Query ActionTrail events by assuming a RAM role - ActionTrail

This topic provides the log of a sample event in which a RAM user queried ActionTrail events by assuming a RAM role. This topic also describes the key fields involved in the event log.

Example

The following example shows that a RAM user of the Alibaba Cloud account whose ID is 175498693826**** queried ActionTrail events by assuming the custom-role-for-actiontrail RAM role that belongs to the Alibaba Cloud account whose ID is 159498693826**** at 08:00:00 on January 1, 2021, UTC+8.

{
  "apiVersion": "2020-07-06",
  "requestId": "3462D6AF-4434-4690-8CAD-E54A",
  "eventType": "ApiCall",
  "userIdentity": {
    "accessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-01-01T00:00:00Z"
      }
    },
    "accountId": "159498693826****",
    "principalId": "34359792600393****:u1",
    "type": "assumed-role",
    "userName": "custom-role-for-actiontrail:u1"
  },
  "acsRegion": "cn-hangzhou",
  "eventName": "LookupEvents",
  "requestParameters": {
    "stsTokenPrincipalName": "custom-role-for-actiontrail/u1",
    "AcsHost": "actiontrail.cn-hangzhou.aliyuncs.com",
    "ServiceCode": "actiontrail",
    "AcsProduct": "Actiontrail",
    "RequestId": "3462D6AF-4434-4690-8CAD-E54A",
    "Region": "cn-hangzhou",
    "LookupAttribute.1.Value": "Write",
    "RegionId": "cn-hangzhou",
    "HostId": "actiontrail.cn-hangzhou.aliyuncs.com",
    "stsTokenPlayerUid": 175498693826****,
    "LookupAttribute.1.Key": "EventRW"
  },
  "eventSource": "actiontrail.cn-hangzhou.aliyuncs.com",
  "serviceName": "Actiontrail",
  "eventTime": "2021-01-01T00:00:00Z",
  "userAgent": "AlibabaCloud (Mac OS X; x86_64) Java/1.8.0_252-b09 Core/4.4.6 HTTPClient/ApacheHttpClient",
  "eventId": "3462D6AF-4434-4690-8CAD-****",
  "additionalEventData": {
    "Scheme": "http"
  },
  "errorCode": "",
  "errorMessage": "",
  "eventVersion": "1",
  "sourceIpAddress": "192.168.XX.XX"
}

The sample event log contains the following key fields:

userIdentity.accountId: the ID of the Alibaba Cloud account of the requester. The value in this example is 159498693826****, which indicates the ID of the Alibaba Cloud account to which the RAM role belongs.
userIdentity.principalId: the ID of the requester. The value is in the format of {roleId}:{sessionName}. roleId indicates the ID of the RAM role. sessionName indicates the name that was specified when the requester assumed the RAM role. The value in this example is 34359792600393****:u1. 34359792600393**** indicates the ID of the RAM role. u1 indicates the role name specified when the requester assumed the RAM role.
userIdentity.type: the type of the identity of the requester. The value in this example is assumed-role, which indicates that the requester performs operations by assuming the RAM role.
userIdentity.userName: the username of the requester. The value is in the format of {roleName}:{sessionName}. roleName indicates the name of the RAM role. sessionName indicates the name that was specified when the requester assumed the RAM role. The value in this example is custom-role-for-actiontrail:u1. custom-role-for-actiontrail indicates the name of the RAM role. u1 indicates the role name specified when the requester assumed the RAM role.

Note custom-role-for-actiontrail is the name of a custom RAM role for ActionTrail. The role can be assumed by the requester to query ActionTrail events.
userIdentity.creationDate: the time when the event occurred, in UTC. The value in the example is 2021-01-01T00:00:00Z, which indicates that the event occurred at 08:00:00 on January 1, 2021, in UTC+8.
requestParameters.stsTokenPlayerUid: the ID of the Alibaba Cloud account to which the RAM user belongs. The value in the example is 175498693826****, which indicates that the RAM user of the Alibaba Cloud account whose ID is 175498693826**** assumed the RAM role that belongs to the Alibaba Cloud account whose ID is 159498693826****.