RAM policies

You can use Alibaba Cloud Resource Access Management (RAM) to manage permissions on the console and API operations of ApsaraMQ for Kafka. RAM eliminates the need to share the AccessKey pair of your Alibaba Cloud account with other users. You can grant the RAM users of your Alibaba Cloud account the minimum required permissions. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.

In RAM, policies are a set of permissions that are described based on the policy structure and syntax. Each policy describes the resources on which permissions are granted, the API operations that are allowed or denied, and the conditions that are required for the policy to take effect. For more information, see Policy structure and syntax.

In RAM, a policy is a resource entity. ApsaraMQ for Kafka supports the following types of policies:

System policy: System policies are created and maintained by Alibaba Cloud. These policies are suitable for implementing coarse-grained permission control on RAM users. System policies cannot be modified after they are created.
Custom policy: You can create, update, and delete custom policies. These policies are suitable for implementing fine-grained permission control on RAM users. You need to maintain the versions of custom policies.

System policies

The following table describes the system policies that are supported by ApsaraMQ for Kafka.


Policy	Description
AliyunKafkaFullAccess	The management permissions on ApsaraMQ for Kafka. RAM users to whom this policy is attached are granted the permissions to perform all operations on the console and API of Message Queue for Apache Kafka. This policy grants permissions that are equivalent to the permissions of an Alibaba Cloud account on Message Queue for Apache Kafka.
AliyunKafkaReadOnlyAccess	The read-only permissions on ApsaraMQ for Kafka. RAM users to whom this policy is attached are granted only the read-only permissions on all Message Queue for Apache Kafka resources that belong to their Alibaba Cloud accounts. This policy does not grant permissions to perform operations on the console or API of Message Queue for Apache Kafka.

Examples of system policies

Attach the AliyunKafkaFullAccess system policy to a RAM user. The RAM user is granted the permissions to perform all operations on the console and API of Message Queue for Apache Kafka. The granted permissions are equivalent to the permissions of the corresponding Alibaba Cloud account on Message Queue for Apache Kafka. The following code displays the content of the policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "alikafka:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Custom policies

The following table describes the custom policies that are supported by ApsaraMQ for Kafka.


Action	Permission description	Read-only
ReadOnly	Only reads all resources.	Yes
ListInstance	Views instances.	Yes
StartInstance	Deploys instances.	No
UpdateInstance	Updates instance configurations.	No
ReleaseInstance	Release instances.	No
ListTopic	Views topics.	Yes
CreateTopic	Create topics.	No
UpdateTopic	Updates topic configurations.	No
DeleteTopic	Deletes topics.	No
ListGroup	Views groups.Group	Yes
CreateGroup	Creates groups.Group	No
UpdateGroup	Updates group configurations.Group	No
DeleteGroup	Deletes groups.Group	No
QueryMessage	Queries messages.	Yes
SendMessage	Sends messages.	No
DownloadMessage	Downloads messages.	Yes
CreateMessageSearch	Enables message retrieval.	No
OperateMessageSearch	Starts and stops message retrieval tasks.	No
ListMessageSearch	Views retrieved messages.	Yes
DeleteMessageSearch	Deletes message retrieval tasks.	No
CreateDeployment	Creates FC sink connectors. Creates MaxCompute sink connectors. Creates OSS sink connectors. Creates Elasticsearch sink connectors. Creates MySQL source connectors. Creates DLA sink connectors.	No
DeleteDeployment	Deletes FC sink connectors. Deletes MaxCompute sink connectors. Deletes OSS sink connectors. Deletes Elasticsearch sink connectors. Deletes MySQL source connectors. Deletes DLA sink connectors.	No
ListDeployments	Views connectors.	Yes
UpdateDeploymentRemark	Changes connector descriptions.	No
GetDeploymentLog	Queries the operational logs of connectors.	Yes
OperateDeployment	Starts and stops connectors.	No
CreateOtsSinkDeployment	Creates Tablestore sink connectors.	No
OperateOtsSinkDeployment	Starts and stops Tablestore sink connectors.	No
DeleteOtsSinkDeployment	Deletes Tablestore sink connectors.	No
CreateAdbSinkDeployment	Creates AnalyticDB sink connectors.	No
OperateAdbSinkDeployment	Starts and stops AnalyticDB sink connectors.	No
DeleteAdbSinkDeployment	Deletes AnalyticDB sink connectors.	No
EnableAcl	Enables the access control list (ACL) feature.	No
CreateAcl	Creates ACLs.	No
DeleteAcl	Deletes ACLs.	No
ListAcl	Queries ACLs.	Yes
CreateSaslUser	Creates Simple Authentication and Security Layer (SASL) users.	No
DeleteSaslUser	Deletes SASL users.	No
ListSaslUser	Queries SASL users.	Yes
CreateETLTask	Creates ETL tasks.	No
ListETLTask	Queries ETL tasks.	Yes
DeleteETLTask	Deletes ETL tasks.	No
UpdateConsumerOffset	Resets the consumer offset of a consumer group.	No

Examples of custom policies

Attach the AliyunKafkaCustomAccess policy to a RAM user. The RAM user is granted only the permissions to use the console or API of Message Queue for Apache Kafka to perform the following operations on the alikafka_post-cn-xxx instance: view the instance, view topics, view groups, query messages, and download messages.Group The following code displays the content of the policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
              "alikafka:ListInstance",
              "alikafka:ListTopic",
              "alikafka:ListGroup",
              "alikafka:QueryMessage",
              "alikafka:DownloadMessage"
                       ],
            "Resource": "acs:alikafka:*:*:alikafka_post-cn-xxx",
            "Effect": "Allow"
        }
    ]
}