Call the STS AssumeRole operation by using the Python SDK to obtain temporary credentials for assuming a RAM role.
Step 1: Review the API documentation
Check the API overview and locate the AssumeRole operation. Review the request parameters and required permissions.
Step 2: Create a RAM user and grant permissions
Identity
Call this API as a RAM user or RAM role. Alibaba Cloud accounts (primary accounts) are not supported. For more information, see Identities.
This example uses a RAM user.
Log on to the RAM console and create a RAM user. For more information, see Create a RAM user.
Credentials
Go to the details page of the target RAM user. On the Authentication tab, in the User AccessKeys section, click Create AccessKey. For more information, see Create an AccessKey.
A RAM user's AccessKey secret is displayed only once upon creation and cannot be retrieved later. Save it securely.
Permissions
- On the Users page in the RAM console, find the target RAM user and click Actions in the Grant Permissions column.
- In the search box, enter sts and select the AliyunSTSAssumeRoleAccess system policy. This policy grants permission to call the STS AssumeRole operation.
- Click OK to complete the authorization.
Step 3: Create a RAM role
Log on to the RAM console and create a RAM role with an Alibaba Cloud account as the trusted entity. Select the current account or another account:
- Current Account: To allow a RAM user in the current Alibaba Cloud account to assume this role, select Current Account.
- Other Account: To allow RAM users from another Alibaba Cloud account to assume this role, select Other Account and enter the other account ID. Use this for cross-account access scenarios.
The RAM user from Step 2 assumes this role, so set the trusted entity to the ID of the Alibaba Cloud account to which the RAM user from Step 2 belongs. For more information, see Create a RAM role whose trusted entity is an Alibaba Cloud account.
You can also modify the trust policy of a RAM role to change which RAM users can assume it. For more information, see Modify the trust policy of a RAM role.
Step 4: Make the API call
This example uses the Python SDK. SDKs for other languages are also available; see STS SDK. You can also use other call methods.
Set up Python environment
Download and install Python 3.
Run python --version to verify the installation.
Configure environment variables
This example stores the AccessKey pair in environment variables instead of hardcoding it in the source code. For more information, see Configure environment variables on Linux, macOS, and Windows.
Install dependencies
pip install alibabacloud_credentials
pip install alibabacloud_sts20150401==1.1.3
pip install alibabacloud_tea_console
Download sample code
- In the OpenAPI Portal, log in as the RAM user from Step 2 and open the AssumeRole debugging URL.
- Enter the request parameters and click Initiate Call. For RoleArn, enter the ARN of the RAM role from Step 3. For more information, see How do I view the ARN of a RAM role?
- On the SDK Sample tab, select the Python tab and click Download Project.
- Extract the package and go to the alibabacloud_sample directory.
Run sample code
Run the following command:
python sample.py
Sample output:
{
  "headers": {
    "date": "Thu, 17 Aug 2023 10:17:04 GMT",
    "content-type": "application/json;charset=utf-8",
    "content-length": "846",
    "connection": "keep-alive",
    "keep-alive": "timeout=25",
    "access-control-allow-origin": "*",
    "access-control-expose-headers": "*",
    "x-acs-request-id": "79E360B6-FAC5-5B18-8081-BC0F8E90A238",
    "x-acs-trace-id": "b2fb071a47e03e6d6cd507fd05438021",
    "etag": "8bZ4pA7U/ulImlQiwhQnxXw6"
  },
  "statusCode": 200,
  "body": {
    "AssumedRoleUser": {
      "Arn": "acs:ram::151266687691****:role/test-role/test",
      "AssumedRoleId": "30081280744271****:test"
    },
    "Credentials": {
      "AccessKeyId": "STS.NTdbdgE5zgL2qcb5pAify****",
      "AccessKeySecret": "Fyk6ab1xfCFn88hXFxzV44QnF6cDi9T2PiTJgsqU****",
      "Expiration": "2023-08-17T11:17:04Z",
      "SecurityToken": "CAIS7AF1q6Ft5B2yfSjIr5fRKd7TqOpb0ISgUnocHLFUE6eDM****"
    },
    "RequestId": "79E360B6-FAC5-5B18-8081-BC0F8E90A238"
  }
}
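The downloaded sample.py only prints the raw response. The following is an added example, not the page's sample project or Alibaba Cloud's own code, that shows what a caller normally does around the AssumeRole call from Step 4: validate the request parameters before sending them, optionally attach a session policy so the temporary credentials carry fewer permissions than the role itself, then parse the response body shown above into credentials, keep the SecurityToken with the key pair, and decide when to refresh before Expiration. The SDK call is wrapped in one function with lazy imports so the parsing and validation run offline; the endpoint sts.cn-hangzhou.aliyuncs.com, the parameter format checks, the 43200-second upper bound and the sample role ARN and session policy are assumptions or constructed values, and the AccessKey pair is expected in the ALIBABA_CLOUD_ACCESS_KEY_ID / ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables as in the page's setup.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the "body" of the page's sample output, same masked values.
SAMPLE_BODY = {
    "AssumedRoleUser": {
        "Arn": "acs:ram::151266687691****:role/test-role/test",
        "AssumedRoleId": "30081280744271****:test",
    },
    "Credentials": {
        "AccessKeyId": "STS.NTdbdgE5zgL2qcb5pAify****",
        "AccessKeySecret": "Fyk6ab1xfCFn88hXFxzV44QnF6cDi9T2PiTJgsqU****",
        "Expiration": "2023-08-17T11:17:04Z",
        "SecurityToken": "CAIS7AF1q6Ft5B2yfSjIr5fRKd7TqOpb0ISgUnocHLFUE6eDM****",
    },
    "RequestId": "79E360B6-FAC5-5B18-8081-BC0F8E90A238",
}

# Client-side sanity checks (assumed formats):
#   RoleArn          acs:ram::<account-id>:role/<role-name>
#   RoleSessionName  2-64 characters from letters, digits, ".", "@", "-", "_"
#   DurationSeconds  900 up to the role's MaxSessionDuration (never above 43200); default 3600
ROLE_ARN_RE = re.compile(r"^acs:ram::\d+:role/[A-Za-z0-9.@_-]+$")
SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9.@_-]{2,64}$")


def build_assume_role_params(role_arn, role_session_name, duration_seconds=3600, policy=None):
    """Return validated AssumeRole request parameters.

    `policy` is an optional session policy (a dict). The returned STS credentials can
    only use permissions allowed by BOTH the role's attached policies and this policy,
    so pass the narrowest policy the caller actually needs.
    """
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError("RoleArn must look like acs:ram::<account-id>:role/<role-name>")
    if not SESSION_NAME_RE.match(role_session_name):
        raise ValueError("RoleSessionName must be 2-64 characters of letters, digits, . @ - _")
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and the role's MaxSessionDuration")
    params = {
        "RoleArn": role_arn,
        "RoleSessionName": role_session_name,
        "DurationSeconds": duration_seconds,
    }
    if policy is not None:
        params["Policy"] = json.dumps(policy, separators=(",", ":"))
    return params


def parse_credentials(body):
    """Extract temporary credentials from an AssumeRole response body.

    Expiration is an ISO 8601 UTC timestamp such as 2023-08-17T11:17:04Z.
    """
    creds = body["Credentials"]
    expiration = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "access_key_id": creds["AccessKeyId"],
        "access_key_secret": creds["AccessKeySecret"],
        # The token must accompany the key pair on every request signed with it.
        "security_token": creds["SecurityToken"],
        "expiration": expiration.replace(tzinfo=timezone.utc),
        "assumed_role_arn": body["AssumedRoleUser"]["Arn"],
        "request_id": body["RequestId"],
    }


def seconds_until_expiry(creds, now=None):
    now = now or datetime.now(timezone.utc)
    return int((creds["expiration"] - now).total_seconds())


def needs_refresh(creds, now=None, margin_seconds=300):
    """True when the credentials expire within `margin_seconds` (or already have)."""
    return seconds_until_expiry(creds, now) <= margin_seconds


def assume_role_with_sdk(params, endpoint="sts.cn-hangzhou.aliyuncs.com"):
    """Call AssumeRole with the alibabacloud_sts20150401 SDK from the page's dependency list.

    Imports are lazy so the rest of this module works without the SDK installed. The
    credentials client reads the RAM user's AccessKey pair from the environment variables.
    """
    from alibabacloud_credentials.client import Client as CredentialClient
    from alibabacloud_sts20150401 import models as sts_models
    from alibabacloud_sts20150401.client import Client as StsClient
    from alibabacloud_tea_openapi import models as open_api_models

    config = open_api_models.Config(credential=CredentialClient())
    config.endpoint = endpoint  # assumed endpoint; pick the region you call from
    client = StsClient(config)
    request = sts_models.AssumeRoleRequest(
        role_arn=params["RoleArn"],
        role_session_name=params["RoleSessionName"],
        duration_seconds=params["DurationSeconds"],
        policy=params.get("Policy"),
    )
    response = client.assume_role(request)
    return parse_credentials(response.body.to_map())


if __name__ == "__main__":
    # Constructed values: replace the ARN with the role from Step 3.
    params = build_assume_role_params(
        "acs:ram::123456789012345:role/test-role",
        "test",
        policy={"Version": "1", "Statement": [
            {"Effect": "Allow", "Action": "oss:GetObject", "Resource": "acs:oss:*:*:example-bucket/*"}]},
    )
    creds = assume_role_with_sdk(params)
    print(creds["assumed_role_arn"], "expires in", seconds_until_expiry(creds), "seconds")
```

The session policy in the usage block is the least-privilege lever that the raw sample.py does not exercise: the role in Step 3 may be broad, but each call can hand out credentials limited to a single action on a single bucket. Treat the returned AccessKeySecret and SecurityToken with the same care as the RAM user's long-term secret for the hour they are valid, and refresh on the margin rather than on failure.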