Request Cloud Account Role STS Credentials via IDaaS - Identity as a Service - Alibaba Cloud - Identity as a Service

Gets temporary access credentials for a CloudAccountRole.

Operation description

This API uses an IDaaS-issued access token for authentication and authorization.

The provided access token must be authorized to call the "Obtain Cloud Account Role Access Credential" operation of the IDaaS built-in Privileged Access Management (PAM) application.

Note

The corresponding scope is urn:cloud:idaas:pam|cloud_account_role:obtain_access_credential.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request syntax

GET /v2/{instanceId}/cloudAccountRoles/_/actions/obtainAccessCredential HTTP/1.1

Path Parameters

Parameter	Type	Required	Description	Example
instanceId	string	Yes	The instance ID.	idaas_ue2jvisn35ea5lmthk267xxxxx

Request parameters

Parameter	Type	Required	Description	Example
Authorization	string	Yes	The authentication credentials. The value must be in the format: Bearer ${access_token}. Note Provide the access token issued by IDaaS.	Bearer xxxxxx
cloudAccountRoleExternalId	string	Yes	The external ID of the cloud account role.	acs:ram::xxx:role/role-test

Response elements

Element	Type	Description	Example
	object	The response object.
cloudAccountId	string	The cloud account ID.	ca_01kmegjc11qa1txxxxx
cloudAccountRoleId	string	The ID of the cloud account role.	carole_01kmek49aqxxxx
cloudAccountRoleName	string	The name of the cloud account role.	role-test
cloudAccountRoleExternalId	string	The external ID of the cloud account role.	acs:ram::xxx:role/role-test
cloudAccountVendorType	string	The type of the cloud account. Valid value: `alibaba_cloud`: Alibaba Cloud Valid values: alibaba_cloud :	alibaba_cloud
cloudAccountRoleAccessCredential	object	The temporary access credential that can be used to assume the cloud account role.
accessCredentialExpiresAt	integer	The expiration time of the temporary access credential. This value is a Unix timestamp in seconds.	1767196800
alibabaCloudStsToken	object	The temporary credentials (STS token) for assuming an Alibaba Cloud RAM role. Note This parameter is returned only when the cloud account type associated with the cloud account role is `alibaba_cloud`.
accessKeyId	string	The access key ID.	STS.NUgYrLnoC37mZZCNnAbez****
accessKeySecret	string	The access key secret.	CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****
securityToken	string	The security token.	CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****
expiration	string	The time when the token expires. The time is specified in UTC and formatted as `YYYY-MM-DDThh:mm:ssZ`.	2021-10-20T04:27:09Z
awsStsToken	object
accessKeyId	string
secretAccessKey	string
sessionToken	string
expiration	string

Examples

Success response

JSON format

{
  "cloudAccountId": "ca_01kmegjc11qa1txxxxx",
  "cloudAccountRoleId": "carole_01kmek49aqxxxx",
  "cloudAccountRoleName": "role-test",
  "cloudAccountRoleExternalId": "acs:ram::xxx:role/role-test",
  "cloudAccountVendorType": "alibaba_cloud",
  "cloudAccountRoleAccessCredential": {
    "accessCredentialExpiresAt": 1767196800,
    "alibabaCloudStsToken": {
      "accessKeyId": "STS.NUgYrLnoC37mZZCNnAbez****",
      "accessKeySecret": "CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****",
      "securityToken": "CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****",
      "expiration": "2021-10-20T04:27:09Z"
    },
    "awsStsToken": {
      "accessKeyId": "",
      "secretAccessKey": "",
      "sessionToken": "",
      "expiration": ""
    }
  }
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.