All Products
Search
Document Center

ApsaraMQ for RabbitMQ:RAM policies

Last Updated:Dec 06, 2023

Resource Access Management (RAM) is used to manage resources on ApsaraMQ for RabbitMQ and permissions on sending and receiving messages by using SDKs. If you use RAM to manage permissions on your resources, you do not need to share the AccessKey ID or AccessKey secret of your Alibaba Cloud account with other users. You can grant RAM users of your Alibaba Cloud account the minimum required permissions.

RAM policies

In RAM, an authorization policy includes a set of permissions that are specified based on the policy structure and syntax. Each policy specifies the resources on which permissions are granted, the operations that can be performed or cannot be performed on specific resources, and the conditions that are required for the policy to take effect. For information about the structure and syntax of authorization policies, see Policy structure and syntax.

In RAM, an authorization policy is a resource entity. ApsaraMQ for RabbitMQ supports the following types of authorization policies:

  • System authorization policy: System authorization policies are created and maintained by Alibaba Cloud. You can use system authorization policies to perform coarse-grained permission control on RAM users. You cannot modify system authorization policies.

  • Custom authorization policy: You can create, update, and delete custom authorization policies. You can use custom authorization policies to perform fine-grained permission control on RAM users. You need to manage the versions of custom authorization policies.

System authorization policies

The following table describes the system authorization policies supported by ApsaraMQ for RabbitMQ.

Policy

Description

AliyunAMQPFullAccess

The management permissions on your ApsaraMQ for RabbitMQ resources. If you use this policy to grant permissions to RAM users, the RAM users are granted the permissions that are equivalent to the permissions of an Alibaba Cloud account. This indicates that the RAM users are granted the permissions to manage all ApsaraMQ for RabbitMQ resources of the Alibaba Cloud account, and to send and receive messages by using SDKs.

AliyunAMQPReadOnlyAccess

The read-only permissions on your ApsaraMQ for RabbitMQ resources. If you use this policy to grant permissions to RAM users, the RAM users can query the data of all ApsaraMQ for RabbitMQ resources of the Alibaba Cloud account.

Sample system authorization policy

In the following example, the system authorization policy AliyunAMQPFullAccess is granted to RAM users. RAM users who are granted permissions by using this policy can manage all ApsaraMQ for RabbitMQ resources of the Alibaba Cloud account, and send and receive messages by using SDKs. The following code displays the policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "amqp:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Custom policies

The following table describes the custom authorization policies supported by ApsaraMQ for RabbitMQ.

Important

To allow RAM users to manage resources such as exchanges and queues, you must grant the RAM users the read permissions on the virtual hosts (vhosts) on which the resources are deployed by granting the permissions on the amqp:GetVhost action.

API

Action

Description

Format

ListInstances

amqp:ListInstance

Queries the list of instances.

acs:amqp:$region:$accountid:/instances/*

CreateInstance

amqp:CreateInstance

Creates an instance.

The authorization policy of this API operation supports the following fields. For more information, see Condition.

  • amqp:InstanceType: the instance edition. Valid values:

    professional: Professional Edition

    enterprise: Enterprise Edition

    vip: Enterprise Platinum Edition

  • amqp:SupportEIP: specifies whether elastic IP addresses (EIPs) are supported. Valid values:

    • True

    • False

acs:amqp:$region:$accountid:/instances/*

DeleteInstance

amqp:DeleteInstance

Deletes an instance.

acs:amqp:$region:$accountid:/instances/$instanceId

GetInstance

amqp:GetInstance

Queries the details of an instance.

acs:amqp:$region:$accountid:/instances/$instanceId

ListVhost

amqp:ListVhost

Queries the list of vhosts.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*

CreateVhost

amqp:CreateVhost

Creates a vhost.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*

DeleteVhost

amqp:DeleteVhost

Deletes a vhost.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName

GetVhost

amqp:GetVhost

Queries the details of a vhost.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName

ListExchange

amqp:ListExchange

Queries the list of exchanges.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

CreateExchange

amqp:CreateExchange

Creates an exchange.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

DeleteExchange

amqp:DeleteExchange

Deletes an exchange.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

GetExchange

amqp:GetExchange

Queries the details of an exchange.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

exchange.declare (passive=false)

amqp:CreateExchange

Declares an exchange and checks whether the exchange exists.

  • If the specified exchange does not exist, the system creates an exchange and returns a message that indicates the declaration is successful.

  • If the specified exchange exists, the system checks whether the information about the exchange is correct. If the information is correct, the system returns a message that indicates that the declaration is successful. If the information is incorrect, the system returns an error.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

exchange.declare (passive=true)

amqp:GetExchange

Declares an exchange and checks whether the exchange exists.

  • If the specified exchange does not exist, the system returns an error.

  • If the specified exchange exists, the system returns a message that indicates that the declaration is successful.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

exchange.bind

amqp:GetExchange (source exchange)

Binds a source exchange to a destination exchange.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange)

amqp:CreateExchange (destination exchange)

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange)

exchange.unbind

amqp:GetExchange (source exchange)

Unbinds a source exchange from a destination exchange.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange)

amqp:CreateExchange (destination exchange)

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange)

ListQueue

amqp:ListQueue

Queries the list of queues.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

CreateQueue

amqp:CreateQueue

Creates a queue.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

DeleteQueue

amqp:DeleteQueue

Deletes a queue.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName

GetQueue

amqp:GetQueue

Queries the details of a queue.

acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName

queue.declare (passive=false)

amqp:CreateQueue

Declares a queue and checks whether the queue exists.

  • If the specified queue does not exist, the system creates a queue.

  • If the specified queue exists, the system checks whether the information about the queue is correct. If the information is correct, the system returns a message that indicates that the declaration is successful. If the information is incorrect, the system returns an error.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

queue.declare (passive=true)

amqp:CreateQueue

Declares a queue and checks whether the queue exists.

  • If the specified queue does not exist, the system returns an error.

  • If the specified queue exists, the system returns a message that indicates that the declaration is successful.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName

queue.declare (dead-letter exchange configured)

amqp:CreateQueue

Declares a queue for which a dead-letter exchange is configured.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

amqp:GetQueue

acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName

amqp:CreateExchange (dead-letter exchange)

acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName (dead-letter exchange)

queue.bind

amqp:CreateQueue

Binds a queue to an exchange.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

amqp:GetExchange

acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName

queue.unbind

amqp:CreateQueue

Unbinds a queue from an exchange.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

amqp:GetExchange

acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName

BasicRecover

amqp:BasicRecover

Redelivers the messages that are not acknowledged by consumers.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

BasicCancel

amqp:BasicCancel

Cancels a subscription.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicPublish

amqp:BasicPublish

Publishes a message.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/*

BasicConsume

amqp:BasicConsume

Starts a consumer.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicAck

amqp:BasicAck

Acknowledges one or more messages.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicNack

amqp:BasicNack

Negatively acknowledges one or more messages.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicReject

amqp:BasicReject

Rejects a message.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

QueuePurge

amqp:QueuePurge

Clears all messages in a queue.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicGet

amqp:BasicGet

Queries messages in a queue.

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

ListStaticAccounts

amqp:ListStaticAccounts

Queries static usernames and passwords.

acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

FetchStaticAccount

amqp:FetchStaticAccount

Create a pair of username and password

acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

DeleteStaticAccount

amqp:DeleteStaticAccount

Deletes a pair of username and password.

acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

Sample custom authorization policies

Important

When you create a custom policy, you must specify the following parameter values based on your actual situation:

  • $region: the ID of the region where the resource resides. For more information, see Endpoints.

  • $accountid: the ID of the Alibaba Cloud Account to which the authorized object belongs.

  • $instanceId: the ID of the ApsaraMQ for RabbitMQ instance.

  • $vhostName: the vhost name.

  • $queueName: the queue name.

  • $exchangeName: the exchange name.

  • Example 1: An authorization policy that can be used to grant message publishing and message subscription permissions on a vhost

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "amqp:GetInstance",
                    "amqp:GetVhost",
                    "amqp:ListVhost"
                ],
                "Resource":[
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
                ],
                "Effect":"Allow"
            },
            {
                "Action":[
                    "amqp:ListExchange",
                    "amqp:CreateExchange",
                    "amqp:DeleteExchange",
                    "amqp:GetExchange",
                    "amqp:ListQueue",
                    "amqp:DeleteQueue",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicPublish",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource":"acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource":"acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
                "Effect":"Allow"
            }
        ]
    }
  • Example 1: An authorization policy that can be used to grant message publishing permissions

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:GetExchange",
                    "amqp:CreateQueue",
                    "amqp:GetQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicPublish",
                    "amqp:BasicAck",
                    "amqp:BasicNack"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 2: An authorization policy that can be used to grant message subscription permissions

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:GetExchange",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 3: An authorization policy that can be used to grant message publishing and message subscription permissions

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:ListExchange",
                    "amqp:CreateExchange",
                    "amqp:DeleteExchange",
                    "amqp:GetExchange",
                    "amqp:ListQueue",
                    "amqp:DeleteQueue",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicPublish",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 4: An authorization policy that can be used to grant username and password management permissions

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*"
            },
            {
                "Effect": "Allow",
                "Action": "amqp:GetInstance",
                "Resource": "acs:amqp:*:*:/instances/$instanceId"
            }
        ],
        "Version": "1"
    }
  • Example 6: An authorization policy that can be used to grant a RAM user permissions to create instances

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "amqp:CreateInstance",
                "Resource": "acs:amqp:*:$accountid:/instances/*",
            }
        ]
    }
  • Example 7: An authorization policy that can be used to grant a RAM user permissions to create Enterprise Platinum Edition instances that do not support EIPs

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "amqp:CreateInstance",
                "Resource": "acs:amqp:*:$accountid:/instances/*",
                "Condition": {
                    "StringEquals": {
                        "amqp:InstanceType": [
                            "vip"
                        ],
                        "amqp:SupportEIP": [
                            "false"
                        ]
                    }
                }
            }
        ]
    }