Overview

AutoMQ Cloud supports identity recognition and RBAC (Role-Based Access Control) permissions. This article introduces the basic concepts of accounts in the AutoMQ Cloud product system.

Account Types

AutoMQ Cloud offers two types of accounts: Member Account and Service Account. Their definitions and differences are as follows:

Account Type
Roles and Differences
Member Account
  • Scenario: A Member Account corresponds to an individual, typically held and used by a company employee.
  • Access: Through the environment console WebUI.
  • Identity Recognition: Authenticated by username and password at login.
Service Account
  • Scenario: A Service Account is used only for applications and API integration, generally configured within application code.
  • Access: Service Accounts typically access AutoMQ Cloud via APIs, Terraform, etc.
  • Identity Recognition: Access Key Id and Secret Access Key, verified through signature.

Member Account

Definition

Member accounts are identity credentials for environment-level operations, either generated by the system by default or manually created by existing environment members.

Member accounts support multiple roles based on the required permission scope, currently including Admin, Operator, and Viewer roles.

Creation Method

The initial Admin member of each environment is automatically created by the system when the environment is created. Subsequent members can be manually created by an Admin member.

Relationship Between Environment and Environment Members

When a new environment is created, the system will automatically initialize and create an Admin role member for the current environment. Subsequent members are then created by the initial Admin member.

Service Account

Definition

Service accounts are provided by AutoMQ Cloud for external systems to access AutoMQ via APIs and application integration. Service accounts do not have login passwords and cannot be operated through the WebUI.

Creation Method

Service accounts can be created by member accounts in the AutoMQ Console or via API.

RBAC Permission Control

Both member accounts and service accounts in AutoMQ Cloud support RBAC (Role-Based Access Control). The system comes with multiple predefined roles, each with a different permission scope. Accounts with the Admin role perform authorization by assigning roles to other accounts.

The currently supported roles are as follows:

Role
Permission Description
Admin Role
  • Role Description: Environment administrator role
  • Permission Scope: Has operation permissions for all resources within the environment, including but not limited to:
    • Member management
    • Integration management
    • Instance management
Operator Role
  • Role Description: Environment operations member role
  • Permission Scope: Has write permissions for instance resources within the environment but cannot manage the environment or other members:
    • Integration management
    • Instance management
Viewer Role
  • Role Description: Environment read-only member role
  • Permission Scope: Has read permissions for instance resources within the environment but cannot manage the environment or other members:
    • Instance viewing
    • Integration viewing