ActionTrail records the events that are related to Identity Management Service (IMS). You can query the details of an event to obtain information such as the time when the event occurred, the region where the event occurred, and the RAM user involved. This topic provides the logs of four sample IMS-related events and describes the key fields included in the event logs.
Create a RAM user in the RAM console by using an Alibaba Cloud account
The following sample event log indicates that an Alibaba Cloud account created the
RAM user whose username is Alice@163205818484****.onaliyun.com
by using the RAM console at 14:59:52 on August 05, 2021, UTC+8.
{
"eventId": "80648075-F89C-555D-974B-78E436FE4331",
"eventVersion": 1,
"responseElements": {
"User": {
"UpdateDate": "2021-08-05T06:59:52Z",
"Email": "username@example.com",
"Comments": "",
"UserId": "21284212814679*****",
"LastLoginDate": "",
"DisplayName": "Alice",
"UserPrincipalName": "Alice@163205818484****.onaliyun.com",
"CreateDate": "2021-08-05T06:59:52Z",
"MobilePhone": "1381111****"
},
"RequestId": "80648075-F89C-555D-974B-78E436FE4331"
},
"eventSource": "ims-share.aliyuncs.com",
"requestParameters": {
"charset": "UTF-8",
"AcsHost": "ims-share.aliyuncs.com",
"AcsProduct": "Ims",
"RequestId": "80648075-F89C-555D-974B-78E436FE4331",
"DisplayName": "Alice",
"AcceptLanguage": "zh-CN",
"AkProxySuffix": "ram",
"UserPrincipalName": "Alice@163205818484****.onaliyun.com",
"HostId": "ims-share.aliyuncs.com"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "ram.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::RAM::User": [
"Alice@163205818484****.onaliyun.com"
]
},
"userIdentity": {
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T06:59:52Z"
}
},
"accountId": "163205818484****",
"principalId": "163205818484****",
"type": "root-account",
"userName": "root"
},
"serviceName": "Ims",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26888"
},
"apiVersion": "2019-08-15",
"requestId": "80648075-F89C-555D-974B-78E436FE4331",
"eventTime": "2021-08-05T06:59:52Z",
"isGlobal": true,
"acsRegion": "cn-shanghai",
"eventName": "CreateUser"
}
The sample event log contains the following key fields:
userIdentity.type
: the identity type of the requester. The value in the example isroot-account
, which indicates an Alibaba Cloud account.serviceName
: the name of the Alibaba Cloud service related to the event. The value in the example isIms
, which indicates IMS.eventName
: the name of the event. The value in the example isCreateUser
, which indicates that a RAM user was created.referencedResources
: the one or more resources that are related to the event. The value in the example is{"ACS::RAM::User": ["Alice@163205818484****.onaliyun.com"]}
, which indicates the RAM user whose username isAlice@163205818484****.onaliyun.com
.eventTime
: the time when the event occurred in UTC. The value in the example is2021-08-05T06:59:52Z
, which indicates 14:59:52 on August 05, 2021, UTC+8.
Create a RAM user in the RAM console as a RAM user
The following sample event log indicates that the RAM user whose username is Alice
created the RAM user whose username is test@189217171671****.onaliyun.com
by using the RAM console at 14:44:37 on August 05, 2021, UTC+8.
{
"eventId": "BB774582-E706-5B89-8540-84D9490D0F11",
"eventVersion": 1,
"responseElements": {
"User": {
"UpdateDate": "2021-08-05T06:44:37Z",
"Email": "username@example.com",
"Comments": "",
"UserId": "27688052814587****",
"LastLoginDate": "",
"DisplayName": "test",
"UserPrincipalName": "test@189217171671****.onaliyun.com",
"CreateDate": "2021-08-05T06:44:37Z",
"MobilePhone": "1381111****"
},
"RequestId": "BB774582-E706-5B89-8540-84D9490D0F11"
},
"eventSource": "ims-share.aliyuncs.com",
"requestParameters": {
"charset": "UTF-8",
"AcsHost": "ims-share.aliyuncs.com",
"AcsProduct": "Ims",
"RequestId": "BB774582-E706-5B89-8540-84D9490D0F11",
"DisplayName": "test",
"AcceptLanguage": "zh-CN",
"AkProxySuffix": "ram",
"UserPrincipalName": "test@189217171671****.onaliyun.com",
"HostId": "ims-share.aliyuncs.com"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "ram.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::RAM::User": [
"test@189217171671****.onaliyun.com"
]
},
"userIdentity": {
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T06:44:37Z"
}
},
"accountId": "189217171671****",
"principalId": "26135379175722****",
"type": "ram-user",
"userName": "Alice"
},
"serviceName": "Ims",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2019-08-15",
"requestId": "BB774582-E706-5B89-8540-84D9490D0F11",
"eventTime": "2021-08-05T06:44:37Z",
"isGlobal": true,
"acsRegion": "cn-shanghai",
"eventName": "CreateUser"
}
The sample event log contains the following key fields:
userIdentity.type
: the identity type of the requester. The value in the example isram-user
, which indicates a RAM user.userIdentity.userName
: the username of the RAM user that performed the operation.serviceName
: the name of the Alibaba Cloud service related to the event. The value in the example isIms
, which indicates IMS.eventName
: the name of the event. The value in the example isCreateUser
, which indicates that a RAM user was created.referencedResources
: the one or more resources that are related to the event. The value in the example is{"ACS::RAM::User": ["test@189217171671****.onaliyun.com"]}
, which indicates the RAM user whose username istest@189217171671****.onaliyun.com
.eventTime
: the time when the event occurred in UTC. The value in the example is2021-08-05T06:44:37Z
, which indicates 14:44:37 on August 05, 2021, UTC+8.
Create a RAM user by calling the CreateUser operation with an AccessKey pair used
The following sample event log indicates that the RAM user whose username is Alice
created the RAM user whose username is test@example.onaliyun.com
by calling the CreateUser operation at 14:52:21 on August 05, 2021, UTC+8. The Alice
RAM user used the AccessKey pair whose ID is LTAI4Fz1ykT4qxgNMvN6****
to initiate the API call.
{
"eventId": "ED377CCF-2F1E-542D-96E6-25ACD4C866E3",
"eventVersion": 1,
"responseElements": {
"User": {
"UpdateDate": "2021-08-05T06:52:21Z",
"Email": "username@example.com",
"Comments": "",
"UserId": "23705482814634****",
"LastLoginDate": "",
"DisplayName": "test",
"UserPrincipalName": "test@example.onaliyun.com",
"CreateDate": "2021-08-05T06:52:21Z",
"MobilePhone": "1381111****"
},
"RequestId": "ED377CCF-2F1E-542D-96E6-25ACD4C866E3"
},
"eventSource": "ims.aliyuncs.com",
"requestParameters": {
"AcsHost": "ims.aliyuncs.com",
"AcsProduct": "Ims",
"RequestId": "ED377CCF-2F1E-542D-96E6-25ACD4C866E3",
"DisplayName": "test",
"UserPrincipalName": "test@example.onaliyun.com",
"HostId": "ims.aliyuncs.com"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "AlibabaCloud (Mac OS X; x86_64) Java/1.8.0_151-b12 tea-util/0.2.6 TeaDSL/1",
"eventType": "ApiCall",
"referencedResources": {
"ACS::RAM::User": [
"test@example.onaliyun.com"
]
},
"userIdentity": {
"accessKeyId": "LTAI4Fz1ykT4qxgNMvN6****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T06:52:21Z"
}
},
"accountId": "121410627017****",
"principalId": "29041080637456****",
"type": "ram-user",
"userName": "Alice"
},
"serviceName": "Ims",
"additionalEventData": {
"Scheme": "https",
"CallerBid": "26842"
},
"apiVersion": "2019-08-15",
"requestId": "ED377CCF-2F1E-542D-96E6-25ACD4C866E3",
"eventTime": "2021-08-05T06:52:21Z",
"isGlobal": true,
"acsRegion": "cn-shanghai",
"eventName": "CreateUser"
}
The sample event log contains the following key fields:
userIdentity.accessKeyId
: the AccessKey ID that is used to initiate the API call. The value in the example isLTAI4Fz1ykT4qxgNMvN6****
.userIdentity.principalId
: the ID of the account to which the AccessKey pair belongs. The value in the example is29041080637456****
.userIdentity.type
: the identity type of the requester. The value in the example isram-user
, which indicates a RAM user.serviceName
: the name of the Alibaba Cloud service related to the event. The value in the example isIms
, which indicates IMS.eventName
: the name of the event. The value in the example isCreateUser
, which indicates that a RAM user was created.referencedResources
: the one or more resources that are related to the event. The value in the example is{"ACS::RAM::User": ["test@example.onaliyun.com"]}
, which indicates the RAM user whose username istest@example.onaliyun.com
.eventTime
: the time when the event occurred in UTC. The value in the example is2021-08-05T06:52:21Z
, which indicates 14:52:21 on August 05, 2021, UTC+8.
Create a RAM user by assuming a RAM role as a RAM user
The following sample event log indicates that a RAM user of the Alibaba Cloud account
whose ID is 189217171671****
created a RAM user by assuming the RAM role whose name is ram-role
of the current account at 14:50:12 on August 05, 2021, UTC+8. The created RAM user
is named test@189217171671****.onaliyun.com
.
{
"eventId": "7831E25F-2AAF-522B-A6A8-228ED41396C0",
"eventVersion": 1,
"responseElements": {
"User": {
"UpdateDate": "2021-08-05T06:50:12Z",
"Email": "username@example.com",
"Comments": "",
"UserId": "20560232814621****",
"LastLoginDate": "",
"DisplayName": "test",
"UserPrincipalName": "test@189217171671****.onaliyun.com",
"CreateDate": "2021-08-05T06:50:12Z",
"MobilePhone": "1381111****"
},
"RequestId": "7831E25F-2AAF-522B-A6A8-228ED41396C0"
},
"eventSource": "ims-share.aliyuncs.com",
"requestParameters": {
"stsTokenPrincipalName": "ram-role/roleTest123",
"charset": "UTF-8",
"AcsHost": "ims-share.aliyuncs.com",
"AcsProduct": "Ims",
"RequestId": "7831E25F-2AAF-522B-A6A8-228ED41396C0",
"DisplayName": "test",
"AcceptLanguage": "zh-CN",
"AkProxySuffix": "ram",
"UserPrincipalName": "test@189217171671****.onaliyun.com",
"HostId": "ims-share.aliyuncs.com",
"stsTokenPlayerUid": 189217171671****
},
"sourceIpAddress": "Internal",
"userAgent": "ram.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::RAM::User": [
"test@189217171671****.onaliyun.com"
]
},
"userIdentity": {
"accessKeyId": "STS.NTGje1eLLVFMNcgRsLVic****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T06:50:12Z"
}
},
"accountId": "189217171671****",
"principalId": "37177545076791****:roleTest123",
"type": "assumed-role",
"userName": "ram-role:roleTest123"
},
"serviceName": "Ims",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2019-08-15",
"requestId": "7831E25F-2AAF-522B-A6A8-228ED41396C0",
"eventTime": "2021-08-05T06:50:12Z",
"isGlobal": true,
"acsRegion": "cn-shanghai",
"eventName": "CreateUser"
}
The sample event log contains the following key fields:
userIdentity.type
: the identity type of the requester. The value in the example isassumed-role
, which indicates a RAM role.userIdentity.userName
: the username of the requester. The value is in the format of{roleName}:{sessionName}
.roleName
indicates the name of the RAM role that was assumed.sessionName
indicates the name that was specified when the RAM user that performed the operation assumed the RAM role. The value in the example isram-role:roleTest123
, which indicates that the name of the RAM role that was assumed isram-role
, and the name that was specified when the RAM user that performed the operation assumed the RAM role isroleTest123
.requestParameters.stsTokenPlayerUid
: the ID of the Alibaba Cloud account to which the RAM user that performed the operation belongs. The value in the example is189217171671****
.referencedResources
: the one or more resources that are related to the event. The value in the example is{"ACS::RAM::User": ["test@189217171671****.onaliyun.com"]}
, which indicates the RAM user whose username istest@189217171671****.onaliyun.com
.serviceName
: the name of the Alibaba Cloud service related to the event. The value in the example isIms
, which indicates IMS.eventName
: the name of the event. The value in the example isCreateUser
, which indicates that a RAM user was created.eventTime
: the time when the event occurred in UTC. The value in the example is2021-08-05T06:50:12Z
, which indicates 14:50:12 on August 05, 2021, UTC+8.