This topic describes the common scenarios and examples of creating custom policies in the Simple Message Queue (SMQ) console or by using client SDKs.
Create custom policies in the SMQ console
Grant the console access permissions
Example 1: Authorize a RAM user to access the SMQ console
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mns:ListQueue",
      "Resource": "*"
    }
  ]
}
Example 2: Authorize a RAM user to access the SMQ console over HTTPS
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "mns:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": [
            "false"
          ]
        }
      }
    }
  ]
}
Grant the queue management permissions
Example 3: Authorize a RAM user to access the SMQ console and read messages from all queues
Authorize a RAM user to read the attributes of all queues within the Alibaba Cloud account by using the management SDKs of SMQ.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:ListQueue"
      ],
      "Resource": "*"
    }
  ]
}
Authorize a RAM user to access the Queues menu item in the SMQ console.
Note: Queue management involves multiple actions, including mns:ListTagResources.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:ListTagResources",
        "mns:ListQueue"
      ],
      "Resource": "*"
    }
  ]
}
Example 4: Authorize a RAM user to manage messages of only a specific queue
Authorize a RAM user to read or write messages from or to only a specific queue by using the management SDKs of SMQ. In this example, the queue name MySampleQueue is used.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:CreateQueue",
        "mns:DeleteQueue",
        "mns:GetQueueAttributes",
        "mns:SetQueueAttributes"
      ],
      "Resource": "acs:mns:*:*:/queues/MySampleQueue"
    }
  ]
}
Authorize a RAM user to query the details of a specific queue in the SMQ console.
Note: The URL for accessing the details of the specified queue is in the format of https://${SMQ management address}/region/${regionId}/queue/${queueName}/detail. Queue management involves multiple actions, including mns:ListQueue.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:CreateQueue",
        "mns:DeleteQueue",
        "mns:GetQueueAttributes",
        "mns:SetQueueAttributes"
      ],
      "Resource": "acs:mns:*:*:/queues/MySampleQueue"
    },
    {
      "Effect": "Allow",
      "Action": "mns:ListQueue",
      "Resource": "*"
    }
  ]
}
Grant the topic management permissions
Example 5: Authorize a RAM user to access the SMQ console and read messages of all topics
Authorize a RAM user to read the attributes of all topics within the Alibaba Cloud account by using the management SDKs of SMQ.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:ListTopic"
      ],
      "Resource": "*"
    }
  ]
}
Authorize a RAM user to access the Topics menu item in the SMQ console.
Note: Topic management involves multiple actions, including mns:ListTagResources.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:ListTagResources",
        "mns:ListTopic"
      ],
      "Resource": "*"
    }
  ]
}
Example 6: Authorize a RAM user to manage messages of only a specific topic
Authorize a RAM user to read or write messages from or to only a specific topic by using the management SDKs of SMQ. In this example, the topic name MySampleTopic is used.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:CreateTopic",
        "mns:DeleteTopic",
        "mns:GetTopicAttributes",
        "mns:SetTopicAttributes"
      ],
      "Resource": "acs:mns:*:*:/topics/MySampleTopic"
    }
  ]
}
Authorize a RAM user to query the details of a specific topic in the SMQ console.
Note: The URL for accessing the details of the specified topic is in the format of https://${SMQ management address}/region/${regionId}/topic/${topicName}/detail. Topic management involves multiple actions, including mns:ListSubscriptionByTopic.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:CreateTopic",
        "mns:DeleteTopic",
        "mns:GetTopicAttributes",
        "mns:SetTopicAttributes"
      ],
      "Resource": "acs:mns:*:*:/topics/MySampleTopic"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mns:ListQueue",
        "mns:ListSubscriptionByTopic"
      ],
      "Resource": "*"
    }
  ]
}
Create custom policies by using client SDKs
Grant the queue-related messaging permissions
Example 1: Authorize a RAM user to send or receive messages to or from only a specific queue
Authorize a RAM user to send or receive messages to or from only a specific queue by using client SDKs. In this example, the queue name MySampleQueue is used.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:SendMessage",
        "mns:ReceiveMessage",
        "mns:DeleteMessage",
        "mns:PeekMessage",
        "mns:ChangeMessageVisibility"
      ],
      "Resource": "acs:mns:*:*:/queues/MySampleQueue/messages"
    }
  ]
}
Authorize a RAM user to manage queue-related messaging in the SMQ console.
Note: The URL of the queue is in the format of https://${SMQ management address}/region/${regionId}/queue/${queueName}/publish. Queue management involves multiple actions, including mns:ListQueue.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:SendMessage",
        "mns:ReceiveMessage",
        "mns:DeleteMessage",
        "mns:PeekMessage",
        "mns:ChangeMessageVisibility"
      ],
      "Resource": "acs:mns:*:*:/queues/MySampleQueue/messages"
    },
    {
      "Effect": "Allow",
      "Action": "mns:ListQueue",
      "Resource": "*"
    }
  ]
}
Grant the topic-related messaging permissions
Example 2: Authorize a RAM user to send messages to only a specific topic
Authorize a RAM user to send messages to only a specific topic by using client SDKs. In this example, the topic name MySampleTopic is used.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:PublishMessage"
      ],
      "Resource": "acs:mns:*:*:/topics/MySampleTopic/messages"
    }
  ]
}
Authorize a RAM user to manage topic-related messaging in the SMQ console.
Note: The URL of the topic is in the format of https://${SMQ management address}/region/${regionId}/topic/${topicName}/publish. Queue management involves multiple actions, including mns:ListQueue.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:PublishMessage"
      ],
      "Resource": "acs:mns:*:*:/topics/MySampleTopic/messages"
    },
    {
      "Effect": "Allow",
      "Action": "mns:ListQueue",
      "Resource": "*"
    }
  ]
}
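To make the scoping rules behind the preceding policies concrete, the following Python script is an added example and is not part of this topic or of the SMQ SDKs. It implements a simplified RAM-style evaluator under these assumptions: an explicit Deny overrides any Allow, the default is Deny, Action and Resource strings are matched with "*" wildcards, and only the Bool condition operator is modelled. It runs three policies from this topic (Example 2 in the console section, the first policy of Example 4 in the console section, and the first policy of Example 1 in the client SDK section) against constructed requests; the region, account ID and the queue name OtherQueue in those requests are constructed values. The run shows that a policy scoped to /queues/MySampleQueue does not cover the /queues/MySampleQueue/messages resource that messaging actions use, and that the HTTPS-only Deny blocks an otherwise allowed call made over plain HTTP.

```python
"""Simplified RAM-style policy evaluation for SMQ policies (added example)."""
import fnmatch
from typing import Any, Dict, List

# Policies copied from this topic.
HTTPS_ONLY = {  # console Example 2: deny every mns action when not over HTTPS
    "Version": "1",
    "Statement": [{
        "Effect": "Deny", "Action": "mns:*", "Resource": "*",
        "Condition": {"Bool": {"acs:SecureTransport": ["false"]}},
    }],
}
QUEUE_MGMT = {  # console Example 4, first policy: manage one named queue
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["mns:CreateQueue", "mns:DeleteQueue",
                   "mns:GetQueueAttributes", "mns:SetQueueAttributes"],
        "Resource": "acs:mns:*:*:/queues/MySampleQueue",
    }],
}
QUEUE_MESSAGING = {  # client SDK Example 1, first policy: messages of one queue
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["mns:SendMessage", "mns:ReceiveMessage", "mns:DeleteMessage",
                   "mns:PeekMessage", "mns:ChangeMessageVisibility"],
        "Resource": "acs:mns:*:*:/queues/MySampleQueue/messages",
    }],
}

# Constructed request values (not real identifiers).
REGION, ACCOUNT = "cn-hangzhou", "123456789012345678"
SECURE, INSECURE = {"acs:SecureTransport": "true"}, {"acs:SecureTransport": "false"}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str) -> bool:
    """Full-string wildcard match; '*' in a policy string matches any run of characters."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: Dict[str, Any], context: Dict[str, str]) -> bool:
    """Assumption: only the Bool operator is needed for the policies on this page."""
    for operator, clauses in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False  # missing context key: the condition cannot match
            if str(actual).lower() not in [str(e).lower() for e in _as_list(expected)]:
                return False
    return True


def evaluate(policies: List[Dict[str, Any]], action: str, resource: str,
             context: Dict[str, str]) -> str:
    """Return 'Allow' or 'Deny': explicit Deny wins, otherwise Allow only if some statement grants it."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an applicable Deny ends evaluation immediately
            allowed = True
    return "Allow" if allowed else "Deny"


def queue_resource(name: str, messages: bool = False) -> str:
    suffix = "/messages" if messages else ""
    return f"acs:mns:{REGION}:{ACCOUNT}:/queues/{name}{suffix}"


def demo() -> Dict[str, str]:
    """Evaluate representative requests against the page's policies."""
    mgmt = [QUEUE_MGMT, HTTPS_ONLY]
    return {
        # queue management on the named queue over HTTPS is allowed
        "get_attrs_named_queue": evaluate(
            mgmt, "mns:GetQueueAttributes", queue_resource("MySampleQueue"), SECURE),
        # the same action on a different queue falls outside the Resource scope
        "get_attrs_other_queue": evaluate(
            mgmt, "mns:GetQueueAttributes", queue_resource("OtherQueue"), SECURE),
        # the management policy does not reach the .../messages resource
        "send_with_mgmt_only": evaluate(
            mgmt, "mns:SendMessage", queue_resource("MySampleQueue", True), SECURE),
        # the messaging policy grants SendMessage on that resource
        "send_with_messaging": evaluate(
            [QUEUE_MESSAGING, HTTPS_ONLY], "mns:SendMessage",
            queue_resource("MySampleQueue", True), SECURE),
        # over plain HTTP the explicit Deny from Example 2 overrides the Allow
        "get_attrs_over_http": evaluate(
            mgmt, "mns:GetQueueAttributes", queue_resource("MySampleQueue"), INSECURE),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

Because the evaluator returns decisions rather than printing them, the same function can be pointed at a policy document under review to check that a newly added statement does not widen access beyond the intended queue or topic before it is attached to a RAM user.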