You can call the AssumeRoleWithSAML operation to exchange a SAML assertion for a temporary identity that assumes a RAM role during role-based single sign-on (SSO). This topic shows the ActionTrail log of a sample event in which an enterprise user assumed a RAM role through role-based SSO, and describes the key fields of that event log.
Example
In the following example, a user named Alice@example.com assumed the testrole RAM role within the Alibaba Cloud account whose ID is 159498693826**** at 14:05:20 on August 2, 2021, UTC+8.
{
  "apiVersion": "2015-04-01",
  "requestId": "3462D6AF-4434-4690-8CAD-E54A",
  "eventType": "ApiCall",
  "userIdentity": {
    "accountId": "159498693826****",
    "type": "saml-user",
    "userName": "Alice@example.com"
  },
  "acsRegion": "cn-shanghai",
  "eventName": "AssumeRoleWithSAML",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "SAMLAssertion": "****",
    "AcsProduct": "Sts",
    "RequestId": "3462D6AF-4434-4690-8CAD-E54A",
    "DurationSeconds": 3600,
    "HostId": "sts.aliyuncs.com",
    "SAMLProviderArn": "acs:ram::159498693826****:saml-provider/test",
    "RoleArn": "acs:ram::159498693826****:role/testrole"
  },
  "eventSource": "sts.aliyuncs.com",
  "serviceName": "Sts",
  "eventTime": "2021-08-02T06:05:20Z",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUQNP4PiGyckMsNiGELCs****"
    ]
  },
  "userAgent": "Jakarta Commons-HttpClient/3.1",
  "eventId": "3462D6AF-4434-4690-8CAD-****",
  "additionalEventData": {
    "Scheme": "https"
  },
  "responseElements": {
    "RequestId": "3462D6AF-4434-4690-8CAD-E54A",
    "SAMLAssertionInfo": {
      "SubjectType": "persis****",
      "Issuer": "https://sts.windows.net/d1ee1acd9a83906adg****/",
      "Recipient": "https://signin.aliyun.com/saml-role/sso",
      "Subject": "Alice@example.com"
    },
    "AssumedRoleUser": {
      "Arn": "acs:ram::159498693826****:role/testrole/Alice",
      "AssumedRoleId": "179432153826****:Alice"
    },
    "Credentials": {
      "AccessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
      "AccessKeySecret": "Ss7sq2j0ZoJujZnmVgXcu6QT9e****",
      "Expiration": "2021-08-02T07:05:20Z"
    }
  },
  "errorCode": "",
  "errorMessage": "",
  "eventVersion": "1",
  "sourceIpAddress": "192.168.XX.XX"
}
The sample event log contains the following key fields:

userIdentity.accountId: the ID of the Alibaba Cloud account to which the RAM role belongs. The value in this example is 159498693826****.

userIdentity.type: the identity type of the requester. The value in this example is saml-user, which indicates an enterprise user who authenticated through a SAML identity provider (IdP) rather than a RAM user with a password or AccessKey pair.

userIdentity.userName: the username of the requester that assumed the RAM role. The value in this example is Alice@example.com.

eventName: the name of the event. The value in this example is AssumeRoleWithSAML, the STS operation that exchanges a SAML assertion for a temporary identity to assume the RAM role. The assertion itself is masked in the log (requestParameters.SAMLAssertion is recorded as ****); what the IdP asserted is only visible through responseElements.SAMLAssertionInfo.

requestParameters.SAMLProviderArn: the Alibaba Cloud Resource Name (ARN) of the IdP configured in the RAM console, in the format acs:ram::<account_ID>:saml-provider/<saml_provider_ID>, where account_ID is the ID of the Alibaba Cloud account and saml_provider_ID is the name of the IdP. The value in this example is acs:ram::159498693826****:saml-provider/test: 159498693826**** is the ID of the Alibaba Cloud account and test is the name of the IdP.

requestParameters.RoleArn: the ARN of the RAM role assumed by the requester, in the format acs:ram::<account_ID>:role/<role_name>, where account_ID is the ID of the Alibaba Cloud account and role_name is the name of the RAM role. The value in this example is acs:ram::159498693826****:role/testrole: 159498693826**** is the ID of the Alibaba Cloud account and testrole is the name of the RAM role. In a normal role-based SSO setup the account IDs in SAMLProviderArn, RoleArn and userIdentity.accountId all agree; a mismatch is worth investigating.

requestParameters.DurationSeconds: the requested validity period of the temporary credential, in seconds. The value in this example is 3600, which is exactly the gap between eventTime and responseElements.Credentials.Expiration.

responseElements.SAMLAssertionInfo: what STS extracted from the assertion. Issuer is the entity ID of the IdP that issued the assertion, Recipient is the Alibaba Cloud SSO endpoint the assertion was addressed to (https://signin.aliyun.com/saml-role/sso in this example), and Subject is the subject asserted by the IdP, which here matches userIdentity.userName. An Issuer that is not one of your own IdPs is the first thing to check when a role assumption looks unexpected.

responseElements.AssumedRoleUser: the temporary identity obtained by assuming the RAM role. The value in this example is {"Arn": "acs:ram::159498693826****:role/testrole/Alice", "AssumedRoleId": "179432153826****:Alice"}. acs:ram::159498693826****:role/testrole/Alice is the ARN of the temporary identity (the role ARN followed by the session name) and 179432153826****:Alice is the ID of the temporary identity. Note that the prefix of AssumedRoleId is not the account ID.

responseElements.Credentials: the temporary access credential issued to the temporary identity, which in role-based SSO is used to log on to the Alibaba Cloud Management Console. The value in this example is {"AccessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****", "AccessKeySecret": "Ss7sq2j0ZoJujZnmVgXcu6QT9e****", "Expiration": "2021-08-02T07:05:20Z"}. STS.NUQNP4PiGyckMsNiGELCs**** is the AccessKey ID, Ss7sq2j0ZoJujZnmVgXcu6QT9e**** is the AccessKey secret (masked in the trail, so the log cannot be used to recover a usable credential), and 2021-08-02T07:05:20Z is the point in time when the credential expires, one hour (DurationSeconds) after eventTime.

referencedResources: the resource involved in assuming the RAM role. The value in this example is {"ACS::RAM::AccessKey": ["STS.NUQNP4PiGyckMsNiGELCs****"]}, the AccessKey ID of the temporary credential issued to the requester (not the secret). API calls made later with this credential carry the same AccessKey ID, so this field is what ties them back to the SSO event that minted the credential.

errorCode and errorMessage: both empty in this example because the call succeeded. A rejected assumption is still logged, with these fields describing the failure and without Credentials in responseElements.

eventTime: the time when the event occurred, in UTC. The value in this example is 2021-08-02T06:05:20Z, which indicates that the event occurred at 14:05:20 on August 2, 2021, UTC+8.

sourceIpAddress: the IP address from which the request was sent, masked in this example as 192.168.XX.XX.
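The field descriptions above translate directly into a review routine for AssumeRoleWithSAML events pulled from ActionTrail. The following Python is an added example written for this page, not Alibaba Cloud's code: it checks that the IdP and role belong to the requester's account, that the assertion's Issuer, Recipient and Subject are the expected ones, that the requested session length is within policy and matches the granted Expiration, and it surfaces the STS AccessKey ID for correlating later API calls. The sample event is constructed from the masked log above; the tampered variant, the attacker issuer URL, the 111111111111**** account and the one-hour session limit are hypothetical.

```python
import copy
from datetime import datetime, timezone

# Review policy. Issuer and recipient are the values from the log above; the
# maximum session length is an assumption for this example.
POLICY = {
    "expected_issuers": {"https://sts.windows.net/d1ee1acd9a83906adg****/"},
    "expected_recipient": "https://signin.aliyun.com/saml-role/sso",
    "max_duration_seconds": 3600,
}

# Constructed sample event mirroring the masked log on this page (not real
# trail data); only the fields the checks below read are included.
SAMPLE_EVENT = {
    "eventName": "AssumeRoleWithSAML",
    "eventSource": "sts.aliyuncs.com",
    "eventTime": "2021-08-02T06:05:20Z",
    "errorCode": "",
    "sourceIpAddress": "192.168.XX.XX",
    "userIdentity": {"accountId": "159498693826****", "type": "saml-user",
                     "userName": "Alice@example.com"},
    "requestParameters": {
        "DurationSeconds": 3600,
        "SAMLProviderArn": "acs:ram::159498693826****:saml-provider/test",
        "RoleArn": "acs:ram::159498693826****:role/testrole",
    },
    "responseElements": {
        "SAMLAssertionInfo": {
            "Issuer": "https://sts.windows.net/d1ee1acd9a83906adg****/",
            "Recipient": "https://signin.aliyun.com/saml-role/sso",
            "Subject": "Alice@example.com",
        },
        "Credentials": {"AccessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
                        "Expiration": "2021-08-02T07:05:20Z"},
    },
}

# Hypothetical variant: a role in another account, an unknown issuer and a
# 12-hour session request whose Expiration does not match DurationSeconds.
TAMPERED_EVENT = copy.deepcopy(SAMPLE_EVENT)
TAMPERED_EVENT["requestParameters"].update(
    {"DurationSeconds": 43200, "RoleArn": "acs:ram::111111111111****:role/admin"})
TAMPERED_EVENT["responseElements"]["SAMLAssertionInfo"]["Issuer"] = "https://idp.attacker.example/"


def parse_utc(ts):
    """ActionTrail timestamps are UTC with a trailing Z (see eventTime above)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def arn_account(arn):
    """Account ID segment of an acs:ram::<account_ID>:<resource> ARN, else None."""
    parts = (arn or "").split(":")
    if len(parts) >= 5 and parts[0] == "acs" and parts[1] == "ram":
        return parts[3]
    return None


def review_event(event, policy=POLICY):
    """Return None for events that are not AssumeRoleWithSAML calls; otherwise a
    summary with a findings list (empty when the event looks as expected)."""
    if event.get("eventName") != "AssumeRoleWithSAML" or event.get("eventSource") != "sts.aliyuncs.com":
        return None
    ident = event.get("userIdentity", {})
    req = event.get("requestParameters", {})
    resp = event.get("responseElements") or {}   # absent on a failed call
    info = resp.get("SAMLAssertionInfo", {})
    creds = resp.get("Credentials", {})
    account = ident.get("accountId")
    duration = req.get("DurationSeconds")
    findings = []

    if event.get("errorCode"):
        findings.append("assume_failed:" + event["errorCode"])
    if ident.get("type") != "saml-user":
        findings.append("unexpected_identity_type")
    # IdP and role should live in the account the requester authenticated to.
    if arn_account(req.get("SAMLProviderArn")) != account:
        findings.append("cross_account_provider")
    if arn_account(req.get("RoleArn")) != account:
        findings.append("cross_account_role")
    # What STS extracted from the (masked) assertion.
    if info.get("Issuer") not in policy["expected_issuers"]:
        findings.append("unexpected_idp_issuer")
    if info.get("Recipient") != policy["expected_recipient"]:
        findings.append("unexpected_recipient")
    if info.get("Subject") != ident.get("userName"):
        findings.append("subject_username_mismatch")
    # Session lifetime: the requested length and the lifetime actually granted.
    if isinstance(duration, int) and duration > policy["max_duration_seconds"]:
        findings.append("session_too_long")
    if isinstance(duration, int) and creds.get("Expiration") and event.get("eventTime"):
        granted = (parse_utc(creds["Expiration"]) - parse_utc(event["eventTime"])).total_seconds()
        if granted != duration:
            findings.append("expiration_mismatch")

    return {
        "subject": ident.get("userName"),
        "role_arn": req.get("RoleArn"),
        "source_ip": event.get("sourceIpAddress"),
        # The STS AccessKey ID is the pivot to later API calls made with this credential.
        "sts_access_key_id": creds.get("AccessKeyId"),
        "findings": findings,
    }


if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, TAMPERED_EVENT):
        print(review_event(ev))
```

Run against a real trail export, feed each event dict to review_event and keep the sts_access_key_id of every clean result: any later event whose userIdentity carries an AccessKey ID that no reviewed SSO event issued is a credential whose origin you cannot explain.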