
AssumeRole

Last Updated: Feb 22, 2022

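Prerequisites

Make sure that the RAM user calling this API has been granted the STS management permission (AliyunSTSAssumeRoleAccess). Otherwise, the call fails with the following error message: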

You are not authorized to do this action. You should be authorized by RAM.

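The causes and solutions are as follows:

QPS limit

This API can be called at most 6000 times per minute, and an Alibaba Cloud account and the RAM users and RAM roles under that account share these 6000 calls. When the number of requests exceeds 6000, the excess requests fail with the following error message: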

Request was denied due to user flow control.

Debug

You can call this operation directly in OpenAPI Explorer, which saves you from calculating signatures. After a successful call, OpenAPI Explorer can automatically generate SDK code samples.


Authorization information

No authorization information is currently disclosed for this API.

Request Parameters

| Name | Type | Required | Description | Example |
| --- | --- | --- | --- | --- |
| DurationSeconds | integer | No | | 3600 |
| Policy | string | No | | {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"} |
| RoleArn | string | Yes | | acs:ram::123456789012****:role/adminrole |
| RoleSessionName | string | Yes | | alice |

Response parameters

| Name | Type | Description | Example |
| --- | --- | --- | --- |
| | object | | |
| RequestId | string | | 6894B13B-6D71-4EF5-88FA-F32781734A7F |
| AssumedRoleUser | object | | |
| AssumedRoleId | string | | 34458433936495****:alice |
| Arn | string | | acs:ram::123456789012****:role/adminrole/alice |
| Credentials | object | The access credentials. | |
| SecurityToken | string | | ******** |
| Expiration | string | | 2015-04-09T11:52:19Z |
| AccessKeySecret | string | | wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK**** |
| AccessKeyId | string | | STS.L4aBSCSJVMuKg5U1**** |

Sample Code

Request example

https://sts.aliyuncs.com/?Action=AssumeRole
&DurationSeconds=3600
&RoleArn=acs:ram::123456789012****:role/adminrole
&RoleSessionName=alice
&<Common request parameters>

Sample Success Response

JSON format

{
  "Credentials": {
    "AccessKeyId": "STS.L4aBSCSJVMuKg5U1****",
    "AccessKeySecret": "wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****",
    "Expiration": "2015-04-09T11:52:19Z",
    "SecurityToken": "********"
  },
  "AssumedRoleUser": {
    "Arn": "acs:ram::123456789012****:role/adminrole/alice",
    "AssumedRoleId": "34458433936495****:alice"
  },
  "RequestId": "6894B13B-6D71-4EF5-88FA-F32781734A7F"
}

XML format

<AssumeRoleResponse>
    <Credentials>
        <AccessKeyId>STS.L4aBSCSJVMuKg5U1****</AccessKeyId>
        <AccessKeySecret>wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****</AccessKeySecret>
        <Expiration>2015-04-09T11:52:19Z</Expiration>
        <SecurityToken>********</SecurityToken>
    </Credentials>
    <AssumedRoleUser>
        <Arn>acs:ram::123456789012****:role/adminrole/alice</Arn>
        <AssumedRoleId>34458433936495****:alice</AssumedRoleId>
    </AssumedRoleUser>
    <RequestId>6894B13B-6D71-4EF5-88FA-F32781734A7F</RequestId>
</AssumeRoleResponse>

Error Codes

| HTTP code | Error code | Error message |
| --- | --- | --- |
| 400 | InvalidParameter.DurationSeconds | The Min/Max value of DurationSeconds is 15min/1hr. |
| 400 | InvalidParameter.ExternalId | The parameter ExternalId is wrongly formed. |
| 400 | InvalidParameter.RoleArn | The parameter RoleArn is wrongly formed. |
| 400 | InvalidParameter.RoleSessionName | The parameter RoleSessionName is wrongly formed. |
| 400 | InvalidParameter.SerialNumber | The parameter SerialNumber is wrongly formed. |
| 400 | InvalidParameter.TokenCode | The parameter TokenCode is wrongly formed. |
| 400 | InvalidParameter.PolicyGrammar | The parameter Policy has not passed grammar check. |
| 400 | InvalidParameter.PolicySize | The size of Policy must be smaller than 1024 bytes. |
| 400 | InvalidParameter.ContentType | The ContentType request header must be either "application/json" or "application/x-www-form-urlencoded". |
| 403 | NoPermission | You are not authorized to do this action. You should be authorized by RAM. |
| 403 | AuthenticationFail.ApiUsername | The specified api username is not legal. |
| 403 | AuthenticationFail.ApiPassword | The specified api password is not legal. |
| 403 | NoPermission | No permission perform sts:AssumeRole on this Role. Maybe you are not authorized to perform sts:AssumeRole or the specified role does not trust you |
| 403 | NoPermission | Roles may not be assumed by root accounts. |
| 404 | EntityNotExist.Role | The specified Role not exists . |
| 500 | InternalError | STS Server Internal Error happened, please send the RequestId to us. |

Visit the Error Center to see more error codes.
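The Policy parameter can only narrow what the assumed role already grants, so the sample Policy in the request parameters (Allow `*` on `*`) leaves the token with the role's full permissions. The following pre-flight check is an added example, not code from Alibaba Cloud or its SDKs: it applies the DurationSeconds and Policy limits from the error table above and flags wildcard session policies before a request is sent. The names `check_assume_role_params`, `PAGE_EXAMPLE` and `NARROWED`, and the OSS bucket in the narrowed policy, are assumptions made for illustration.

```python
import json

MIN_DURATION, MAX_DURATION = 900, 3600  # "15min/1hr" in the error table
MAX_POLICY_BYTES = 1024                 # Policy "must be smaller than 1024 bytes"

# Parameters of the page's own request example, including its sample Policy.
PAGE_EXAMPLE = {
    "RoleArn": "acs:ram::123456789012****:role/adminrole",
    "RoleSessionName": "alice",
    "DurationSeconds": 3600,
    "Policy": '{"Statement": [{"Action": ["*"],"Effect": "Allow",'
              '"Resource": ["*"]}],"Version":"1"}',
}
# Constructed for this example: the same role, narrowed to one bucket.
NARROWED = dict(PAGE_EXAMPLE, DurationSeconds=900, Policy=json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["oss:GetObject"],
                   "Resource": ["acs:oss:*:*:example-bucket/*"]}]}))


def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return value if isinstance(value, list) else [value]


def check_assume_role_params(params):
    """Return findings for an AssumeRole parameter dict; empty list means OK."""
    findings = [f"missing required parameter {name}"
                for name in ("RoleArn", "RoleSessionName") if not params.get(name)]
    duration = params.get("DurationSeconds")
    if duration is not None and not (
            isinstance(duration, int) and MIN_DURATION <= duration <= MAX_DURATION):
        findings.append("InvalidParameter.DurationSeconds: must be 900-3600")
    policy = params.get("Policy")
    if policy is None:
        return findings
    if len(policy.encode("utf-8")) >= MAX_POLICY_BYTES:
        findings.append("InvalidParameter.PolicySize: 1024 bytes or more")
    try:
        statements = _as_list(json.loads(policy).get("Statement", []))
    except (ValueError, AttributeError):
        return findings + ["InvalidParameter.PolicyGrammar: not a JSON object"]
    for i, stmt in enumerate(statements):
        # An Allow on */* narrows nothing: the token keeps all role permissions.
        if (isinstance(stmt, dict) and stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            findings.append(f"Statement[{i}] allows every action on every resource")
    return findings
```

Run against `PAGE_EXAMPLE`, the check reports the wildcard statement; `NARROWED` passes with no findings.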