You can use Alibaba Cloud Resource Access Management (RAM) to manage permissions on the console and API of Message Queue for Apache Kafka. RAM eliminates the need to share the AccessKey pair of your Alibaba Cloud account with other users. You can grant the RAM users of your Alibaba Cloud account the minimum required permissions. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.

RAM policies

In RAM, policies are a set of permissions that are described based on the policy structure and syntax. Each policy describes the resources on which permissions are granted, the API operations that are allowed or denied, and the conditions that are required for the policy to take effect. For more information, see Policy structure and syntax.

In RAM, a policy is a resource entity. Message Queue for Apache Kafka supports the following types of policies:

  • System policy: System policies are created and maintained by Alibaba Cloud. These policies are suitable for implementing coarse-grained permission control on RAM users. System policies cannot be modified after they are created.
  • Custom policy: You can create, update, and delete custom policies. These policies are suitable for implementing fine-grained permission control on RAM users. You need to maintain the versions of custom policies.

System policies

The following table describes the system policies that are supported by Message Queue for Apache Kafka.

Policy | Description
------ | -----------
AliyunKafkaFullAccess | The management permissions on Message Queue for Apache Kafka. RAM users to whom this policy is attached are granted the permissions to perform all operations on the console and API of Message Queue for Apache Kafka. This policy grants permissions that are equivalent to the permissions of an Alibaba Cloud account on Message Queue for Apache Kafka.
AliyunKafkaReadOnlyAccess | The read-only permissions on Message Queue for Apache Kafka. RAM users to whom this policy is attached are granted only the read-only permissions on all Message Queue for Apache Kafka resources that belong to their Alibaba Cloud accounts. This policy does not grant permissions to perform operations on the console or API of Message Queue for Apache Kafka.

Examples of system policies

Attach the AliyunKafkaFullAccess system policy to a RAM user. The RAM user is granted the permissions to perform all operations on the console and API of Message Queue for Apache Kafka. The granted permissions are equivalent to the permissions of the corresponding Alibaba Cloud account on Message Queue for Apache Kafka. The following code displays the content of the policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "alikafka:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Custom policies

The following table describes the custom policies that are supported by Message Queue for Apache Kafka.

Action | Permission description | Read-only
------ | ---------------------- | ---------
ReadOnly | Reads all resources. | Yes
ListInstance | Views instances. | Yes
StartInstance | Deploys instances. | No
UpdateInstance | Updates instance configurations. | No
ReleaseInstance | Releases instances. | No
ListTopic | Views topics. | Yes
CreateTopic | Creates topics. | No
UpdateTopic | Updates topic configurations. | No
DeleteTopic | Deletes topics. | No
ListGroup | Views groups. | Yes
CreateGroup | Creates groups. | No
UpdateGroup | Updates group configurations. | No
DeleteGroup | Deletes groups. | No
QueryMessage | Queries messages. | Yes
SendMessage | Sends messages. | No
DownloadMessage | Downloads messages. | Yes
CreateMessageSearch | Enables message retrieval. | No
OperateMessageSearch | Starts and stops message retrieval tasks. | No
ListMessageSearch | Views retrieved messages. | Yes
DeleteMessageSearch | Deletes message retrieval tasks. | No
CreateDeployment | Creates FC sink, MaxCompute sink, OSS sink, Elasticsearch sink, MySQL source, and DLA sink connectors. | No
DeleteDeployment | Deletes FC sink, MaxCompute sink, OSS sink, Elasticsearch sink, MySQL source, and DLA sink connectors. | No
ListDeployments | Views connectors. | Yes
UpdateDeploymentRemark | Changes connector descriptions. | No
GetDeploymentLog | Queries the operational logs of connectors. | Yes
OperateDeployment | Starts and stops connectors. | No
CreateOtsSinkDeployment | Creates Tablestore sink connectors. | No
OperateOtsSinkDeployment | Starts and stops Tablestore sink connectors. | No
DeleteOtsSinkDeployment | Deletes Tablestore sink connectors. | No
CreateAdbSinkDeployment | Creates AnalyticDB sink connectors. | No
OperateAdbSinkDeployment | Starts and stops AnalyticDB sink connectors. | No
DeleteAdbSinkDeployment | Deletes AnalyticDB sink connectors. | No
EnableAcl | Enables the access control list (ACL) feature. | No
CreateAcl | Creates ACLs. | No
DeleteAcl | Deletes ACLs. | No
ListAcl | Queries ACLs. | Yes
CreateSaslUser | Creates Simple Authentication and Security Layer (SASL) users. | No
DeleteSaslUser | Deletes SASL users. | No
ListSaslUser | Queries SASL users. | Yes
CreateETLTask | Creates extract, transform, and load (ETL) tasks. | No
ListETLTask | Queries ETL tasks. | Yes
DeleteETLTask | Deletes ETL tasks. | No

Examples of custom policies

Attach the AliyunKafkaCustomAccess policy to a RAM user. The RAM user is granted only the permissions to use the console or API of Message Queue for Apache Kafka to perform the following operations on the alikafka_post-cn-xxx instance: view the instance, view topics, view groups, query messages, and download messages. The following code displays the content of the policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "alikafka:ListInstance",
                "alikafka:ListTopic",
                "alikafka:ListGroup",
                "alikafka:QueryMessage",
                "alikafka:DownloadMessage"
            ],
            "Resource": "acs:alikafka:*:*:alikafka_post-cn-xxx",
            "Effect": "Allow"
        }
    ]
}
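To show how the two policies above differ in practice, here is an added example, not part of the Alibaba Cloud documentation and not the RAM service's own evaluator: a small Python evaluator that applies the policy rules illustrated on this page (a request matches a statement when both Action and Resource match, `*` is a wildcard, a request no statement matches is denied, and an explicit Deny overrides an Allow) to the AliyunKafkaFullAccess system policy and to the custom policy scoped to the alikafka_post-cn-xxx instance. The policy documents are copied from the page; the region, account ID, the second instance name, the split of table actions into read-only and mutating lists, and the omission of Condition blocks are assumptions of this example.

```python
import json
import re

# Constructed copies of the two policies shown on this page (system policy
# AliyunKafkaFullAccess and the custom read-only policy for one instance).
FULL_ACCESS_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {"Action": "alikafka:*", "Resource": "*", "Effect": "Allow"}
    ]
}
""")

CUSTOM_INSTANCE_READ_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "alikafka:ListInstance",
                "alikafka:ListTopic",
                "alikafka:ListGroup",
                "alikafka:QueryMessage",
                "alikafka:DownloadMessage"
            ],
            "Resource": "acs:alikafka:*:*:alikafka_post-cn-xxx",
            "Effect": "Allow"
        }
    ]
}
""")

# Constructed subset of the actions from the custom-policy table above,
# split according to the table's "Read-only" column.
READ_ONLY_ACTIONS = [
    "ListInstance", "ListTopic", "ListGroup", "QueryMessage",
    "DownloadMessage", "ListAcl", "ListSaslUser",
]
MUTATING_ACTIONS = [
    "StartInstance", "UpdateInstance", "ReleaseInstance",
    "CreateTopic", "UpdateTopic", "DeleteTopic",
    "CreateGroup", "UpdateGroup", "DeleteGroup", "SendMessage",
    "EnableAcl", "CreateAcl", "DeleteAcl", "CreateSaslUser", "DeleteSaslUser",
]


def _as_list(value):
    """Action and Resource may be written as one string or as a list."""
    return [value] if isinstance(value, str) else list(value)


def _glob_match(pattern, value):
    """Match a policy pattern against a value. Only '*' is special; it
    matches any run of characters, including an empty one."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Simplified RAM-style evaluation of one request against one policy:
    no matching statement means deny, and an explicit Deny overrides any
    Allow. Condition blocks are not modelled (assumption of this example)."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob_match(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(_glob_match(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False        # explicit Deny wins over every Allow
        if stmt["Effect"] == "Allow":
            allowed = True      # keep scanning in case a later Deny applies
    return allowed


def granted_mutating_actions(policy, resource):
    """Least-privilege check: which non-read-only actions from the table does
    this policy grant on the given resource? An empty list means the policy
    is effectively read-only for that resource."""
    return [a for a in MUTATING_ACTIONS
            if is_allowed(policy, "alikafka:" + a, resource)]


if __name__ == "__main__":
    # Constructed resource names: region and account ID are placeholders,
    # and alikafka_post-cn-other is a hypothetical second instance.
    instance = "acs:alikafka:cn-hangzhou:123456789012:alikafka_post-cn-xxx"
    other = "acs:alikafka:cn-hangzhou:123456789012:alikafka_post-cn-other"
    custom = CUSTOM_INSTANCE_READ_POLICY
    print("custom, ListTopic on instance:   ", is_allowed(custom, "alikafka:ListTopic", instance))
    print("custom, DeleteTopic on instance: ", is_allowed(custom, "alikafka:DeleteTopic", instance))
    print("custom, ListTopic on other:      ", is_allowed(custom, "alikafka:ListTopic", other))
    print("custom grants mutating actions:  ", granted_mutating_actions(custom, instance))
    print("full access grants mutating:     ", len(granted_mutating_actions(FULL_ACCESS_POLICY, instance)))
```

Running the script shows the custom policy allowing ListTopic on alikafka_post-cn-xxx, denying DeleteTopic on the same instance, denying ListTopic on any other instance, and granting none of the mutating actions, while AliyunKafkaFullAccess grants all of them. The `granted_mutating_actions` check is the kind of review worth running on any custom policy before attaching it to a RAM user that is meant to be read-only.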