ApsaraMQ for MQTT: Sample policies

Last Updated: Mar 15, 2024

This topic provides sample policies that are used to grant permissions on ApsaraMQ for MQTT.

Usage notes

Before you read this topic, we recommend that you first review the permission policies that ApsaraMQ for MQTT provides in Resource Access Management (RAM).

If you want to use the sample code directly, delete the two forward slashes (//) and the description that follows them after you copy the code; these descriptions are not valid JSON and the policy will not be accepted while they remain. Replace the following values in the sample policies with your actual resource information:

  • post-cn-09k1noy****: Replace it with your instance ID.

  • Topic_****: Replace it with your topic name.

  • GID_****: Replace it with your group ID.

  • Rule****: Replace it with your rule ID.

Sample policy 1: Grant a RAM user permissions on sending and receiving messages in an ApsaraMQ for MQTT client

Note

You cannot grant a RAM user permissions on sending and receiving messages in an ApsaraMQ for MQTT client across Alibaba Cloud accounts.

{
    "Version":"1",
    "Statement":[
        {   // Before you grant a RAM user permissions on sending and receiving messages in an ApsaraMQ for MQTT client, grant the RAM user permissions on the corresponding instance. 
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "acs:mq:*:*:instance/post-cn-09k1noy****"
            ]
        },
        {   // Grant the RAM user permissions on sending and receiving messages in a topic. 
            "Effect":"Allow",
            "Action":[
                "mq:PUB",
                "mq:SUB"
            ],
            "Resource":[
                "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"
            ]
        },
        {   // Grant the RAM user permissions on receiving messages in a group. 
            "Effect":"Allow",
            "Action":[
                "mq:SUB"
            ],
            "Resource":[
                "acs:mq:*:*:groupId/post-cn-09k1noy****/GID_****"
            ]
        }
    ]
}

Sample policy 2: Grant a RAM user permissions on sending messages in a topic by using the console

{
    "Version":"1",
    "Statement":[
        {   // Before you grant a RAM user permissions on sending messages in a topic by using the console, grant the RAM user permissions on the corresponding instance. 
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "acs:mq:*:*:instance/post-cn-09k1noy****"
            ]
        },
        {   // Grant the RAM user permissions on sending messages in a topic by using the console. 
            "Effect":"Allow",
            "Action":[
                "mq:SendMqttMessageByConsole"
            ],
            "Resource":[
                "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"
            ]
        }
    ]
}

Sample policy 3: Grant a RAM user permissions on calling API operations to apply for a token

{
    "Version":"1",
    "Statement":[
        {   // Before you grant a RAM user permissions on calling API operations to apply for a token, grant the RAM user permissions on the corresponding instance. 
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "acs:mq:*:*:instance/post-cn-09k1noy****"
            ]
        },
        {   // Grant the RAM user permissions on calling API operations to apply for a token. 
            "Effect":"Allow",
            "Action":[
                "mq:ApplyToken"
            ],
            "Resource":[
                "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"
            ]
        }
    ]
}

Sample policy 4: Grant a RAM user permissions on calling all API operations used to manage data outbound rules

Before you grant a RAM user permissions on calling all API operations used to manage data outbound rules, make sure that the instance, topic, and group are created in the same Alibaba Cloud account.

{
    "Version":"1",
    "Statement":[
        {   // Before you grant a RAM user permissions on calling all API operations used to manage data outbound rules, grant the RAM user permissions on the corresponding instance. 
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "acs:mq:*:*:instance/post-cn-09k1noy****"
            ]
        },
        {   // Grant the RAM user permissions on calling all API operations used to manage data outbound rules. 
            "Effect":"Allow",
            "Action":[
                "mq:CreateMqttOutboundRule",
                "mq:DeleteMqttOutboundRule",
                "mq:ListMqttOutboundRule",
                "mq:UpdateMqttOutboundRule"
            ],
            "Resource":[
                "acs:mq:*:*:rule/post-cn-09k1noy****/Rule****"
            ]
        }
    ]
}
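The following Python script is an added example, not part of this topic or of the ApsaraMQ documentation. It applies the usage notes above to a copied policy: it strips the // descriptions, reports any **** placeholder that was not replaced, rejects a Resource that does not match the ARN shapes shown in the four samples, and flags a topic, group or rule grant whose instance does not also receive mq:MqttInstanceAccess. The ARN pattern and the checks are assumptions drawn from the sample policies on this page, not a published RAM schema.

```python
import json
import re

# Constructed input: sample policy 1 from this page, "//" descriptions and "****" placeholders intact.
POLICY_TEXT = '''{
    "Version":"1",
    "Statement":[
        {   // Grant access to the instance first.
            "Effect":"Allow", "Action":["mq:MqttInstanceAccess"],
            "Resource":["acs:mq:*:*:instance/post-cn-09k1noy****"]
        },
        {   // Send and receive messages in a topic.
            "Effect":"Allow", "Action":["mq:PUB", "mq:SUB"],
            "Resource":["acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"]
        }
    ]
}'''

# Resource ARN shapes used on this page (assumed, not a published schema): group 1 is the instance ID
# of an instance resource, group 2 the instance ID that a topic, groupId or rule resource belongs to.
ARN_RE = re.compile(r"^acs:mq:[^:]*:[^:]*:(?:instance/([^/]+)|(?:topic|groupId|rule)/([^/]+)/[^/]+)$")

def strip_comments(text):
    """Drop the '//' descriptions so the copied sample becomes valid JSON."""
    return re.sub(r"//[^\n]*", "", text)

def check_policy(text):
    """Return a list of findings; an empty list means the policy passed every check."""
    findings = []
    policy = json.loads(strip_comments(text))
    granted = set()  # instance IDs that receive mq:MqttInstanceAccess
    needed = []      # (instance ID, action) pairs that depend on that grant
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        for res in stmt.get("Resource", []):
            m = ARN_RE.match(res)
            if not m:
                findings.append(f"unrecognized resource ARN: {res}")
                continue
            if "****" in res:
                findings.append(f"placeholder not replaced: {res}")
            if m.group(1):  # instance resource
                if "mq:MqttInstanceAccess" in actions:
                    granted.add(m.group(1))
            else:           # topic, groupId or rule resource
                needed.extend((m.group(2), act) for act in actions)
    for inst, act in needed:
        if inst not in granted:
            findings.append(f"{act} on instance {inst} without mq:MqttInstanceAccess")
    return findings
```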