
IoT Platform: Authorize a RAM user of the current Alibaba Cloud account to use server-side subscription

Last Updated: Oct 20, 2023

You can use a Resource Access Management (RAM) role to authorize a RAM user to use the server-side subscription feature of IoT Platform. This topic describes how to use a RAM role to authorize a RAM user to receive server-side subscription messages from IoT Platform.

Background information

Security Token Service (STS) allows you to manage temporary credentials used to access your Alibaba Cloud resources. RAM allows you to create and manage the following identities for Alibaba Cloud accounts: RAM user and RAM role.

A RAM role is a virtual identity to which policies can be attached. RAM roles do not have logon passwords or AccessKey pairs. A RAM role must be assumed by a trusted entity, such as a RAM user, an Alibaba Cloud service, or an identity provider (IdP). If a trusted entity assumes a RAM role, the trusted entity can obtain and use an STS token of the RAM role to access the resources on which the RAM role has permissions.

For more information about the features and benefits of STS, see What is STS?

Note

You can also directly authorize a RAM user to access IoT Platform resources. However, it is more secure to use a RAM role to authorize a RAM user to access the resources on which the RAM role has permissions.

If you use a RAM user, you must attach a RAM policy that contains the iot:sub action to the RAM user. This way, the RAM user can use the server-side subscription feature of IoT Platform. Otherwise, the connection fails. For more information, see Mapping between IoT Platform API operations and RAM policies.

Step 1: Create a RAM role and grant permissions to the RAM role

  1. Create a RAM role for a trusted Alibaba Cloud account: Log on to the RAM console by using your Alibaba Cloud account and create a RAM role for the current Alibaba Cloud account.

    In the Configure Role step of the Create Role wizard, select Current Alibaba Cloud Account for the Select Trusted Alibaba Cloud Account parameter.

  2. Create a custom policy on the JSON tab: Use your Alibaba Cloud account to create a custom policy.

    To grant the permission to use server-side subscription, set the Action parameter to iot:sub. The following code shows the policy content:

    {
      "Statement": [
        {
          "Action": "iot:sub",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
  3. Grant permissions to the RAM role: Use your Alibaba Cloud account to attach the custom policy that you created in the previous step to the RAM role.

  4. Create a RAM user: Log on to the RAM console by using your Alibaba Cloud account and create a RAM user.

  5. Grant permissions to the RAM user: Use your Alibaba Cloud account to grant the AliyunSTSAssumeRoleAccess permission to the RAM user that you created in the previous step. This way, the RAM user can assume the RAM role of your Alibaba Cloud account.
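The five steps above produce two policy documents: the custom permission policy attached to the role (the iot:sub policy shown in step 2) and the trust policy that decides who may assume the role. The following Python script is an added example, not code from the page or from Alibaba Cloud: it embeds the page's custom policy, a trust policy in the form the RAM console generates when Current Alibaba Cloud Account is selected (the account ID is a placeholder), and a small evaluator that applies RAM semantics (explicit Deny overrides Allow, anything unmentioned is implicitly denied, `*` wildcards in action names) so you can confirm the role grants server-side subscription and nothing broader before attaching it. The action names other than iot:sub are used only to show what the policy does not grant.

```python
import fnmatch
import json

# The custom policy from Step 1, exactly as the page shows it.
SUB_POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": "iot:sub",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
""")

# Trust policy of the form the RAM console generates for a role trusted by the
# current Alibaba Cloud account (assumed form; the account ID is a placeholder).
TRUST_POLICY = {
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": ["acs:ram::<ACCOUNT-ID-PLACEHOLDER>:root"]},
        }
    ],
    "Version": "1",
}


def _as_list(value):
    # "Action" and "Resource" may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(pattern, target):
    # RAM names are matched case-insensitively; '*' matches any run of characters.
    return fnmatch.fnmatchcase(target.lower(), pattern.lower())


def is_allowed(policy, action, resource="*"):
    """Evaluate one RAM policy for one action on one resource.

    An explicit Deny always wins over an Allow, and an action that no
    statement mentions is implicitly denied."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*")))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


def overly_broad_actions(policy):
    """Return Allow-statement actions that contain a wildcard (for example
    'iot:*' or '*'), which would grant far more than server-side subscription."""
    broad = []
    for stmt in policy.get("Statement", []):
        if stmt["Effect"] != "Allow":
            continue
        broad.extend(a for a in _as_list(stmt["Action"]) if "*" in a)
    return broad


def check_role_setup(permission_policy, trust_policy):
    """Summarise what the role can do and which principals may assume it."""
    return {
        "can_subscribe": is_allowed(permission_policy, "iot:sub"),
        # 'iot:DeleteProduct' is used here only as an example of an unrelated action.
        "can_delete_product": is_allowed(permission_policy, "iot:DeleteProduct"),
        "broad_actions": overly_broad_actions(permission_policy),
        "assumable_by": [
            principal
            for stmt in trust_policy["Statement"]
            if stmt["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"])
            for principal in stmt["Principal"].get("RAM", [])
        ],
    }


if __name__ == "__main__":
    print(json.dumps(check_role_setup(SUB_POLICY, TRUST_POLICY), indent=2))
```

Run the script against any policy you intend to attach: `can_subscribe` must be true, `can_delete_product` false, and `broad_actions` empty; if someone later widens the action to `iot:*`, the last check catches it.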

Step 2: Receive AMQP server-side subscription messages as a RAM user

  1. Configure an AMQP server-side subscription: Use your Alibaba Cloud account to log on to the IoT Platform console and configure an Advanced Message Queuing Protocol (AMQP) server-side subscription.

  2. Configure an AMQP client to receive server-side subscription messages: Connect an AMQP client to IoT Platform as the RAM user that you created to receive device messages from IoT Platform by using the server-side subscription feature.
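When the AMQP client connects as the RAM user, it does not present the RAM user's own AccessKey pair to IoT Platform. It first calls STS AssumeRole with that AccessKey pair and then presents the temporary credentials of the role (AccessKeyId, AccessKeySecret, SecurityToken) together with their expiration. Because the token expires, a long-running consumer has to refresh it before it lapses. The following Python code is an added example, not code from the page or from the Alibaba Cloud SDK: it builds the AssumeRole parameter set (the parameter names RoleArn, RoleSessionName and DurationSeconds are the STS API's; the role ARN and account ID are placeholders), parses a constructed sample of the AssumeRole response, and wraps the credentials in a provider that re-assumes the role a few minutes before expiry. The network call is injected as a callable so the logic runs offline; the exact way the STS token is passed in the AMQP connection parameters is described in the linked topic and is not shown here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of an STS AssumeRole response (field names as in the STS
# API; every value is made up for this example).
SAMPLE_ASSUME_ROLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "STS.EXAMPLEKEYID",
        "AccessKeySecret": "EXAMPLE-SECRET",
        "SecurityToken": "EXAMPLE-SECURITY-TOKEN",
        "Expiration": "2023-10-20T10:00:00Z",
    },
    "AssumedRoleUser": {
        "Arn": "acs:ram::<ACCOUNT-ID-PLACEHOLDER>:role/<ROLE-NAME-PLACEHOLDER>/amqp-consumer",
        "AssumedRoleId": "EXAMPLE-ROLE-ID:amqp-consumer",
    },
}


def assume_role_params(role_arn, session_name, duration_seconds=3600):
    """Build the parameters the RAM user sends to STS AssumeRole.

    STS rejects sessions shorter than 900 seconds; the upper bound is the
    role's configured maximum session duration, which is not checked here."""
    if not role_arn.startswith("acs:ram::"):
        raise ValueError("role_arn must be a RAM role ARN (acs:ram::<account>:role/<name>)")
    if not session_name:
        raise ValueError("session_name is required; it appears in audit logs")
    if duration_seconds < 900:
        raise ValueError("DurationSeconds must be at least 900")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }


@dataclass(frozen=True)
class StsCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime  # timezone-aware, UTC

    @classmethod
    def from_response(cls, response):
        c = response["Credentials"]
        expiration = datetime.strptime(c["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        return cls(c["AccessKeyId"], c["AccessKeySecret"], c["SecurityToken"], expiration)

    def seconds_remaining(self, now):
        return (self.expiration - now).total_seconds()

    def needs_refresh(self, now, margin):
        # Refresh early so a connection attempt never carries an expired token.
        return self.expiration - now <= margin


class CredentialProvider:
    """Caches STS credentials for the AMQP consumer and re-assumes the role
    shortly before they expire."""

    def __init__(self, assume_role, margin=timedelta(minutes=5)):
        self._assume_role = assume_role  # callable returning an AssumeRole response dict
        self._margin = margin
        self._cached = None
        self.refresh_count = 0

    def get(self, now):
        if self._cached is None or self._cached.needs_refresh(now, self._margin):
            self._cached = StsCredentials.from_response(self._assume_role())
            self.refresh_count += 1
        return self._cached


if __name__ == "__main__":
    params = assume_role_params(
        "acs:ram::<ACCOUNT-ID-PLACEHOLDER>:role/<ROLE-NAME-PLACEHOLDER>", "amqp-consumer"
    )
    provider = CredentialProvider(lambda: SAMPLE_ASSUME_ROLE_RESPONSE)
    creds = provider.get(datetime(2023, 10, 20, 9, 0, tzinfo=timezone.utc))
    print(params, creds.access_key_id, creds.seconds_remaining(datetime(2023, 10, 20, 9, 0, tzinfo=timezone.utc)))
```

In a real consumer the injected callable performs the STS request with the RAM user's AccessKey pair (which then never has to be configured on the AMQP client itself), and `get()` is called each time the client reconnects, so a restart after the token's lifetime picks up fresh credentials instead of failing with an expired one.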