
ApsaraMQ for RocketMQ:Custom policies for ApsaraMQ for RocketMQ

Last Updated:Mar 10, 2026

When the predefined system policies for ApsaraMQ for RocketMQ do not meet your access control requirements, create custom Resource Access Management (RAM) policies to enforce least-privilege access at the instance, topic, or group level.

System policies vs. custom policies

RAM policies fall into two categories:

Type              Created by      Editable   Version control
System policies   Alibaba Cloud   No         No
Custom policies   You             Yes        Yes, through RAM version management

After you create a custom policy, attach it to a RAM user, RAM user group, or RAM role to grant the specified permissions. You can directly delete a custom policy that is not attached to any principal. To delete a custom policy that is attached to a principal, detach it first.

Actions and resource scope

The following table lists the actions available for ApsaraMQ for RocketMQ custom policies and the resource types each action applies to.

Action                     Description                                   Applicable resource types
mq:QueryInstanceBaseInfo   Query instance details                        Instance
mq:PUB                     Publish messages to a topic                   Topic
mq:SUB                     Subscribe to messages from a topic or group   Topic, Group
mq:*                       All actions                                   All

Resource ARN formats

ApsaraMQ for RocketMQ supports two resource scoping models depending on whether your instance uses namespaces. The scoping hierarchy from broadest to narrowest is: Instance > Topic/Group.

  • With namespaces -- Topics and groups are scoped to an instance. The instance ID is part of the topic and group ARN.

  • Without namespaces -- Topics and groups are globally scoped. The ARN contains only the topic or group name.

Resource                       ARN (with namespace)                ARN (without namespace)
Instance                       acs:mq:*:*:{instanceId}             acs:mq:*:*:{instanceId}
Topic                          acs:mq:*:*:{instanceId}%{topic}     acs:mq:*:*:{topic}
Group                          acs:mq:*:*:{instanceId}%{groupId}   acs:mq:*:*:{groupId}
All resources on an instance   acs:mq:*:*:{instanceId}*            N/A

Important

Before you grant permissions on a topic or group, grant mq:QueryInstanceBaseInfo on the corresponding instance.

Create and apply a custom policy

  1. Create a custom policy in the RAM console. For detailed steps, see Create a custom policy.

  2. Attach the policy to a RAM user, RAM user group, or RAM role.

  3. Verify that the principal can access only the intended resources.

To use a custom policy, you must understand the permission management requirements of your business and the authorization information about ApsaraMQ for RocketMQ. For the full list of actions and resource definitions, see RAM authorization.

Policy examples

Important

The JSON examples below contain // comments for explanation only. Remove all comments before you use the code. JSON does not support inline comments.

Grant publish and subscribe permissions on a specific topic and group

This policy grants a RAM user permission to publish messages to and subscribe to messages from a specific topic and group on a single instance.

Replace the following placeholders with your values:

Placeholder    Description            Example
{instanceId}   RocketMQ instance ID   MQ_INST_abc123
{topic}        Topic name             order-topic
{groupId}      Consumer group ID      GID_order-consumer

Instances with namespaces:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mq:QueryInstanceBaseInfo"
            ],
            "Resource": [
                "acs:mq:*:*:{instanceId}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "mq:PUB",
                "mq:SUB"
            ],
            "Resource": [
                "acs:mq:*:*:{instanceId}%{topic}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "mq:SUB"
            ],
            "Resource": [
                "acs:mq:*:*:{instanceId}%{groupId}"
            ]
        }
    ]
}

The policy contains three statements:

  • Statement 1 -- Grants mq:QueryInstanceBaseInfo on the instance. Required before granting topic-level or group-level permissions.

  • Statement 2 -- Grants mq:PUB and mq:SUB on a specific topic, scoped to the instance by the {instanceId}%{topic} ARN format.

  • Statement 3 -- Grants mq:SUB on a specific group.

Instances without namespaces:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mq:QueryInstanceBaseInfo"
            ],
            "Resource": [
                "acs:mq:*:*:{instanceId}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "mq:PUB",
                "mq:SUB"
            ],
            "Resource": [
                "acs:mq:*:*:{topic}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "mq:SUB"
            ],
            "Resource": [
                "acs:mq:*:*:{groupId}"
            ]
        }
    ]
}

The only difference is that the topic and group ARNs omit the instance ID prefix: the Resource field uses acs:mq:*:*:{topic} instead of acs:mq:*:*:{instanceId}%{topic}, and acs:mq:*:*:{groupId} instead of acs:mq:*:*:{instanceId}%{groupId}.

Grant full permissions on all resources of an instance

This policy grants all permissions on every resource (topics, groups) within a single instance. It applies only to instances with namespaces.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mq:*"
            ],
            "Resource": [
                "acs:mq:*:*:{instanceId}*"
            ]
        }
    ]
}

The wildcard * after {instanceId} matches all topics and groups on that instance. Replace {instanceId} with your instance ID.
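The two scoping models, the three-statement policy and the instance-wide wildcard policy above, as an added Python example that is not part of this page or of Alibaba Cloud's tooling. It builds the page's ARNs and policies for both models, evaluates a request against a policy with a deliberately simplified local matcher (an assumption, not the RAM engine: default deny, any matching Allow grants, an explicit Deny overrides, and * is the only wildcard; the RAM console remains authoritative), and lints a policy for the page's rule that mq:QueryInstanceBaseInfo must be granted on the instance behind every namespaced topic or group grant. The instance, topic and group identifiers are constructed placeholders.

```python
import json
import re

# Constructed placeholder identifiers for the demonstration (not real resources).
INSTANCE_ID = "MQ_INST_abc123"
TOPIC = "order-topic"
GROUP_ID = "GID_order-consumer"


def instance_arn(instance_id):
    return f"acs:mq:*:*:{instance_id}"


def topic_arn(topic, instance_id=None):
    # With namespaces the instance ID prefixes the topic name; without, only the name is used.
    return f"acs:mq:*:*:{instance_id}%{topic}" if instance_id else f"acs:mq:*:*:{topic}"


def group_arn(group_id, instance_id=None):
    return f"acs:mq:*:*:{instance_id}%{group_id}" if instance_id else f"acs:mq:*:*:{group_id}"


def least_privilege_policy(instance_id, topic, group_id, namespaced=True):
    """Build the page's three-statement policy for either scoping model."""
    ns = instance_id if namespaced else None
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["mq:QueryInstanceBaseInfo"],
             "Resource": [instance_arn(instance_id)]},
            {"Effect": "Allow", "Action": ["mq:PUB", "mq:SUB"],
             "Resource": [topic_arn(topic, ns)]},
            {"Effect": "Allow", "Action": ["mq:SUB"],
             "Resource": [group_arn(group_id, ns)]},
        ],
    }


def full_instance_policy(instance_id):
    """Build the page's mq:* policy; it only applies to instances with namespaces."""
    return {"Version": "1",
            "Statement": [{"Effect": "Allow", "Action": ["mq:*"],
                           "Resource": [instance_arn(instance_id) + "*"]}]}


def _glob_match(patterns, value):
    # '*' matches any run of characters; everything else in the pattern is literal.
    for pattern in patterns:
        regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
        if re.match(regex, value):
            return True
    return False


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified local evaluation (an assumption, not the RAM engine): default deny,
    any matching Allow grants, and an explicit Deny overrides every Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _glob_match(_as_list(stmt["Action"]), action) and \
                _glob_match(_as_list(stmt["Resource"]), resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_instance_grants(policy):
    """Lint for the page's rule: every namespaced topic/group grant needs
    mq:QueryInstanceBaseInfo on its instance. Returns the instance IDs that lack it."""
    missing = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for res in _as_list(stmt["Resource"]):
            if "%" not in res:
                continue  # instance, instance-wide wildcard or non-namespaced ARN: no instance to infer
            inst = res.rsplit(":", 1)[1].split("%", 1)[0]
            if not is_allowed(policy, "mq:QueryInstanceBaseInfo", instance_arn(inst)):
                missing.add(inst)
    return sorted(missing)


def to_json(policy):
    """Serialize the policy without comments, as the console expects."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    policy = least_privilege_policy(INSTANCE_ID, TOPIC, GROUP_ID)
    print(to_json(policy))
    print("PUB on the intended topic:", is_allowed(policy, "mq:PUB", topic_arn(TOPIC, INSTANCE_ID)))
    print("PUB on another topic:     ", is_allowed(policy, "mq:PUB", topic_arn("other-topic", INSTANCE_ID)))
    print("Instances lacking QueryInstanceBaseInfo:", missing_instance_grants(policy))
```

Running the script prints the generated policy and two probes: publishing to the intended topic is allowed, publishing to a sibling topic on the same instance is not. Dropping the first statement makes missing_instance_grants report the instance, which is the mistake the Important note above warns about; checking that before attaching the policy is cheaper than debugging a denied request afterwards.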
