Message Service: Permission policies and examples

Last Updated: Sep 28, 2023

MNS uses Alibaba Cloud Resource Access Management (RAM) to manage permissions. When you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. Instead, you can grant them only the minimal required permissions. An AccessKey pair includes an AccessKey ID and an AccessKey secret. This topic describes the RAM policies and provides examples for MNS.

Background information

In RAM, a policy is a set of permissions that are described with the policy syntax and structure. A policy can accurately describe the authorized resource set, action set, and authorization conditions. For more information, see Policy structure and syntax.

MNS supports the following types of RAM policies:

  • System policies

    System policies are created and maintained by Alibaba Cloud. You can attach these policies, but you cannot modify them; Alibaba Cloud maintains their updates.

  • Custom policies

    You can create, update, and delete custom policies and maintain version updates of the policies. You can edit custom policies and attach them to RAM users in the RAM console.

System policies

The following table describes the default permission policies that are provided for MNS.

Policy                  | Description
AliyunMNSFullAccess     | The permissions to manage MNS, which are equivalent to the permissions that the Alibaba Cloud account has. A RAM user to which this policy is attached can send and subscribe to all messages and use all the features of the console.
AliyunMNSReadOnlyAccess | The read-only permissions on MNS. A RAM user to which this policy is attached can only read resource information in the console or by calling API operations.

Custom policies

You can define custom policies to grant fine-grained permissions. The following table describes the actions and resources that can be used to define custom policies for MNS.

API operation                         | Action                        | Resource
OpenService                           | mns:OpenService               | acs:mns:$region:$accountid:/commonbuy/openservice
ListQueue                             | mns:ListQueue                 | acs:mns:$region:$accountid:/queues
CreateQueue                           | mns:CreateQueue               | acs:mns:$region:$accountid:/queues/$queueName
DeleteQueue                           | mns:DeleteQueue               | acs:mns:$region:$accountid:/queues/$queueName
SetQueueAttributes                    | mns:SetQueueAttributes        | acs:mns:$region:$accountid:/queues/$queueName
GetQueueAttributes                    | mns:GetQueueAttributes        | acs:mns:$region:$accountid:/queues/$queueName
SendMessage or BatchSendMessage       | mns:SendMessage               | acs:mns:$region:$accountid:/queues/$queueName/messages
ReceiveMessage or BatchReceiveMessage | mns:ReceiveMessage            | acs:mns:$region:$accountid:/queues/$queueName/messages
DeleteMessage                         | mns:DeleteMessage             | acs:mns:$region:$accountid:/queues/$queueName/messages
PeekMessage or BatchPeekMessage       | mns:PeekMessage               | acs:mns:$region:$accountid:/queues/$queueName/messages
ChangeMessageVisibility               | mns:ChangeMessageVisibility   | acs:mns:$region:$accountid:/queues/$queueName/messages
ListTopic                             | mns:ListTopic                 | acs:mns:$region:$accountid:/topics
CreateTopic                           | mns:CreateTopic               | acs:mns:$region:$accountid:/topics/$topicName
DeleteTopic                           | mns:DeleteTopic               | acs:mns:$region:$accountid:/topics/$topicName
SetTopicAttributes                    | mns:SetTopicAttributes        | acs:mns:$region:$accountid:/topics/$topicName
GetTopicAttributes                    | mns:GetTopicAttributes        | acs:mns:$region:$accountid:/topics/$topicName
ListSubscriptionByTopic               | mns:ListSubscriptionByTopic   | acs:mns:$region:$accountid:/topics/$topicName/subscriptions
Subscribe                             | mns:Subscribe                 | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName
Unsubscribe                           | mns:Unsubscribe               | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName
SetSubscriptionAttributes             | mns:SetSubscriptionAttributes | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName
GetSubscriptionAttributes             | mns:GetSubscriptionAttributes | acs:mns:$region:$accountid:/topics/$topicName/subscriptions/$subscriptionName
PublishMessage                        | mns:PublishMessage            | acs:mns:$region:$accountid:/topics/$topicName/messages

Examples of custom policies

  • Example 1: Allow access from specified CIDR blocks

    The following example shows how to allow access from the 42.120.88.0/24 and 42.120.66.0/24 CIDR blocks to MNS.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "mns:*",
                "Effect": "Allow",
                "Resource": "acs:mns:*:*:*",
                "Condition":{
                    "IpAddress": {
                        "acs:SourceIp": ["42.120.88.0/24", "42.120.66.0/24"]
                    }
                }
            }
        ]
    }

  • Example 2: Deny access from IP addresses outside a specified CIDR block

    The following example shows how to deny access to MNS from any IP address that is not in the 42.120.88.0/24 CIDR block. Note that the condition operator is NotIpAddress, so the Deny statement applies to requests from outside the block, not from inside it:

    {
        "Version":"1",
        "Statement":[
            {
                "Action":"mns:*",
                "Effect":"Deny",
                "Resource":"acs:mns:*:*:*",
                "Condition":{
                    "NotIpAddress":{
                        "acs:SourceIp":[
                            "42.120.88.0/24"
                        ]
                    }
                }
            }
        ]
    }

    Important

    A Deny statement takes precedence over any Allow statement in RAM policies: if an operation matches a Deny statement, it fails even if another statement allows it. In this example, a request to MNS from an IP address that is not in the 42.120.88.0/24 CIDR block matches the Deny statement, so an error message is returned because the caller is not authorized to access MNS.

  • Example 3: Authorize a RAM user to view MNS topics and queues

    The following example shows how to authorize a RAM user to list MNS queues and topics and to view the attributes of each queue or topic:

    {
        "Version":"1",
        "Statement":[
            {
                "Effect":"Allow",
                "Action":[
                    "mns:ListQueue",
                    "mns:ListTopic",
                    "mns:GetQueueAttributes",
                    "mns:GetTopicAttributes"
                ],
                "Resource":"acs:mns:*:*:*"
            }
        ]
    }
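As an added example (not from this page or from Alibaba Cloud's own tooling), a small Python evaluator that models the RAM rules the examples above rely on: an applicable explicit Deny beats any Allow, and IpAddress / NotIpAddress conditions on acs:SourceIp. It runs Example 2 and Example 3 as constructed inputs, and also builds a least-privilege consumer policy from the action table so you can check that a consumer cannot send or delete the queue. Only those two condition operators are modelled; region, account ID and queue names in the checks are placeholders.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed inputs: the page's Example 2 (Deny + NotIpAddress) and Example 3 (read-only).
EXAMPLE2_DENY = {"Version": "1", "Statement": [{
    "Action": "mns:*", "Effect": "Deny", "Resource": "acs:mns:*:*:*",
    "Condition": {"NotIpAddress": {"acs:SourceIp": ["42.120.88.0/24"]}}}]}
EXAMPLE3_READ = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Resource": "acs:mns:*:*:*",
    "Action": ["mns:ListQueue", "mns:ListTopic",
               "mns:GetQueueAttributes", "mns:GetTopicAttributes"]}]}

def consumer_policy(region, account_id, queue_name):
    """Least-privilege consumer: only the message actions on one queue, using the
    page's acs:mns:$region:$accountid:/queues/$queueName/messages resource pattern."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": ["mns:ReceiveMessage", "mns:DeleteMessage",
                   "mns:ChangeMessageVisibility"],
        "Resource": f"acs:mns:{region}:{account_id}:/queues/{queue_name}/messages"}]}

def _listify(v):
    return v if isinstance(v, list) else [v]

def _matches(value, patterns):
    return any(fnmatchcase(value, p) for p in _listify(patterns))

def _condition_met(cond, ctx):
    """Only IpAddress / NotIpAddress on acs:SourceIp are modelled here."""
    for op, kv in cond.items():
        for key, cidrs in kv.items():
            src = ctx.get(key)
            hit = src is not None and any(ipaddress.ip_address(src) in
                  ipaddress.ip_network(c, strict=False) for c in _listify(cidrs))
            if (op == "IpAddress" and not hit) or (op == "NotIpAddress" and hit):
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """RAM order: an applicable explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for pol in policies:
        for st in pol["Statement"]:
            if not (_matches(action, st["Action"]) and _matches(resource, st["Resource"])
                    and _condition_met(st.get("Condition", {}), ctx)):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```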