All Products
Search

This Product

    ApsaraMQ for RabbitMQ:User and permission management

    Document Center

    ApsaraMQ for RabbitMQ:User and permission management

    Last Updated:Aug 21, 2025

    ApsaraMQ for RabbitMQ provides two authentication and permission modes: an open-source mode and a RAM mode. If you use an open-source client to access an ApsaraMQ for RabbitMQ server, you must provide a username and password for authentication. You can access the server only after you are successfully authenticated.

    Background information

    ApsaraMQ for RabbitMQ supports two authentication and permission modes: Open-source Authentication and Permission Management and Alibaba Cloud Resource Access Management (RAM). You can select only one mode when you create an instance. You cannot change the mode later. The following table compares the two modes.

    Authentication and permission mode

    Description

    Scope

    Pros and cons

    Open source identity verification and permission management methods

    Lets you create custom usernames and passwords, and grant permissions to users.

    Client SDK

    • Pros:

      • Supports seamless migration from open source RabbitMQ to the cloud.

      • Creating, retrieving, updating, and deleting permissions is more intuitive.

      • Supports fine-grained permission management for resources within a vhost.

    • Cons:

      • For enhanced security, you need to integrate PrivateLink in an internal network environment, and using private endpoints incurs fees.

    RAM

    Usernames and passwords can be generated using the AccessKey ID and AccessKey secret from Alibaba Cloud Resource Access Management (RAM). For more information, see Create a static username and password.

    • Console

    • OpenAPI

    • Client SDK

    • Pros:

      • You do not need to integrate your internal network with PrivateLink, and no fees are incurred.

      • Supports authorization at the vhost, exchange, and queue level.

    • Cons:

      • Highly dependent on RAM, resulting in tight coupling.

      • Permission configuration is relatively complex.

      • When migrating to the cloud, clients need to change their usernames and passwords.

    Usage notes

    • Open-source authentication and permission management mode

      • This mode is available only for new Serverless Dedicated instances. It is not supported for existing instances.

      • Do not use simple passwords to prevent them from being compromised.

      • Disable the default guest account.

    • Alibaba Cloud Resource Access Management (RAM)

      • The account that you use to log on to the ApsaraMQ for RabbitMQ console must be an Alibaba Cloud account or a RAM user that is granted at least the permissions to view, create, and delete static usernames and passwords. For more information about the required permissions and how to grant them, see RAM access policies and Grant permissions to RAM users.

      • The instance for which you want to create or delete a static username and password must be in the In Service state.

      • An AccessKey pair provides account-level authentication and can be shared by multiple instances under the same Alibaba Cloud account. However, a unique username and password is generated for each instance, even if they use the same AccessKey pair.

      • If you want to update a static username and password, you must delete the existing pair and create a new one.

    Important

    If you use an SDK to send and receive messages on your client, we recommend that you use persistent connections. This prevents the client from having to establish a new connection for each message. Frequently establishing connections consumes significant network and broker resources and may trigger SYN flood attack protection on the broker. For more information, see Connection.

    Open source authentication and permission management mode

    Create a username and password

    1. Log on to the ApsaraMQ for RabbitMQ console. In the left-side navigation pane, click Instances.

    2. In the top navigation bar of the Instances page, select the region where the instance that you want to manage resides. Then, in the instance list, click the name of the instance that you want to manage.

    3. In the left-side navigation pane, click Users and Permissions.

    4. On the Users and Permissions page, click Create Username/Password.

    5. In the Create Username/Password panel, complete the Username, Password, and Confirm Password fields, and then click OK.

    Edit a user password

    1. On the Users and Permissions page, find the user that you want to edit and click Edit in the Actions column.

    2. In the Edit Username and Password panel, enter the password in the Password and Confirm Password fields, and click OK.

    Delete a user

    Warning

    If you delete a user, any client that uses the user's credentials to connect to ApsaraMQ for RabbitMQ will be denied access.

    1. On the Users and Permissions page, find the user that you want to delete, and in the Actions column, click Delete.

    2. In the Delete dialog box, click OK.

    Permission management

    The open-source authentication and permission management mode of ApsaraMQ for RabbitMQ grants permissions at the virtual host (Vhost) level. User permissions apply only within the Vhost to which a user belongs. You can use regular expressions (regex) to configure fine-grained permissions for operations on exchanges and queues. For more information, see Open-source authentication and permission management.

    Add permissions

    1. On the Users and Permissions page, find the target user, and in the Actions column, click Manage Permissions.

    2. On the Manage Permissions panel, click Add Permission.

    3. From the drop-down list, select the Vhost that you want to configure, enter the regular expression for the corresponding operation, and then click OK.

      • The regular expression matches exchanges and queues.

      • .* matches all resources.

      • ^$ matches only an empty string. This overwrites all other resource permissions and prevents the user from performing any operations.

      • '^(amq\.gen.*|amq\.default)$' allows access to system resources and the default exchange.

      Important

      If you use a public endpoint, you must also configure a public IP address whitelist after you configure the permissions.

    Update permissions

    Warning

    If you modify a user's permissions on a Virtual Host, a client that uses the user's credentials to connect to that Virtual Host may encounter errors when it sends or consumes messages.

    1. In the Manage Permissions panel, find the target Virtual Host, and in the Actions column, click Update.

    2. Enter the regular expression to modify the operation, and then click OK.

    Delete permissions

    Warning

    If you delete a user's permissions on a Virtual Host, a client that uses the user's credentials to connect to that Virtual Host will be denied access.

    1. In the Manage Permissions panel, find the Virtual Host that you want to delete, and click Delete in the Actions column.

    2. In the Delete dialog box, click OK.

    Alibaba Cloud Resource Access Management (RAM)

    Create a static username and password

    1. Log on to the ApsaraMQ for RabbitMQ console. In the left-side navigation pane, click Instances.

    2. In the top navigation bar of the Instances page, select the region where the instance that you want to manage resides. Then, in the instance list, click the name of the instance that you want to manage.

    3. In the left-side navigation pane, click Users and Permissions.

    4. On the Users and Permissions page, click Create Username/Password.

    5. In the Create Username/Password panel, enter the AccessKey ID and AccessKey secret, and then click OK.

      Note

      You can obtain the AccessKey ID and AccessKey secret from the Alibaba Cloud RAM console. For more information, see Create an AccessKey pair.

      The created static username and password pair appears on the Users and Permissions page. The password is masked.username and password

    6. In the Password column for the created static username and password, click Display to view the password.

    Note

    If you use the AccessKey of a RAM user to create a static username and password to access ApsaraMQ for RabbitMQ, ensure that the RAM user is granted the required permissions to send and receive messages. For more information, see RAM access policies.

    Delete a static username and password

    Warning

    If a static username and password pair is deleted, or if the AccessKey pair used to create it is disabled or deleted, the credentials become invalid. A client that attempts to connect to ApsaraMQ for RabbitMQ using these credentials will be rejected.

    1. On the Users and Permissions page, find the static username and password pair that you want to delete and click Delete in the Actions column.

    2. In the Note dialog box, read the message carefully and click OK.

      The deleted static username and password pair no longer appears on the Users and Permissions page.

    Related operations

    After you create a username and password, you can use an open-source RabbitMQ client to connect to ApsaraMQ for RabbitMQ. For more information, see SDK list and sample code.