Alibaba Cloud Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for Resource Access Management (RAM) roles. Using temporary credentials is a security best practice because they expire after a short period, reducing the risk associated with long-term AccessKey pairs.
How STS works
STS allows trusted principals to temporarily assume a RAM role. The core process is as follows:
1. A trusted principal (such as a RAM user, a federated user, or an Alibaba Cloud service) makes a request to STS to assume a specific RAM role.
2. STS authenticates the principal and verifies that it is trusted by the target role.
3. If the request is valid, STS returns a temporary credential, known as an STS token.
4. The principal uses the STS token to make authenticated API calls to Alibaba Cloud services with the permissions granted by the assumed role.
Benefits of STS
- Enhanced security: Avoids the need to embed or distribute long-term AccessKey pairs. STS tokens expire automatically, which significantly reduces the risk of a compromised credential.
- Simplified credential management: Because STS tokens are temporary and have a configurable duration, you do not need to manually rotate them.
- Fine-grained permissions: You can apply a session policy when requesting an STS token to further restrict the permissions for that specific session, enforcing the principle of least privilege.
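As an added example (not Alibaba Cloud's own code) of how a session policy narrows the permissions of an assumed role, the following Python script evaluates requests against a constructed role policy and a constructed session policy written in RAM policy syntax. It assumes a simplified evaluation model: only the Effect, Action and Resource elements are considered, `*` is the only wildcard, an explicit Deny in either document wins, and a request is permitted only when both documents allow it. Condition elements and the caller's own identity policies are ignored.

```python
"""Effective permissions of an STS session: role policy intersected with the
session policy. Added example, not Alibaba Cloud code; policies are constructed
sample input and the evaluator is a simplified model (Effect/Action/Resource
only, '*' wildcard only, no Condition support)."""
import json
import re
from typing import Dict, List, Union

# Permissions attached to the RAM role (constructed sample policy).
ROLE_POLICY: Dict = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["oss:GetObject", "oss:PutObject", "oss:DeleteObject"],
     "Resource": "acs:oss:*:*:example-bucket/*"},
    {"Effect": "Allow", "Action": "oss:ListObjects",
     "Resource": "acs:oss:*:*:example-bucket"}
  ]
}
""")

# Session policy passed with the AssumeRole request (constructed sample).
# It narrows the session to the uploads/ prefix, explicitly denies deletes,
# and tries (unsuccessfully) to grant a RAM action the role does not have.
SESSION_POLICY: Dict = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"],
     "Resource": "acs:oss:*:*:example-bucket/uploads/*"},
    {"Effect": "Deny", "Action": "oss:DeleteObject", "Resource": "*"},
    {"Effect": "Allow", "Action": "ram:ListUsers", "Resource": "*"}
  ]
}
""")


def _matches(pattern: str, value: str) -> bool:
    """Match a RAM-style pattern against a value; only '*' is a wildcard."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def evaluate(policy: Dict, action: str, resource: str) -> str:
    """Return 'deny' (explicit deny), 'allow', or 'none' (no matching statement).

    An explicit Deny takes precedence over any Allow in the same document.
    """
    decision = "none"
    for stmt in policy["Statement"]:
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def session_allows(role_policy: Dict, session_policy: Dict,
                   action: str, resource: str) -> bool:
    """A session may do only what BOTH the role policy and the session policy
    allow; a session policy can remove permissions but never add them."""
    return (evaluate(role_policy, action, resource) == "allow"
            and evaluate(session_policy, action, resource) == "allow")


if __name__ == "__main__":
    checks = [
        ("oss:GetObject", "acs:oss:*:*:example-bucket/uploads/a.txt"),
        ("oss:PutObject", "acs:oss:*:*:example-bucket/other/b.txt"),
        ("oss:DeleteObject", "acs:oss:*:*:example-bucket/uploads/a.txt"),
        ("oss:ListObjects", "acs:oss:*:*:example-bucket"),
        ("ram:ListUsers", "acs:ram::1234567890123456:user/*"),
    ]
    for action, resource in checks:
        print(f"{action:18} {resource:50} -> "
              f"{'ALLOW' if session_allows(ROLE_POLICY, SESSION_POLICY, action, resource) else 'deny'}")
```

Running the script shows that only `oss:GetObject` and `oss:PutObject` under `uploads/` survive: the role's broader OSS permissions are cut down by the session policy, and the session policy's attempt to add `ram:ListUsers` has no effect because the role never held it.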
Common use cases
Cross-account and delegated access
An authorized RAM user in one account can call the AssumeRole operation to assume a role in another account. This grants temporary, cross-account access to resources without sharing long-term credentials. This is also used to grant temporary, elevated permissions to a user within the same account. For more information, see Assume a RAM role and Delegate access between accounts using RAM roles.
Identity federation
Users from an external identity provider (IdP), such as a corporate Active Directory, can be granted access to your Alibaba Cloud resources. The federated user authenticates with the IdP, receives a SAML assertion or OIDC token, and then exchanges it for an STS token by calling AssumeRoleWithSAML or AssumeRoleWithOIDC. For more information, see Overview of SAML 2.0 federation and Overview of OIDC federation.
Mobile and web applications
You can develop a secure application that uses STS to provide end-users with temporary access to Alibaba Cloud resources, such as uploading files to an Object Storage Service (OSS) bucket. The application authenticates the user and then obtains an STS token on their behalf. For more information, see Grant temporary access to mobile apps with STS.
Key concepts
| Concept | Description |
| --- | --- |
| RAM user | An identity with permanent credentials (a password and AccessKey pairs). It typically represents a person or an application that requires long-term access. For more information, see Overview of RAM users and Create a RAM user. |
| RAM role | A virtual identity that defines a set of permissions. It does not have permanent credentials and is meant to be assumed temporarily by a trusted principal. For more information, see Overview of RAM roles, Create a RAM role for a trusted IdP, Create a RAM role for a trusted Alibaba Cloud account, and Create a RAM role for a trusted Alibaba Cloud service. |
| RAM role ARN | The unique identifier for a RAM role, formatted as an Alibaba Cloud Resource Name (ARN). It is used to specify the role in policies and API calls. For example: |
| STS token | A temporary credential consisting of a temporary AccessKey ID, a temporary AccessKey secret, and a security token. It grants the holder the permissions of the assumed RAM role for a limited duration. |
| Trusted principal | The principal (such as a RAM user, an Alibaba Cloud service, or a federated user) that is permitted to assume a RAM role. This trust relationship is defined in the role's trust policy. |
| Policy | The RAM policy attached to a role that defines its permissions. It specifies the actions the role is allowed or denied to perform on specific resources. A role without a policy has no permissions. |
| Role assumption | The action of requesting temporary credentials for a RAM role. This is done by calling an STS API operation such as AssumeRole. |
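Because an STS token is only valid for a limited duration, a client has to track the Expiration field and re-assume the role before the token lapses. The following Python module is an added example (not Alibaba Cloud SDK code) of such a token provider. It assumes the AssumeRole response is a JSON object whose `Credentials` member carries `AccessKeyId`, `AccessKeySecret`, `SecurityToken` and an ISO 8601 UTC `Expiration`; the `make_fake_sts` function stands in for the real STS call and returns a constructed response with random sample values, and the role ARN and account ID used are placeholders.

```python
"""Caching STS token provider with early refresh. Added example, not Alibaba
Cloud SDK code. make_fake_sts replaces the real AssumeRole call with a
constructed response in the documented shape; all credential values are random
sample data."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class StsToken:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime  # timezone-aware UTC

    @classmethod
    def from_response(cls, response: Dict) -> "StsToken":
        """Build a token from a JSON-decoded AssumeRole response body."""
        creds = response["Credentials"]
        expiration = datetime.strptime(creds["Expiration"], ISO_UTC).replace(tzinfo=timezone.utc)
        return cls(creds["AccessKeyId"], creds["AccessKeySecret"],
                   creds["SecurityToken"], expiration)

    def seconds_remaining(self, now: datetime) -> float:
        return (self.expiration - now).total_seconds()

    def needs_refresh(self, now: datetime, margin_seconds: int = 300) -> bool:
        """Refresh ahead of expiry so no in-flight request carries a stale token."""
        return self.seconds_remaining(now) <= margin_seconds

    def __repr__(self) -> str:
        # Keep the secret and the security token out of logs and tracebacks.
        return (f"StsToken(access_key_id={self.access_key_id!r}, "
                f"expiration={self.expiration.isoformat()})")


def make_fake_sts(clock: Callable[[], datetime]):
    """Return a stand-in for AssumeRole that issues constructed credentials
    valid for duration_seconds from the supplied clock's current time."""
    def assume_role(role_arn: str, session_name: str, duration_seconds: int) -> Dict:
        issued_at = clock()
        return {
            "RequestId": "constructed-request-id",
            "AssumedRoleUser": {"Arn": f"{role_arn}/{session_name}",
                                "AssumedRoleId": "constructed-assumed-role-id"},
            "Credentials": {
                "AccessKeyId": "STS.sample" + secrets.token_hex(6),
                "AccessKeySecret": secrets.token_urlsafe(24),
                "SecurityToken": secrets.token_urlsafe(48),
                "Expiration": (issued_at + timedelta(seconds=duration_seconds)).strftime(ISO_UTC),
            },
        }
    return assume_role


class TokenProvider:
    """Caches one STS token and re-assumes the role when it nears expiry."""

    def __init__(self, role_arn: str, session_name: str,
                 assume_role: Callable[[str, str, int], Dict],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc),
                 duration_seconds: int = 3600, refresh_margin: int = 300):
        self.role_arn = role_arn
        self.session_name = session_name
        self.assume_role = assume_role
        self.clock = clock
        self.duration_seconds = duration_seconds
        self.refresh_margin = refresh_margin
        self._token: Optional[StsToken] = None
        self.refresh_count = 0  # how many times the role was assumed

    def get(self) -> StsToken:
        now = self.clock()
        if self._token is None or self._token.needs_refresh(now, self.refresh_margin):
            response = self.assume_role(self.role_arn, self.session_name, self.duration_seconds)
            self._token = StsToken.from_response(response)
            self.refresh_count += 1
        return self._token


if __name__ == "__main__":
    # Placeholder ARN: acs:ram::<account-id>:role/<role-name>, constructed account ID.
    provider = TokenProvider("acs:ram::1234567890123456:role/example-role", "app-session",
                             make_fake_sts(lambda: datetime.now(timezone.utc)))
    token = provider.get()
    print(token, "refreshes so far:", provider.refresh_count)
```

The provider returns the same token while more than `refresh_margin` seconds remain and silently obtains a new one otherwise, so callers never have to reason about expiry themselves; the masked `__repr__` is there because STS tokens grant the full permissions of the role and must be treated with the same care as a long-term AccessKey pair for as long as they are valid.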