
Identity as a Service: ObtainCloudAccountRoleAccessCredential

Last Updated: Jan 19, 2026

Obtains a temporary access credential for a cloud account role.

Operation description

This API uses an access token issued by IDaaS for identity authentication and authorization.

Ensure that the provided access token is authorized to obtain cloud role access credentials. This authorization is required to access the built-in Privileged Access Management (PAM) application in IDaaS.

Note: The scope is `urn:cloud:idaas:pam|cloud_account_role:obtain_access_credential`.


RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request syntax

GET /v2/{instanceId}/cloudAccountRoles/_/actions/obtainAccessCredential HTTP/1.1

Path Parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| instanceId | string | Yes | The instance ID. | idaas_ue2jvisn35ea5lmthk267xxxxx |

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| Authorization | string | Yes | The authentication information. The format is `Bearer ${access_token}`. Note: Enter the access token issued by IDaaS. | Bearer xxxxxx |
| cloudAccountRoleExternalId | string | Yes | The external ID of the cloud role. | acs:ram::xxx:role/role-test |

Response elements

Nested elements are written as dotted paths from the top-level response object.

| Element | Type | Description | Example |
|---|---|---|---|
| | object | | |
| cloudAccountId | string | The ID of the Alibaba Cloud account. | ca_01kmegjc11qa1txxxxx |
| cloudAccountRoleId | string | The ID of the cloud role. | carole_01kmek49aqxxxx |
| cloudAccountRoleName | string | The name of the cloud role. | role-test |
| cloudAccountRoleExternalId | string | The external ID of the cloud role. | acs:ram::xxx:role/role-test |
| cloudAccountVendorType | string | The type of the cloud account. Valid values: `alibaba_cloud` (Alibaba Cloud). | alibaba_cloud |
| cloudAccountRoleAccessCredential | object | The temporary access credential that can be used to assume the cloud role. | |
| cloudAccountRoleAccessCredential.accessCredentialExpiresAt | integer | The expiration time of the temporary access credential for the cloud role. It is a UNIX timestamp in seconds. | 1767196800 |
| cloudAccountRoleAccessCredential.alibabaCloudStsToken | object | The temporary identity credential (Security Token Service (STS) token) used to assume an Alibaba Cloud RAM role. Note: This parameter is returned only when the cloud account associated with the cloud role is an Alibaba Cloud account (`alibaba_cloud`). | |
| cloudAccountRoleAccessCredential.alibabaCloudStsToken.accessKeyId | string | The AccessKey ID. | STS.NUgYrLnoC37mZZCNnAbez**** |
| cloudAccountRoleAccessCredential.alibabaCloudStsToken.accessKeySecret | string | The AccessKey secret. | CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2**** |
| cloudAccountRoleAccessCredential.alibabaCloudStsToken.securityToken | string | The security token. | CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz**** |
| cloudAccountRoleAccessCredential.alibabaCloudStsToken.expiration | string | The expiration time of the token. The time is in UTC. | 2021-10-20T04:27:09Z |

Examples

Success response

JSON format

{
  "cloudAccountId": "ca_01kmegjc11qa1txxxxx",
  "cloudAccountRoleId": "carole_01kmek49aqxxxx",
  "cloudAccountRoleName": "role-test",
  "cloudAccountRoleExternalId": "acs:ram::xxx:role/role-test",
  "cloudAccountVendorType": "alibaba_cloud",
  "cloudAccountRoleAccessCredential": {
    "accessCredentialExpiresAt": 1767196800,
    "alibabaCloudStsToken": {
      "accessKeyId": "STS.NUgYrLnoC37mZZCNnAbez****",
      "accessKeySecret": "CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****",
      "securityToken": "CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****",
      "expiration": "2021-10-20T04:27:09Z"
    }
  }
}
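
The following Python sketch is an added example, not part of the original documentation or of any Alibaba Cloud SDK. It shows one way a caller could validate the response above before using the credential: it checks that the response is for the requested role, keeps the secret fields out of `repr()` output, and treats the credential as expired slightly before `accessCredentialExpiresAt`. The names `StsCredential`, `parse_credential` and `SAMPLE`, the 60-second skew and the client-side role check are assumptions of this example.

```python
import json
import time
from dataclasses import dataclass, field

@dataclass(frozen=True)
class StsCredential:  # hypothetical container, not an SDK type
    access_key_id: str
    access_key_secret: str = field(repr=False)  # never shown by repr() or logs
    security_token: str = field(repr=False)
    expires_at: int  # UNIX seconds, taken from accessCredentialExpiresAt

    def is_usable(self, now=None, skew=60):
        """True while more than `skew` seconds of lifetime remain."""
        now = time.time() if now is None else now
        return now + skew < self.expires_at

def parse_credential(body, requested_external_id):
    """Validate a response body and return an StsCredential, or raise ValueError."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("response body is not a JSON object")
    # Client-side binding check: refuse a credential for any other role.
    if doc.get("cloudAccountRoleExternalId") != requested_external_id:
        raise ValueError("response is for a different cloud role")
    # alibabaCloudStsToken is only returned for alibaba_cloud accounts.
    if doc.get("cloudAccountVendorType") != "alibaba_cloud":
        raise ValueError("unsupported cloudAccountVendorType")
    cred = doc.get("cloudAccountRoleAccessCredential")
    sts = cred.get("alibabaCloudStsToken") if isinstance(cred, dict) else None
    if not isinstance(sts, dict):
        raise ValueError("alibabaCloudStsToken missing")
    expires_at = cred.get("accessCredentialExpiresAt")
    if isinstance(expires_at, bool) or not isinstance(expires_at, int):
        raise ValueError("accessCredentialExpiresAt must be an integer")
    for key in ("accessKeyId", "accessKeySecret", "securityToken"):
        if not isinstance(sts.get(key), str) or not sts[key]:
            raise ValueError(f"{key} missing or empty")
    return StsCredential(sts["accessKeyId"], sts["accessKeySecret"],
                         sts["securityToken"], expires_at)

# Constructed sample body (placeholder values), shaped like the page's example.
SAMPLE = json.dumps({
    "cloudAccountRoleExternalId": "acs:ram::xxx:role/role-test",
    "cloudAccountVendorType": "alibaba_cloud",
    "cloudAccountRoleAccessCredential": {
        "accessCredentialExpiresAt": 1767196800,
        "alibabaCloudStsToken": {"accessKeyId": "STS.constructed-id",
                                 "accessKeySecret": "constructed-secret",
                                 "securityToken": "constructed-token"}}})
```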

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.