You can call the AssumeRoleWithSAML operation to obtain a temporary identity to assume a RAM role during role-based single sign-on (SSO). This topic provides the log of a sample event in which a user queried events by using role-based SSO. This topic also describes the key fields involved in the event log.

Example

The following example shows that a user of an enterprise assumed the testrole RAM role within the Alibaba Cloud account whose ID is 159498693826**** to query events at 14:05:24 on August 02, 2021, UTC+8.

{
  "apiVersion": "2016-11-11",
  "requestId": "3462D6AF-4434-4690-8CAD-E54AED8B",
  "eventType": "ApiCall",
  "userIdentity": {
    "accessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-02T06:05:24Z"
      }
    },
    "accountId": "159498693826****",
    "principalId": "179432153826****:Alice@159498693826****.com",
    "type": "assumed-role",
    "userName": "testrole:Alice@159498693826****.com"
  },
  "acsRegion": "cn-shanghai",
  "eventName": "LookUpEvents",
  "requestParameters": {
    "stsTokenPrincipalName": "testrole:Alice@159498693826****.com",
    "AcsHost": "actiontrail.cn-hangzhou.aliyuncs.com",
    "ServiceCode": "actiontrail",
    "AcsProduct": "Actiontrail",
    "RequestId": "3462D6AF-4434-4690-8CAD-E54AED8B",
    "Region": "cn-hangzhou",
    "LookupAttribute.1.Value": "Write",
    "RegionId": "cn-hangzhou",
    "HostId": "actiontrail.cn-hangzhou.aliyuncs.com",
    "stsTokenPlayerUid": 10001,
    "LookupAttribute.1.Key": "EventRW"
  },
  "eventSource": "actiontrail.cn-hangzhou.aliyuncs.com",
  "serviceName": "Actiontrail",
  "eventTime": "2021-08-02T06:05:24Z",
  "userAgent": "",
  "eventId": "3462D6AF-4434-4690-8CAD-E54A****",
  "additionalEventData": {
    "Scheme": "https"
  },
  "errorCode": "",
  "errorMessage": "",
  "eventVersion": "1",
  "sourceIpAddress": "192.168.XX.XX"
}

The sample event log contains the following key fields:

  • userIdentity.accountId: the ID of the Alibaba Cloud account used by the requester. The value in this example is 159498693826****, which indicates the ID of the Alibaba Cloud account to which the RAM role belongs.
  • userIdentity.type: the identity type of the requester. The value in this example is assumed-role, which indicates a RAM role.
  • userIdentity.userName: the username of the requester. The value is in the format of {roleName}:{sessionName}. roleName indicates the name of the RAM role that was assumed. sessionName indicates the name that was specified when the requester assumed the RAM role. The value in this example is testrole:Alice@159498693826****.com. testrole indicates the name of the RAM role. Alice@159498693826****.com indicates the name specified when the requester assumed the RAM role.
  • userIdentity.sessionContext.attributes.creationDate: the time when the event occurred, in UTC. The value in this example is 2021-08-02T06:05:24Z, which indicates 14:05:24 on August 02, 2021, UTC+8.