This topic provides the log of a sample event in which a RAM user queried ActionTrail events by assuming a RAM role. This topic also describes the key fields involved in the event log.
Example
The following example shows that a RAM user of the Alibaba Cloud account whose ID
is 175498693826****
queried ActionTrail events by assuming the custom-role-for-actiontrail
RAM role that belongs to the Alibaba Cloud account whose ID is 159498693826****
at 08:00:00 on January 1, 2021, UTC+8.
{
"apiVersion": "2020-07-06",
"requestId": "3462D6AF-4434-4690-8CAD-E54A",
"eventType": "ApiCall",
"userIdentity": {
"accessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-01-01T00:00:00Z"
}
},
"accountId": "159498693826****",
"principalId": "34359792600393****:u1",
"type": "assumed-role",
"userName": "custom-role-for-actiontrail:u1"
},
"acsRegion": "cn-hangzhou",
"eventName": "LookupEvents",
"requestParameters": {
"stsTokenPrincipalName": "custom-role-for-actiontrail/u1",
"AcsHost": "actiontrail.cn-hangzhou.aliyuncs.com",
"ServiceCode": "actiontrail",
"AcsProduct": "Actiontrail",
"RequestId": "3462D6AF-4434-4690-8CAD-E54A",
"Region": "cn-hangzhou",
"LookupAttribute.1.Value": "Write",
"RegionId": "cn-hangzhou",
"HostId": "actiontrail.cn-hangzhou.aliyuncs.com",
"stsTokenPlayerUid": 175498693826****,
"LookupAttribute.1.Key": "EventRW"
},
"eventSource": "actiontrail.cn-hangzhou.aliyuncs.com",
"serviceName": "Actiontrail",
"eventTime": "2021-01-01T00:00:00Z",
"userAgent": "AlibabaCloud (Mac OS X; x86_64) Java/1.8.0_252-b09 Core/4.4.6 HTTPClient/ApacheHttpClient",
"eventId": "3462D6AF-4434-4690-8CAD-****",
"additionalEventData": {
"Scheme": "http"
},
"errorCode": "",
"errorMessage": "",
"eventVersion": "1",
"sourceIpAddress": "192.168.XX.XX"
}
The sample event log contains the following key fields:
userIdentity.accountId
: the ID of the Alibaba Cloud account of the requester. The value in this example is159498693826****
, which indicates the ID of the Alibaba Cloud account to which the RAM role belongs.userIdentity.principalId
: the ID of the requester. The value is in the format of{roleId}:{sessionName}
.roleId
indicates the ID of the RAM role.sessionName
indicates the name that was specified when the requester assumed the RAM role. The value in this example is34359792600393****:u1
.34359792600393****
indicates the ID of the RAM role.u1
indicates the role name specified when the requester assumed the RAM role.userIdentity.type
: the type of the identity of the requester. The value in this example isassumed-role
, which indicates that the requester performs operations by assuming the RAM role.userIdentity.userName
: the username of the requester. The value is in the format of{roleName}:{sessionName}
.roleName
indicates the name of the RAM role.sessionName
indicates the name that was specified when the requester assumed the RAM role. The value in this example iscustom-role-for-actiontrail:u1
.custom-role-for-actiontrail
indicates the name of the RAM role.u1
indicates the role name specified when the requester assumed the RAM role.Notecustom-role-for-actiontrail
is the name of a custom RAM role for ActionTrail. The role can be assumed by the requester to query ActionTrail events.userIdentity.creationDate
: the time when the event occurred, in UTC. The value in the example is2021-01-01T00:00:00Z
, which indicates that the event occurred at 08:00:00 on January 1, 2021, in UTC+8.requestParameters.stsTokenPlayerUid
: the ID of the Alibaba Cloud account to which the RAM user belongs. The value in the example is175498693826****
, which indicates that the RAM user of the Alibaba Cloud account whose ID is175498693826****
assumed the RAM role that belongs to the Alibaba Cloud account whose ID is159498693826****
.