ActionTrail records the events that are related to Alibaba Cloud Security Token Service (STS). You can query the details of an STS-related event to obtain information such as the time when the event occurred, the region where the event occurred, and the temporary identity involved. This topic provides the logs of three sample STS-related events and describes the key fields included in the event logs.

Obtain a temporary identity as a RAM user in the console

The following sample event log indicates that the RAM user whose username is Alice obtained a temporary identity by assuming the cna-manager-test-role RAM role of the Alibaba Cloud account whose ID is 127812487797**** at 15:59:47 on August 05, 2021, UTC+8.

{
  "eventId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
    "AssumedRoleUser": {
      "Arn": "acs:ram::127812487797****:role/cna-manager-test-role/169074",
      "AssumedRoleId": "33618118978621****:169074"
    },
    "Credentials": {
      "AccessKeyId": "STS.NUQ79dzjpMPxYesi1YY5U****",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T08:59:47Z"
    }
  },
  "eventSource": "sts.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "AcsProduct": "Sts",
    "RequestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
    "RoleSessionName": 169074,
    "RegionId": "cn-hangzhou",
    "HostId": "sts.aliyuncs.com",
    "RoleArn": "acs:ram::127812487797****:role/cna-manager-test-role"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Linux; amd64) Java/1.8.0_152-b187 Core/4.5.17 HTTPClient/ApacheHttpClient",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUQ79dzjpMPxYesi1YY5U****"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T07:59:46Z"
      }
    },
    "accountId": "146411043369****",
    "principalId": "21336811218169****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
  "eventTime": "2021-08-05T07:59:47Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "AssumeRole"
}

The sample event log contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates a RAM user.
  • userIdentity.userName: the username of the RAM user.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Sts, which indicates STS.
  • eventName: the name of the event. The value in the example is AssumeRole, which indicates that a temporary identity was obtained by assuming a RAM role. In this example, an Alibaba Cloud account is used as the trusted entity of the RAM role.
  • requestParameters.RoleArn: the Alibaba Cloud Resource Name (ARN) of the RAM role that was assumed by the RAM user. The value in the example is acs:ram::127812487797****:role/cna-manager-test-role. 127812487797**** indicates the ID of the Alibaba Cloud account to which the RAM role belongs. cna-manager-test-role indicates the name of the RAM role.
  • referencedResources: the resource or resources that are related to the event. The value in the example is {"ACS::RAM::AccessKey": ["STS.NUQ79dzjpMPxYesi1YY5U****"]}, which indicates the STS.NUQ79dzjpMPxYesi1YY5U**** temporary identity credential.
  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-05T07:59:47Z, which indicates 15:59:47 on August 05, 2021, UTC+8.

Obtain a temporary identity as a RAM user by calling the AssumeRole operation

The following sample event log indicates that the RAM user whose username is Alice obtained a temporary access token by assuming the aliyunosstokengeneratorrole RAM role of the Alibaba Cloud account whose ID is 193875730500**** at 16:03:31 on August 05, 2021, UTC+8. The RAM user called the AssumeRole operation to assume the RAM role.

{
  "eventId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
    "AssumedRoleUser": {
      "Arn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole/X5wpmS6EgkM080aE0Kym****",
      "AssumedRoleId": "30815480203992****:X5wpmS6EgkM080aE0Kym****"
    },
    "Credentials": {
      "AccessKeyId": "STS.NTobFuYYn6EBxAVhC18ta****",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T09:03:31Z"
    }
  },
  "eventSource": "sts.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "Policy": {
      "Version": "1",
      "Statement": [
        {
          "Condition": {},
          "Action": [
            "oss:PutObject"
          ],
          "Resource": [
            "acs:oss:*:*:taowo/image/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*",
            "acs:oss:*:*:taowo/video/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*",
            "acs:oss:*:*:taowo/sound/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*"
          ],
          "Effect": "Allow"
        }
      ]
    },
    "AcsHost": "sts.cn-hangzhou.aliyuncs.com",
    "AcsProduct": "Sts",
    "RequestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
    "RoleSessionName": "X5wpmS6EgkM080aE0Kym****",
    "Region": "cn-hangzhou",
    "SignatureType": "",
    "RegionId": "cn-hangzhou",
    "HostId": "sts.cn-hangzhou.aliyuncs.com",
    "RoleArn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Linux 3.10.0-1127.19.1.el7.x86_64;x86_64) Python/3.8.8 Core/2.13.32 python-requests/2.18.3",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NTobFuYYn6EBxAVhC18ta****"
    ]
  },
  "userIdentity": {
    "accessKeyId": "LTAI2jP0BF0f****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T08:03:31Z"
      }
    },
    "accountId": "193875730500****",
    "principalId": "21365465900895****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
  "eventTime": "2021-08-05T08:03:31Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "AssumeRole"
}

The sample event log contains the following key fields:

  • userIdentity.accessKeyId: the AccessKey ID that is used to initiate the API call. The value in the example is LTAI2jP0BF0f****.
  • userIdentity.principalId: the ID of the account to which the AccessKey pair belongs. The value in the example is 21365465900895****.
  • userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates a RAM user.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Sts, which indicates STS.
  • eventName: the name of the event. The value in the example is AssumeRole, which indicates that a temporary identity was obtained by assuming a RAM role. In this example, an Alibaba Cloud account is used as the trusted entity of the RAM role.
  • requestParameters.RoleArn: the ARN of the RAM role that was assumed by the RAM user. The value in the example is acs:ram::193875730500****:role/aliyunosstokengeneratorrole. 193875730500**** indicates the ID of the Alibaba Cloud account to which the RAM role belongs. aliyunosstokengeneratorrole indicates the name of the RAM role.
  • referencedResources: the resource or resources that are related to the event. The value in the example is {"ACS::RAM::AccessKey": ["STS.NTobFuYYn6EBxAVhC18ta****"]}, which indicates the STS.NTobFuYYn6EBxAVhC18ta**** temporary identity credential.
  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-05T08:03:31Z, which indicates 16:03:31 on August 05, 2021, UTC+8.

Obtain a temporary identity as an enterprise user by using role-based SSO

The following sample event log indicates that the enterprise user whose username is Alice obtained a temporary identity by using role-based SSO at 16:04:56 on August 05, 2021, UTC+8. The enterprise user used role-based SSO to assume the cruisetestrole RAM role of the Alibaba Cloud account whose ID is 189186630579****.

{
  "eventId": "66FDD0F9-3546-567A-8964-2BD734198356",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "66FDD0F9-3546-567A-8964-2BD734198356",
    "SAMLAssertionInfo": {
      "SubjectType": "transient",
      "Issuer": "https://testidp/saml",
      "Recipient": "https://signin.aliyun.com/saml-role/sso",
      "Subject": "Alice"
    },
    "AssumedRoleUser": {
      "Arn": "acs:ram::189186630579****:role/cruisetestrole/cruisetest",
      "AssumedRoleId": "37924473051351****:cruisetest"
    },
    "Credentials": {
      "AccessKeyId": "STS.NUTNKhGR8BR3QL9sJkSHp****",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T09:04:56Z"
    }
  },
  "eventSource": "sts.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "SAMLAssertion": "***",
    "AcsProduct": "Sts",
    "RequestId": "66FDD0F9-3546-567A-8964-2BD734198356",
    "DurationSeconds": 3600,
    "HostId": "sts.aliyuncs.com",
    "SAMLProviderArn": "acs:ram::189186630579****:saml-provider/mockedIdp",
    "RoleArn": "acs:ram::189186630579****:role/cruisetestrole"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Jakarta Commons-HttpClient/3.1",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUTNKhGR8BR3QL9sJkSHp****"
    ]
  },
  "userIdentity": {
    "accountId": "189186630579****",
    "samlProviderName": "mockedIdp",
    "type": "saml-user",
    "userName": "Alice",
    "samlIssuer": "https://testidp/saml"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "66FDD0F9-3546-567A-8964-2BD734198356",
  "eventTime": "2021-08-05T08:04:56Z",
  "isGlobal": false,
  "acsRegion": "cn-shanghai",
  "eventName": "AssumeRoleWithSAML"
}

The sample event log contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in the example is saml-user, which indicates a user of an enterprise-specific identity system.
  • userIdentity.userName: the username of the enterprise user.
  • requestParameters.RoleArn: the ARN of the RAM role that was assumed by the enterprise user. The value in the example is acs:ram::189186630579****:role/cruisetestrole. 189186630579**** indicates the ID of the Alibaba Cloud account to which the RAM role belongs. cruisetestrole indicates the name of the RAM role.
  • referencedResources: the resource or resources that are related to the event. The value in the example is {"ACS::RAM::AccessKey": ["STS.NUTNKhGR8BR3QL9sJkSHp****"]}, which indicates the STS.NUTNKhGR8BR3QL9sJkSHp**** temporary identity credential.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Sts, which indicates STS.
  • eventName: the name of the event. The value in the example is AssumeRoleWithSAML, which indicates that a temporary identity was obtained by using role-based SSO.
  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-05T08:04:56Z, which indicates 16:04:56 on August 05, 2021, UTC+8.
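As an added example that is not part of the Alibaba Cloud documentation, the following Python reduces an ActionTrail STS event of any of the three shapes shown on this page to the key fields listed above, converts eventTime to UTC+8, and flags whether the assumed role belongs to a different account than the requester. The inputs are constructed, trimmed copies of the first and third sample logs; parse_role_arn and summarize_sts_event are hypothetical helper names, not an ActionTrail API.

```python
import json
from datetime import datetime, timedelta, timezone
# Constructed samples, trimmed to the fields the summary uses, shaped like the
# first (console AssumeRole) and third (AssumeRoleWithSAML) event logs above.
RAM_USER_EVENT = json.dumps({
    "eventName": "AssumeRole", "serviceName": "Sts", "acsRegion": "cn-hangzhou",
    "eventTime": "2021-08-05T07:59:47Z",
    "userIdentity": {"type": "ram-user", "userName": "Alice", "accountId": "146411043369****",
                     "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    "requestParameters": {"RoleArn": "acs:ram::127812487797****:role/cna-manager-test-role"},
    "referencedResources": {"ACS::RAM::AccessKey": ["STS.NUQ79dzjpMPxYesi1YY5U****"]}})
SAML_USER_EVENT = json.dumps({
    "eventName": "AssumeRoleWithSAML", "serviceName": "Sts", "acsRegion": "cn-shanghai",
    "eventTime": "2021-08-05T08:04:56Z",
    "userIdentity": {"type": "saml-user", "userName": "Alice", "accountId": "189186630579****",
                     "samlProviderName": "mockedIdp"},
    "requestParameters": {"RoleArn": "acs:ram::189186630579****:role/cruisetestrole",
                          "DurationSeconds": 3600},
    "referencedResources": {"ACS::RAM::AccessKey": ["STS.NUTNKhGR8BR3QL9sJkSHp****"]}})
UTC8 = timezone(timedelta(hours=8))

def parse_role_arn(arn):
    """Split 'acs:ram::<account-id>:role/<role-name>' into (account_id, role_name)."""
    parts = arn.split(":")
    if len(parts) != 5 or parts[:2] != ["acs", "ram"] or not parts[4].startswith("role/"):
        raise ValueError(f"not a RAM role ARN: {arn!r}")
    return parts[3], parts[4][len("role/"):]

def summarize_sts_event(raw):
    """Reduce one ActionTrail STS event (JSON text) to the fields a reviewer checks first."""
    ev = json.loads(raw)
    if ev.get("serviceName") != "Sts":
        raise ValueError("not an STS event")
    ident, params = ev["userIdentity"], ev["requestParameters"]
    role_account, role_name = parse_role_arn(params["RoleArn"])
    # mfaAuthenticated is only present under sessionContext for RAM-user calls;
    # role-based SSO (saml-user) events carry no such attribute, so report None.
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
    when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "event": ev["eventName"],
        "requester": f'{ident["type"]}:{ident.get("userName", "?")}',
        "idp": ident.get("samlProviderName"),          # set only for saml-user
        "mfa": None if mfa is None else mfa == "true",
        "role": role_name,
        "cross_account": ident.get("accountId") != role_account,
        "temp_keys": ev.get("referencedResources", {}).get("ACS::RAM::AccessKey", []),
        "session_policy": "Policy" in params,          # caller-supplied scoping policy
        "time_utc8": when.astimezone(UTC8).strftime("%Y-%m-%d %H:%M:%S"),
    }
```

The first sample is a cross-account assumption (the RAM user's accountId differs from the account in RoleArn), while the SAML sample is same-account and carries no mfaAuthenticated attribute at all.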