A RAM user can call the AssumeRole operation to assume a RAM role whose specified trusted entity is an Alibaba Cloud account. This topic provides the log of a sample event in which a RAM user assumed a RAM role and describes the key fields involved in the event log.
Example
In the following example, a RAM user named Alice whose ID is 23890260100229**** called the AssumeRole operation at 11:42:19 on August 2, 2021, UTC+8. The custom-role-for-actiontrail RAM role that belongs to the Alibaba Cloud account whose ID is 159498693826**** was assumed by the RAM user.
{
  "eventId": "2546c4b7-6b56-403e-97d3-500d8d29339a",
  "eventVersion": 1,
  "responseElements": {
    "requestId": "2546c4b7-6b56-403e-97d3-500d8d29339a",
    "assumedRoleUser": {
      "arn": "acs:ram::159498693826****:role/custom-role-for-actiontrail/Alice",
      "assumedRoleId": "39484351102463****:Alice"
    },
    "credentials": {
      "accessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
      "accessKeySecret": "Ss7sq2j0ZoJujZnmVgXcu6QT9e****",
      "expiration": "2021-08-02T04:42:19Z"
    }
  },
  "eventSource": "sts.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "AcsProduct": "Sts",
    "RequestId": "2546c4b7-6b56-403e-97d3-500d8d29339a",
    "RoleSessionName": "Alice",
    "DurationSeconds": 3600,
    "HostId": "sts.aliyuncs.com",
    "RoleArn": "acs:ram::159498693826****:role/custom-role-for-actiontrail"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Jakarta Commons-HttpClient/3.1",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUQNP4PiGyckMsNiGELCs****"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-02T03:42:19Z"
      }
    },
    "accountId": "159498693826****",
    "principalId": "23890260100229****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "2546c4b7-6b56-403e-97d3-500d8d29339a",
  "eventTime": "2021-08-02T03:42:19Z",
  "isGlobal": false,
  "acsRegion": "cn-shanghai",
  "eventName": "AssumeRole"
}
The preceding example contains the following key fields:
userIdentity.accountId: the ID of the Alibaba Cloud account of the requester. The value in the example is 159498693826****, which indicates the ID of the Alibaba Cloud account to which the RAM user belongs.
userIdentity.principalId: the ID of the RAM user that assumed the RAM role.
userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates that the RAM user initiated a request to assume the RAM role.
userIdentity.userName: the username of the requester. The value in the example is Alice.
userIdentity.attributes.creationDate: the time when the event occurred, in UTC. The value in the example is 2021-08-02T03:42:19Z, which indicates that the event occurred at 11:42:19 on August 2, 2021, UTC+8.
requestParameters.RoleArn: the Alibaba Cloud Resource Name (ARN) of the RAM role that was assumed by the RAM user. The value in the example is acs:ram::159498693826****:role/custom-role-for-actiontrail. 159498693826**** indicates the ID of the Alibaba Cloud account to which the RAM role belongs. custom-role-for-actiontrail indicates the name of the RAM role.
responseElements.assumedRoleUser.assumedRoleId: the unique identifier of the RAM role while it is assumed by the current RAM user. The value is in the format of {roleId}:{sessionName}. roleId indicates the ID of the original RAM role. sessionName indicates the session name given to the RAM role when it was assumed by the RAM user. The value in the example is 39484351102463****:Alice. 39484351102463**** represents the ID of the original RAM role. Alice represents the session name given to the RAM role while it is assumed.
referencedResources: the resource that is required to assume the RAM role. The value in the example is { "ACS::RAM::AccessKey": [ "STS.NUQNP4PiGyckMsNiGELCs****"]}, which indicates the temporary Security Token Service (STS) token obtained by the RAM user.
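As an added example (not part of the original topic and not Alibaba Cloud code), the following Python function extracts the key fields described above from an AssumeRole event and derives three review signals: whether the role belongs to a different account than the caller, whether the caller was MFA-authenticated, and the lifetime of the issued token. The function name summarize_assume_role and the output keys are assumptions made for this example; the sample event is a constructed, trimmed copy of the event shown above.

```python
import json
from datetime import datetime

# Constructed sample: trimmed copy of the event above, masked values kept as printed.
SAMPLE_EVENT = json.loads("""{
  "eventName": "AssumeRole", "eventTime": "2021-08-02T03:42:19Z",
  "requestParameters": {"RoleSessionName": "Alice", "DurationSeconds": 3600,
    "RoleArn": "acs:ram::159498693826****:role/custom-role-for-actiontrail"},
  "responseElements": {
    "assumedRoleUser": {"assumedRoleId": "39484351102463****:Alice"},
    "credentials": {"expiration": "2021-08-02T04:42:19Z"}},
  "userIdentity": {
    "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
    "accountId": "159498693826****", "principalId": "23890260100229****",
    "type": "ram-user", "userName": "Alice"}
}""")

TS = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format used by eventTime and expiration

def summarize_assume_role(event):
    """Return a triage summary for an AssumeRole event, or None for any other event."""
    if event.get("eventName") != "AssumeRole":
        return None
    ident, params = event["userIdentity"], event["requestParameters"]
    resp = event.get("responseElements") or {}  # assumption: may be missing on failed calls
    # RoleArn layout: acs:ram::{accountId}:role/{roleName}
    arn = params["RoleArn"].split(":", 4)
    role_account, role_name = arn[3], arn[4].split("/", 1)[1]
    # assumedRoleId layout: {roleId}:{sessionName}
    role_id, _, session = resp.get("assumedRoleUser", {}).get("assumedRoleId", "").partition(":")
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    expires = resp.get("credentials", {}).get("expiration")
    lifetime = None
    if expires:  # token lifetime as actually issued, not just as requested
        delta = datetime.strptime(expires, TS) - datetime.strptime(event["eventTime"], TS)
        lifetime = int(delta.total_seconds())
    return {
        "caller": f'{ident["type"]}:{ident.get("userName")} ({ident["principalId"]})',
        "role": role_name, "role_account": role_account,
        "role_id": role_id, "session_name": session,
        "cross_account": role_account != ident["accountId"],
        "mfa": attrs.get("mfaAuthenticated") == "true",
        "lifetime_seconds": lifetime,
    }

if __name__ == "__main__":
    print(json.dumps(summarize_assume_role(SAMPLE_EVENT), indent=2))
```

The summary deliberately omits responseElements.credentials.accessKeySecret, so the output can be forwarded to alerting or ticketing systems without copying the temporary secret out of the audit log.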