All Products
Search
Document Center

ApsaraMQ for RabbitMQ:Permissions

Last Updated:Jun 20, 2026

ApsaraMQ for RabbitMQ supports two authentication and authorization modes: native open-source authentication and Resource Access Management (RAM). When an open-source client connects to the ApsaraMQ for RabbitMQ server, it must provide a username and password for authentication based on the selected mode. Access is granted only after successful authentication.

Background information

ApsaraMQ for RabbitMQ supports two authentication and permission modes: open-source authentication and permission management and Alibaba Cloud Resource Access Management (RAM). When you create an instance, you can select only one of these modes, and your selection cannot be changed later. The two modes are compared as follows.

Authentication mode

Description

Scope

Pros and cons

Open-Source Authentication and Permission Management

Create custom usernames and passwords and grant permissions to users.

Client SDK

  • Pros:

    • Enables seamless migration of open-source RabbitMQ to the cloud.

    • Supports intuitive permission management.

    • Supports fine-grained permission control for resources within a vhost.

  • Cons:

    • For enhanced security, you need to integrate PrivateLink in an intranet environment. Using private endpoints incurs fees.

Resource Access Management (RAM)

Usernames and passwords are generated from an AccessKey pair (AccessKey ID and AccessKey Secret) from RAM. For more information, see Create static credentials below.

  • console

  • OpenAPI

  • Client SDK

  • Pros:

    • Internal networks do not require integration with PrivateLink, and no charges are incurred.

    • Supports authorization at the vhost, exchange, and queue levels.

  • Cons:

    • High dependency on RAM creates tight coupling.

    • Permission configuration is complex.

    • Requires client-side updates to usernames and passwords when migrating from open-source RabbitMQ.

Notes

  • Open-Source Authentication and Permission Management

    • Only newly purchased exclusive-cluster serverless instances are supported.

    • Avoid using weak passwords to prevent credential leaks.

    • Disable the default guest account.

  • Resource Access Management (RAM)

    • The account used to log on to the ApsaraMQ for RabbitMQ console is an Alibaba Cloud account or a RAM user that has been granted at least the permissions to view, create, and delete static usernames and passwords. For more information about static username and password permissions and authorization operations, see RAM permission policies and RAM principal and sub-account authorization.

    • To create or delete a static username and password, the instance must be in the Running state.

    • The system generates a unique username and password for each instance, even when using the same AccessKey pair.

    • To update a static username and password, delete the existing one and create a new one.

Important

When your client calls an SDK to send and receive messages, we recommend that you use long-lived connections. This prevents the client from creating new connections for each message, which can consume significant network and server resources and may trigger SYN flood protection on the server. For more information, see Connection.

Open-source authentication and permissions

Create a username and password

  1. Log on to the ApsaraMQ for RabbitMQ console. In the left-side navigation pane, click Instances.

  2. In the top navigation bar of the Instances page, select the region where the instance that you want to manage resides. Then, in the instance list, click the name of the instance that you want to manage.

  3. In the left-side navigation pane, click Users and Permissions.

  4. On the Users and Permissions page, click Create Username/Password.

  5. In the Create Username/Password panel, enter the Username, Password, and Confirm Password, and then click OK.

Edit user password

  1. On the Users and Permissions page, find the user whose password you want to edit. In the Actions column, click Edit.

  2. In the Edit Username and Password panel, enter the new Password and Confirm Password, and then click OK.

Delete user

Warning

If a user is deleted, a client that uses the username and password of that user to connect to ApsaraMQ for RabbitMQ will be rejected.

  1. On the Users and Permissions page, find the user that you want to delete. In the Actions column, click Delete.

  2. In the Delete dialog box, click OK.

Permission management

The open-source authentication and permission management of ApsaraMQ for RabbitMQ is scoped to vhosts. User permissions are effective only within the vhosts to which the user is assigned. Fine-grained control over user permissions for operations on Exchanges and Queues is implemented by using regular expressions (Regex). For more information, see Open-source authentication and permission management.

Add permission

  1. On the Users and Permissions page, find the user to whom you want to add permissions. In the Actions column, click Manage Permissions.

  2. In the Manage Permissions panel, click Add Permission.

  3. From the drop-down list, select the vhost that you want to configure, enter the regular expressions for the relevant operations, and then click OK.

    • The regular expression matches against exchange and queue names.

    • .* matches all resources.

    • ^$ matches only an empty string. This overrides all resource access and blocks the user from performing any operation.

    • '^(amq\.gen.*|amq\.default)$' allows access to system-generated resources and the default exchange.

    Important

    If you use a public endpoint, you must also configure a public IP address whitelist after setting permissions.

Update permission

Warning

Modifying a user's permissions for a virtual host may cause clients connecting to that virtual host with the user's credentials to encounter errors when sending or consuming messages.

  1. In the Manage Permissions panel, find the virtual host permission that you want to modify. In the Actions column, click Update.

  2. Enter the updated regular expression for the operation and click OK.

Delete permission

Warning

If a user's permissions for a virtual host are deleted, the server will reject connection attempts from clients using those credentials for that virtual host.

  1. In the Manage Permissions panel, find the virtual host permission that you want to delete. In the Actions column, click Delete.

  2. In the Delete dialog box, click OK.

Resource Access Management (RAM)

Create static credentials

  1. Log on to the ApsaraMQ for RabbitMQ console. In the left-side navigation pane, click Instances.

  2. In the top navigation bar of the Instances page, select the region where the instance that you want to manage resides. Then, in the instance list, click the name of the instance that you want to manage.

  3. In the left-side navigation pane, click Users and Permissions.

  4. On the Users and Permissions page, click Create Username/Password.

  5. In the Create Username/Password panel, enter the AccessKey ID and AccessKey Secret, and then click OK.

    Note

    You can obtain the AccessKey ID and AccessKey Secret from the Alibaba Cloud RAM console. For more information, see Create an AccessKey pair.

    After the credentials are created, the Users and Permissions page displays the new static username and password, with the password hidden by default. The new entry appears in the credential list with columns such as Instance ID, AccessKey, Username, Password, and Creation Time. You can click Delete in the Actions column to remove the credential.

  6. In the Password column for the created static credential, click Display to view the password.

Note

If you use a static username and password created from a RAM user's AccessKey to connect to ApsaraMQ for RabbitMQ and send and receive messages, ensure that the RAM user is granted the permissions to send and receive messages. For more information, see RAM permission policies.

Delete static credentials

Warning

A static username and password becomes invalid if it is deleted or if the AccessKey used to create it is disabled or deleted. If a client uses this static username and password to connect to ApsaraMQ for RabbitMQ, the connection is rejected.

  1. On the Users and Permissions page, find the static username and password to delete, and in the Actions column, click Delete.

  2. In the Prompt dialog box, carefully read the message and click OK.

    The deleted static username and password no longer appear on the Users and Permissions page.

Related operations

After you create a username and password, your client can directly use an open-source RabbitMQ client to connect to ApsaraMQ for RabbitMQ. For more information, see SDK list and sample code.