
ActionTrail:STS

Last Updated:Mar 28, 2025

ActionTrail records the events that are related to Alibaba Cloud Security Token Service (STS). You can query the details of an STS-related event to obtain information such as the time when the event occurred, the region where the event occurred, and the temporary identity involved. This topic provides the logs of three sample STS-related events and describes the key fields included in the event logs.

Obtain a temporary identity as a RAM user in the console

In the following example, the Resource Access Management (RAM) user whose username is Alice obtained a temporary identity by calling the AssumeRole operation at 15:59:47 on August 05, 2021 (UTC+8). The RAM user assumed the cna-manager-test-role role of the Alibaba Cloud account whose ID is 127812487797****.

{
  "eventId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
    "AssumedRoleUser": {
      "Arn": "acs:ram::127812487797****:role/cna-manager-test-role/169074",
      "AssumedRoleId": "33618118978621****:169074"
    },
    "Credentials": {
      "AccessKeyId": "STS.****************",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T08:59:47Z"
    }
  },
  "eventSource": "sts.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "AcsProduct": "Sts",
    "RequestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
    "RoleSessionName": 169074,
    "RegionId": "cn-hangzhou",
    "HostId": "sts.aliyuncs.com",
    "RoleArn": "acs:ram::127812487797****:role/cna-manager-test-role"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Linux; amd64) Java/1.8.0_152-b187 Core/4.5.17 HTTPClient/ApacheHttpClient",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUQ79dzjpMPxYesi1YY5U****"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T07:59:46Z"
      }
    },
    "accountId": "146411043369****",
    "principalId": "21336811218169****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
  "eventTime": "2021-08-05T07:59:47Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "AssumeRole"
}

The sample event log contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates a RAM user.

  • userIdentity.userName: the username of the RAM user.

  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Sts, which indicates STS.

  • eventName: the name of the event. The value in the example is AssumeRole, which indicates that a RAM user obtained a temporary identity by assuming a RAM role. The trusted entity of the RAM role is an Alibaba Cloud account.

  • requestParameters.RoleArn: the Alibaba Cloud Resource Name (ARN) of the RAM role that is assumed by the RAM user. The value in the example is acs:ram::127812487797****:role/cna-manager-test-role. 127812487797**** indicates the ID of the Alibaba Cloud account to which the RAM role belongs, and cna-manager-test-role indicates the name of the RAM role.

  • referencedResources: the resources that are involved in the event. The value in the example is {"ACS::RAM::AccessKey": ["STS.NUQ79dzjpMPxYesi1YY5U****"]}, which indicates the temporary identity with a credential of STS.NUQ79dzjpMPxYesi1YY5U****.

  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-05T07:59:47Z, which indicates 15:59:47 on August 05, 2021 (UTC+8).

Obtain a temporary identity as a RAM user by calling the AssumeRole operation

In the following example, the RAM user whose username is Alice obtained a temporary identity by calling the AssumeRole operation at 16:03:31 on August 05, 2021 (UTC+8). The RAM user assumed the aliyunosstokengeneratorrole role of the Alibaba Cloud account whose ID is 193875730500****.

{
  "eventId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
    "AssumedRoleUser": {
      "Arn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole/X5wpmS6EgkM080aE0Kym****",
      "AssumedRoleId": "30815480203992****:X5wpmS6EgkM080aE0Kym****"
    },
    "Credentials": {
      "AccessKeyId": "STS.****************",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T09:03:31Z"
    }
  },
  "eventSource": "sts.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "Policy": {
      "Version": "1",
      "Statement": [
        {
          "Condition": {},
          "Action": [
            "oss:PutObject"
          ],
          "Resource": [
            "acs:oss:*:*:taowo/image/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*",
            "acs:oss:*:*:taowo/video/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*",
            "acs:oss:*:*:taowo/sound/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*"
          ],
          "Effect": "Allow"
        }
      ]
    },
    "AcsHost": "sts.cn-hangzhou.aliyuncs.com",
    "AcsProduct": "Sts",
    "RequestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
    "RoleSessionName": "X5wpmS6EgkM080aE0Kym****",
    "Region": "cn-hangzhou",
    "SignatureType": "",
    "RegionId": "cn-hangzhou",
    "HostId": "sts.cn-hangzhou.aliyuncs.com",
    "RoleArn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Linux 3.10.0-1127.19.1.el7.x86_64;x86_64) Python/3.8.8 Core/2.13.32 python-requests/2.18.3",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NTobFuYYn6EBxAVhC18ta****"
    ]
  },
  "userIdentity": {
    "accessKeyId": "LTAI****************",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T08:03:31Z"
      }
    },
    "accountId": "193875730500****",
    "principalId": "21365465900895****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
  "eventTime": "2021-08-05T08:03:31Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "AssumeRole"
}

The sample event log contains the following key fields:

  • userIdentity.accessKeyId: the AccessKey ID that is used to initiate the API call. The value in the example is LTAI****************.

  • userIdentity.principalId: the ID of the account to which the AccessKey pair belongs. The value in the example is 21365465900895****.

  • userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates a RAM user.

  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Sts, which indicates STS.

  • eventName: the name of the event. The value in the example is AssumeRole, which indicates that a RAM user obtained a temporary identity by assuming a RAM role. The trusted entity of the RAM role is an Alibaba Cloud account.

  • requestParameters.RoleArn: the ARN of the RAM role that is assumed by the RAM user. The value in the example is acs:ram::193875730500****:role/aliyunosstokengeneratorrole. 193875730500**** indicates the ID of the Alibaba Cloud account to which the RAM role belongs, and aliyunosstokengeneratorrole indicates the name of the RAM role.

  • referencedResources: the resources that are involved in the event. The value in the example is {"ACS::RAM::AccessKey": ["STS.NTobFuYYn6EBxAVhC18ta****"]}, which indicates the temporary identity with a credential of STS.NTobFuYYn6EBxAVhC18ta****.

  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-05T08:03:31Z, which indicates 16:03:31 on August 05, 2021 (UTC+8).

Obtain a temporary identity as an enterprise user by using role-based SSO

In the following example, the enterprise user whose username is Alice obtained a temporary identity by calling the AssumeRoleWithSAML operation at 16:04:56 on August 05, 2021 (UTC+8). The enterprise user used role-based SSO to assume the cruisetestrole role of the Alibaba Cloud account whose ID is 189186630579****.

{
  "eventId": "66FDD0F9-3546-567A-8964-2BD734198356",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "66FDD0F9-3546-567A-8964-2BD734198356",
    "SAMLAssertionInfo": {
      "SubjectType": "transient",
      "Issuer": "https://testidp/saml",
      "Recipient": "https://signin.aliyun.com/saml-role/sso",
      "Subject": "Alice"
    },
    "AssumedRoleUser": {
      "Arn": "acs:ram::189186630579****:role/cruisetestrole/cruisetest",
      "AssumedRoleId": "37924473051351****:cruisetest"
    },
    "Credentials": {
      "AccessKeyId": "STS.****************",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T09:04:56Z"
    }
  },
  "eventSource": "sts.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "SAMLAssertion": "***",
    "AcsProduct": "Sts",
    "RequestId": "66FDD0F9-3546-567A-8964-2BD734198356",
    "DurationSeconds": 3600,
    "HostId": "sts.aliyuncs.com",
    "SAMLProviderArn": "acs:ram::189186630579****:saml-provider/mockedIdp",
    "RoleArn": "acs:ram::189186630579****:role/cruisetestrole"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Jakarta Commons-HttpClient/3.1",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUTNKhGR8BR3QL9sJkSHp****"
    ]
  },
  "userIdentity": {
    "accountId": "189186630579****",
    "samlProviderName": "mockedIdp",
    "type": "saml-user",
    "userName": "Alice",
    "samlIssuer": "https://testidp/saml"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "66FDD0F9-3546-567A-8964-2BD734198356",
  "eventTime": "2021-08-05T08:04:56Z",
  "isGlobal": false,
  "acsRegion": "cn-shanghai",
  "eventName": "AssumeRoleWithSAML"
}

The sample event log contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in the example is saml-user, which indicates a user of an enterprise-specific identity system.

  • userIdentity.userName: the username of the enterprise user.

  • requestParameters.RoleArn: the ARN of the RAM role that is assumed by the enterprise user. The value in the example is acs:ram::189186630579****:role/cruisetestrole. 189186630579**** indicates the ID of the Alibaba Cloud account to which the RAM role belongs, and cruisetestrole indicates the name of the RAM role.

  • referencedResources: the resources that are involved in the event. The value in the example is {"ACS::RAM::AccessKey": ["STS.NUTNKhGR8BR3QL9sJkSHp****"]}, which indicates the temporary identity with a credential of STS.NUTNKhGR8BR3QL9sJkSHp****.

  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Sts, which indicates STS.

  • eventName: the name of the event. The value in the example is AssumeRoleWithSAML, which indicates that a temporary identity is obtained by using role-based SSO.

  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-05T08:04:56Z, which indicates 16:04:56 on August 05, 2021 (UTC+8).
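The three key-field lists above describe the same extraction for each event type: read userIdentity.type and userName, split requestParameters.RoleArn into the owning account ID and the role name, pull the temporary credential's AccessKey ID from referencedResources, and render eventTime (UTC) in UTC+8. The following Python script is an added example, not code from Alibaba Cloud or from this page, that performs that extraction over constructed copies of the three sample events and attaches a few review notes (session not MFA-authenticated, long-term AccessKey used, session policy present, role-based SSO, caller account differs from role account). The input loader accepts either a JSON array or newline-delimited JSON; which shape an ActionTrail delivery uses is an assumption here, and the note heuristics are the author's own, not fields of the event format.

```python
import json
from datetime import datetime, timedelta, timezone

UTC8 = timezone(timedelta(hours=8))

# Constructed sample input: abbreviated copies of the three STS events shown on this page,
# keeping only the fields read below (masked values are as they appear on the page).
SAMPLE_EVENTS_JSON = json.dumps([
    {
        "eventName": "AssumeRole", "serviceName": "Sts", "eventTime": "2021-08-05T07:59:47Z",
        "requestParameters": {"RoleArn": "acs:ram::127812487797****:role/cna-manager-test-role",
                              "RoleSessionName": 169074},
        "referencedResources": {"ACS::RAM::AccessKey": ["STS.NUQ79dzjpMPxYesi1YY5U****"]},
        "userIdentity": {"type": "ram-user", "userName": "Alice", "accountId": "146411043369****",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    },
    {
        "eventName": "AssumeRole", "serviceName": "Sts", "eventTime": "2021-08-05T08:03:31Z",
        "requestParameters": {"RoleArn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole",
                              "RoleSessionName": "X5wpmS6EgkM080aE0Kym****",
                              "Policy": {"Version": "1", "Statement": [{"Effect": "Allow",
                                         "Action": ["oss:PutObject"],
                                         "Resource": ["acs:oss:*:*:taowo/image/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*"]}]}},
        "referencedResources": {"ACS::RAM::AccessKey": ["STS.NTobFuYYn6EBxAVhC18ta****"]},
        "userIdentity": {"type": "ram-user", "userName": "Alice", "accountId": "193875730500****",
                         "accessKeyId": "LTAI****************",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    },
    {
        "eventName": "AssumeRoleWithSAML", "serviceName": "Sts", "eventTime": "2021-08-05T08:04:56Z",
        "requestParameters": {"RoleArn": "acs:ram::189186630579****:role/cruisetestrole",
                              "SAMLProviderArn": "acs:ram::189186630579****:saml-provider/mockedIdp",
                              "DurationSeconds": 3600},
        "referencedResources": {"ACS::RAM::AccessKey": ["STS.NUTNKhGR8BR3QL9sJkSHp****"]},
        "userIdentity": {"type": "saml-user", "userName": "Alice", "accountId": "189186630579****",
                         "samlProviderName": "mockedIdp", "samlIssuer": "https://testidp/saml"},
    },
])


def parse_role_arn(arn):
    """Split 'acs:ram::<account-id>:role/<role-name>' into (account_id, role_name)."""
    prefix = "acs:ram::"
    if not arn.startswith(prefix):
        raise ValueError(f"not a RAM ARN: {arn}")
    account_id, sep, resource = arn[len(prefix):].partition(":")
    if not sep or not resource.startswith("role/"):
        raise ValueError(f"not a RAM role ARN: {arn}")
    return account_id, resource[len("role/"):]


def event_time_utc8(event_time):
    """Render the UTC eventTime (for example 2021-08-05T07:59:47Z) in UTC+8, as the page's prose does."""
    utc = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(UTC8).strftime("%Y-%m-%d %H:%M:%S")


def summarize_sts_event(event):
    """Reduce one ActionTrail STS event to the key fields described on this page, plus review notes.
    Returns None for events that are not STS events. The notes are this example's own heuristics."""
    if event.get("serviceName") != "Sts":
        return None
    identity = event["userIdentity"]
    params = event["requestParameters"]
    role_account, role_name = parse_role_arn(params["RoleArn"])
    # mfaAuthenticated is logged as the string "false", not a JSON boolean.
    mfa = identity.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
    notes = []
    if event["eventName"] == "AssumeRole" and mfa == "false":
        notes.append("session not MFA-authenticated")
    if identity.get("accessKeyId", "").startswith("LTAI"):
        notes.append("long-term AccessKey used for the call")
    if "Policy" in params:
        actions = [a for s in params["Policy"].get("Statement", []) for a in s.get("Action", [])]
        notes.append("session policy limits the temporary identity to: " + ", ".join(actions))
    if event["eventName"] == "AssumeRoleWithSAML":
        notes.append(f"role-based SSO via SAML provider {identity.get('samlProviderName')}")
    return {
        "event": event["eventName"],
        "identity_type": identity["type"],
        "user": identity.get("userName"),
        "caller_account": identity.get("accountId"),
        "role_account": role_account,
        "role": role_name,
        # True when the caller's account is not the account that owns the role (first sample event).
        "cross_account": identity.get("accountId") != role_account,
        "temp_key_ids": event.get("referencedResources", {}).get("ACS::RAM::AccessKey", []),
        "time_utc8": event_time_utc8(event["eventTime"]),
        "notes": notes,
    }


def summarize_all(events_json):
    """Accept a JSON array or newline-delimited JSON (assumed delivery shapes) and summarize STS events."""
    text = events_json.strip()
    if text.startswith("["):
        events = json.loads(text)
    else:
        events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [s for s in (summarize_sts_event(e) for e in events) if s is not None]


if __name__ == "__main__":
    for summary in summarize_all(SAMPLE_EVENTS_JSON):
        print(json.dumps(summary, indent=2))
```

Running the script prints one summary per event; the first sample stands out as cross-account because userIdentity.accountId (146411043369****) differs from the account in RoleArn (127812487797****), and the second carries a session policy that narrows the temporary identity to oss:PutObject.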