -- calls the ApplyToken operation for a specific topic.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mq:MqttInstanceAccess"
      ],
      "Resource": [
        "acs:mq:*:*:instance/<instance-id>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "mq:ApplyToken"
      ],
      "Resource": [
        "acs:mq:*:*:topic/<instance-id>/<topic-name>"
      ]
    }
  ]
}
```

Manage data outbound rules
Grant a RAM user full CRUD permissions on data outbound rules: create, list, update, and delete.
The instance, topic, and group referenced in the outbound rules must all belong to the same Alibaba Cloud account.
This policy contains two statements:
Instance access -- required before you grant any other permissions.
Outbound rule management -- grants create, list, update, and delete operations on data outbound rules.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mq:MqttInstanceAccess"
      ],
      "Resource": [
        "acs:mq:*:*:instance/<instance-id>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "mq:CreateMqttOutboundRule",
        "mq:DeleteMqttOutboundRule",
        "mq:ListMqttOutboundRule",
        "mq:UpdateMqttOutboundRule"
      ],
      "Resource": [
        "acs:mq:*:*:rule/<instance-id>/<rule-id>"
      ]
    }
  ]
}
```

Full access to an instance
Grant a RAM user all permissions on a specific ApsaraMQ for MQTT instance, including console access, publish and subscribe, API operations, and rule management.
This policy contains four statements:
Instance access -- grants access to the instance.
Console metadata -- loads the console Overview page and homepage.
Instance listing -- displays the instance in the list.
Wildcard all actions -- grants all operations on all resource types under the instance.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mq:MqttInstanceAccess",
      "Resource": "acs:mq:*:*:instance/<instance-id>"
    },
    {
      "Effect": "Allow",
      "Action": "mq:MqttMetaData",
      "Resource": "acs:mq:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mq:ListMqttInstance",
      "Resource": "acs:mq:*:*:instance/<instance-id>"
    },
    {
      "Effect": "Allow",
      "Action": "mq:*",
      "Resource": "acs:mq:*:*:*/<instance-id>/*"
    }
  ]
}
```