Resource Access Management:Example of using STS API

Last Updated:Dec 12, 2023

This topic describes how to call a Security Token Service (STS) operation to obtain an STS token that can be used to assume a Resource Access Management (RAM) role.

Step 1: View the API documentation

To assume a RAM role, call the AssumeRole operation. For more information, see List of operations by function. For the request parameters and the permissions that are required to call this operation, see AssumeRole.

Step 2: Create a RAM user and grant permissions to the RAM user

Identities

You can use a RAM user or a RAM role to call this operation. You cannot use an Alibaba Cloud account to call this operation. For information about the differences among the identities, see Identity, credential, and authorization.

In this example, a RAM user is used to call this operation.

Log on to the RAM console and create a RAM user. For more information, see Create a RAM user.

Credentials

Go to the details page of the RAM user. In the User AccessKeys section of the Authentication tab, click Create AccessKey to create an AccessKey pair. For more information, see Create an AccessKey pair.

Important

The AccessKey secret is displayed only when the AccessKey pair is created. You cannot view it afterwards. Note down the AccessKey secret and keep it confidential. If the secret is lost, create a new AccessKey pair and disable the old one.

Authorization

  1. On the Users page in the RAM console, find the RAM user that you want to manage and click Add Permissions in the Actions column.

  2. Enter the keyword sts in the search box and select the AliyunSTSAssumeRoleAccess system policy.

    AliyunSTSAssumeRoleAccess: grants the required permissions to call the AssumeRole operation of Security Token Service (STS).

  3. Click OK to complete the authorization.

Step 3: Create a RAM role

Log on to the RAM console and create a RAM role whose trusted entity is an Alibaba Cloud account. The trusted Alibaba Cloud account can be the current Alibaba Cloud account or another Alibaba Cloud account:

  • Current Alibaba Cloud Account: If you want a RAM user that belongs to your Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.

  • Other Alibaba Cloud Account: If you want a RAM user that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of that Alibaba Cloud account. This option is used for cross-account access.

In this example, you must use the RAM user that is created in Step 2 to assume the RAM role. Therefore, you must set the trusted Alibaba Cloud account to the ID of the Alibaba Cloud account to which the RAM user created in Step 2 belongs. For more information, see Create a RAM role for a trusted Alibaba Cloud account.

You can also modify the trust policy that is attached to the RAM role to change the RAM user that can assume the RAM role. For more information, see Edit the trust policy of a RAM role.
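AssumeRole succeeds only when both sides of the authorization agree: the permission policy attached to the RAM user (Step 2) must allow sts:AssumeRole on the role's ARN, and the trust policy of the RAM role (Step 3) must list the user, or the user's Alibaba Cloud account via its :root principal, under Principal.RAM. The following Python model of those two checks is an added example, not code from this page or the RAM service's own evaluator. It uses the RAM policy language shapes (Version "1" and a Statement list); the account IDs, user names and role names are made up, and the SYSTEM_POLICY document is modelled on AliyunSTSAssumeRoleAccess, which allows sts:AssumeRole on Resource "*".

```python
"""Two-sided model of the AssumeRole authorization check (added example).

Not the RAM service's evaluator: a reduced model of (1) the user's permission
policy and (2) the role's trust policy. All identifiers below are made up.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # RAM policies accept "*" wildcards in Action and Resource.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def permission_policy_allows(policy, action, resource):
    """User side: an explicit Deny always wins, any matching Allow grants,
    and no matching statement means denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_policy_allows(trust_policy, principal_arn):
    """Role side: the caller is trusted if its own ARN, or its account's :root
    ARN, appears under Principal.RAM of an Allow statement for sts:AssumeRole.
    Trusting :root admits every RAM user or role in that account that passes
    its own permission check; naming the user ARN limits it to that user."""
    account_root = "acs:ram::{}:root".format(principal_arn.split(":")[3])
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _matches(stmt["Action"], "sts:AssumeRole"):
            continue
        trusted = _as_list(stmt.get("Principal", {}).get("RAM", []))
        if principal_arn in trusted or account_root in trusted:
            return True
    return False


def can_assume(user_arn, user_policy, role_arn, trust_policy):
    """AssumeRole is permitted only when both checks pass."""
    return (permission_policy_allows(user_policy, "sts:AssumeRole", role_arn)
            and trust_policy_allows(trust_policy, user_arn))


# Made-up identifiers (a real Alibaba Cloud account ID is 16 digits).
ACCOUNT_A = "1234567890123456"
ACCOUNT_B = "6543210987654321"
ALICE = "acs:ram::{}:user/alice".format(ACCOUNT_A)
BOB = "acs:ram::{}:user/bob".format(ACCOUNT_A)
CAROL = "acs:ram::{}:user/carol".format(ACCOUNT_B)
TEST_ROLE = "acs:ram::{}:role/test-role".format(ACCOUNT_A)
ADMIN_ROLE = "acs:ram::{}:role/admin-role".format(ACCOUNT_A)

# Modelled on the AliyunSTSAssumeRoleAccess system policy from Step 2.
SYSTEM_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}],
}

# Least-privilege alternative: roles of this account only, admin role denied.
SCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "acs:ram::{}:role/*".format(ACCOUNT_A)},
        {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": ADMIN_ROLE},
    ],
}

# Trust policy produced by "Current Alibaba Cloud Account" in Step 3.
TRUST_ACCOUNT_A = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"RAM": ["acs:ram::{}:root".format(ACCOUNT_A)]}}],
}

# Trust policy produced by "Other Alibaba Cloud Account" (account B trusted).
TRUST_ACCOUNT_B = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"RAM": ["acs:ram::{}:root".format(ACCOUNT_B)]}}],
}

# Trust policy edited down to one RAM user.
TRUST_ALICE_ONLY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"RAM": [ALICE]}}],
}

if __name__ == "__main__":
    for user, policy, role, trust in [
        (ALICE, SYSTEM_POLICY, TEST_ROLE, TRUST_ACCOUNT_A),
        (BOB, SYSTEM_POLICY, TEST_ROLE, TRUST_ALICE_ONLY),
        (CAROL, SYSTEM_POLICY, TEST_ROLE, TRUST_ACCOUNT_A),
        (ALICE, SCOPED_POLICY, ADMIN_ROLE, TRUST_ACCOUNT_A),
    ]:
        print(user, "->", role, can_assume(user, policy, role, trust))
```

The system policy lets the user assume any role whose trust policy admits the account, so with an account-root trust policy every RAM user holding AliyunSTSAssumeRoleAccess can assume the role. Narrow one side or the other: name the user in the trust policy, or attach a custom permission policy whose Resource lists only the role ARNs that user needs.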

Step 4: Call the operation

In this example, STS SDK for Python is used to call this operation. You can use SDKs for other programming languages in a similar way. For more information, see STS SDKs. You can use other methods to call operations based on your business requirements. For more information, see Overview.

Prepare a Python environment

Download and install Python 3.

After you install Python 3, enter python --version (or python3 --version, depending on how Python 3 is installed) in the terminal to check the version of Python 3.

Configure environment variables

In this example, environment variables are configured to manage the AccessKey pair and prevent security risks that are caused by hard-coding the AccessKey pair into your business code.

  • Linux and macOS

    Replace <access_key_id> and <access_key_secret> in the following commands with your actual AccessKey ID and AccessKey secret. The variables are set only for the current shell session.

    export ALIBABA_CLOUD_ACCESS_KEY_ID=<access_key_id>
    export ALIBABA_CLOUD_ACCESS_KEY_SECRET=<access_key_secret>

  • Windows

    Create the following system environment variables: ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET. Set the ALIBABA_CLOUD_ACCESS_KEY_ID variable to your actual AccessKey ID and the ALIBABA_CLOUD_ACCESS_KEY_SECRET variable to your actual AccessKey secret. Then, restart the Windows operating system.

Install dependencies

pip install alibabacloud_credentials
pip install alibabacloud_sts20150401==1.1.3
pip install alibabacloud_tea_console

Download the sample code

  1. In OpenAPI Explorer, use the RAM user that is created in Step 2 to call the AssumeRole operation.

  2. Enter the request parameters and click Initiate Call to check whether the debugging is successful.

    Set RoleArn in the request parameters to the Alibaba Cloud Resource Name (ARN) of the RAM role that is created in Step 3. For more information about how to view the ARN of a RAM role, see How do I view the ARN of a RAM role?

  3. On the Python tab of the SDK Sample Code tab, click Download Project to download the sample code package of STS SDK for Python.

  4. Decompress the sample code package on your computer and go to the alibabacloud_sample directory.

Run the sample code

Run the following command:

python sample.py

The following command output is displayed:

{
	"headers": {
		"date": "Thu, 17 Aug 2023 10:17:04 GMT",
		"content-type": "application/json;charset=utf-8",
		"content-length": "846",
		"connection": "keep-alive",
		"keep-alive": "timeout=25",
		"access-control-allow-origin": "*",
		"access-control-expose-headers": "*",
		"x-acs-request-id": "79E360B6-FAC5-5B18-8081-BC0F8E90A238",
		"x-acs-trace-id": "b2fb071a47e03e6d6cd507fd05438021",
		"etag": "8bZ4pA7U/ulImlQiwhQnxXw6"
	},
	"statusCode": 200,
	"body": {
		"AssumedRoleUser": {
			"Arn": "acs:ram::151266687691****:role/test-role/test",
			"AssumedRoleId": "30081280744271****:test"
		},
		"Credentials": {
			"AccessKeyId": "STS.NTdbdgE5zgL2qcb5pAify****",
			"AccessKeySecret": "Fyk6ab1xfCFn88hXFxzV44QnF6cDi9T2PiTJgsqU****",
			"Expiration": "2023-08-17T11:17:04Z",
			"SecurityToken": "CAIS7AF1q6Ft5B2yfSjIr5fRKd7TqOpb0ISgUnocHLFUE6eDM****"
		},
		"RequestId": "79E360B6-FAC5-5B18-8081-BC0F8E90A238"
	}
}
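The Credentials object in that response is a triple: the temporary AccessKey pair is rejected without its SecurityToken, and all three parts expire at Expiration (one hour after the response's date header here, the default DurationSeconds). The following Python is an added example, not the OpenAPI Explorer sample project: SAMPLE_BODY and SAMPLE_DATE are copied from the output above with the page's masking left in place, so the helpers can be exercised offline, and assume_role() performs the live call with the packages installed earlier and the environment variables configured earlier. The STS endpoint, role ARN and session name are placeholders you must replace, and the SDK calls follow the shape of the generated sample code (Config, AssumeRoleRequest, assume_role, to_map); check them against your downloaded sample.py.

```python
"""Consume an AssumeRole response and refresh before expiry (added example).

Not the page's sample project. SAMPLE_BODY/SAMPLE_DATE are the masked values
from the page; the endpoint and role ARN in assume_role() are placeholders.
"""
import os
import sys
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Response body from the page; the **** masking is the page's, not real data.
SAMPLE_BODY = {
    "AssumedRoleUser": {
        "Arn": "acs:ram::151266687691****:role/test-role/test",
        "AssumedRoleId": "30081280744271****:test",
    },
    "Credentials": {
        "AccessKeyId": "STS.NTdbdgE5zgL2qcb5pAify****",
        "AccessKeySecret": "Fyk6ab1xfCFn88hXFxzV44QnF6cDi9T2PiTJgsqU****",
        "Expiration": "2023-08-17T11:17:04Z",
        "SecurityToken": "CAIS7AF1q6Ft5B2yfSjIr5fRKd7TqOpb0ISgUnocHLFUE6eDM****",
    },
    "RequestId": "79E360B6-FAC5-5B18-8081-BC0F8E90A238",
}
SAMPLE_DATE = "Thu, 17 Aug 2023 10:17:04 GMT"  # the "date" response header

REQUIRED = ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration")


def missing_credential_fields(body):
    """An STS AccessKey pair is rejected without its SecurityToken, so a
    partial copy of the credentials is an error, not something to fall back on."""
    creds = body.get("Credentials", {})
    return [k for k in REQUIRED if not creds.get(k)]


def sts_credentials_from_body(body):
    missing = missing_credential_fields(body)
    if missing:
        raise ValueError("AssumeRole response lacks Credentials." + ", ".join(missing))
    creds = body["Credentials"]
    if not creds["AccessKeyId"].startswith("STS."):
        raise ValueError("not an STS AccessKey ID: " + creds["AccessKeyId"])
    # Expiration is an ISO-8601 UTC timestamp with a trailing Z.
    expiration = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "access_key_id": creds["AccessKeyId"],
        "access_key_secret": creds["AccessKeySecret"],
        "security_token": creds["SecurityToken"],
        "expiration": expiration.replace(tzinfo=timezone.utc),
    }


def issued_at(date_header):
    """Issue time taken from the HTTP date header (RFC 2822 format)."""
    return parsedate_to_datetime(date_header)


def seconds_remaining(creds, now):
    return int((creds["expiration"] - now).total_seconds())


def needs_refresh(creds, now=None, margin_seconds=300):
    """Re-run AssumeRole before the token expires rather than after the first
    failed request; the margin absorbs clock skew and in-flight requests."""
    now = now or datetime.now(timezone.utc)
    return seconds_remaining(creds, now) <= margin_seconds


def lifetime_seconds(body, date_header):
    """Lifetime as issued: Expiration minus the response date (3600 by default)."""
    return seconds_remaining(sts_credentials_from_body(body), issued_at(date_header))


def assume_role(role_arn, session_name, endpoint, duration_seconds=3600):
    """Live call; imports are local so the helpers above import without the SDK."""
    from alibabacloud_sts20150401 import models as sts_models
    from alibabacloud_sts20150401.client import Client as StsClient
    from alibabacloud_tea_openapi import models as open_api_models

    config = open_api_models.Config(
        access_key_id=os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
        access_key_secret=os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
        endpoint=endpoint,
    )
    request = sts_models.AssumeRoleRequest(
        role_arn=role_arn, role_session_name=session_name, duration_seconds=duration_seconds
    )
    response = StsClient(config).assume_role(request)
    return sts_credentials_from_body(response.body.to_map())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python assume_role_example.py <role-arn>")
    # Placeholder endpoint: use the STS endpoint for your region.
    creds = assume_role(sys.argv[1], "test", "sts.cn-hangzhou.aliyuncs.com")
    # Never log the secret or the token; the remaining lifetime confirms success.
    print("credentials valid for", seconds_remaining(creds, datetime.now(timezone.utc)), "s")
```

Pass all three parts (AccessKey ID, AccessKey secret and SecurityToken) to whichever client uses the assumed role, and key your refresh logic on Expiration rather than on error responses, since a request that fails because the token expired has already leaked a retry into your error budget.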