Custom policies grant fine-grained access to Simple Message Queue (formerly MNS) resources. Each policy specifies which actions a RAM identity can perform on which resources, and supports the principle of least privilege.
How custom policies work
Resource Access Management (RAM) supports two types of policies: system policies and custom policies. System policies are predefined by Alibaba Cloud. Custom policies are JSON documents that you create and maintain.
To use a custom policy, attach it to a RAM user, user group, or RAM role. The policy takes effect only after attachment. To delete a custom policy, first detach it from all principals. RAM also provides version management for custom policies, so you can track and roll back changes.
Resource management actions
These actions control resource lifecycle operations available in the SMQ console and through the SMQ API.
Queue management
| Action | API operation | Access level | Resource |
|---|---|---|---|
| mns:ListQueue | ListQueue | List | acs:mns:${regionId}:${accountId}:/queues |
| mns:CreateQueue | CreateQueue | Write | acs:mns:${regionId}:${accountId}:/queues/${queueName} |
| mns:DeleteQueue | DeleteQueue | Write | acs:mns:${regionId}:${accountId}:/queues/${queueName} |
| mns:GetQueueAttributes | GetQueueAttributes | Read | acs:mns:${regionId}:${accountId}:/queues/${queueName} |
| mns:SetQueueAttributes | SetQueueAttributes | Write | acs:mns:${regionId}:${accountId}:/queues/${queueName} |
Topic management
| Action | API operation | Access level | Resource |
|---|---|---|---|
| mns:ListTopic | ListTopic | List | acs:mns:${regionId}:${accountId}:/topics |
| mns:CreateTopic | CreateTopic | Write | acs:mns:${regionId}:${accountId}:/topics/${topicName} |
| mns:DeleteTopic | DeleteTopic | Write | acs:mns:${regionId}:${accountId}:/topics/${topicName} |
| mns:GetTopicAttributes | GetTopicAttributes | Read | acs:mns:${regionId}:${accountId}:/topics/${topicName} |
| mns:SetTopicAttributes | SetTopicAttributes | Write | acs:mns:${regionId}:${accountId}:/topics/${topicName} |
Subscription management
| Action | API operation | Access level | Resource |
|---|---|---|---|
| mns:ListSubscriptionByTopic | ListSubscriptionByTopic | List | acs:mns:${regionId}:${accountId}:/topics/${topicName}/subscriptions |
| mns:Subscribe | Subscribe | Write | acs:mns:${regionId}:${accountId}:/topics/${topicName}/subscriptions/${subscriptionName} |
| mns:Unsubscribe | Unsubscribe | Write | acs:mns:${regionId}:${accountId}:/topics/${topicName}/subscriptions/${subscriptionName} |
| mns:GetSubscriptionAttributes | GetSubscriptionAttributes | Read | acs:mns:${regionId}:${accountId}:/topics/${topicName}/subscriptions/${subscriptionName} |
| mns:SetSubscriptionAttributes | SetSubscriptionAttributes | Write | acs:mns:${regionId}:${accountId}:/topics/${topicName}/subscriptions/${subscriptionName} |
Message operations
These actions control sending and receiving messages through client SDKs. For a complete list, see List of operations by function.
Queue messaging
| Action | API operation | Access level | Resource |
|---|---|---|---|
| mns:SendMessage | SendMessage, BatchSendMessage | Write | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
| mns:ReceiveMessage | ReceiveMessage, BatchReceiveMessage | Read | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
| mns:DeleteMessage | DeleteMessage, BatchDeleteMessage | Write | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
| mns:PeekMessage | PeekMessage, BatchPeekMessage | Read | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
| mns:ChangeMessageVisibility | ChangeMessageVisibility | Write | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
Batch operations share the same action as their single-message counterparts. For example, both SendMessage and BatchSendMessage require the mns:SendMessage action.
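The following added example (not part of the original page) puts the policy structure described above together with the queue messaging actions: it builds a least-privilege custom policy for a worker that may only consume one queue, then checks requests against it with a small local evaluator. The region, account ID and queue name are constructed placeholders, and the evaluator is an offline approximation of RAM's Deny-overrides-Allow, default-deny evaluation, not the RAM engine itself.

```python
import json
import re

# Constructed placeholder values; substitute your own region, account and queue.
REGION = "cn-hangzhou"
ACCOUNT = "123456789012345678"
QUEUE_ARN = f"acs:mns:{REGION}:{ACCOUNT}:/queues/orders-queue"


def consumer_policy(queue_arn: str) -> dict:
    """Least-privilege policy for a worker that only consumes one queue.

    Message actions target the /messages sub-resource, while
    GetQueueAttributes targets the queue itself, matching the tables above.
    No Send*, Create*, Delete*Queue or Set*Attributes actions are granted.
    """
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["mns:ReceiveMessage", "mns:DeleteMessage",
                        "mns:ChangeMessageVisibility"],
             "Resource": [f"{queue_arn}/messages"]},
            {"Effect": "Allow",
             "Action": ["mns:GetQueueAttributes"],
             "Resource": [queue_arn]},
        ],
    }


def _matches(pattern: str, value: str) -> bool:
    """Match a policy string in which '*' stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Local approximation: an explicit Deny wins, otherwise any matching
    Allow grants the request, otherwise it is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not (any(_matches(a, action) for a in actions)
                and any(_matches(r, resource) for r in resources)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = consumer_policy(QUEUE_ARN)
    print(json.dumps(policy, indent=2))
    print(is_allowed(policy, "mns:ReceiveMessage", f"{QUEUE_ARN}/messages"))  # True
    print(is_allowed(policy, "mns:SendMessage", f"{QUEUE_ARN}/messages"))     # False
```

Because the Resource in each statement names one queue, the same worker is denied ReceiveMessage on any other queue in the account; widen the scope only with a deliberate pattern such as a queue-name prefix followed by a wildcard.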
Topic messaging
| Action | API operation | Access level | Resource |
|---|---|---|---|
| mns:PublishMessage | PublishMessage | Write | acs:mns:${regionId}:${accountId}:/topics/${topicName}/messages |