Custom policies for ApsaraMQ for RocketMQ - ApsaraMQ for RocketMQ

If system policies do not meet your requirements, you can configure custom policies to implement the principle of least privilege. You can use custom policies to implement fine-grained control over permissions and increase resource access security. This topic describes the scenarios in which custom policies for ApsaraMQ for RocketMQ are used. This topic also provides sample custom policies.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

References

Sample custom policies

Important

If you copy the sample code, replace the following fields:

{regionId}: Replace it with the ID of the region where your ApsaraMQ for RocketMQ instance resides. For more information, see Endpoints.
{accountId}: Replace it with the ID of your Alibaba Cloud account.
{InstanceId}: Replace it with the ID of your ApsaraMQ for RocketMQ instance.
{ConsumerGroupId}: Replace it with the ID of your consumer group.
{TopicName}: Replace it with the name of your topic.

Example 1: Grant a RAM user all permissions on an instance

{
    "Version": "1",
    "Statement": [
       {
            "Effect": "Allow",
            "Action": [
                "rocketmq:ListInstances"
            ],
            "Resource": [
                "acs:rocketmq:{regionId}:{accountId}:instance/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rocketmq:*"
            ],
            "Resource": [
                "acs:rocketmq:{regionId}:{accountId}:instance/{InstanceId}*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rocketmq:ListAnalyticsQuery"
            ],
            "Resource": [
                "acs:rocketmq:*:{#accountId}:*/*"
            ]
        }
    ]
}

Example 2: Grant a RAM user the permissions to create an instance

{  
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rocketmq:CreateInstance"
            ],
            "Resource": [
                "acs:rocketmq:{regionId}:{accountId}:instance/*" 
            ]
        }
    ]
}

Example 3: Grant a RAM user the permissions to delete a specific topic

{  
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rocketmq:DeleteTopic"
            ],
            "Resource": [
                "acs:rocketmq:{regionId}:{accountId}:instance/{InstanceId}/topic/{TopicName}" 
            ]
        }
    ]
}

Example 4: Grant a RAM user all permissions on instance diagnostics

{
    "Version":"1",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "rocketmq:GetAnalyticsQuery",
                "rocketmq:SubmitAnalyticsQuery",
                 "rocketmq:ListAnalyticsQuery"
            ],
            "Resource":[
                 "acs:rocketmq:*:{#accountId}:*/*"
            ]
        }
    ]
}

References

To use custom policies, you must understand the permission management requirements of your business and the authorization information about ApsaraMQ for RocketMQ. For more information, see RAM authorization.