If system policies do not meet your requirements, you can create custom policies to achieve least privilege. Custom policies provide fine-grained permission control and improve resource security. This topic describes scenarios and provides examples of custom policies for ApsaraMQ for RabbitMQ.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You need to maintain custom policies.
After you create a custom policy, you need to attach it to a RAM user, a user group, or a RAM role so that the permissions specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Custom authorization policies
ApsaraMQ for RabbitMQ supports the following custom policies.
Client API permissions
Client API | Action | Resource | Description |
exchange.declare (passive=false) | amqp:CreateExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | Declares an exchange and checks whether the exchange exists.
|
exchange.declare (passive=true) | amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | Declares an exchange and checks whether the exchange exists.
|
exchange.bind | amqp:GetExchange (source exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange) | Binds a source exchange to a destination exchange. |
amqp:CreateExchange (destination exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange) | ||
exchange.unbind | amqp:GetExchange (source exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange) | Unbinds a source exchange from a destination exchange. |
amqp:CreateExchange (destination exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange) | ||
queue.declare (passive=false) | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Declares a queue and checks whether the queue exists.
|
queue.declare (passive=true) | amqp:GetQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | Declares a queue and checks whether the queue exists.
|
queue.declare (with dead-letter exchange) | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Declares a queue that is bound to a dead-letter exchange. |
amqp:GetQueue | acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName | ||
amqp:CreateExchange (dead-letter exchange) | acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName (dead-letter exchange) | ||
queue.bind | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Binds a queue to an exchange. |
amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName | ||
queue.unbind | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Unbinds a queue from an exchange. |
amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName | ||
BasicRecover | amqp:BasicRecover | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Redelivers messages that are not acknowledged (Ack) by a consumer. |
BasicCancel | amqp:BasicCancel | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Cancels a subscription. |
BasicPublish | amqp:BasicPublish | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/* | Publishes a message. |
BasicConsume | amqp:BasicConsume | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Starts a consumer. |
BasicAck | amqp:BasicAck | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Acknowledges one or more messages. |
BasicNack | amqp:BasicNack | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Rejects one or more messages. |
BasicReject | amqp:BasicReject | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Rejects a message. |
BasicGet | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Directly accesses messages in a queue. |
Console OpenAPI and feature permissions
Console OpenAPI/Feature | Action | Resource | Description |
ListInstances | amqp:ListInstance | acs:amqp:$region:$accountid:/instances/* | Queries the list of instances. |
CreateInstance | amqp:CreateInstance | acs:amqp:$region:$accountid:/instances/* | Creates an instance. The policy for the CreateInstance API operation supports the following condition keys. For more information, see Condition.
|
DeleteInstance | amqp:DeleteInstance | acs:amqp:$region:$accountid:/instances/$instanceId | Deletes an instance. |
GetInstance | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | Views an instance. |
ListVhost | amqp:ListVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* | Queries the list of vhosts. |
CreateVhost | amqp:CreateVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* | Creates a vhost. |
DeleteVhost | amqp:DeleteVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName | Deletes a vhost. This operation also requires the amqp:GetInstance API permission. |
amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | ||
ListExchange | amqp:ListExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | Queries the list of exchanges. This operation also requires the amqp:GetInstance API permission. |
amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | ||
CreateExchange | amqp:CreateExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | Creates an exchange. |
DeleteExchange | amqp:DeleteExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | Deletes an exchange. |
ListQueue | amqp:ListQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Queries the list of queues. This operation also requires the amqp:GetInstance API permission. |
amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | ||
CreateQueue | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Creates a queue. |
DeleteQueue | amqp:DeleteQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | Deletes a queue. |
QueuePurge | amqp:QueuePurge | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Purges a queue. |
ListStaticAccounts | amqp:ListStaticAccounts | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | Views the username and password. This operation also requires the amqp:GetInstance API permission. |
amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | ||
FetchStaticAccount | amqp:FetchStaticAccount | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | Creates a username and password. This operation also requires the amqp:GetInstance API permission. |
amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | ||
DeleteStaticAccount | amqp:DeleteStaticAccount | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | Deletes the username and password. |
Query messages by queue | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Accesses messages in a queue. |
Query messages by message ID | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Accesses messages in a queue. |
Resend messages |
| acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Resends messages. |
Send messages | amqp:BasicPublish | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Sends messages. |
Sample custom policies
When you create a custom policy, replace the parameter variables in the following examples with your actual values.
$region: The ID of the region where the resource resides. For more information, see Endpoints.
$accountid: The ID of the Alibaba Cloud account of the authorization object.
$instanceId: The ID of the ApsaraMQ for RabbitMQ instance.
$vhostName: The name of the vhost.
$queueName: The name of the queue.
$exchangeName: The name of the exchange.
Example 1: Grant permissions to send and receive messages in a vhost
{ "Version":"1", "Statement":[ { "Action":[ "amqp:GetInstance", "amqp:ListVhost", "amqp:GetVhost" ], "Resource":[ "acs:amqp:*:*:/instances/$instanceId", "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName", "acs:amqp:*:*:/instances/$instanceId/vhosts/*" ], "Effect":"Allow" }, { "Action":[ "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange", "amqp:ListQueue", "amqp:DeleteQueue", "amqp:CreateQueue", "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish", "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet", "amqp:GetExchange", "amqp:GetQueue" ], "Resource":"acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*", "Effect":"Allow" }, { "Action":[ "amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount" ], "Resource":"acs:amqp:*:*:/instances/$instanceId/staticAccount/*", "Effect":"Allow" } ] }Example 2: Grant permissions to publish messages
{ "Version": "1", "Statement": [ { "Action": [ "amqp:GetInstance" ], "Resource": [ "acs:amqp:*:*:/instances/$instanceId", "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName" ], "Effect": "Allow" }, { "Action": [ "amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover", "amqp:BasicPublish", "amqp:BasicAck", "amqp:BasicNack", "amqp:GetExchange", "amqp:GetQueue" ], "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*", "Effect": "Allow" } ] }Example 3: Grant permissions to subscribe to messages
{ "Version": "1", "Statement": [ { "Action": [ "amqp:GetInstance", "amqp:GetVhost" ], "Resource": [ "acs:amqp:*:*:/instances/$instanceId", "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName" ], "Effect": "Allow" }, { "Action": [ "amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet", "amqp:GetExchange", "amqp:GetQueue" ], "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*", "Effect": "Allow" } ] }Example 4: Grant permissions to publish and subscribe to messages
{ "Version": "1", "Statement": [ { "Action": [ "amqp:GetInstance", "amqp:GetVhost" ], "Resource": [ "acs:amqp:*:*:/instances/$instanceId", "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName" ], "Effect": "Allow" }, { "Action": [ "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange", "amqp:ListQueue", "amqp:DeleteQueue", "amqp:CreateQueue", "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish", "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet", "amqp:GetExchange", "amqp:GetQueue" ], "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*", "Effect": "Allow" } ] }Example 5: Grant permissions to manage usernames and passwords
{ "Statement": [ { "Effect": "Allow", "Action": [ "amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount" ], "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*" }, { "Effect": "Allow", "Action": "amqp:GetInstance", "Resource": "acs:amqp:*:*:/instances/$instanceId" } ], "Version": "1" }Example 6: Grant a RAM user permissions to create instances
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "amqp:CreateInstance", "Resource": "acs:amqp:*:$accountid:/instances/*" } ] }Example 7: Grant a RAM user permissions to create only Platinum Edition instances that do not support Internet access
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "amqp:CreateInstance", "Resource": "acs:amqp:*:$accountid:/instances/*", "Condition": { "StringEquals": { "amqp:InstanceType": [ "vip" ], "amqp:SupportEIP": [ "false" ] } } } ] }Example 8: Grant a RAM user all permissions on a single instance
{ "Version": "1", "Statement": [ { "Action": "amqp:ListInstance", "Resource": "acs:amqp:*:*:/instances/*", "Effect": "Allow" }, { "Action": "amqp:*", "Resource": [ "acs:amqp:*:*:/instances/$instanceId", "acs:amqp:*:*:/instances/$instanceId/vhosts/*" ], "Effect": "Allow" }, { "Action": [ "amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount" ], "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*", "Effect": "Allow" } ] }