You can call the AssumeRoleWithSAML operation to obtain a temporary identity to assume a RAM role during role-based single sign-on (SSO). This topic provides the log of a sample event in which a user queried events by using role-based SSO. This topic also describes the key fields involved in the event log.
Example
The following example shows that a user of an enterprise assumed the testrole RAM role within the Alibaba Cloud account whose ID is 159498693826**** to query events at 14:05:24 on August 02, 2021, UTC+8.
{
  "apiVersion": "2016-11-11",
  "requestId": "3462D6AF-4434-4690-8CAD-E54AED8B",
  "eventType": "ApiCall",
  "userIdentity": {
    "accessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-02T06:05:24Z"
      }
    },
    "accountId": "159498693826****",
    "principalId": "179432153826****:Alice@159498693826****.com",
    "type": "assumed-role",
    "userName": "testrole:Alice@159498693826****.com"
  },
  "acsRegion": "cn-shanghai",
  "eventName": "LookUpEvents",
  "requestParameters": {
    "stsTokenPrincipalName": "testrole:Alice@159498693826****.com",
    "AcsHost": "actiontrail.cn-hangzhou.aliyuncs.com",
    "ServiceCode": "actiontrail",
    "AcsProduct": "Actiontrail",
    "RequestId": "3462D6AF-4434-4690-8CAD-E54AED8B",
    "Region": "cn-hangzhou",
    "LookupAttribute.1.Value": "Write",
    "RegionId": "cn-hangzhou",
    "HostId": "actiontrail.cn-hangzhou.aliyuncs.com",
    "stsTokenPlayerUid": 10001,
    "LookupAttribute.1.Key": "EventRW"
  },
  "eventSource": "actiontrail.cn-hangzhou.aliyuncs.com",
  "serviceName": "Actiontrail",
  "eventTime": "2021-08-02T06:05:24Z",
  "userAgent": "",
  "eventId": "3462D6AF-4434-4690-8CAD-E54A****",
  "additionalEventData": {
    "Scheme": "https"
  },
  "errorCode": "",
  "errorMessage": "",
  "eventVersion": "1",
  "sourceIpAddress": "192.168.XX.XX"
}
The sample event log contains the following key fields:
userIdentity.accountId: the ID of the Alibaba Cloud account used by the requester. The value in this example is 159498693826****, which indicates the ID of the Alibaba Cloud account to which the RAM role belongs.
userIdentity.type: the identity type of the requester. The value in this example is assumed-role, which indicates a RAM role.
userIdentity.userName: the username of the requester. The value is in the format of {roleName}:{sessionName}. roleName indicates the name of the RAM role that was assumed. sessionName indicates the name that was specified when the requester assumed the RAM role. The value in this example is testrole:Alice@159498693826****.com. testrole indicates the name of the RAM role. Alice@159498693826****.com indicates the name specified when the requester assumed the RAM role.
userIdentity.attributes.creationDate: the time when the event occurred, in UTC. The value in this example is 2021-08-02T06:05:24Z, which indicates 14:05:24 on August 02, 2021, UTC+8.
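The following Python function is an added example, not part of the original topic or Alibaba Cloud's own code. It reads the key fields described above from an event, splits userName into the role name and session name, and converts creationDate to UTC+8. The function name summarize_role_session and the output keys are assumptions, the sample is constructed from the event shown above, and creationDate is read from userIdentity.sessionContext.attributes, where it appears in that event.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the fields from the event log shown above.
SAMPLE_EVENT = json.loads("""
{
  "eventName": "LookUpEvents",
  "eventTime": "2021-08-02T06:05:24Z",
  "userIdentity": {
    "accessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
    "sessionContext": {"attributes": {"mfaAuthenticated": "false",
                                      "creationDate": "2021-08-02T06:05:24Z"}},
    "accountId": "159498693826****",
    "principalId": "179432153826****:Alice@159498693826****.com",
    "type": "assumed-role",
    "userName": "testrole:Alice@159498693826****.com"
  }
}
""")

UTC8 = timezone(timedelta(hours=8))

def summarize_role_session(event):
    """Return who assumed which RAM role, or None if the caller is not a role."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "assumed-role":
        return None
    # userName is {roleName}:{sessionName}; split on the first colon only,
    # so any later colon stays inside the session name.
    role, sep, session = identity.get("userName", "").partition(":")
    if not sep or not role or not session:
        raise ValueError("userName is not in {roleName}:{sessionName} form")
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    created = datetime.strptime(attrs["creationDate"], "%Y-%m-%dT%H:%M:%SZ")
    created = created.replace(tzinfo=timezone.utc)  # trailing Z means UTC
    return {
        "account_id": identity.get("accountId"),
        "role_name": role,
        "session_name": session,
        "event_name": event.get("eventName"),
        "mfa": attrs.get("mfaAuthenticated") == "true",
        "created_utc8": created.astimezone(UTC8).strftime("%Y-%m-%d %H:%M:%S"),
    }

if __name__ == "__main__":
    print(summarize_role_session(SAMPLE_EVENT))
```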