This topic provides the log of a sample event in which a RAM user queried ActionTrail events by assuming a RAM role. This topic also describes the key fields involved in the event log.
Example
The following example shows that a RAM user of the Alibaba Cloud account whose ID is 175498693826**** queried ActionTrail events by assuming the custom-role-for-actiontrail RAM role that belongs to the Alibaba Cloud account whose ID is 159498693826**** at 08:00:00 on January 1, 2021, UTC+8.
{
"apiVersion": "2020-07-06",
"requestId": "3462D6AF-4434-4690-8CAD-E54A",
"eventType": "ApiCall",
"userIdentity": {
"accessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-01-01T00:00:00Z"
}
},
"accountId": "159498693826****",
"principalId": "34359792600393****:u1",
"type": "assumed-role",
"userName": "custom-role-for-actiontrail:u1"
},
"acsRegion": "cn-hangzhou",
"eventName": "LookupEvents",
"requestParameters": {
"stsTokenPrincipalName": "custom-role-for-actiontrail/u1",
"AcsHost": "actiontrail.cn-hangzhou.aliyuncs.com",
"ServiceCode": "actiontrail",
"AcsProduct": "Actiontrail",
"RequestId": "3462D6AF-4434-4690-8CAD-E54A",
"Region": "cn-hangzhou",
"LookupAttribute.1.Value": "Write",
"RegionId": "cn-hangzhou",
"HostId": "actiontrail.cn-hangzhou.aliyuncs.com",
"stsTokenPlayerUid": 175498693826****,
"LookupAttribute.1.Key": "EventRW"
},
"eventSource": "actiontrail.cn-hangzhou.aliyuncs.com",
"serviceName": "Actiontrail",
"eventTime": "2021-01-01T00:00:00Z",
"userAgent": "AlibabaCloud (Mac OS X; x86_64) Java/1.8.0_252-b09 Core/4.4.6 HTTPClient/ApacheHttpClient",
"eventId": "3462D6AF-4434-4690-8CAD-****",
"additionalEventData": {
"Scheme": "http"
},
"errorCode": "",
"errorMessage": "",
"eventVersion": "1",
"sourceIpAddress": "192.168.XX.XX"
}The sample event log contains the following key fields:
userIdentity.accountId: the ID of the Alibaba Cloud account of the requester. The value in this example is159498693826****, which indicates the ID of the Alibaba Cloud account to which the RAM role belongs.userIdentity.principalId: the ID of the requester. The value is in the format of{roleId}:{sessionName}.roleIdindicates the ID of the RAM role.sessionNameindicates the name that was specified when the requester assumed the RAM role. The value in this example is34359792600393****:u1.34359792600393****indicates the ID of the RAM role.u1indicates the role name specified when the requester assumed the RAM role.userIdentity.type: the type of the identity of the requester. The value in this example isassumed-role, which indicates that the requester performs operations by assuming the RAM role.userIdentity.userName: the username of the requester. The value is in the format of{roleName}:{sessionName}.roleNameindicates the name of the RAM role.sessionNameindicates the name that was specified when the requester assumed the RAM role. The value in this example iscustom-role-for-actiontrail:u1.custom-role-for-actiontrailindicates the name of the RAM role.u1indicates the role name specified when the requester assumed the RAM role.Notecustom-role-for-actiontrailis the name of a custom RAM role for ActionTrail. The role can be assumed by the requester to query ActionTrail events.userIdentity.creationDate: the time when the event occurred, in UTC. The value in the example is2021-01-01T00:00:00Z, which indicates that the event occurred at 08:00:00 on January 1, 2021, in UTC+8.requestParameters.stsTokenPlayerUid: the ID of the Alibaba Cloud account to which the RAM user belongs. The value in the example is175498693826****, which indicates that the RAM user of the Alibaba Cloud account whose ID is175498693826****assumed the RAM role that belongs to the Alibaba Cloud account whose ID is159498693826****.