ActionTrail: How do I identify the operator that assumes a RAM role?

Last Updated: Oct 18, 2023

In an event, if the value of the userIdentity.type field is assumed-role, a Resource Access Management (RAM) role is assumed by an Alibaba Cloud account or a RAM user. This topic describes how to identify the Alibaba Cloud account or the RAM user that assumes a RAM role.

Background information

After you log on to the ActionTrail console by using the Alibaba Cloud account 159498693826****, an event in which the value of the userIdentity.type field is assumed-role is displayed. You want to identify the operator that assumes the RAM role in the event.

{
  "eventId": "8DC8A000-6E74-59BD-8EB9-DDF64E45****",
  "eventVersion": 1,
  "eventSource": "ecs-openapi-share.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "stsTokenPrincipalName": "role-for-user-identity/Alice",
    "SourceRegionId": "cn-hangzhou",
    "AcsProduct": "ECS",
    "RegionId": "cn-hangzhou",
    "stsTokenPlayerUid": 159498693826****
  },
  "sourceIpAddress": "42.120.XX.XX",
  "userAgent": "AlibabaCloud (darwin; x64) Node.js/v17.1.0 Core/1.7.11",
  "eventType": "ApiCall",
  "userIdentity": {
    "accessKeyId": "STS.NTxwELwTuZr6XtdjqjsbT****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2022-06-08T01:58:23Z"
      }
    },
    "accountId": "159498693826****",
    "principalId": "35443786793104****:Alice",
    "type": "assumed-role",
    "userName": "role-for-user-identity:Alice"
  },
  "serviceName": "Ecs",
  "additionalEventData": {
    "CallerBid": "26842"
  },
  "apiVersion": "2014-05-26",
  "requestId": "8DC8A000-6E74-59BD-8EB9-DDF64E454B2A",
  "eventTime": "2022-06-08T01:58:26Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "DescribeInstances"
}

Event analysis

You can analyze the event based on the fields and values that are recorded in the event. For more information, see Management event structure.

The following list describes some key fields in the event:

  • userIdentity.accountId: the Alibaba Cloud account to which the assumed RAM role belongs. In this example, the Alibaba Cloud account is 159498693826****.

  • userIdentity.type: the identity type of the operator. In this example, the value is assumed-role, which indicates that the call was made with the temporary STS credential of a RAM role rather than with the long-term AccessKey pair of an Alibaba Cloud account or RAM user.

  • userIdentity.userName: the name of the assumed RAM role followed by the role session name, in the format <RoleName>:<RoleSessionName>. In this example, the value is role-for-user-identity:Alice, where role-for-user-identity is the RAM role and Alice is the RoleSessionName that the caller passed in the AssumeRole request. Because the session name is chosen by the caller, treat it as a hint rather than as proof of who the operator is; the AssumeRole event identifies the operator authoritatively.

  • userIdentity.accessKeyId: the AccessKey ID of the temporary Security Token Service (STS) credential that was issued when the role was assumed. In this example, the value is STS.NTxwELwTuZr6XtdjqjsbT****. This value is the key that links the API call to the AssumeRole event that issued the credential.

  • requestParameters.stsTokenPlayerUid: the Alibaba Cloud account to which the operator belongs. In this example, the value is 159498693826****.

In this example, the value of the userIdentity.accountId field is the same as that of the requestParameters.stsTokenPlayerUid field. The operator and the assumed RAM role belong to the same Alibaba Cloud account.

Note

If the values of the two fields are different, the operator and the assumed RAM role belong to different Alibaba Cloud accounts.

You can use the Alibaba Cloud account to which the operator belongs to log on to the ActionTrail console and use the event query feature to identify the operator. In this example, the Alibaba Cloud account that you can use is 159498693826****.

Event query

You can use the event query feature and the recorded STS token to search for the role assuming event. In this example, the STS token is STS.NTxwELwTuZr6XtdjqjsbT****.

Note

STS.NTxwELwTuZr6XtdjqjsbT**** is the value of the userIdentity.accessKeyId field in the event.

  1. Log on to the ActionTrail console by using the Alibaba Cloud account to which the operator belongs.

  2. In the left-side navigation pane, choose Events > Event Query.

  3. On the Event Query page, select Resource Name from the drop-down list, enter the STS token STS.NTxwELwTuZr6XtdjqjsbT**** in the field, and then click the Search icon.

  4. Find the event that you want to query and click View Event Details in the Actions column.

    {
      "eventId": "961F78D5-0F8F-52B9-851D-000C5199****",
      "eventVersion": 1,
      "responseElements": {
        "RequestId": "961F78D5-0F8F-52B9-851D-000C51996F0C",
        "AssumedRoleUser": {
          "Arn": "acs:ram::159498693826****:role/role-for-user-identity/Alice",
          "AssumedRoleId": "35443786793104****:Alice"
        },
        "Credentials": {
          "AccessKeyId": "STS.NTxwELwTuZr6XtdjqjsbT****",
          "AccessKeySecret": "dylEiakiwLFB1CufDyxyCwlCxZ****",
          "Expiration": "2022-06-08T02:58:25Z"
        }
      },
      "eventSource": "sts.cn-hangzhou.aliyuncs.com",
      "requestParameters": {
        "AcsProduct": "Sts",
        "RoleSessionName": "Alice",
        "Region": "cn-hangzhou",
        "DurationSeconds": 3600,
        "RoleArn": "acs:ram::159498693826****:role/role-for-user-identity"
      },
      "sourceIpAddress": "42.120.XX.XX",
      "userAgent": "AlibabaCloud (darwin; x64) Node.js/v17.1.0 Core/1.7.11",
      "eventType": "ApiCall",
      "referencedResources": {
        "ACS::RAM::AccessKey": [
          "STS.NTxwELwTuZr6XtdjqjsbT****"
        ]
      },
      "userIdentity": {
        "accessKeyId": "LTAI5tPvdUTowp2tDHsg****",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2022-06-08T01:58:22Z"
          }
        },
        "accountId": "159498693826****",
        "principalId": "29577185456911****",
        "type": "ram-user",
        "userName": "Alice"
      },
      "serviceName": "Sts",
      "additionalEventData": {
        "CallerBid": "26842"
      },
      "apiVersion": "2015-04-01",
      "requestId": "961F78D5-0F8F-52B9-851D-000C51996F0C",
      "eventTime": "2022-06-08T01:58:25Z",
      "isGlobal": false,
      "acsRegion": "cn-hangzhou",
      "eventName": "AssumeRole"
    }
  5. Analyze the event.

    The following list describes some key fields in the role assuming event:

    • eventName: the name of the role assuming event. In this example, the event name is AssumeRole.

    • responseElements.Credentials.AccessKeyId: the temporary AccessKey ID that is generated for the role assuming event. In this example, the temporary AccessKey ID is STS.NTxwELwTuZr6XtdjqjsbT****, which matches the userIdentity.accessKeyId value of the assumed-role event.

    • userIdentity.type: the identity type of the operator. In this example, the identity type is ram-user, which indicates a RAM user.

    • userIdentity.userName: the name of the operator. In this example, the name of the operator is Alice.

    • userIdentity.accessKeyId: the AccessKey ID of the operator. In this example, the AccessKey ID is LTAI5tPvdUTowp2tDHsg****.

    The analysis shows that the RAM user Alice assumed the RAM role role-for-user-identity and then called the DescribeInstances operation with the resulting STS credential. The RAM user belongs to the Alibaba Cloud account 159498693826**** (userIdentity.accountId); the value 29577185456911**** is the principalId of the RAM user, not an account ID.

    Before you attribute the API call to Alice, confirm that the two events describe the same role session: the AssumedRoleId in the AssumeRole event (35443786793104****:Alice) equals the principalId in the assumed-role event, the RoleSessionName (Alice) matches the session part of userIdentity.userName, the AssumeRole event (2022-06-08T01:58:25Z) precedes the DescribeInstances call (2022-06-08T01:58:26Z), which in turn falls before the credential Expiration (2022-06-08T02:58:25Z), and both events share the same sourceIpAddress and userAgent.
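The same correlation, carried out over exported ActionTrail events instead of the console, as an added example that is not part of the original page or of ActionTrail's own tooling. The two event records are trimmed copies of the page's sample events with the masked values kept as placeholders (stsTokenPlayerUid is quoted so the JSON parses). The page shows a single hop from a RAM user to a role; the loop in resolve_operator that follows a chain of roles, and the max_hops limit, are assumptions added here.

```python
"""Find the operator behind an assumed-role ActionTrail event by locating the
AssumeRole event that issued its STS credential and checking they agree.

Added example; the events are trimmed copies of the page's two sample events.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

ASSUMED_ROLE_EVENT = json.loads("""{
  "eventId": "8DC8A000-6E74-59BD-8EB9-DDF64E45****",
  "eventName": "DescribeInstances", "eventTime": "2022-06-08T01:58:26Z",
  "requestParameters": {"stsTokenPlayerUid": "159498693826****"},
  "userIdentity": {"type": "assumed-role", "accountId": "159498693826****",
                   "principalId": "35443786793104****:Alice",
                   "userName": "role-for-user-identity:Alice",
                   "accessKeyId": "STS.NTxwELwTuZr6XtdjqjsbT****"}}""")

ASSUME_ROLE_EVENT = json.loads("""{
  "eventId": "961F78D5-0F8F-52B9-851D-000C5199****",
  "eventName": "AssumeRole", "eventTime": "2022-06-08T01:58:25Z",
  "requestParameters": {"RoleSessionName": "Alice", "DurationSeconds": 3600,
    "RoleArn": "acs:ram::159498693826****:role/role-for-user-identity"},
  "responseElements": {
    "AssumedRoleUser": {"AssumedRoleId": "35443786793104****:Alice"},
    "Credentials": {"AccessKeyId": "STS.NTxwELwTuZr6XtdjqjsbT****",
                    "Expiration": "2022-06-08T02:58:25Z"}},
  "userIdentity": {"type": "ram-user", "accountId": "159498693826****",
                   "principalId": "29577185456911****", "userName": "Alice",
                   "accessKeyId": "LTAI5tPvdUTowp2tDHsg****"}}""")


def _ts(value: str) -> datetime:
    """ActionTrail timestamps are UTC, e.g. 2022-06-08T01:58:26Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def account_to_query(event: dict) -> tuple[str, bool]:
    """(account that owns the operator, cross_account flag). The role's account is
    userIdentity.accountId, the operator's is requestParameters.stsTokenPlayerUid;
    when they differ, the AssumeRole event lives in the other account's trail."""
    role_account = str(event["userIdentity"]["accountId"])
    operator_account = str(event["requestParameters"]["stsTokenPlayerUid"])
    return operator_account, operator_account != role_account


def split_role_session(user_name: str) -> tuple[str, str]:
    """'role-for-user-identity:Alice' -> ('role-for-user-identity', 'Alice')."""
    role, _, session = user_name.partition(":")
    return role, session


def find_assume_role_event(sts_key_id: str, events: list[dict]) -> dict | None:
    """The AssumeRole event whose Credentials.AccessKeyId is the STS key the
    assumed-role event used (what the console's Resource Name search matches)."""
    for ev in events:
        creds = ev.get("responseElements", {}).get("Credentials", {})
        if ev.get("eventName") == "AssumeRole" and creds.get("AccessKeyId") == sts_key_id:
            return ev
    return None


def correlation_problems(assumed: dict, assume_role: dict) -> list[str]:
    """Consistency checks that the two events describe one role session.
    An empty list means they agree; a matching key ID alone is not enough."""
    uid, req, resp = assumed["userIdentity"], assume_role["requestParameters"], assume_role["responseElements"]
    role, session = split_role_session(uid["userName"])
    problems = []
    if resp["AssumedRoleUser"]["AssumedRoleId"] != uid["principalId"]:
        problems.append("AssumedRoleId != principalId")
    if not req["RoleArn"].endswith(":role/" + role):
        problems.append("RoleArn is not role %r" % role)
    if req.get("RoleSessionName") != session:
        problems.append("RoleSessionName != %r" % session)
    if not _ts(assume_role["eventTime"]) <= _ts(assumed["eventTime"]) < _ts(resp["Credentials"]["Expiration"]):
        problems.append("call made outside the token's validity window")
    return problems


def resolve_operator(event: dict, events: list[dict], max_hops: int = 5) -> dict:
    """Walk back from an assumed-role event to the identity that started the
    session. Looping past one hop is an assumption: it covers a role's STS token
    assuming a further role, recorded as an AssumeRole event whose own
    userIdentity.type is assumed-role."""
    chain, current = [], event
    for _ in range(max_hops):
        uid = current["userIdentity"]
        if uid["type"] != "assumed-role":
            keys = ("type", "userName", "accountId", "principalId", "accessKeyId")
            return {"resolved": True, "operator": {k: uid[k] for k in keys}, "chain": chain}
        src = find_assume_role_event(uid["accessKeyId"], events)
        if src is None:
            return {"resolved": False, "chain": chain, "reason": "no AssumeRole event issued %s" % uid["accessKeyId"]}
        problems = correlation_problems(current, src)
        if problems:
            return {"resolved": False, "chain": chain, "reason": "; ".join(problems)}
        role, session = split_role_session(uid["userName"])
        chain.append({"role": role, "session": session, "assumeRoleEventId": src["eventId"]})
        current = src
    return {"resolved": False, "chain": chain, "reason": "more than %d hops" % max_hops}


if __name__ == "__main__":
    print(json.dumps(resolve_operator(ASSUMED_ROLE_EVENT, [ASSUME_ROLE_EVENT]), indent=2))
```

Run account_to_query first: when it reports a cross-account session, the AssumeRole event is not in the trail you are looking at, and the list passed to resolve_operator has to come from the operator's account. An empty correlation_problems result is what justifies the attribution; a key-ID match with a failing time window or a mismatched AssumedRoleId should be treated as an unresolved event, not as evidence against the operator.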