ApsaraMQ for MQTT allows an Alibaba Cloud account to authorize Resource Access Management (RAM) users to use its topic resources, which avoids the risk of exposing the AccessKey pair of the Alibaba Cloud account itself. Only authorized RAM users can manage resources in the ApsaraMQ for MQTT console and publish and subscribe to messages through SDKs and API operations.

Note: ApsaraMQ for MQTT does not support cross-account authorization.

Application scenarios

Enterprise A has purchased ApsaraMQ for MQTT services. Its employees need to operate on the resources involved in these services, such as instances, topics, and groups. For example, some employees are responsible for creating resources, some for publishing messages, and some for subscribing to messages. Employees with different roles require different permissions.

The scenario is described as follows:
  • For security reasons, enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, enterprise A prefers to create different RAM users for the employees and grant different permissions to these users.
  • A RAM user can only use the resources it has been authorized to use. Resource usage and costs are not calculated separately for the RAM user; all expenses are billed to the Alibaba Cloud account of enterprise A.
  • Enterprise A can revoke the permissions granted to RAM users and delete RAM users at any time.

In this scenario, the Alibaba Cloud account of enterprise A can grant each employee fine-grained, separate permissions on only the resources that employee needs to operate.

Procedure

  1. Create a RAM user by using the Alibaba Cloud account of enterprise A.

    For more information, see Create a RAM user.

  2. (Optional) Create custom policies for the RAM user as needed.

    For more information, see Create a custom policy.

    Currently, ApsaraMQ for MQTT supports permission setting for instances, topics, and groups. For more information, see Policies.

  3. Grant permissions to the RAM user with the Alibaba Cloud account of enterprise A.

    For more information, see Authorize a RAM user.

What to do next

After you create a RAM user with the Alibaba Cloud account, you can distribute the logon name and password of the RAM user, or its AccessKey pair, to other employees. Those employees can then log on to the console or call API operations as the RAM user by using the following steps.

  • Console logon
    1. Open the RAM user logon portal in the browser.
    2. On the RAM user logon page, enter the RAM user name and click Next, enter the RAM user password, and then click Log on.
      Note: The RAM user name is in the format <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com, where <$AccountAlias> is the account alias. If no account alias is set, the value defaults to the ID of the Alibaba Cloud account (primary account).
    3. On the RAM User Center page, click a product on which the RAM user has permissions to access its console.
  • Call an API operation with the RAM user's AccessKey

    Use the AccessKey ID and AccessKey Secret of the RAM user in the code.
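    As an added example (not code from this page or from the ApsaraMQ SDK), the following Python snippet derives MQTT connection credentials from a RAM user's AccessKey pair so that the secret itself never appears in the client's CONNECT packet. It assumes the ApsaraMQ for MQTT signature-mode format (username `Signature|<AccessKeyId>|<InstanceId>`, password = Base64(HMAC-SHA1(ClientId, AccessKeySecret))), which this page does not describe; every AccessKey, instance and client ID value below is constructed.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Assumed scheme (not described on this page): ApsaraMQ for MQTT signature mode.
#   username = "Signature|<AccessKeyId>|<InstanceId>"
#   password = Base64(HMAC-SHA1(key=AccessKeySecret, msg=ClientId))
# The RAM user's AccessKey Secret is used only as an HMAC key and is never sent.


@dataclass(frozen=True)
class MqttCredentials:
    username: str
    password: str


def _sign(access_key_secret: str, client_id: str) -> str:
    mac = hmac.new(access_key_secret.encode("utf-8"),
                   client_id.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def build_credentials(access_key_id: str, access_key_secret: str,
                      instance_id: str, client_id: str) -> MqttCredentials:
    """Derive MQTT CONNECT credentials from a RAM user's AccessKey pair."""
    fields = {"access_key_id": access_key_id, "access_key_secret": access_key_secret,
              "instance_id": instance_id, "client_id": client_id}
    for name, value in fields.items():
        # '|' is the field separator of the username, so reject it in inputs.
        if not value or "|" in value:
            raise ValueError(f"{name} must be non-empty and must not contain '|'")
    return MqttCredentials(
        username=f"Signature|{access_key_id}|{instance_id}",
        password=_sign(access_key_secret, client_id),
    )


def verify_password(access_key_secret: str, client_id: str, password: str) -> bool:
    """Server-side style check: recompute the HMAC and compare in constant time."""
    return hmac.compare_digest(_sign(access_key_secret, client_id), password)


if __name__ == "__main__":
    # Constructed sample values; a real client uses the RAM user's own pair.
    creds = build_credentials("LTAI_RAM_USER_EXAMPLE", "ram-user-secret-example",
                              "post-cn-example", "GID_pub@@@device-0001")
    print(creds.username)
    print(creds.password)
```

Because the password is bound to the client ID, a captured password cannot be replayed from a different client, and rotating the RAM user's AccessKey pair (or revoking the RAM user) invalidates every derived credential at once.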

References

What is RAM?