You can use Resource Access Management (RAM) to manage permissions on Message Queue for RabbitMQ resources and on SDK-based message delivery and reception. RAM allows you to grant users only the minimum required permissions, which avoids the security risks caused by disclosure of the AccessKey pair of your Alibaba Cloud account. The AccessKey pair consists of an AccessKey ID and an AccessKey secret.
RAM policies
In RAM, policies are a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Policy structure and syntax.
In RAM, a policy is a resource entity. Message Queue for RabbitMQ supports the following types of policies:
- System policies: System policies are created and updated by Alibaba Cloud. You cannot modify the system policies. These policies apply to coarse-grained control of RAM user permissions.
- Custom policies: You can create, update, and delete custom policies and maintain policy versions. These policies apply to fine-grained control of RAM user permissions.
System policies
The following table describes the system policies supported by Message Queue for RabbitMQ.
Policy | Description |
---|---|
AliyunAMQPFullAccess | The management permissions of Message Queue for RabbitMQ. A RAM user to whom this policy is attached has permissions equivalent to those of the Alibaba Cloud account. This means that the RAM user has all permissions to manage resources and to receive and send messages by using an SDK. |
AliyunAMQPReadOnlyAccess | The read-only permissions of Message Queue for RabbitMQ. A RAM user to whom this policy is attached has only read-only permissions on all resources of the Alibaba Cloud account. |
Examples of system policies
The system policy AliyunAMQPFullAccess is used as an example. A RAM user to whom this policy is attached has permissions equivalent to those of the Alibaba Cloud account. This means that the RAM user has all permissions to manage resources and to receive and send messages by using an SDK. Policy content:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "amqp:*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Custom policies
This section describes the custom policies supported by Message Queue for RabbitMQ.
Policy | Action | Description | Resource |
---|---|---|---|
ListInstances | amqp:ListInstance | Queries instances. | acs:amqp:$region:$accountid:/instances/* |
CreateInstance | amqp:CreateInstance | Creates an instance. | acs:amqp:$region:$accountid:/instances/* |
DeleteInstance | amqp:DeleteInstance | Deletes an instance. | acs:amqp:$region:$accountid:/instances/$instanceId |
GetInstance | amqp:GetInstance | Queries instance information. | acs:amqp:$region:$accountid:/instances/$instanceId |
ListVhost | amqp:ListVhost | Queries vhosts. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* |
CreateVhost | amqp:CreateVhost | Creates a vhost. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* |
DeleteVhost | amqp:DeleteVhost | Deletes a vhost. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName |
GetVhost | amqp:GetVhost | Queries vhost information. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName |
ListExchange | amqp:ListExchange | Queries exchanges. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* |
CreateExchange | amqp:CreateExchange | Creates an exchange. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* |
DeleteExchange | amqp:DeleteExchange | Deletes an exchange. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName |
GetExchange | amqp:GetExchange | Queries exchange information. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName |
exchange.declare (passive=false) | amqp:CreateExchange | Declares an exchange and checks whether the exchange exists. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* |
exchange.declare (passive=true) | amqp:GetExchange | Declares an exchange and checks whether the exchange exists. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName |
exchange.bind | amqp:GetExchange (source exchange); amqp:CreateExchange (destination exchange) | Binds a source exchange to a destination exchange. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange); acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange) |
exchange.unbind | amqp:GetExchange (source exchange); amqp:CreateExchange (destination exchange) | Unbinds a source exchange from a destination exchange. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange); acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange) |
ListQueue | amqp:ListQueue | Queries queues. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* |
CreateQueue | amqp:CreateQueue | Creates a queue. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* |
DeleteQueue | amqp:DeleteQueue | Deletes a queue. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName |
GetQueue | amqp:GetQueue | Queries queue information. | acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName |
queue.declare (passive=false) | amqp:CreateQueue | Declares a queue and checks whether the queue exists. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* |
queue.declare (passive=true) | amqp:CreateQueue | Declares a queue and checks whether the queue exists. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName |
queue.declare (Dead-letter exchange configured) | amqp:CreateQueue; amqp:GetQueue; amqp:CreateExchange (Dead-letter exchange) | Declares a queue for which a dead-letter exchange is configured. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*; acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName; acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName (Dead-letter exchange) |
queue.bind | amqp:CreateQueue; amqp:GetExchange | Binds a queue to an exchange. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*; acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName |
queue.unbind | amqp:CreateQueue; amqp:GetExchange | Unbinds a queue from an exchange. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*; acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName |
BasicRecover | amqp:BasicRecover | Re-delivers the messages that are not acknowledged by consumers. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* |
BasicCancel | amqp:BasicCancel | Cancels subscription. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
BasicPublish | amqp:BasicPublish | Publishes a message. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/* |
BasicConsume | amqp:BasicConsume | Starts a consumer. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
BasicAck | amqp:BasicAck | Acknowledges one or more messages. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
BasicNack | amqp:BasicNack | Negatively acknowledges one or more messages. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
BasicReject | amqp:BasicReject | Rejects a message. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
QueuePurge | amqp:QueuePurge | Clears all messages in a queue. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
BasicGet | amqp:BasicGet | Provides direct access to messages in a queue. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
ListStaticAccounts | amqp:ListStaticAccounts | Queries static usernames and passwords. | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* |
FetchStaticAccount | amqp:FetchStaticAccount | Creates a username/password pair. | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* |
DeleteStaticAccount | amqp:DeleteStaticAccount | Deletes a username/password pair. | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* |
Examples of custom policies
- Example 1: Message publishing
  {
    "Version": "1",
    "Statement": [
      {
        "Action": ["amqp:GetVhost"],
        "Resource": [
          "acs:amqp:*:*:/instances/amqp-cn-09k1o***",
          "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost"
        ],
        "Effect": "Allow"
      },
      {
        "Action": ["amqp:CreateExchange", "amqp:GetExchange", "amqp:CreateQueue", "amqp:GetQueue", "amqp:BasicRecover", "amqp:BasicPublish", "amqp:BasicAck", "amqp:BasicNack"],
        "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost/*",
        "Effect": "Allow"
      }
    ]
  }
- Example 2: Message subscription
  {
    "Version": "1",
    "Statement": [
      {
        "Action": ["amqp:GetVhost"],
        "Resource": [
          "acs:amqp:*:*:/instances/amqp-cn-09k1o***",
          "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost"
        ],
        "Effect": "Allow"
      },
      {
        "Action": ["amqp:CreateExchange", "amqp:GetExchange", "amqp:GetQueue", "amqp:CreateQueue", "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet"],
        "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost/*",
        "Effect": "Allow"
      }
    ]
  }
- Example 3: Message publishing and subscription
  {
    "Version": "1",
    "Statement": [
      {
        "Action": ["amqp:GetInstance", "amqp:GetVhost"],
        "Resource": [
          "acs:amqp:*:*:/instances/amqp-cn-09k1o***",
          "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost"
        ],
        "Effect": "Allow"
      },
      {
        "Action": ["amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange", "amqp:GetExchange", "amqp:ListQueue", "amqp:DeleteQueue", "amqp:GetQueue", "amqp:CreateQueue", "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish", "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet"],
        "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost/*",
        "Effect": "Allow"
      }
    ]
  }
- Example 4: Management of usernames and passwords
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount"],
        "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/staticAccount/*"
      },
      {
        "Effect": "Allow",
        "Action": "amqp:GetInstance",
        "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***"
      }
    ],
    "Version": "1"
  }
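The following Python example is added here and is not part of the Alibaba Cloud documentation: a simplified RAM-style evaluator that checks which (action, resource) requests the Example 1 publishing policy and the AliyunAMQPFullAccess system policy permit, so a policy can be reviewed for least privilege before it is attached. The instance ID, region and account ID are constructed placeholders, and Condition elements are not modelled.

```python
import re

# Constructed placeholder instance ID (the page masks the real one).
INSTANCE = "amqp-cn-EXAMPLE0"

# Example 1 from the page (message publishing) with the placeholder instance ID.
PUBLISH_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["amqp:GetVhost"],
         "Resource": [f"acs:amqp:*:*:/instances/{INSTANCE}",
                      f"acs:amqp:*:*:/instances/{INSTANCE}/vhosts/testVhost"],
         "Effect": "Allow"},
        {"Action": ["amqp:CreateExchange", "amqp:GetExchange", "amqp:CreateQueue",
                    "amqp:GetQueue", "amqp:BasicRecover", "amqp:BasicPublish",
                    "amqp:BasicAck", "amqp:BasicNack"],
         "Resource": f"acs:amqp:*:*:/instances/{INSTANCE}/vhosts/testVhost/*",
         "Effect": "Allow"},
    ],
}

# The AliyunAMQPFullAccess system policy from the page: every action on every resource.
FULL_ACCESS_POLICY = {"Version": "1", "Statement": [
    {"Action": "amqp:*", "Resource": "*", "Effect": "Allow"}]}


def _glob(pattern: str, value: str) -> bool:
    """Match a policy pattern in which only '*' is a wildcard; '*' may span '/'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for one request.

    Simplified RAM semantics (assumed here): no matching statement means an
    implicit Deny, and an explicit Deny statement overrides any Allow.
    """
    decision = "Deny"
    for st in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def audit(policy: dict, requests) -> dict:
    """Map each (action, resource) pair to its decision for least-privilege review."""
    return {(a, r): evaluate(policy, a, r) for a, r in requests}
```

Running audit() over the operations a producer actually performs, and over the operations it must not perform (BasicConsume, DeleteQueue, any other vhost), shows whether the policy is both sufficient and minimal.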