ActionTrail records the events that are related to Alibaba Cloud Security Token Service (STS). You can query the details of an STS-related event to obtain information such as the time when the event occurred, the region where the event occurred, and the temporary identity involved. This topic provides the logs of three sample STS-related events and describes the key fields included in the event logs.
Obtain a temporary identity as a RAM user in the console
The following sample event log indicates that the RAM user whose username is Alice obtained a temporary identity by assuming the cna-manager-test-role RAM role of the Alibaba Cloud account whose ID is 127812487797**** at 15:59:47 on August 05, 2021, UTC+8.
{
  "eventId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
    "AssumedRoleUser": {
      "Arn": "acs:ram::127812487797****:role/cna-manager-test-role/169074",
      "AssumedRoleId": "33618118978621****:169074"
    },
    "Credentials": {
      "AccessKeyId": "STS.NUQ79dzjpMPxYesi1YY5U****",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T08:59:47Z"
    }
  },
  "eventSource": "sts.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "AcsProduct": "Sts",
    "RequestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
    "RoleSessionName": 169074,
    "RegionId": "cn-hangzhou",
    "HostId": "sts.aliyuncs.com",
    "RoleArn": "acs:ram::127812487797****:role/cna-manager-test-role"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Linux; amd64) Java/1.8.0_152-b187 Core/4.5.17 HTTPClient/ApacheHttpClient",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUQ79dzjpMPxYesi1YY5U****"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T07:59:46Z"
      }
    },
    "accountId": "146411043369****",
    "principalId": "21336811218169****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
  "eventTime": "2021-08-05T07:59:47Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "AssumeRole"
}
The sample event log contains the following key fields:
userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates a RAM user.
userIdentity.userName: the username of the RAM user.
userIdentity.sessionContext.attributes.mfaAuthenticated: whether the requester passed multi-factor authentication in the session that made the call. The value in the example is false.
serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Sts, which indicates STS.
eventName: the name of the event. The value in the example is AssumeRole, which indicates that a temporary identity used to assume a RAM role was obtained. In this example, an Alibaba Cloud account is used as the trusted entity of the RAM role.
requestParameters.RoleArn: the Alibaba Cloud Resource Name (ARN) of the RAM role that was assumed by the RAM user. The value in the example is acs:ram::127812487797****:role/cna-manager-test-role, where 127812487797**** is the ID of the Alibaba Cloud account to which the RAM role belongs and cna-manager-test-role is the name of the RAM role. Note that the requester's userIdentity.accountId (146411043369****) differs from the account ID in the ARN, so this is a cross-account role assumption: the role's trust policy in account 127812487797**** allows a principal from account 146411043369**** to assume it.
referencedResources: the one or more resources that are related to the event. The value in the example is {"ACS::RAM::AccessKey": ["STS.NUQ79dzjpMPxYesi1YY5U****"]}, which identifies the temporary credential STS.NUQ79dzjpMPxYesi1YY5U**** that was issued. Subsequent API calls signed with that AccessKey ID can be traced back to this event.
responseElements.Credentials.Expiration: the time, in UTC, at which the temporary credential expires. The value in the example is 2021-08-05T08:59:47Z, one hour after the event.
eventTime: the time when the event occurred, in UTC. The value in the example is 2021-08-05T07:59:47Z, which corresponds to 15:59:47 on August 05, 2021, UTC+8.
Obtain a temporary identity as a RAM user by calling the AssumeRole operation
The following sample event log indicates that the RAM user whose username is Alice obtained a temporary access token by assuming the aliyunosstokengeneratorrole RAM role of the Alibaba Cloud account whose ID is 193875730500**** at 16:03:31 on August 05, 2021, UTC+8. The RAM user called the AssumeRole operation with an AccessKey pair to assume the RAM role.
{
  "eventId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
    "AssumedRoleUser": {
      "Arn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole/X5wpmS6EgkM080aE0Kym****",
      "AssumedRoleId": "30815480203992****:X5wpmS6EgkM080aE0Kym****"
    },
    "Credentials": {
      "AccessKeyId": "STS.NTobFuYYn6EBxAVhC18ta****",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T09:03:31Z"
    }
  },
  "eventSource": "sts.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "Policy": {
      "Version": "1",
      "Statement": [
        {
          "Condition": {},
          "Action": [
            "oss:PutObject"
          ],
          "Resource": [
            "acs:oss:*:*:taowo/image/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*",
            "acs:oss:*:*:taowo/video/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*",
            "acs:oss:*:*:taowo/sound/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*"
          ],
          "Effect": "Allow"
        }
      ]
    },
    "AcsHost": "sts.cn-hangzhou.aliyuncs.com",
    "AcsProduct": "Sts",
    "RequestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
    "RoleSessionName": "X5wpmS6EgkM080aE0Kym****",
    "Region": "cn-hangzhou",
    "SignatureType": "",
    "RegionId": "cn-hangzhou",
    "HostId": "sts.cn-hangzhou.aliyuncs.com",
    "RoleArn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Linux 3.10.0-1127.19.1.el7.x86_64;x86_64) Python/3.8.8 Core/2.13.32 python-requests/2.18.3",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NTobFuYYn6EBxAVhC18ta****"
    ]
  },
  "userIdentity": {
    "accessKeyId": "LTAI2jP0BF0f****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T08:03:31Z"
      }
    },
    "accountId": "193875730500****",
    "principalId": "21365465900895****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
  "eventTime": "2021-08-05T08:03:31Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "AssumeRole"
}
The sample event log contains the following key fields:
userIdentity.accessKeyId: the long-term AccessKey ID that was used to sign the API call. The value in the example is LTAI2jP0BF0f****. This field is absent when the call is made from a console session, which is how the two AssumeRole samples in this topic can be told apart.
userIdentity.principalId: the ID of the principal (here, the RAM user) that owns the AccessKey pair. The value in the example is 21365465900895****.
userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates a RAM user.
serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Sts, which indicates STS.
eventName: the name of the event. The value in the example is AssumeRole, which indicates that a temporary identity used to assume a RAM role was obtained. In this example, an Alibaba Cloud account is used as the trusted entity of the RAM role.
requestParameters.RoleArn: the ARN of the RAM role that was assumed by the RAM user. The value in the example is acs:ram::193875730500****:role/aliyunosstokengeneratorrole, where 193875730500**** is the ID of the Alibaba Cloud account to which the RAM role belongs and aliyunosstokengeneratorrole is the name of the RAM role.
requestParameters.Policy: the session policy passed in the AssumeRole call. The permissions of the returned temporary credential are limited to the intersection of this policy and the permission policies attached to the role. In this example, the credential can only call oss:PutObject on the three listed object prefixes, which is the pattern used to hand a scoped-down upload token to a client.
referencedResources: the one or more resources that are related to the event. The value in the example is {"ACS::RAM::AccessKey": ["STS.NTobFuYYn6EBxAVhC18ta****"]}, which identifies the temporary credential STS.NTobFuYYn6EBxAVhC18ta**** that was issued.
eventTime: the time when the event occurred, in UTC. The value in the example is 2021-08-05T08:03:31Z, which corresponds to 16:03:31 on August 05, 2021, UTC+8.
Obtain a temporary identity as an enterprise user by using role-based SSO
The following sample event log indicates that the enterprise user whose username is Alice obtained a temporary identity by using role-based SSO at 16:04:56 on August 05, 2021, UTC+8. The enterprise user used role-based SSO to assume the cruisetestrole RAM role of the Alibaba Cloud account whose ID is 189186630579****.
{
  "eventId": "66FDD0F9-3546-567A-8964-2BD734198356",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "66FDD0F9-3546-567A-8964-2BD734198356",
    "SAMLAssertionInfo": {
      "SubjectType": "transient",
      "Issuer": "https://testidp/saml",
      "Recipient": "https://signin.aliyun.com/saml-role/sso",
      "Subject": "Alice"
    },
    "AssumedRoleUser": {
      "Arn": "acs:ram::189186630579****:role/cruisetestrole/cruisetest",
      "AssumedRoleId": "37924473051351****:cruisetest"
    },
    "Credentials": {
      "AccessKeyId": "STS.NUTNKhGR8BR3QL9sJkSHp****",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T09:04:56Z"
    }
  },
  "eventSource": "sts.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "SAMLAssertion": "***",
    "AcsProduct": "Sts",
    "RequestId": "66FDD0F9-3546-567A-8964-2BD734198356",
    "DurationSeconds": 3600,
    "HostId": "sts.aliyuncs.com",
    "SAMLProviderArn": "acs:ram::189186630579****:saml-provider/mockedIdp",
    "RoleArn": "acs:ram::189186630579****:role/cruisetestrole"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Jakarta Commons-HttpClient/3.1",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUTNKhGR8BR3QL9sJkSHp****"
    ]
  },
  "userIdentity": {
    "accountId": "189186630579****",
    "samlProviderName": "mockedIdp",
    "type": "saml-user",
    "userName": "Alice",
    "samlIssuer": "https://testidp/saml"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "66FDD0F9-3546-567A-8964-2BD734198356",
  "eventTime": "2021-08-05T08:04:56Z",
  "isGlobal": false,
  "acsRegion": "cn-shanghai",
  "eventName": "AssumeRoleWithSAML"
}
The sample event log contains the following key fields:
userIdentity.type: the identity type of the requester. The value in the example is saml-user, which indicates a user of an enterprise identity provider (IdP) federated through SAML.
userIdentity.userName: the username of the enterprise user, taken from the SAML assertion's Subject.
userIdentity.samlProviderName and userIdentity.samlIssuer: the RAM SAML provider (mockedIdp) and the IdP issuer URL (https://testidp/saml) that vouched for the user. The assertion itself is masked in requestParameters.SAMLAssertion, so these two fields are what you use to confirm which IdP issued the login.
requestParameters.RoleArn: the ARN of the RAM role that was assumed by the enterprise user. The value in the example is acs:ram::189186630579****:role/cruisetestrole, where 189186630579**** is the ID of the Alibaba Cloud account to which the RAM role belongs and cruisetestrole is the name of the RAM role.
requestParameters.DurationSeconds: the requested validity period of the temporary credential. The value in the example is 3600, which matches the one-hour gap between eventTime and responseElements.Credentials.Expiration.
referencedResources: the one or more resources that are related to the event. The value in the example is {"ACS::RAM::AccessKey": ["STS.NUTNKhGR8BR3QL9sJkSHp****"]}, which identifies the temporary credential STS.NUTNKhGR8BR3QL9sJkSHp**** that was issued.
serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Sts, which indicates STS.
eventName: the name of the event. The value in the example is AssumeRoleWithSAML, which indicates that a temporary identity was obtained by using role-based SSO.
eventTime: the time when the event occurred, in UTC. The value in the example is 2021-08-05T08:04:56Z, which corresponds to 16:04:56 on August 05, 2021, UTC+8.
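The following Python script is an added example and is not part of this topic or of ActionTrail itself. It takes trimmed copies of the three sample events above, normalizes the key fields discussed in each of the three sections (caller type and account, role account and name, session name, STS AccessKey ID, credential lifetime, MFA state, presence of a session policy, SAML issuer), flags the conditions a reviewer would check (a RAM user assuming a role without MFA, a cross-account assumption, a call without a session policy, an over-long credential lifetime), and pivots from an STS AccessKey ID found in referencedResources back to the event that minted it. The one-hour lifetime threshold and the wording of the findings are this example's own assumptions.

```python
from datetime import datetime, timezone

# Trimmed copies of the three sample events on this page, reduced to the fields
# the checks below read (constructed test input; masked values kept as printed).
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "eventTime": "2021-08-05T07:59:47Z",
     "requestParameters": {"RoleArn": "acs:ram::127812487797****:role/cna-manager-test-role"},
     "responseElements": {
         "AssumedRoleUser": {"Arn": "acs:ram::127812487797****:role/cna-manager-test-role/169074"},
         "Credentials": {"AccessKeyId": "STS.NUQ79dzjpMPxYesi1YY5U****", "Expiration": "2021-08-05T08:59:47Z"}},
     "referencedResources": {"ACS::RAM::AccessKey": ["STS.NUQ79dzjpMPxYesi1YY5U****"]},
     "userIdentity": {"type": "ram-user", "userName": "Alice", "accountId": "146411043369****",
                      "principalId": "21336811218169****",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventName": "AssumeRole", "eventTime": "2021-08-05T08:03:31Z",
     "requestParameters": {"RoleArn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole",
                           "Policy": {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["oss:PutObject"],
                               "Resource": ["acs:oss:*:*:taowo/image/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*"]}]}},
     "responseElements": {
         "AssumedRoleUser": {"Arn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole/X5wpmS6EgkM080aE0Kym****"},
         "Credentials": {"AccessKeyId": "STS.NTobFuYYn6EBxAVhC18ta****", "Expiration": "2021-08-05T09:03:31Z"}},
     "referencedResources": {"ACS::RAM::AccessKey": ["STS.NTobFuYYn6EBxAVhC18ta****"]},
     "userIdentity": {"type": "ram-user", "userName": "Alice", "accessKeyId": "LTAI2jP0BF0f****",
                      "accountId": "193875730500****", "principalId": "21365465900895****",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventName": "AssumeRoleWithSAML", "eventTime": "2021-08-05T08:04:56Z",
     "requestParameters": {"RoleArn": "acs:ram::189186630579****:role/cruisetestrole",
                           "SAMLProviderArn": "acs:ram::189186630579****:saml-provider/mockedIdp",
                           "DurationSeconds": 3600},
     "responseElements": {
         "AssumedRoleUser": {"Arn": "acs:ram::189186630579****:role/cruisetestrole/cruisetest"},
         "Credentials": {"AccessKeyId": "STS.NUTNKhGR8BR3QL9sJkSHp****", "Expiration": "2021-08-05T09:04:56Z"}},
     "referencedResources": {"ACS::RAM::AccessKey": ["STS.NUTNKhGR8BR3QL9sJkSHp****"]},
     "userIdentity": {"type": "saml-user", "userName": "Alice", "accountId": "189186630579****",
                      "samlProviderName": "mockedIdp", "samlIssuer": "https://testidp/saml"}},
]

MAX_LIFETIME_SECONDS = 3600  # assumption for this example: flag anything longer than one hour


def parse_utc(ts):
    """ActionTrail timestamps are UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def split_role_arn(arn):
    """acs:ram::<account-id>:role/<role-name>  ->  (account-id, role-name)."""
    parts = arn.split(":")
    if len(parts) != 5 or parts[:2] != ["acs", "ram"] or not parts[4].startswith("role/"):
        raise ValueError("not a RAM role ARN: %r" % arn)
    return parts[3], parts[4][len("role/"):]


def summarize(event):
    """Normalize one AssumeRole / AssumeRoleWithSAML event into the fields used for triage."""
    ident = event["userIdentity"]
    params = event["requestParameters"]
    resp = event["responseElements"]
    role_account, role_name = split_role_arn(params["RoleArn"])
    issued, expires = parse_utc(event["eventTime"]), parse_utc(resp["Credentials"]["Expiration"])
    # sessionContext is only present for RAM-user callers; SAML users have no MFA attribute here
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
    caller_account = ident.get("accountId")
    return {
        "eventName": event["eventName"],
        "callerType": ident["type"],
        "callerName": ident.get("userName"),
        "callerAccount": caller_account,
        "longTermKeyId": ident.get("accessKeyId"),  # set only when an AccessKey pair signed the call
        "samlIssuer": ident.get("samlIssuer"),
        "roleAccount": role_account,
        "roleName": role_name,
        "sessionName": resp["AssumedRoleUser"]["Arn"].rsplit("/", 1)[1],
        "stsKeyId": resp["Credentials"]["AccessKeyId"],
        "lifetimeSeconds": int((expires - issued).total_seconds()),
        "mfa": mfa == "true",
        "sessionPolicy": "Policy" in params,
        "crossAccount": caller_account is not None and caller_account != role_account,
    }


def findings(summary):
    """Conditions worth a second look. Texts and thresholds are this example's own."""
    out = []
    if summary["callerType"] == "ram-user" and not summary["mfa"]:
        out.append("RAM user assumed a role without MFA")
    if summary["crossAccount"]:
        out.append("cross-account: %s assumed a role owned by %s" % (summary["callerAccount"], summary["roleAccount"]))
    if not summary["sessionPolicy"]:
        out.append("no session policy: the STS credential carries the role's full permissions")
    if summary["lifetimeSeconds"] > MAX_LIFETIME_SECONDS:
        out.append("credential lifetime exceeds %d seconds" % MAX_LIFETIME_SECONDS)
    return out


def find_issuer(events, sts_key_id):
    """Pivot from an STS.* AccessKey ID seen in a later API call back to the event that minted it."""
    for event in events:
        if sts_key_id in event.get("referencedResources", {}).get("ACS::RAM::AccessKey", []):
            return summarize(event)
    return None


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        s = summarize(event)
        print(s["eventName"], s["callerType"], s["stsKeyId"], findings(s))
```

Run against the three samples, the first event is the only one flagged as cross-account (caller account 146411043369**** versus role owner 127812487797****), the second is the only one that carries a session policy, and the third produces no MFA finding because the MFA decision for a SAML user is made by the IdP and is not recorded in this event. On real data, feed `find_issuer` the `STS.` AccessKey ID from a suspicious OSS or ECS event to recover who obtained the credential, from which account, and for how long.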