前提条件
请确保已为调用本API的RAM用户授予STS的管理权限(AliyunSTSAssumeRoleAccess)。否则会报错,报错信息如下:
You are not authorized to do this action. You should be authorized by RAM.
问题原因和解决方法如下:
- 该RAM用户缺少允许STS扮演角色的权限策略:请为该RAM用户添加系统策略(AliyunSTSAssumeRoleAccess)或自定义策略。更多信息,请参见为RAM用户授权和能否指定RAM用户具体可以扮演哪个RAM角色。
- RAM角色的信任策略不包含您正在使用的RAM用户,即RAM角色不允许该RAM用户扮演:请为RAM角色添加允许该RAM用户扮演的信任策略。更多信息,请参见修改RAM角色的信任策略。
QPS限制
本API每分钟最多调用6000次,且一个阿里云账号及该账号下的RAM用户、RAM角色共用这6000次。当请求量超过6000次时,超出部分会报错,报错信息如下:
Request was denied due to user flow control.
Debug
DebugAuthorization information
There is currently no authorization information disclosed in the API
Request Parameters
| Region | Type | Required | Description | Example |
|---|---|---|---|---|
| DurationSeconds | integer | No | 3600 | |
| Policy | string | No | {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"} | |
| RoleArn | string | Yes | acs:ram::123456789012****:role/adminrole | |
| RoleSessionName | string | Yes | alice |
return parameter
Sample Code
Request example
https://sts.aliyuncs.com/?Action=AssumeRole
&DurationSeconds=3600
&RoleArn=acs:ram::123456789012****:role/adminrole
&RoleSessionName=alice
&公共请求参数
Sample Success Response
JSONFormat
{
"Credentials": {
"AccessKeyId": "STS.L4aBSCSJVMuKg5U1****",
"AccessKeySecret": "wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****",
"Expiration": "2015-04-09T11:52:19Z",
"SecurityToken": "********"
},
"AssumedRoleUser": {
"Arn": "acs:ram::123456789012****:role/adminrole/alice",
"AssumedRoleId": "34458433936495****:alice"
},
"RequestId": "6894B13B-6D71-4EF5-88FA-F32781734A7F"
}XMLFormat
<AssumeRoleResponse>
<Credentials>
<AccessKeyId>STS.L4aBSCSJVMuKg5U1****</AccessKeyId>
<AccessKeySecret>wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****</AccessKeySecret>
<Expiration>2015-04-09T11:52:19Z</Expiration>
<SecurityToken>********</SecurityToken>
</Credentials>
<AssumedRoleUser>
<Arn>acs:ram::123456789012****:role/adminrole/alice</Arn>
<AssumedRoleId>34458433936495****:alice</AssumedRoleId>
</AssumedRoleUser>
<RequestId>6894B13B-6D71-4EF5-88FA-F32781734A7F</RequestId>
</AssumeRoleResponse>Error Codes
| HttpCode | Error Codes | Error Message |
|---|---|---|
| 400 | InvalidParameter.DurationSeconds | The Min/Max value of DurationSeconds is 15min/1hr. |
| 400 | InvalidParameter.ExternalId | The parameter ExternalId is wrongly formed. |
| 400 | InvalidParameter.RoleArn | The parameter RoleArn is wrongly formed. |
| 400 | InvalidParameter.RoleSessionName | The parameter RoleSessionName is wrongly formed. |
| 400 | InvalidParameter.SerialNumber | The parameter SerialNumber is wrongly formed. |
| 400 | InvalidParameter.TokenCode | The parameter TokenCode is wrongly formed. |
| 400 | InvalidParameter.PolicyGrammar | The parameter Policy has not passed grammar check. |
| 400 | InvalidParameter.PolicySize | The size of Policy must be smaller than 1024 bytes. |
| 400 | InvalidParameter.ContentType | The ContentType request header must be either "application/json" or "application/x-www-form-urlencoded". |
| 403 | NoPermission | You are not authorized to do this action. You should be authorized by RAM. |
| 403 | AuthenticationFail.ApiUsername | The specified api username is not legal. |
| 403 | AuthenticationFail.ApiPassword | The specified api password is not legal. |
| 403 | NoPermission | No permission perform sts:AssumeRole on this Role. Maybe you are not authorized to perform sts:AssumeRole or the specified role does not trust you |
| 403 | NoPermission | Roles may not be assumed by root accounts. |
| 404 | EntityNotExist.Role | The specified Role not exists . |
| 500 | InternalError | STS Server Internal Error happened, please send the RequestId to us. |
accessError CenterSee more error codes.