Alibaba Cloud Security Token Service (STS) allows you to manage short-term access from other users to your Alibaba Cloud resources.


You can use STS to grant temporary access tokens to RAM entities (RAM users and RAM roles). You can customize the validity period and access permissions of these STS tokens. Authorized RAM entities can use the STS tokens to access Alibaba Cloud resources by using one of the following methods:

  • Call Alibaba Cloud API operations.
  • Log on to the Alibaba Cloud console.


The STS endpoint that is used to call API operations is


RAM role
A virtual RAM user.
The Alibaba Cloud Resource Name (ARN) of a RAM role. In Alibaba Cloud, each role has a unique ARN. Format: acs:ram::$accountID:role/$roleName.
trusted entity
An entity that is entrusted to assume a RAM role. You must specify a trusted entity when you create a RAM role. Only trusted entities can assume the RAM role. A trusted entity can be an Alibaba Cloud account, Alibaba Cloud service, or identity provider (IdP).
role assuming
A method for entities to obtain STS tokens of RAM roles. An entity can obtain an STS token by calling the AssumeRole STS API operation. Then, the entity can use the STS token to call Alibaba Cloud API operations.
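The definitions above can be checked mechanically when reviewing who is allowed to assume a role. The following is an added example, not code from Alibaba Cloud: it parses the role ARN format given above and lists the trusted entities in a role's trust policy, flagging account principals that belong to a different account than the role. The trust policy layout (`Statement`, `Principal` with `RAM`, `Service` and `Federated` keys) is an assumption, and the sample ARN, account IDs and policy are constructed.

```python
import json
import re

# Role ARN format given on the page: acs:ram::$accountID:role/$roleName
ROLE_ARN = re.compile(r"^acs:ram::(?P<account>\d+):role/(?P<role>[^/\s]+)$")
# Assumed Principal keys of a trust policy, mapped to the page's trusted-entity kinds.
KINDS = {
    "RAM": "Alibaba Cloud account",
    "Service": "Alibaba Cloud service",
    "Federated": "identity provider (IdP)",
}

def parse_role_arn(arn):
    """Return (account_id, role_name), or raise ValueError if arn is not a role ARN."""
    m = ROLE_ARN.match(arn)
    if not m:
        raise ValueError(f"not a RAM role ARN: {arn!r}")
    return m["account"], m["role"]

def audit_trust(role_arn, policy_json):
    """List (kind, principal, is_cross_account) for every entity allowed to assume the role."""
    account, _ = parse_role_arn(role_arn)
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue  # only statements that grant role assumption matter here
        for key, values in stmt.get("Principal", {}).items():
            for value in [values] if isinstance(values, str) else values:
                owner = re.match(r"^acs:ram::(\d+):", value)
                external = bool(owner) and owner.group(1) != account
                findings.append((KINDS.get(key, "unknown"), value, external))
    return findings

# Constructed sample data; the account IDs and role name are placeholders.
SAMPLE_ROLE = "acs:ram::1111111111111111:role/log-reader"
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {
        "RAM": ["acs:ram::1111111111111111:root", "acs:ram::2222222222222222:root"],
        "Service": ["ecs.aliyuncs.com"],
    },
}]})

if __name__ == "__main__":
    for kind, principal, external in audit_trust(SAMPLE_ROLE, SAMPLE_POLICY):
        print(f"{kind:24} {principal:36} {'CROSS-ACCOUNT' if external else 'ok'}")
```

A cross-account finding is not necessarily a problem, but each one should correspond to an account you deliberately chose to trust.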