RAM policies

You can use Resource Access Management (RAM) to manage permissions on Message Queue for RabbitMQ resources and SDK-based message delivery and reception. RAM allows you to grant users only the minimum required permissions to avoid security risks caused by disclose of the AccessKey pair of your Alibaba Cloud account. The AccessKey pair consists of an AccessKey ID and an AccessKey secret.

In RAM, policies are a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Policy structure and syntax.

In RAM, a policy is a resource entity. Message Queue for RabbitMQ supports the following types of policies:

System policies: System policies are created and updated by Alibaba Cloud. You cannot modify the system policies. These policies apply to coarse-grained control of RAM user permissions.
Custom policies: You can create, update, and delete custom policies and maintain policy versions. These policies apply to fine-grained control of RAM user permissions.

System policies

The following table describes the system policies supported by Message Queue for RabbitMQ.


Policy	Description
AliyunAMQPFullAccess	The management permissions of Message Queue for RabbitMQ. The RAM user who has been attached with this policy has the permissions equivalent to those of the Alibaba Cloud account. This means that the RAM user has all permissions to manage resources and receive and send messages by using an SDK.
AliyunAMQPReadOnlyAccess	The read-only permissions of Message Queue for RabbitMQ. The RAM user who has been attached with this policy has only the read-only permissions on all resources of the Alibaba Cloud account.

Examples of system policies

The system policy AliyunAMQPFullAccess is used as an example. The RAM user who has been attached with this policy has the permissions equivalent to those of the Alibaba Cloud account. This means that the RAM user has all permissions to manage resources and receive and send messages by using an SDK. Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "amqp:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Custom policies

This section describes the custom policies supported by Message Queue for RabbitMQ.

Notice To manage resources such as exchanges and queues, you must obtain the read permissions (amqp:GetVhost) on the vhosts where these resources reside.


Policy	Action	Description	Resource
ListInstances	amqp:ListInstance	Queries instances.	acs:amqp:$region:$accountid:/instances/*
CreateInstance	amqp:CreateInstance	Creates an instance.	acs:amqp:$region:$accountid:/instances/*
DeleteInstance	amqp:DeleteInstance	Deletes an instance.	acs:amqp:$region:$accountid:/instances/$instanceId
GetInstance	amqp:GetInstance	Queries instance information.	acs:amqp:$region:$accountid:/instances/$instanceId
ListVhost	amqp:ListVhost	Queries vhosts.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*
CreateVhost	amqp:CreateVhost	Creates a vhost.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*
DeleteVhost	amqp:DeleteVhost	Deletes a vhost.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName
GetVhost	amqp:GetVhost	Queries vhost information.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName
ListExchange	amqp:ListExchange	Queries exchanges.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
CreateExchange	amqp:CreateExchange	Creates an exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
DeleteExchange	amqp:DeleteExchange	Deletes an exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
GetExchange	amqp:GetExchange	Queries exchange information.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
exchange.declare (passive=false)	amqp:CreateExchange	Declares an exchange and checks whether the exchange exists. If the specified exchange does not exist, create an exchange. A message that indicates the declaration is successful is returned. If the specified exchange already exists, check whether the information about the exchange is correct. If the information is correct, a message that indicates the declaration is successful is returned. Otherwise, an error is reported.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
exchange.declare (passive=true)	amqp:GetExchange	Declares an exchange and checks whether the exchange exists. If the specified exchange does not exist, an error is reported. If the specified exchange exists, a message that indicates the declaration is successful is returned.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
exchange.bind	amqp:GetExchange (source exchange)	Binds a source exchange to a destination exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange)
exchange.bind	amqp:CreateExchange (destination exchange)	Binds a source exchange to a destination exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange)
exchange.unbind	amqp:GetExchange (source exchange)	Unbinds a source exchange from a destination exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange)
exchange.unbind	amqp:CreateExchange (destination exchange)	Unbinds a source exchange from a destination exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange)
ListQueue	amqp:ListQueue	Queries queues.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
CreateQueue	amqp:CreateQueue	Creates a queue.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
DeleteQueue	amqp:DeleteQueue	Deletes a queue.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
GetQueue	amqp:GetQueue	Queries queue information.	acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName
queue.declare (passive=false)	amqp:CreateQueue	Declares a queue and checks whether the queue exists. If the specified queue does not exist, create a queue. If the specified queue exists, check whether the information about the queue is correct. If the information is correct, a message that indicates the declaration is successful is returned. Otherwise, an error is reported.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
queue.declare (passive=true)	amqp:CreateQueue	Declares a queue and checks whether the queue exists. If the specified queue does not exist, an error is reported. If the specified queue exists, a message that indicates the declaration is successful is returned.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
queue.declare (Dead-letter exchange configured)	amqp:CreateQueue	Declares a queue for which a dead-letter exchange is configured.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
	amqp:GetQueue		acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName
	amqp:CreateExchange (Dead-letter exchange)		acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName (Dead-letter exchange)
queue.bind	amqp:CreateQueue	Binds a queue to an exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
queue.bind	amqp:GetExchange	Binds a queue to an exchange.	acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName
queue.unbind	amqp:CreateQueue	Unbinds a queue from an exchange.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
queue.unbind	amqp:GetExchange	Unbinds a queue from an exchange.	acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName
BasicRecover	amqp:BasicRecover	Re-delivers the messages that are not acknowledged by consumers.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
BasicCancel	amqp:BasicCancel	Cancels subscription.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicPublish	amqp:BasicPublish	Publishes a message.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/*
BasicConsume	amqp:BasicConsume	Starts a consumer.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicAck	amqp:BasicAck	Acknowledges one or more messages.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicNack	amqp:BasicNack	Negatively acknowledges one or more messages.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicReject	amqp:BasicReject	Rejects a message.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
QueuePurge	amqp:QueuePurge	Clears all messages in a queue.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicGet	amqp:BasicGet	Provides direct access to messages in a queue.	acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
ListStaticAccounts	amqp:ListStaticAccounts	Queries static usernames and passwords.	acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*
FetchStaticAccount	amqp:FetchStaticAccount	Creates a username/password pair.	acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*
DeleteStaticAccount	amqp:DeleteStaticAccount	Deletes a username/password pair.	acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

Examples of custom policies

Example 1: Message publishing

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "amqp:GetVhost"
            ],
            "Resource": [
                "acs:amqp:*:*:/instances/amqp-cn-09k1o***",
                "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "amqp:CreateExchange",
                "amqp:GetExchange",
                "amqp:CreateQueue",
                "amqp:GetQueue",
                "amqp:BasicRecover",
                "amqp:BasicPublish",
                "amqp:BasicAck",
                "amqp:BasicNack"
            ],
            "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost/*",
            "Effect": "Allow"
        }
    ]
}

Example 2: Message subscription

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "amqp:GetVhost"
            ],
            "Resource": [
                "acs:amqp:*:*:/instances/amqp-cn-09k1o***",
                "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "amqp:CreateExchange",
                "amqp:GetExchange",
                "amqp:GetQueue",
                "amqp:CreateQueue",
                "amqp:BasicRecover",
                "amqp:BasicCancel",
                "amqp:BasicConsume",
                "amqp:BasicAck",
                "amqp:BasicNack",
                "amqp:BasicReject",
                "amqp:QueuePurge",
                "amqp:BasicGet"
            ],
            "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost/*",
            "Effect": "Allow"
        }
    ]
}

Example 3: Message publishing and subscription

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "amqp:GetInstance",
                "amqp:GetVhost"
            ],
            "Resource": [
                "acs:amqp:*:*:/instances/amqp-cn-09k1o***",
                "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "amqp:ListExchange",
                "amqp:CreateExchange",
                "amqp:DeleteExchange",
                "amqp:GetExchange",
                "amqp:ListQueue",
                "amqp:DeleteQueue",
                "amqp:GetQueue",
                "amqp:CreateQueue",
                "amqp:BasicRecover",
                "amqp:BasicCancel",
                "amqp:BasicPublish",
                "amqp:BasicConsume",
                "amqp:BasicAck",
                "amqp:BasicNack",
                "amqp:BasicReject",
                "amqp:QueuePurge",
                "amqp:BasicGet"
            ],
            "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost/*",
            "Effect": "Allow"
        }
    ]
}

Example 4: Management of usernames and passwords

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "amqp:ListStaticAccounts",
                "amqp:FetchStaticAccount",
                "amqp:DeleteStaticAccount"
            ],
            "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/staticAccount/*"
        },
        {
            "Effect": "Allow",
            "Action": "amqp:GetInstance",
            "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***"
        }
    ],
    "Version": "1"
}