You can use Resource Access Management (RAM) to manage permissions on your Message Queue for RabbitMQ resources, and publish and receive messages by using SDKs. If you use RAM to manage permissions on your resources, you do not need to share the AccessKey ID and AccessKey secret of your Alibaba Cloud account with other users. You can grant RAM users of your Alibaba Cloud account the minimum required permissions.

Overview

In RAM, an authorization policy can include a set of permissions that are specified based on the policy structure and syntax. Each policy specifies the resources on which permissions are granted, the operations that can be performed or cannot be performed on specific resources, and the conditions that are required for the policy to take effect. For information about the structure and syntax of authorization policies, see Policy structure and syntax.

In RAM, an authorization policy is a resource entity. Message Queue for RabbitMQ supports the following types of authorization policies:

  • System authorization policy: System authorization policies are created and maintained by Alibaba Cloud. You can use system authorization policies to perform coarse-grained permission control on RAM users. You cannot modify system authorization policies.
  • Custom authorization policy: You can create, update, and delete custom authorization policies. You can use custom authorization policies to perform fine-grained permission control on RAM users. You need to manage the versions of custom authorization policies.

System authorization policies

The following table describes the system authorization policies supported by Message Queue for RabbitMQ.

Policy Description
AliyunAMQPFullAccess The management permissions on your Message Queue for RabbitMQ resources. If you use this policy to grant permissions to RAM users, the RAM users are granted permissions equivalent to those of the Alibaba Cloud account. This means that the RAM users can manage all Message Queue for RabbitMQ resources of the Alibaba Cloud account, and publish and receive messages by using SDKs.
AliyunAMQPReadOnlyAccess The read-only permissions on your Message Queue for RabbitMQ resources. If you use this policy to grant permissions to RAM users, the RAM users can query the data of all Message Queue for RabbitMQ resources of the Alibaba Cloud account.

Sample system authorization policies

In the following example, the system authorization policy AliyunAMQPFullAccess is described. RAM users who are granted permissions by using this policy can manage all Message Queue for RabbitMQ resources of the Alibaba Cloud account, and publish and receive messages by using SDKs. The following sample code shows the content of the policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "amqp:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Custom policies

The following table describes the actions and resource formats that you can use in custom authorization policies for Message Queue for RabbitMQ.

Notice To allow RAM users to manage resources such as exchanges and queues, you must grant the RAM users the read permissions on the virtual hosts (vhosts) on which the resources are deployed by granting the permissions on the amqp:GetVhost action.
API Action Description Format
ListInstances amqp:ListInstance Queries the list of instances. acs:amqp:$region:$accountid:/instances/*
CreateInstance amqp:CreateInstance Creates an instance. acs:amqp:$region:$accountid:/instances/*
DeleteInstance amqp:DeleteInstance Deletes an instance. acs:amqp:$region:$accountid:/instances/$instanceId
GetInstance amqp:GetInstance Queries the details of an instance. acs:amqp:$region:$accountid:/instances/$instanceId
ListVhost amqp:ListVhost Queries the list of vhosts. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*
CreateVhost amqp:CreateVhost Creates a vhost. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*
DeleteVhost amqp:DeleteVhost Deletes a vhost. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName
GetVhost amqp:GetVhost Queries the details of a vhost. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName
ListExchange amqp:ListExchange Queries the list of exchanges. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
CreateExchange amqp:CreateExchange Creates an exchange. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
DeleteExchange amqp:DeleteExchange Deletes an exchange. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
GetExchange amqp:GetExchange Queries the details of an exchange. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
exchange.declare (passive=false) amqp:CreateExchange Declares an exchange and checks whether the exchange exists.
  • If the specified exchange does not exist, the system creates an exchange and returns a message that indicates the declaration is successful.
  • If the specified exchange exists, the system checks whether the information about the exchange is correct. If the information is correct, the system returns a message that indicates that the declaration is successful. If the information is incorrect, the system returns an error.
acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
exchange.declare (passive=true) amqp:GetExchange Declares an exchange and checks whether the exchange exists.
  • If the specified exchange does not exist, the system returns an error.
  • If the specified exchange exists, the system returns a message that indicates that the declaration is successful.
acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
exchange.bind Binds a source exchange to a destination exchange. Requires two actions:
  • amqp:GetExchange on the source exchange: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
  • amqp:CreateExchange on the destination exchange: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
exchange.unbind Unbinds a source exchange from a destination exchange. Requires two actions:
  • amqp:GetExchange on the source exchange: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
  • amqp:CreateExchange on the destination exchange: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
ListQueue amqp:ListQueue Queries the list of queues. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
CreateQueue amqp:CreateQueue Creates a queue. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
DeleteQueue amqp:DeleteQueue Deletes a queue. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
GetQueue amqp:GetQueue Queries the details of a queue. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
queue.declare (passive=false) amqp:CreateQueue Declares a queue and checks whether the queue exists.
  • If the specified queue does not exist, the system creates a queue.
  • If the specified queue exists, the system checks whether the information about the queue is correct. If the information is correct, the system returns a message that indicates that the declaration is successful. If the information is incorrect, the system returns an error.
acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
queue.declare (passive=true) amqp:CreateQueue Declares a queue and checks whether the queue exists.
  • If the specified queue does not exist, the system returns an error.
  • If the specified queue exists, the system returns a message that indicates that the declaration is successful.
acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
queue.declare (Dead-letter exchange configured) Declares a queue for which a dead-letter exchange is configured. Requires three actions:
  • amqp:CreateQueue: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  • amqp:GetQueue: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
  • amqp:CreateExchange on the dead-letter exchange: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
queue.bind Binds a queue to an exchange. Requires two actions:
  • amqp:CreateQueue: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  • amqp:GetExchange: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
queue.unbind Unbinds a queue from an exchange. Requires two actions:
  • amqp:CreateQueue: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  • amqp:GetExchange: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
BasicRecover amqp:BasicRecover Re-sends the messages that are not acknowledged by consumers. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
BasicCancel amqp:BasicCancel Cancels a subscription. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicPublish amqp:BasicPublish Publishes a message. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/*
BasicConsume amqp:BasicConsume Starts a consumer. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicAck amqp:BasicAck Sends an acknowledgement for one or more messages. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicNack amqp:BasicNack Sends a negative acknowledgement for one or more messages. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicReject amqp:BasicReject Rejects a message. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
QueuePurge amqp:QueuePurge Clears all messages in a queue. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicGet amqp:BasicGet Queries messages in a queue. acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
ListStaticAccounts amqp:ListStaticAccounts Queries static usernames and passwords. acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*
FetchStaticAccount amqp:FetchStaticAccount Creates a username and password. acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*
DeleteStaticAccount amqp:DeleteStaticAccount Deletes a username and password. acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*
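As an added example (not code from the page or from Alibaba Cloud), the following lint applies two rules that the table and the Notice above imply to a custom policy before it is attached to a RAM user: every Allow statement that grants exchange, queue or message actions must be scoped to one instance rather than "*", and any such grant must be accompanied by amqp:GetVhost. The instance id, vhost name and sample policies are constructed.

```python
import json
import re

# Actions from the table above that act on exchanges, queues or messages inside
# a vhost. Per the Notice, a RAM user holding any of them also needs amqp:GetVhost.
VHOST_SCOPED_ACTIONS = {
    "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange", "amqp:GetExchange",
    "amqp:ListQueue", "amqp:CreateQueue", "amqp:DeleteQueue", "amqp:GetQueue",
    "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish", "amqp:BasicConsume",
    "amqp:BasicAck", "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet",
}
# The only actions whose documented resource format ends in /instances/*.
ACCOUNT_LEVEL_ACTIONS = {"amqp:ListInstance", "amqp:CreateInstance"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Return findings (strings) for a Message Queue for RabbitMQ RAM policy; [] means clean."""
    policy = json.loads(policy_json)
    findings, allowed = [], set()
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements widen access
        actions = _as_list(stmt.get("Action", []))
        allowed.update(actions)
        if "amqp:*" in actions or "*" in actions:
            findings.append(f"statement {i}: grants every amqp action instead of specific ones")
        for res in _as_list(stmt.get("Resource", [])):
            match = re.search(r"/instances/([^/]+)", res)
            instance_id = match.group(1) if match else None
            if instance_id in (None, "*") and not set(actions) <= ACCOUNT_LEVEL_ACTIONS:
                findings.append(f"statement {i}: resource {res!r} is not scoped to one instance")
    if allowed & VHOST_SCOPED_ACTIONS and not allowed & {"amqp:GetVhost", "amqp:*", "*"}:
        findings.append("exchange/queue actions granted without amqp:GetVhost (see Notice)")
    return findings

# Constructed sample: unscoped resource and no amqp:GetVhost, so two findings.
OVERBROAD_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Action": ["amqp:CreateExchange", "amqp:BasicPublish"], "Resource": "*", "Effect": "Allow"}]})

# Constructed sample modelled on the publishing example on this page, scoped to one instance and vhost.
SCOPED_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Action": ["amqp:GetInstance", "amqp:GetVhost"],
     "Resource": ["acs:amqp:*:*:/instances/amqp-cn-example",
                  "acs:amqp:*:*:/instances/amqp-cn-example/vhosts/prod"], "Effect": "Allow"},
    {"Action": ["amqp:CreateExchange", "amqp:GetExchange", "amqp:BasicPublish"],
     "Resource": "acs:amqp:*:*:/instances/amqp-cn-example/vhosts/prod/*", "Effect": "Allow"}]})
```

Run `lint_policy` on each policy string before attaching it; an empty list means both rules are satisfied.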

Sample custom authorization policies

  • Example 1: An authorization policy that can be used to grant message publishing and message subscription permissions on a vhost
    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "amqp:GetInstance",
                    "amqp:GetVhost",
                    "amqp:ListVhost"
                ],
                "Resource":[
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
                ],
                "Effect":"Allow"
            },
            {
                "Action":[
                    "amqp:ListExchange",
                    "amqp:CreateExchange",
                    "amqp:DeleteExchange",
                    "amqp:GetExchange",
                    "amqp:ListQueue",
                    "amqp:DeleteQueue",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicPublish",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource":"acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource":"acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
                "Effect":"Allow"
            }
        ]
    }
  • Example 1: An authorization policy that can be used to grant message publishing permissions
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:GetExchange",
                    "amqp:CreateQueue",
                    "amqp:GetQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicPublish",
                    "amqp:BasicAck",
                    "amqp:BasicNack"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 2: An authorization policy that can be used to grant message subscription permissions
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:GetExchange",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 3: An authorization policy that can be used to grant message publishing and message subscription permissions
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:ListExchange",
                    "amqp:CreateExchange",
                    "amqp:DeleteExchange",
                    "amqp:GetExchange",
                    "amqp:ListQueue",
                    "amqp:DeleteQueue",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicPublish",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 4: An authorization policy that can be used to grant username and password management permissions
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*"
            },
            {
                "Effect": "Allow",
                "Action": "amqp:GetInstance",
                "Resource": "acs:amqp:*:*:/instances/$instanceId"
            }
        ],
        "Version": "1"
    }
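The following added example (not code from the page or from Alibaba Cloud) evaluates requests against the message publishing policy (Example 1 above) to show what a producer-only RAM user can and cannot do. It assumes the evaluation rules used here: "*" in Action or Resource matches any run of characters, an explicit Deny overrides Allow, and anything not matched is denied; the instance id, vhost names, region and account id are constructed.

```python
import json
import re

def _matches(pattern, value):
    """Glob-style match: '*' in the policy stands for any run of characters, everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy_json, action, resource):
    """Decide one (action, resource) request: an explicit Deny wins, then any Allow, else denied."""
    decision = False
    for stmt in json.loads(policy_json).get("Statement", []):
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision

# Example 1 (message publishing permissions) from this page, with constructed instance and vhost ids.
INSTANCE, VHOST = "amqp-cn-example", "prod"
PUBLISH_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Action": ["amqp:GetInstance", "amqp:GetVhost"],
     "Resource": [f"acs:amqp:*:*:/instances/{INSTANCE}",
                  f"acs:amqp:*:*:/instances/{INSTANCE}/vhosts/{VHOST}"],
     "Effect": "Allow"},
    {"Action": ["amqp:CreateExchange", "amqp:GetExchange", "amqp:CreateQueue", "amqp:GetQueue",
                "amqp:BasicRecover", "amqp:BasicPublish", "amqp:BasicAck", "amqp:BasicNack"],
     "Resource": f"acs:amqp:*:*:/instances/{INSTANCE}/vhosts/{VHOST}/*",
     "Effect": "Allow"}]})

def vhost_resource(vhost=VHOST):
    """Resource prefix for a vhost; region and account id are constructed values."""
    return f"acs:amqp:cn-hangzhou:123456789012:/instances/{INSTANCE}/vhosts/{vhost}"

# Requests in the resource formats of the table above: only producer operations in 'prod' pass.
CHECKS = {
    "publish to orders": is_allowed(PUBLISH_POLICY, "amqp:BasicPublish",
                                    vhost_resource() + "/exchanges/orders/messages/*"),
    "consume from orders-q": is_allowed(PUBLISH_POLICY, "amqp:BasicConsume",
                                        vhost_resource() + "/queues/orders-q/messages/*"),
    "publish in staging vhost": is_allowed(PUBLISH_POLICY, "amqp:BasicPublish",
                                           vhost_resource("staging") + "/exchanges/orders/messages/*"),
    "read the vhost": is_allowed(PUBLISH_POLICY, "amqp:GetVhost", vhost_resource()),
}
```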