
ApsaraMQ for RocketMQ: Custom policies for ApsaraMQ for RocketMQ

Last Updated: Mar 11, 2026

Resource Access Management (RAM) policies control who can access your ApsaraMQ for RocketMQ resources and what actions they can perform. If the built-in system policies are too broad for your needs, create custom policies to enforce least-privilege access.

When to use custom policies

System policies grant predefined sets of permissions. Use a custom policy when you need to:

  • Restrict access to a specific instance, topic, or consumer group

  • Allow only certain actions, such as creating instances or deleting topics

  • Combine multiple permission scopes in a single policy

How custom policies work

After you create a custom policy, attach it to a RAM user, RAM user group, or RAM role to grant the specified permissions.

Keep these rules in mind:

  • Detach before deleting. A policy can be deleted only while it is not attached to any principal. If the policy is attached to a RAM user, user group, or role, detach it first.

  • Use version control. Custom policies support versioning; manage policy versions through the version management mechanism that RAM provides.

Resource ARN format

Each Resource field in a policy uses an Alibaba Cloud Resource Name (ARN) to identify the target. The ARN format for ApsaraMQ for RocketMQ is:

acs:rocketmq:{regionId}:{accountId}:instance/{InstanceId}/topic/{TopicName}
Segment             Description
{regionId}          Region where the instance resides. See Endpoints.
{accountId}         Your Alibaba Cloud account ID.
{InstanceId}        ApsaraMQ for RocketMQ instance ID.
{TopicName}         Topic name.
{ConsumerGroupId}   Consumer group ID.

Use wildcards to broaden the scope:

Pattern                    Scope
instance/*                 All instances under the account in the specified region
instance/{InstanceId}*     A specific instance and all its child resources (topics, consumer groups)
*:{#accountId}:*/*         All resources under the account across all regions

Policy examples

Important

Replace the placeholder values in the following examples with your actual resource identifiers before applying the policy.

Grant full access to a specific instance

This policy grants all ApsaraMQ for RocketMQ permissions on a single instance and its child resources. It includes three statements because different resource scopes are required for listing instances, operating on a specific instance, and querying diagnostics.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rocketmq:ListInstances"
            ],
            "Resource": [
                "acs:rocketmq:{regionId}:{accountId}:instance/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rocketmq:*"
            ],
            "Resource": [
                "acs:rocketmq:{regionId}:{accountId}:instance/{InstanceId}*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rocketmq:ListAnalyticsQuery"
            ],
            "Resource": [
                "acs:rocketmq:*:{#accountId}:*/*"
            ]
        }
    ]
}

The three statements serve different purposes:

  1. List instances -- rocketmq:ListInstances on all instances (instance/*) lets the user browse and locate the target instance in the console.

  2. Full instance access -- rocketmq:* on the specific instance (instance/{InstanceId}*). The trailing wildcard covers all child resources.

  3. Diagnostics access -- rocketmq:ListAnalyticsQuery enables diagnostics queries. The wildcard region (*) allows cross-region queries.

Grant permission to create instances

This policy allows a RAM user to create ApsaraMQ for RocketMQ instances in a specific region. The resource uses instance/* because the instance ID is not yet known at creation time.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rocketmq:CreateInstance"
            ],
            "Resource": [
                "acs:rocketmq:{regionId}:{accountId}:instance/*"
            ]
        }
    ]
}

Grant permission to delete a specific topic

This policy restricts the DeleteTopic action to a single topic on a specific instance. Use this pattern to delegate topic cleanup without granting broader permissions.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rocketmq:DeleteTopic"
            ],
            "Resource": [
                "acs:rocketmq:{regionId}:{accountId}:instance/{InstanceId}/topic/{TopicName}"
            ]
        }
    ]
}

Grant full access to instance diagnostics

This policy grants all diagnostics-related permissions: submitting, listing, and retrieving analytics queries. The wildcard region and resource pattern enable diagnostics access across all instances and regions under the account.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rocketmq:GetAnalyticsQuery",
                "rocketmq:SubmitAnalyticsQuery",
                "rocketmq:ListAnalyticsQuery"
            ],
            "Resource": [
                "acs:rocketmq:*:{#accountId}:*/*"
            ]
        }
    ]
}
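The following is an added example and not Alibaba Cloud's code or tooling. It serves both the "Resource ARN format" section (how the `instance/*`, `instance/{InstanceId}*` and `*:{#accountId}:*/*` wildcards scope a statement) and the policy examples above: it fills the placeholders of the "Grant full access to a specific instance" policy with constructed identifiers, evaluates sample (action, resource) requests against it using the usual default-deny, explicit-Deny-wins rule with `*` treated as a glob in both `Action` and `Resource`, and lints a policy for statements that pair a service-wide action wildcard with a region- or account-wide resource wildcard. The region, account ID and instance ID are constructed values; `Condition` blocks are not evaluated, and the matcher is a simplification of the real RAM engine, useful for review and testing, not a substitute for it.

```python
"""Added example (not Alibaba Cloud's code): evaluate and lint RAM-style
policy documents like the ones on this page. Assumes default deny, explicit
Deny overriding Allow, and '*' as a glob in Action and Resource; Condition
blocks are ignored. All identifiers below are constructed placeholders."""
import re

# Constructed stand-ins for {regionId}, {accountId} and {InstanceId}.
REGION = "cn-hangzhou"
ACCOUNT = "123456789012"
INSTANCE = "rmq-cn-example01"


def _wildcard_regex(pattern: str) -> re.Pattern:
    """'*' matches any run of characters; every other character is literal."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)


def pattern_matches(pattern: str, value: str) -> bool:
    return _wildcard_regex(pattern).fullmatch(value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one (action, resource) request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(pattern_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(pattern_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any matching Allow
        decision = "Allow"
    return decision


def lint_broad_grants(policy: dict) -> list:
    """Indices of Allow statements that combine a service-wide action wildcard
    with a region- or account-wide resource wildcard (not least privilege)."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        broad_action = any(a in ("*", "rocketmq:*") for a in _as_list(stmt["Action"]))
        broad_resource = any(r.endswith("instance/*") or r.endswith(":*/*")
                             for r in _as_list(stmt["Resource"]))
        if broad_action and broad_resource:
            findings.append(i)
    return findings


def topic_arn(region: str, account: str, instance: str, topic: str) -> str:
    """Build a topic ARN in the format given on this page."""
    return f"acs:rocketmq:{region}:{account}:instance/{instance}/topic/{topic}"


def full_instance_policy(region=REGION, account=ACCOUNT, instance=INSTANCE) -> dict:
    """The page's 'Grant full access to a specific instance' policy, placeholders filled."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["rocketmq:ListInstances"],
             "Resource": [f"acs:rocketmq:{region}:{account}:instance/*"]},
            {"Effect": "Allow", "Action": ["rocketmq:*"],
             "Resource": [f"acs:rocketmq:{region}:{account}:instance/{instance}*"]},
            {"Effect": "Allow", "Action": ["rocketmq:ListAnalyticsQuery"],
             "Resource": [f"acs:rocketmq:*:{account}:*/*"]},
        ],
    }


def overly_broad_policy(region=REGION, account=ACCOUNT) -> dict:
    """Constructed contrast case: rocketmq:* on every instance in the region."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["rocketmq:*"],
         "Resource": [f"acs:rocketmq:{region}:{account}:instance/*"]}]}


if __name__ == "__main__":
    pol = full_instance_policy()
    mine = topic_arn(REGION, ACCOUNT, INSTANCE, "orders")
    other = topic_arn(REGION, ACCOUNT, "rmq-cn-other02", "orders")
    print("DeleteTopic on own instance:    ", evaluate(pol, "rocketmq:DeleteTopic", mine))
    print("DeleteTopic on other instance:  ", evaluate(pol, "rocketmq:DeleteTopic", other))
    print("Broad statements, page policy:  ", lint_broad_grants(pol))
    print("Broad statements, contrast case:", lint_broad_grants(overly_broad_policy()))
```

One consequence of the `instance/{InstanceId}*` pattern is visible when you run the evaluator: the trailing wildcard is a prefix match, so it also matches any other instance whose ID begins with `{InstanceId}` (for example `rmq-cn-example010` when the policy names `rmq-cn-example01`). If instance IDs in an account can share a prefix, check for that collision when reviewing a policy, or scope the statement with explicit child-resource ARNs instead.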

What's next