All Products
Search

This Product

    ApsaraMQ for RabbitMQ:Step 1: (Optional) Grant permissions to RAM users

    Document Center

    ApsaraMQ for RabbitMQ:Step 1: (Optional) Grant permissions to RAM users

    Last Updated:Jan 05, 2024

    By default, Resource Access Management (RAM) users do not have the permissions to perform operations on ApsaraMQ for RabbitMQ resources. If you access ApsaraMQ for RabbitMQ as a RAM user, you must be granted the required permissions by an Alibaba Cloud account before you can manage resources and send and receive messages in the ApsaraMQ for RabbitMQ console.

    Background information

    This operation is applicable only for RAM users. If you access ApsaraMQ for RabbitMQ by using an Alibaba Cloud account, you have full permissions on ApsaraMQ for RabbitMQ resources and no authorization is required.

    The following section describes how to view account roles:

    Log on to the ApsaraMQ for RabbitMQ console. The basic information about the account is displayed in the upper-right corner of the page. If Main Account is displayed under Account ID, the account is an Alibaba Cloud account and no authorization is required. If RAM User is displayed, the account is a RAM user and authorization is required.

    Permission policies of ApsaraMQ for RabbitMQ

    ApsaraMQ for RabbitMQ provides the following system policies. You can grant the related permissions to a RAM user based on the permission scope.

    Policy

    Description

    AliyunAMQPFullAccess

    The management permissions on your ApsaraMQ for RabbitMQ resources. If you use this policy to grant permissions to RAM users, the RAM users are granted the permissions that are equivalent to the permissions of an Alibaba Cloud account. This indicates that the RAM users are granted the permissions to manage all ApsaraMQ for RabbitMQ resources of the Alibaba Cloud account, and to send and receive messages by using SDKs.

    AliyunAMQPReadOnlyAccess

    The read-only permissions on your ApsaraMQ for RabbitMQ resources. If you use this policy to grant permissions to RAM users, the RAM users can query the data of all ApsaraMQ for RabbitMQ resources of the Alibaba Cloud account.

    In addition to system permission policies, you can also create custom permission policies to grant RAM users permissions on specific resources. For more information, see Custom permission policies.

    (Required for RAM users) Grant permissions to a RAM user

    1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

    2. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, grant permissions to the RAM user.

      1. Set the Authorized Scope parameter to Alibaba Cloud Account.

      2. The Principal parameter is automatically set to the RAM user that you want to authorize. You do not need to configure the parameter.

      3. Set the Select Policy parameter to System Policy or Custom Policy based on your business requirements and attach policies to the RAM user.

        Note

        You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.

    4. Click OK.

    5. Click Complete.

    What to do next

    Step 2: Create resources

    Step 3: Use SDKs to send and receive messages

    References

    System permission policies are created and maintained by Alibaba Cloud. You can use system permission policies to perform coarse-grained permission control on RAM users. You cannot modify system permission policies. For more information, see Create custom policies.

    For information about custom permission policies supported by ApsaraMQ for RabbitMQ, see RAM policies.