
Identity as a Service: AK-free access with RAM

Last Updated:Mar 31, 2026

Storing long-lived AccessKeys in your application code or configuration creates a permanent exposure risk if the key leaks. This guide shows you how to configure OpenID Connect (OIDC) identity federation between Alibaba Cloud IDaaS and RAM so that a Machine-to-Machine (M2M) application can exchange a short-lived OIDC token for temporary Security Token Service (STS) credentials — with no AccessKey stored anywhere.

How it works

The end-to-end flow consists of four stages:

  1. Create an OIDC IdP in RAM — register your IDaaS M2M application as a trusted identity provider.

  2. Create an OIDC IdP role — define a RAM role the M2M application can assume, and set trust policy conditions.

  3. Grant permissions to the role — attach the policies your application needs.

  4. Get an M2M token, then exchange it for STS credentials — use the IDaaS token endpoint to get an OIDC token, then call AssumeRoleWithOIDC to obtain temporary credentials.

Prerequisites

Before you begin, ensure that you have:

Create an OIDC IdP

  1. Log on to the RAM console as a RAM administrator.

  2. In the left navigation pane, choose Integrations > SSO.

  3. On the Role-based SSO tab, click OIDC, then click Create IdP.

  4. Configure the identity provider parameters:

    IdP name
      Must be unique within the Alibaba Cloud account. The name is independent of IDaaS. Follow RAM naming rules.
    Issuer URL
      The unique identifier that your IDaaS M2M application assigns to itself as an OAuth 2.0 issuer. RAM uses this URL to verify that incoming tokens were issued by the correct party. Copy this value from the Issuer field in your IDaaS M2M application's general configuration.
    Fingerprint
      The TLS certificate fingerprint of the issuer URL endpoint. After entering the Issuer URL, click Get Fingerprint: RAM accesses the issuer address and calculates the fingerprint automatically. Also calculate it locally using OpenSSL and compare the two values. If they differ, the issuer URL may be under attack; confirm the URL before proceeding. See Get the fingerprint of an OIDC IdP using OpenSSL.
    Client ID
      The unique identifier issued to your application when it was registered with IDaaS. RAM checks that the aud field of incoming OIDC tokens matches this client ID before exchanging the token for STS credentials. A single OIDC IdP supports up to 50 client IDs. Copy this value from the Audience Identifier field in your IDaaS M2M application's server-side configuration.
    Earliest issuance time allowed
      OIDC tokens issued before this cutoff cannot be exchanged for STS credentials. Default: 12 hours. Valid range: 1–168 hours.
    Description
      Optional description of the identity provider.

    If your IdP is scheduled for certificate rotation, generate a fingerprint for the new certificate and add it to the OIDC IdP configuration before the rotation. Wait at least one day before rotating. After confirming that AssumeRoleWithOIDC succeeds with the new certificate, delete the old fingerprint.
  5. Click Create IdP.

Create an OIDC IdP role

  1. In the RAM console, choose Roles > Create Role > Identity Provider > Switch to Policy Editor.

  2. In the policy editor, add the identity provider you created.

  3. In the Add entity dialog, select the identity provider, then click OK.

  4. RAM generates default oidc:iss and oidc:aud conditions for the trust policy. Edit, delete, or add conditions as needed. Currently, RAM OIDC supports only three condition keys: oidc:iss, oidc:aud, and oidc:sub. To restrict which M2M application server can assume this role, add an oidc:sub condition. Set the Condition value to the client_id of the M2M application server. For more information, see Basic elements of an access policy.

  5. Click OK to save the conditions, enter a name for the role in the Create role dialog, then click OK.

Grant permissions to the role

On the role details page, click Grant permission and attach the policies your M2M application needs.

Get an M2M token

The M2M token is a short-lived OIDC access token issued by IDaaS using the OAuth 2.0 client credentials flow. You exchange this token for STS credentials in the next step.

Before running the request, locate the following values in your IDaaS M2M application:

<YOUR_SERVER_ISSUER_ENDPOINT>
  Resources server application > General configuration > Issuer (the subdomain portion only, for example, your-instance)
<YOUR_APP_CLIENT_ID>
  Client application > General configuration > Credential management > client_id
<YOUR_APP_CLIENT_SECRET>
  Client application > General configuration > Credential management > client_secret
<YOUR_SERVER_AUD_IDENTIFIER>
  Resources server application > Server-side permission grant > Permission application > Audience identifier

Using curl

curl --location --request POST \
  'https://<YOUR_SERVER_ISSUER_ENDPOINT>.aliyunidaas.com/api/v2/iauths_system/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=<YOUR_APP_CLIENT_ID>' \
  --data-urlencode 'client_secret=<YOUR_APP_CLIENT_SECRET>' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=<YOUR_SERVER_AUD_IDENTIFIER>|.all'

The scope value uses the format <audience-identifier>|.all. The .all suffix is a predefined scope identifier in IDaaS that requests all available permissions under the specified audience.

A successful response returns a JSON object containing the access_token. This token is your M2M token.

Using Postman

Set the request method to POST, the URL to https://<YOUR_SERVER_ISSUER_ENDPOINT>.aliyunidaas.com/api/v2/iauths_system/oauth2/token, and the body parameters to the same values listed above.

Get temporary STS credentials

Use the AssumeRoleWithOIDC API to exchange the M2M token for temporary STS credentials. For background on STS, see What is STS?.

  1. Go to the AssumeRoleWithOIDC API page in the OpenAPI portal.

  2. Enter the required parameters:

    OIDCProviderArn
      Go to the Basic information page of the OIDC IdP role that you created and obtain the ARN from the Trust policy section.
    RoleArn
      Open the OIDC IdP role you created in RAM. Copy the ARN from the Basic information page.
    OIDCToken
      The access_token value from the M2M token response.
    RoleSessionName
      A custom name for this session, used for identification only.
  3. Click Initiate call to get the STS credentials.

    For the full AssumeRoleWithOIDC API reference, see AssumeRoleWithOIDC — Obtain temporary identity credentials to assume a role for OIDC role-based SSO.
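As an added example (not code from this guide, IDaaS or RAM), the following Python pre-flight check evaluates the trust-policy conditions from the role step (oidc:iss, oidc:aud, oidc:sub) and the "Earliest issuance time allowed" window against an M2M token before the token is sent to AssumeRoleWithOIDC, so a misconfigured application fails locally with a clear reason instead of an opaque STS error. The issuer, audience and client values in the demo are assumed placeholders, and the demo token is constructed and unsigned; RAM still verifies the real token's signature.

```python
import base64
import json
import time

# The three condition keys RAM OIDC trust policies support, mapped to JWT claims.
CLAIM_FOR_CONDITION = {"oidc:iss": "iss", "oidc:aud": "aud", "oidc:sub": "sub"}


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it; RAM
    verifies the signature during AssumeRoleWithOIDC, this is pre-flight only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_m2m_token(token, conditions, max_age_hours=12, now=None):
    """Evaluate the role's StringEquals trust conditions against the token
    locally; max_age_hours is the IdP's 'Earliest issuance time allowed'
    (default 12 h). Returns the list of failed checks, empty on success."""
    now = int(time.time()) if now is None else now
    claims = decode_jwt_claims(token)
    failures = []
    for key, expected in conditions.items():
        claim = CLAIM_FOR_CONDITION.get(key)
        if claim is None:
            failures.append(f"unsupported condition key {key}")
            continue
        value = claims.get(claim)
        values = value if isinstance(value, list) else [value]  # aud may be a list
        if expected not in values:
            failures.append(f"{key} mismatch")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or iat < now - max_age_hours * 3600:
        failures.append("iat missing or older than the allowed window")
    if not isinstance(exp, int) or exp <= now:
        failures.append("exp missing or token already expired")
    return failures


def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only; a real M2M
    token is issued and signed by the IDaaS token endpoint."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "RS256", "typ": "JWT"})
    return header + "." + seg(claims) + ".placeholder-signature"
```

Pass the access_token from the IDaaS response and the StringEquals map from the role's trust policy; an empty list means the token matches every condition RAM will enforce.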

What's next