Alibaba Cloud provides the Resource Access Management (RAM) service for you to manage permissions for Message Queue for MQTT. When you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. Instead, you can grant them only the minimal required permissions. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. This topic describes the policies of Message Queue for MQTT in RAM.

Policy types

In RAM, a policy is a set of permissions written in the RAM policy syntax. A policy precisely describes the resources, the actions, and the conditions under which access is allowed. The following types of RAM policies are provided for Message Queue for MQTT:

  • System policies: the policies that are created by Alibaba Cloud. You can use these policies, but cannot modify them. Alibaba Cloud maintains the version updates of the policies.
  • Custom policies: the policies that you can create, update, and delete. You maintain the version updates of these policies.

System policies

Message Queue for MQTT provides four system policies by default.

Notice Message Queue for MQTT does not support independent system policies. When you attach the following system policies to RAM users, these policies take effect for both Message Queue for MQTT and Message Queue for Apache RocketMQ.

  • AliyunMQFullAccess: the permissions to manage Message Queue for MQTT. They are equivalent to the permissions that the Alibaba Cloud account has. A RAM user to which these permissions are granted can send and subscribe to all messages and use all the features of the console.
  • AliyunMQPubOnlyAccess: the permissions to send messages in Message Queue for MQTT. A RAM user to which these permissions are granted can use all the resources of the Alibaba Cloud account to send messages by using SDKs.
  • AliyunMQSubOnlyAccess: the permissions to subscribe to messages in Message Queue for MQTT. A RAM user to which these permissions are granted can use all the resources of the Alibaba Cloud account to subscribe to messages by using SDKs.
  • AliyunMQReadOnlyAccess: the read-only permissions on Message Queue for MQTT. A RAM user to which these permissions are granted can only read resource information by using the console or by calling API operations.

Custom policies

Custom policies allow you to grant fine-grained permissions to users.

The following section describes the mappings between resources and actions in Message Queue for MQTT.

In Message Queue for MQTT, instances, topics, groups, and rules are different types of resources. Permissions are granted to perform actions on these resources.

The resources and actions of Message Queue for MQTT, and the rules that govern them, fall into three categories: the console, the API, and the Message Queue for MQTT client. Resource-related operations in the console are further divided into four categories by resource type: instance, topic, group, and rule.

Note To access the resources of a Message Queue for MQTT instance and call the API to perform operations on the instance, you must obtain access permissions on the Message Queue for MQTT instance, and the corresponding action is mq:MqttInstanceAccess.

For more information about sample custom policies, see Sample permission policies.

Permissions of the Message Queue for MQTT client to send and subscribe to messages

The permissions to send and subscribe to messages involve the resource naming formats of topics and group IDs:
  • Topic: acs:mq:*:*:topic/{mqttInstanceId}/{topic}
  • Group ID: acs:mq:*:*:groupId/{mqttInstanceId}/{gid}

Actions:
  • mq:PUB: Sends a message.
  • mq:SUB: Subscribes to a topic.

Remarks: Before you grant permissions on topics and groups to a RAM user, you must grant the user the mq:MqttInstanceAccess permission on the instance to which the topics and groups belong.

Note The permissions of the Message Queue for MQTT client to send and subscribe to messages cannot be granted across Alibaba Cloud accounts.
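The prerequisite stated in the Remarks above (a topic or group grant is only useful alongside mq:MqttInstanceAccess on the owning instance) is easy to miss when policies are assembled by hand. The following is an added example, not code from the Alibaba Cloud documentation: it builds a least-privilege RAM policy document for one client from the resource naming formats on this page, and checks any policy document for grants that lack the instance prerequisite. The instance, topic and group IDs in it are constructed placeholders.

```python
import json
import re

# Resource naming formats taken from this page; region and account segments are wildcards.
INSTANCE_RES = "acs:mq:*:*:instance/{iid}"
TOPIC_RES = "acs:mq:*:*:topic/{iid}/{topic}"
GROUP_RES = "acs:mq:*:*:groupId/{iid}/{gid}"
# Matches an instance, topic, groupId or rule resource and captures its kind and instance ID.
RES_RE = re.compile(r"acs:mq:[^:]*:[^:]*:(instance|topic|groupId|rule)/([^/]+)(?:/.*)?")


def build_client_policy(instance_id, group_ids, pub_topics=(), sub_topics=()):
    """Least-privilege policy for one MQTT client: mq:MqttInstanceAccess on the instance
    (the prerequisite for any topic or group grant), then mq:PUB and mq:SUB only on the
    named topics and on the group IDs the client connects with."""
    groups = [GROUP_RES.format(iid=instance_id, gid=g) for g in group_ids]
    statements = [{"Effect": "Allow", "Action": ["mq:MqttInstanceAccess"],
                   "Resource": [INSTANCE_RES.format(iid=instance_id)]}]
    for action, topics in (("mq:PUB", pub_topics), ("mq:SUB", sub_topics)):
        if topics:
            resources = [TOPIC_RES.format(iid=instance_id, topic=t) for t in topics]
            statements.append({"Effect": "Allow", "Action": [action], "Resource": resources + groups})
    return {"Version": "1", "Statement": statements}


def missing_instance_access(policy):
    """Instance IDs that topic, groupId or rule grants refer to without an Allow of
    mq:MqttInstanceAccess on the instance itself (the rule stated in the Remarks above).
    Only exact action names are compared; RAM action wildcards are not expanded."""
    granted, needed = set(), set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for res in resources:
            m = RES_RE.fullmatch(res)
            if not m:
                continue
            kind, iid = m.groups()
            if kind == "instance" and "mq:MqttInstanceAccess" in actions:
                granted.add(iid)
            elif kind != "instance":
                needed.add(iid)
    return [] if "*" in granted else sorted(needed - granted)


if __name__ == "__main__":
    # Constructed sample IDs; real instance, topic and group IDs come from your own console.
    policy = build_client_policy("post-cn-EXAMPLE", ["GID_sensor"], ["telemetry"], ["cmd"])
    print(json.dumps(policy, indent=2), "\nmissing instance access:", missing_instance_access(policy))
```

The same checker applies to console and API policies, since the rule, topic and group ID sections below state the same instance prerequisite.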

Permissions to manage instances in the console

The resource naming format of a Message Queue for MQTT instance is acs:mq:*:*:instance/{mqttInstanceId}.

Actions:
  • mq:MqttInstanceAccess: Queries the basic information of a specific instance. Remarks: Before you grant permissions on topics and groups to a RAM user, you must grant the user the mq:MqttInstanceAccess permission on the instance to which the topics and groups belong.
  • mq:DeleteMqttInstance: Deletes an instance.
  • mq:UpdateMqttInstance: Modifies instance information.
  • mq:ListMqttInstance: Queries instances.
  • mq:UpdateMqttInstanceWarn: Updates the alert information of a specific instance.

Permissions to manage topics in the console

The resource naming format of a topic is acs:mq:*:*:topic/{mqttInstanceId}/{topic}.

Actions:
  • mq:QueryMqttClientByTopic: Queries the Message Queue for MQTT clients that subscribe to a specific topic.
  • mq:QueryMqttMsgTransTrend: Queries messaging statistics based on a specific topic.
  • mq:SendMqttMessageByConsole: Tests the message sending feature in the console.
  • mq:CreateMqttTopic: Creates a topic.
  • mq:DeleteMqttTopic: Deletes a topic.
  • mq:ListMqttTopic: Queries a topic.
  • mq:UpdateMqttTopic: Updates the remarks of a topic.

Remarks: Before you grant permissions on topics and groups to a RAM user, you must grant the user the mq:MqttInstanceAccess permission on the instance to which the topics and groups belong.

Permissions to manage group IDs in the console

The resource naming format of a group ID is acs:mq:*:*:groupId/{mqttInstanceId}/{gid}.

Actions:
  • mq:CreateMqttGroupId: Creates a group ID.
  • mq:ListMqttGroupId: Queries group IDs.
  • mq:QueryMqttClientByClientId: Queries Message Queue for MQTT client information based on a specific client ID.
  • mq:QueryMqttClientByGroupId: Queries Message Queue for MQTT client information based on a specific group ID.
  • mq:QueryMqttHistoryOnline: Queries the information about historical connected Message Queue for MQTT clients based on a specific group ID.
  • mq:DeleteMqttGroupId: Deletes a group ID.
  • mq:QueryMqttDeviceTrace: Queries traces of a Message Queue for MQTT client.
  • mq:QueryMqttDeviceTrace: Queries the information about a specific Message Queue for MQTT client.

Remarks: Before you grant permissions on topics and groups to a RAM user, you must grant the user the mq:MqttInstanceAccess permission on the instance to which the topics and groups belong.

Permissions to manage rules in the console

The resource naming format of a rule is acs:mq:*:*:rule/{mqttInstanceId}/{ruleId}.

When you grant permissions on a rule, make sure that the related instances, topics, and group IDs belong to the same Alibaba Cloud account.

Actions:
  • mq:CreateMqttInboundRule: Creates a data inbound rule.
  • mq:DeleteMqttInboundRule: Deletes a data inbound rule.
  • mq:ListMqttInboundRule: Queries a data inbound rule.
  • mq:UpdateMqttInboundRule: Updates a data inbound rule.
  • mq:CreateMqttOutboundRule: Creates a data outbound rule.
  • mq:DeleteMqttOutboundRule: Deletes a data outbound rule.
  • mq:ListMqttOutboundRule: Queries a data outbound rule.
  • mq:UpdateMqttOutboundRule: Updates a data outbound rule.
  • mq:CreateClientStatusNotifyRule: Creates a rule for client status notification.
  • mq:DeleteClientStatusNotifyRule: Deletes a rule for client status notification.
  • mq:ListClientStatusNotifyRule: Queries a rule for client status notification.
  • mq:UpdateClientStatusNotifyRule: Updates a rule for client status notification.

Remarks: Before you grant permissions on rules to a RAM user, you must grant the user the mq:MqttInstanceAccess permission on the instance with which the rules are associated.

Permissions to call API operations

Before you grant the permissions to perform operations on rules by calling API operations, make sure that the related instances, topics, and group IDs belong to the same Alibaba Cloud account.

The following list groups the API operations by the resources they act on. Each group states the resource naming format and an example first, followed by the operations and the actions that each operation requires.

Resources: all (no resource restriction)
  Format: *
  Example: *
  • RevokeToken: mq:MqttInstanceAccess, mq:RevokeToken
  • QueryToken: mq:MqttInstanceAccess, mq:QueryToken

Resources: Instance and Topic
  Format: Instance acs:mq:*:*:instance/{mqttInstanceId}; Topic acs:mq:*:*:topic/{mqttInstanceId}/{topic}
  Example: Instance acs:mq:*:*:instance/post-cn-09k1noy****; Topic acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****
  • ApplyToken: mq:MqttInstanceAccess, mq:ApplyToken

Resources: Instance and Group ID
  Format: Instance acs:mq:*:*:instance/{mqttInstanceId}; Group ID acs:mq:*:*:groupId/{mqttInstanceId}/{gid}
  Example: Instance acs:mq:*:*:instance/post-cn-09k1noy****; Group ID acs:mq:*:*:groupId/post-cn-09k1noy****/GID_****
  • CreateGroupId: mq:MqttInstanceAccess, mq:CreateMqttGroupId
  • DeleteGroupId: mq:MqttInstanceAccess, mq:DeleteMqttGroupId
  • ListGroupId: mq:MqttInstanceAccess, mq:ListMqttGroupId

Resources: Instance and Topic
  Format: Instance acs:mq:*:*:instance/{mqttInstanceId}; Topic acs:mq:*:*:topic/{mqttInstanceId}/{topic}
  Example: Instance acs:mq:*:*:instance/post-cn-09k1noy****; Topic acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****
  • CreateTopic: mq:MqttInstanceAccess, mq:CreateMqttTopic
  • DeleteTopic: mq:MqttInstanceAccess, mq:DeleteMqttTopic
  • ListTopic: mq:MqttInstanceAccess, mq:ListMqttTopic
  • UpdateTopic: mq:MqttInstanceAccess, mq:UpdateMqttTopic

Resources: Instance and Rule
  Format: Instance acs:mq:*:*:instance/{mqttInstanceId}; Rule acs:mq:*:*:rule/{mqttInstanceId}/{ruleId}
  Example: Instance acs:mq:*:*:instance/post-cn-09k1noy****; Rule acs:mq:*:*:rule/post-cn-09k1noy****/111****
  • CreateMqttInboundRule: mq:MqttInstanceAccess, mq:CreateMqttInboundRule
  • DeleteMqttInboundRule: mq:MqttInstanceAccess, mq:DeleteMqttInboundRule
  • ListMqttInboundRuleInPage: mq:MqttInstanceAccess, mq:ListMqttInboundRule
  • UpdateMqttInboundRule: mq:MqttInstanceAccess, mq:UpdateMqttInboundRule
  • CreateMqttOutboundRule: mq:MqttInstanceAccess, mq:CreateMqttOutboundRule
  • DeleteMqttOutboundRule: mq:MqttInstanceAccess, mq:DeleteMqttOutboundRule
  • ListMqttOutboundRuleInPage: mq:MqttInstanceAccess, mq:ListMqttOutboundRule
  • UpdateMqttOutboundRule: mq:MqttInstanceAccess, mq:UpdateMqttOutboundRule
  • CreateClientStatusNotifyRule: mq:MqttInstanceAccess, mq:CreateClientStatusNotifyRule
  • DeleteClientStatusNotifyRule: mq:MqttInstanceAccess, mq:DeleteClientStatusNotifyRule
  • ListClientStatusNotifyRuleInPage: mq:MqttInstanceAccess, mq:ListClientStatusNotifyRule
  • UpdateClientStatusNotifyRule: mq:MqttInstanceAccess, mq:UpdateClientStatusNotifyRule

Resources: Instance and Group ID
  Format: Instance acs:mq:*:*:instance/{mqttInstanceId}; Group ID acs:mq:*:*:groupId/{mqttInstanceId}/{gid}
  Example: Instance acs:mq:*:*:instance/post-cn-09k1noy****; Group ID acs:mq:*:*:groupId/post-cn-09k1noy****/GID_****
  • QuerySessionByClientId: mq:MqttInstanceAccess
  • BatchQuerySessionByClientIds: mq:MqttInstanceAccess
  • RegisterDeviceCredential: mq:MqttInstanceAccess
  • GetDeviceCredential: mq:MqttInstanceAccess
  • UnRegisterDeviceCredential: mq:MqttInstanceAccess
  • RefreshDeviceCredential: mq:MqttInstanceAccess
  • QueryMqttTraceDevice: mq:MqttInstanceAccess, mq:QueryMqttTraceDevice
  • QueryMqttTraceMessageOfClient: mq:MqttInstanceAccess, mq:QueryMqttDeviceTrace

Resources: Instance
  Format: Instance acs:mq:*:*:instance/{mqttInstanceId}
  Example: Instance acs:mq:*:*:instance/post-cn-09k1noy****
  • QueryMqttTraceMessagePublish: mq:MqttInstanceAccess
  • QueryMqttTraceMessageSubscribe: mq:MqttInstanceAccess
Note For more information about the API operations, see List of operations by function.

References