A sample ActionTrail event log demonstrates what is recorded when a RAM user queries events by assuming a RAM role. Key fields in the event log are explained.
Example
The following example shows an event that occurred at 08:00:00 on January 1, 2021 (UTC+8). In this event, a Resource Access Management (RAM) user of Alibaba Cloud account 175498693826**** queried ActionTrail events by assuming the custom-role-for-actiontrail role of Alibaba Cloud account 159498693826****.
```json
{
  "apiVersion": "2020-07-06",
  "requestId": "3462D6AF-4434-4690-8CAD-E54A",
  "eventType": "ApiCall",
  "userIdentity": {
    "accessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-01-01T00:00:00Z"
      }
    },
    "accountId": "159498693826****",
    "principalId": "34359792600393****:u1",
    "type": "assumed-role",
    "userName": "custom-role-for-actiontrail:u1"
  },
  "acsRegion": "cn-hangzhou",
  "eventName": "LookupEvents",
  "requestParameters": {
    "stsTokenPrincipalName": "custom-role-for-actiontrail/u1",
    "AcsHost": "actiontrail.cn-hangzhou.aliyuncs.com",
    "ServiceCode": "actiontrail",
    "AcsProduct": "Actiontrail",
    "RequestId": "3462D6AF-4434-4690-8CAD-E54A",
    "Region": "cn-hangzhou",
    "LookupAttribute.1.Value": "Write",
    "RegionId": "cn-hangzhou",
    "HostId": "actiontrail.cn-hangzhou.aliyuncs.com",
    "stsTokenPlayerUid": 175498693826****,
    "LookupAttribute.1.Key": "EventRW"
  },
  "eventSource": "actiontrail.cn-hangzhou.aliyuncs.com",
  "serviceName": "Actiontrail",
  "eventTime": "2021-01-01T00:00:00Z",
  "userAgent": "AlibabaCloud (Mac OS X; x86_64) Java/1.8.0_252-b09 Core/4.4.6 HTTPClient/ApacheHttpClient",
  "eventId": "3462D6AF-4434-4690-8CAD-****",
  "additionalEventData": {
    "Scheme": "http"
  },
  "errorCode": "",
  "errorMessage": "",
  "eventVersion": "1",
  "sourceIpAddress": "192.168.XX.XX"
}
```
Key fields in this example:
- userIdentity.accountId: The Alibaba Cloud account ID of the requester. In this example, the value is 159498693826****. This is the ID of the account to which the assumed RAM role belongs.
- userIdentity.principalId: The ID of the requester. The format is {roleId}:{sessionName}, where roleId is the ID of the assumed RAM role and sessionName is the custom name specified for the role session. The value in this example is 34359792600393****:u1. This means that the ID of the assumed RAM role is 34359792600393**** and the session name is u1.
- userIdentity.type: The identity type of the requester. The value assumed-role indicates that the access was made by assuming a RAM role.
- userIdentity.userName: The username of the requester. The format is {roleName}:{sessionName}, where roleName is the name of the assumed role and sessionName is the custom name specified for the role session. The value in this example is custom-role-for-actiontrail:u1. This means that the name of the assumed RAM role is custom-role-for-actiontrail and the session name is u1.

  Note: custom-role-for-actiontrail is a custom role for ActionTrail that has permissions to query ActionTrail events.
- userIdentity.creationDate: The time in UTC when the event occurred. For example, 2021-01-01T00:00:00Z indicates 08:00:00 on January 1, 2021 (UTC+8).
- requestParameters.stsTokenPlayerUid: The ID of the Alibaba Cloud account to which the principal that assumed the role belongs. A value of 175498693826**** indicates that a RAM user of Alibaba Cloud account 175498693826**** assumed a RAM role that belongs to account 159498693826****.
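The following Python code is an added example, not part of the ActionTrail documentation. It applies the field formats described above to pull the role, session, and originating account out of an assumed-role event and to flag cross-account role assumption. The names summarize_assumed_role and SAMPLE_EVENT are hypothetical, and the sample event is constructed from the masked values shown on this page.

```python
# Added example; summarize_assumed_role and SAMPLE_EVENT are hypothetical names.
# SAMPLE_EVENT is constructed from the masked values in the event above.
SAMPLE_EVENT = {
    "eventName": "LookupEvents",
    "userIdentity": {
        "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
        "accountId": "159498693826****",
        "principalId": "34359792600393****:u1",
        "type": "assumed-role",
        "userName": "custom-role-for-actiontrail:u1",
    },
    # Masked here, so kept as a string; handled as str or int below.
    "requestParameters": {"stsTokenPlayerUid": "175498693826****"},
}


def summarize_assumed_role(event):
    """Return role and caller details for an assumed-role event, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "assumed-role":
        return None
    # principalId is {roleId}:{sessionName}; userName is {roleName}:{sessionName}.
    role_id, _, session_a = ident.get("principalId", "").partition(":")
    role_name, _, session_b = ident.get("userName", "").partition(":")
    role_account = str(ident.get("accountId", ""))
    caller = event.get("requestParameters", {}).get("stsTokenPlayerUid")
    caller_account = None if caller is None else str(caller)
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return {
        "event": event.get("eventName"),
        "role_account": role_account,
        "role_id": role_id,
        "role_name": role_name,
        "session_name": session_b or session_a,
        "session_consistent": session_a == session_b,
        "caller_account": caller_account,
        # True when the principal's account differs from the role's account.
        "cross_account": caller_account not in (None, role_account),
        "mfa_authenticated": attrs.get("mfaAuthenticated") == "true",
    }


if __name__ == "__main__":
    for key, value in summarize_assumed_role(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```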