This topic provides answers to some frequently asked questions (FAQ) about RAM roles and STS tokens.

How are RAM roles classified?

RAM roles are classified into the following types based on trusted entities:

  • Alibaba Cloud account
  • Alibaba Cloud service
  • Identity provider (IdP)

What entities can assume the three types of RAM roles?

  • Alibaba Cloud account: RAM users under an Alibaba Cloud account can assume this type of RAM role. The RAM users can belong to the same Alibaba Cloud account as the RAM role or to a different Alibaba Cloud account. This type of RAM role is used for cross-account access and temporary authorization.
  • Alibaba Cloud service: Alibaba Cloud services can assume this type of RAM role. RAM roles that ECS instances assume belong to this type; in that case, the trusted entity is the ECS service. For more information, see Access other Cloud Product APIs by the Instance RAM Role. RAM roles of this type are used to grant Alibaba Cloud services the permissions they need to manage your resources.
  • IdP: Users of a trusted IdP can assume this type of RAM role. RAM roles of this type are used to implement single sign-on (SSO) between Alibaba Cloud and a trusted IdP.

Can I specify the RAM role that a RAM user can assume?

Yes, you can create a custom policy that specifies the RAM role that a RAM user can assume. The following is a sample policy:

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "acs:ram:*:$accountId:role/$roleName"
        }
    ],
    "Version": "1"
}
Note
  • In this policy, the Resource element indicates the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information about how to find the ARN of a RAM role, see How do I find the ARN of a RAM role? In this element, $accountId indicates the ID of the Alibaba Cloud account and $roleName indicates the name of the RAM role.
  • The preceding policy specifies the RAM role that a RAM user can assume. For more information about how to attach the policy to the RAM user, see Grant permissions to a RAM user.

How do I find the ARN of a RAM role?

  1. To find the ARN of a RAM role, log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles. On the RAM Roles page, click the name of the RAM role.
  3. In the Basic Information section, view the ARN of the RAM role.

Why does an error occur when a RAM user accesses STS?

The following error message may be returned when a RAM user uses the SDK for Java to generate an STS token:

Error message: You are not authorized to do this action. You should be authorized by RAM.

The reason is that the required permissions are not granted to the RAM user.

To resolve this issue, grant the RAM user the required permissions by attaching the AliyunSTSAssumeRoleAccess policy or a custom policy to the RAM user. For more information, see Can I specify the RAM role that a RAM user can assume?

Is the number of STS API requests limited?

Yes, STS supports up to 100 AssumeRole API requests for each Alibaba Cloud account. API requests that are sent by RAM users and RAM roles that belong to the Alibaba Cloud account are also counted toward this limit. If the number of API requests reaches 100, the following error message is returned:

Request was denied due to user flow control

What are the permissions of an STS token?

The permissions of an STS token are the permissions that both the specified RAM role and the policy passed in the Policy parameter of the AssumeRole API operation allow. The policy can only narrow the permissions of the RAM role; it cannot grant permissions that the RAM role does not have.

Note If you do not specify the Policy parameter when calling the AssumeRole API operation, the returned STS token has all the permissions of the specified RAM role.
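The two policy questions above (which RAM role a RAM user may assume, and what an STS token obtained through AssumeRole may then do) follow the same evaluation shape. The following added example is not Alibaba Cloud code: it is a minimal evaluator for the Action/Effect/Resource statements shown on this page, with `*` treated as a wildcard. The account ID, role name, bucket name and the OSS-style resource ARNs are constructed values; the `is_allowed`, `can_assume` and `token_allows` functions are this example's own names. Real RAM evaluation also handles elements such as Condition and NotAction, which are not modelled here.

```python
"""Model of how RAM policies gate sts:AssumeRole and shape an STS token's permissions.

Added example (not Alibaba Cloud code). It evaluates only the policy elements
used on this page: Action, Effect and Resource, with '*' as a wildcard.
"""
import re
from typing import Iterable, List, Optional, Union

Policy = dict
StrOrList = Union[str, List[str]]


def _match(pattern: str, value: str) -> bool:
    """RAM-style wildcard match: '*' matches any run of characters, including an empty one.

    This is why the page's Resource 'acs:ram:*:<account>:role/<name>' matches a real
    role ARN, whose region field is empty ('acs:ram::<account>:role/<name>')."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value: StrOrList) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policies: Iterable[Policy], action: str, resource: str) -> bool:
    """Evaluate all statements of all attached policies.

    An explicit Deny that matches wins over any Allow; otherwise the request is
    allowed only if at least one Allow statement matches both action and resource."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def role_arn(account_id: str, role_name: str) -> str:
    """ARN of a RAM role as shown in the RAM console (empty region field)."""
    return f"acs:ram::{account_id}:role/{role_name}"


def can_assume(user_policies: Iterable[Policy], account_id: str, role_name: str) -> bool:
    """Can a RAM user with these policies call sts:AssumeRole on the given role?"""
    return is_allowed(user_policies, "sts:AssumeRole", role_arn(account_id, role_name))


def token_allows(role_policies: Iterable[Policy], session_policy: Optional[Policy],
                 action: str, resource: str) -> bool:
    """Effective permission of an STS token obtained by assuming the role.

    The role's own policies must allow the request. If a Policy parameter was passed
    to AssumeRole, that session policy must allow it as well, so it can only narrow
    the role's permissions. With no session policy the token has the role's full
    permissions, as the Note above states."""
    if not is_allowed(role_policies, action, resource):
        return False
    if session_policy is None:
        return True
    return is_allowed([session_policy], action, resource)


# ---- constructed sample data (placeholder IDs and names, not real resources) ----
ACCOUNT_ID = "123456789012345678"   # constructed placeholder Alibaba Cloud account ID

USER_POLICY = {  # same shape as the policy on this page, with $accountId and $roleName filled in
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/oss-reader"}],
    "Version": "1",
}
ROLE_POLICY = {  # constructed: the permissions attached to the role itself
    "Statement": [{"Action": ["oss:GetObject", "oss:ListObjects", "oss:PutObject"],
                   "Effect": "Allow", "Resource": "acs:oss:*:*:example-bucket/*"}],
    "Version": "1",
}
SESSION_POLICY = {  # constructed: Policy parameter passed to AssumeRole to make the token read-only
    "Statement": [{"Action": ["oss:GetObject", "oss:ListObjects"],
                   "Effect": "Allow", "Resource": "acs:oss:*:*:example-bucket/*"}],
    "Version": "1",
}
OBJECT = "acs:oss:*:*:example-bucket/report.csv"  # constructed resource ARN

if __name__ == "__main__":
    print("user may assume oss-reader:", can_assume([USER_POLICY], ACCOUNT_ID, "oss-reader"))
    print("user may assume admin:     ", can_assume([USER_POLICY], ACCOUNT_ID, "admin"))
    print("token (no Policy) PutObject:", token_allows([ROLE_POLICY], None, "oss:PutObject", OBJECT))
    print("token (read-only) PutObject:", token_allows([ROLE_POLICY], SESSION_POLICY, "oss:PutObject", OBJECT))
```

The session policy in the sample narrows the token to read-only access; a session policy that names an action the role itself lacks changes nothing, because `token_allows` requires the role's policies to allow the request first.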

What is the validity period of an STS token?

The validity period of an STS token ranges from 900 seconds to the maximum session duration that you specify. The default validity period is 3,600 seconds.

Note
  • You can specify the DurationSeconds parameter when you call the AssumeRole API operation to limit the validity period of an STS token.
  • You can use the console or API to set the maximum session duration of a RAM role. For more information, see Set the maximum session duration for a RAM role.

If multiple STS tokens have been obtained at different times, are the old and new tokens valid at the same time?

Yes. Each STS token remains valid until its own expiration time, regardless of when other STS tokens were obtained.

What can I do if STS tokens are disclosed?

If STS tokens that RAM users obtained by assuming a RAM role are disclosed, you can invalidate all of those STS tokens as follows:

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Detach all policies from the RAM role. For more information, see Remove permissions from a RAM role.
  3. Delete the RAM role. For more information, see Delete a RAM role.

    After the RAM role is deleted, all STS tokens that are obtained by assuming the RAM role and have not expired become invalid.

If you want to continue using the deleted RAM role, create a new RAM role with the same name and grant the same permissions to the new RAM role.