This topic covers the key concepts, configuration methods, access control policies, typical use cases, and troubleshooting methods for SourceIdentity.
What is SourceIdentity?
SourceIdentity is an identifier that you can set for the current session when you call an OpenAPI operation to assume a RAM role and obtain temporary credentials (an STS token).
SourceIdentity serves two main purposes:
-
Trace identities in complex scenarios such as role chaining
Role chaining occurs when a RAM identity (or a role SSO user) assumes a role to obtain a role session, and then uses that session to assume another role, for example, User A → Role B → Role C. The RAM roles in a role chain can belong to the same Alibaba Cloud account or different accounts (cross-account).
In a role assumption scenario, you can set
RoleSessionNameto audit the source identity. However, in a role chaining scenario,RoleSessionNamecan be changed during multiple role assumptions, making it difficult to trace the original user.Once
SourceIdentityis set at the beginning of a role chain, its value persists and cannot be changed within the role session. This ensures that the original user can be traced through logs, even after multiple role assumptions.For a detailed example of how
SourceIdentityworks in role chaining, see Role chaining example. -
Apply fine-grained access control to highly privileged roles
Administrators can configure fine-grained permissions based on the value or presence of
SourceIdentity. This control is especially useful when multiple identities share a role.For example, an administrator can use a condition key in a policy to require that a specific
SourceIdentityvalue must be set when assuming a role. This can restrict a highly privileged role or core resources to be accessible only by specific source identities.
Setting SourceIdentity
Set SourceIdentity by calling one of the following three Security Token Service (STS) API operations when assuming a role.
AssumeRole
When you call the AssumeRole API operation, specify the source identity information by using the SourceIdentity parameter. For example, you can set it to Alice. This method is suitable for standard role assumption scenarios where a RAM user or a RAM role assumes another role.
After a successful call, SourceIdentity is returned as a top-level field in the response. The following code provides a sample response:
{
"RequestId": "6894B13B-6D71-4EF5-88FA-F3278173****",
"AssumedRoleUser": {
"AssumedRoleId": "34458433936495****:alice",
"Arn": "acs:ram::123456789012****:role/alice"
},
"Credentials": {
"SecurityToken": "********",
"Expiration": "2015-04-09T11:52:19Z",
"AccessKeySecret": "wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****",
"AccessKeyId": "STS.L4aBSCSJVMuKg5U1****"
},
"SourceIdentity": "Alice"
}
For more information about how to call this operation, see AssumeRole - Obtain temporary credentials for an assumed role.
AssumeRoleWithSAML
In a SAML role-based SSO scenario, the value of SourceIdentity is provided by the identity provider (IdP) in the SAML assertion.
You need to configure a SAML attribute in your IdP and map it to a user's identifier, such as their username. The name of this attribute must be https://www.aliyun.com/SAML-Role/Attributes/SourceIdentity.
After the configuration is complete, the SAML response issued by the IdP contains the following SAML assertion (assuming the user's UPN prefix is mapped to the SourceIdentity value):
<Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/SourceIdentity">
<AttributeValue>upn_prefix</AttributeValue>
</Attribute>
The response for a successful call is the same as that for the AssumeRole operation. For more information about how to call this operation, see Obtain temporary credentials for an assumed role during SAML role-based SSO.
AssumeRoleWithOIDC
In an OIDC role-based SSO scenario, the value of SourceIdentity is provided by the IdP as a claim in the ID token (also known as an OIDC token).
You need to configure a custom ID token claim in your IdP and map it to a user's identifier, such as their username. The name of this claim must be https://www.aliyun.com/source_identity. For example:
After the configuration is complete, the ID token issued by the IdP contains the following claim (assuming that the user's UPN prefix is mapped to the SourceIdentity value):
{
"https://www.aliyun.com/source_identity": "upn_prefix"
}
The response for a successful call is the same as that for the AssumeRole operation. For more information about how to call this operation, see AssumeRoleWithOIDC - Obtain temporary credentials for an assumed role during OIDC role-based SSO.
Format requirements
-
The value must be 2 to 64 characters in length.
-
The value can contain letters, digits, and the following special characters:
=,,,.,@,-, and_. -
You cannot use prefixes reserved by Alibaba Cloud, such as
acs:,aliyun:, oralibabacloud:.
Permissions and condition control
You can use a combination of identity-based policies and trust policies to control the use of SourceIdentity.
Actions
|
Parameter |
Type |
Scope |
Description |
|
|
Action |
|
Grants permission to set |
Example of action configuration
To allow an identity (a RAM user or role) to set SourceIdentity when calling AssumeRole, you must grant the sts:SetSourceIdentity permission in both the identity-based policy of the principal and the trust policy of the target role. This is done by adding sts:SetSourceIdentity to the Action block.
-
Example of an identity-based policy (granted to the caller):
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:SetSourceIdentity" ], "Resource": "acs:ram::ACCOUNT_ID:role/TARGET_ROLE" } ] } -
Example of a trust policy (configured on the role to be assumed):
{ "Statement": [ { "Action": [ "sts:AssumeRole", "sts:SetSourceIdentity" ], "Effect": "Allow", "Principal": { "RAM": [ "acs:ram::ACCOUNT_ID:root" ] } } ], "Version": "1" }
Role SSO action configuration
When you assume a role by calling the AssumeRoleWithSAML or AssumeRoleWithOIDC operations, grant the sts:SetSourceIdentity permission only in the target role's trust policy. The following policy is an example for SAML role-based SSO:
{
"Statement": [
{
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity"
],
"Condition": {
"StringEquals": {
"saml:recipient": [
"https://signin.aliyun.com/saml-role/sso"
]
}
},
"Effect": "Allow",
"Principal": {
"Federated": [
"acs:ram::ACCOUNT_ID:saml-provider/PROVIDER_NAME"
]
}
}
],
"Version": "1"
}
If you configure the SourceIdentity attribute in your IdP, you must include the sts:SetSourceIdentity action in the trust policies of all roles associated with that IdP. Otherwise, SSO sign-in attempts will fail.
Condition keys
|
Parameter |
Type |
Scope |
Description |
|
|
Condition key |
|
Associates one or more |
|
|
Condition key (global) |
|
Associates one or more |
Currently, the acs:SourceIdentity condition key is evaluated only in STS policies.
The difference between the sts:SourceIdentity and acs:SourceIdentity condition keys is as follows:
-
sts:SourceIdentitymatches theSourceIdentityattribute in the role assumption request. -
acs:SourceIdentitymatches theSourceIdentityattribute that exists in the role session (including the STS token) after a successful role assumption.
For the initial role assumption, you must use the sts:SourceIdentity condition key in your policies, including identity-based policies and trust policies. At this stage, no valid role session exists, so using the acs:SourceIdentity condition key at this stage will cause the assumption to fail.
Example of condition control
By using the sts:SourceIdentity condition key in a policy's Condition block, you can require a specific SourceIdentity value to be passed when a role is assumed. You can configure conditions in either or both of the following policy types:
-
Set a condition in an identity-based policy: Restricts the identity to setting a specific
SourceIdentityvalue when assuming a particular role. -
Set a condition in a trust policy: Restricts any identity to setting a specific
SourceIdentityvalue when assuming this role.
The sts:SetSourceIdentity action must also be included in the policy's Action block for the condition to take effect.
After a RAM user signs in to the console, they cannot use the Switch Role feature to assume a role that requires SourceIdentity to be set. This is because the console does not support entering this parameter.
Assume there is a highly privileged RAM role for the production environment named prod-role. An administrator needs to implement the following controls:
-
Only RAM users Alice and Bob can assume
prod-role. -
When assuming
prod-role,SourceIdentitymust be set, and its value must match the username of the user assuming the role. For example, when Alice assumes the role, she can set the value toaliceoralice@exampledomain.com.
Step 1: Configure the trust policy for prod-role
This policy ensures that only Alice and Bob can assume this role, and the request must include a SourceIdentity value that begins with alice or bob.
{
"Statement": [
{
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity"
],
"Condition": {
"StringLike": {
"sts:SourceIdentity": [
"alice*",
"bob*"
]
}
},
"Effect": "Allow",
"Principal": {
"RAM": [
"acs:ram::ACCOUNT_ID:user/alice",
"acs:ram::ACCOUNT_ID:user/bob"
]
}
}
],
"Version": "1"
}
Step 2: Configure identity-based policies for users Alice and Bob
The following policies grant Alice and Bob permission to assume prod-role and enforce that they set a SourceIdentity that matches their respective usernames in the request.
-
Identity-based policy for Alice
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:SetSourceIdentity" ], "Resource": "acs:ram::ACCOUNT_ID:role/prod-role", "Condition": { "StringLike": { "sts:SourceIdentity": [ "alice*" ] } } } ] } -
Identity-based policy for Bob
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:SetSourceIdentity" ], "Resource": "acs:ram::ACCOUNT_ID:role/prod-role", "Condition": { "StringLike": { "sts:SourceIdentity": [ "bob*" ] } } } ] }
Condition control for role SSO
Assume that the dev-role role can only be assumed through SAML role-based SSO, and only by users with employee IDs employeeid-alice and employeeid-bob. The IdP includes the user's employee ID as the value of SourceIdentity in the SAML assertion.
The trust policy for dev-role is configured as follows:
{
"Statement": [
{
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity"
],
"Condition": {
"StringEquals": {
"saml:recipient": [
"https://signin.aliyun.com/saml-role/sso"
],
"sts:SourceIdentity": [
"employeeid-alice",
"employeeid-bob"
]
}
},
"Effect": "Allow",
"Principal": {
"Federated": [
"acs:ram::ACCOUNT_ID:saml-provider/PROVIDER_NAME"
]
}
}
],
"Version": "1"
}
Recommendations for using condition control
-
Test before you deploy to production: Do not enable mandatory
SourceIdentitypolicies directly in a production environment. This includes any identity-based policy or trust policy that contains thests:SourceIdentitycondition key. We recommend that you first use a test role and policy to validate the configuration. After you confirm it works as expected, you can gradually apply it to your production environment. -
Communicate in advance: Before enabling mandatory policies, inform all relevant users how to use
SourceIdentityand what values are allowed to prevent workflow disruptions.
Role chaining example
Scenario
A CI/CD automation tool such as Jenkins runs with a RAM role named automation-role. This role can be assumed by developers such as Alice and Bob.
A developer, such as Alice, uses the tool to deploy an application to an OSS Bucket in the production environment. The deployment action requires assuming a more privileged role, deploy-role, which has write permissions to the OSS Bucket.
Alice, Bob, and automation-role belong to Alibaba Cloud account A, while deploy-role belongs to Alibaba Cloud account B.
Business requirement and workflow
The goal is to allow automation-role to assume deploy-role only when Alice is the original caller. Any request from another user, such as Bob, must be denied.
The workflow is as follows:
-
Alice calls the
AssumeRoleoperation to assumeautomation-roleand setsSourceIdentitytoalicein the request. -
After
automation-roleobtains an STS token, it calls theAssumeRoleoperation again to assumedeploy-role. TheSourceIdentityvalue is automatically passed along. -
The trust policy of
deploy-rolechecks if the incomingSourceIdentityisalice. If the validation passes, the role assumption is allowed.
Policy configuration steps
Step 1: Modify the trust policy of deploy-role
This policy allows assumption requests only from automation-role in account A, and only if the SourceIdentity value is alice.
{
"Statement": [
{
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity"
],
"Condition": {
"StringEquals": {
"acs:SourceIdentity": [
"alice"
]
}
},
"Effect": "Allow",
"Principal": {
"RAM": [
"acs:ram::ACCOUNT_A_ID:role/automation-role"
]
}
}
],
"Version": "1"
}
The trust policy above uses the acs:SourceIdentity condition key instead of sts:SourceIdentity. This ensures that the deploy-role accepts access requests only from the automation-role role and only if the SourceIdentity in the role session is already set to alice.
Step 2: Modify the permission and trust policies of automation-role
-
Identity-based policy: Allows the
automation-rolerole to assume thedeploy-rolerole in account B.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:SetSourceIdentity" ], "Resource": "acs:ram::ACCOUNT_B_ID:role/deploy-role" } ] } -
Trust policy: Allows Alice and Bob to assume
automation-role.{ "Statement": [ { "Action": [ "sts:AssumeRole", "sts:SetSourceIdentity" ], "Effect": "Allow", "Principal": { "RAM": [ "acs:ram::ACCOUNT_A_ID:user/alice", "acs:ram::ACCOUNT_A_ID:user/bob" ] } } ], "Version": "1" }
Step 3: Modify the identity-based policies for Alice and Bob
Allow them to assume the automation-role role and enforce that they set a SourceIdentity value that exactly matches their username.
-
Identity-based policy for Alice
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:SetSourceIdentity" ], "Resource": "acs:ram::ACCOUNT_A_ID:role/automation-role", "Condition": { "StringEquals": { "sts:SourceIdentity": [ "alice" ] } } } ] } -
Identity-based policy for Bob
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:SetSourceIdentity" ], "Resource": "acs:ram::ACCOUNT_A_ID:role/automation-role", "Condition": { "StringEquals": { "sts:SourceIdentity": [ "bob" ] } } } ] }
SourceIdentity in ActionTrail
You can find the SourceIdentity field in ActionTrail audit logs for identity tracing.
-
In
AssumeRole*event logs:SourceIdentityappears in theresponseElementsandrequestParametersfields.{ "eventId": "9BCD28D0-7FDB-5BF2-9302-CDA6CCC5****", "eventVersion": 1, "responseElements": { "SourceIdentity": "alice", "RequestId": "9BCD28D0-7FDB-5BF2-9302-CDA6CCC5****", ... }, ... "requestParameters": { "SourceIdentity": "alice", "X-Acs-Request-Id": "9BCD28D0-7FDB-5BF2-9302-CDA6CCC5****", ... }, "serviceName": "Sts", "eventName": "AssumeRole", ... }
-
In event logs for accessing cloud resources:
SourceIdentityappears in theuserIdentity.sessionContextfield.{ "eventId": "46B5B0A1-19F7-5A56-BE2C-0BCFE5F8****", "userIdentity": { "sessionContext": { "sourceIdentity": "alice", ... }, "type": "assumed-role", ... }, "serviceName": "Ecs", "eventName": "DescribeInstances", ... }
Troubleshooting
The most common issue when configuring SourceIdentity is insufficient permissions. The following sections describe two typical error scenarios and their solutions.
Scenario 1: Identity-based policy issue
Error Message:
{
"RequestId": "AC9DDEC1-3E1F-50B8-A2D1-BAA155FD****",
"Code": "NoPermission",
"Message": "You are not authorized to do this action. You should be authorized by RAM.",
"AccessDeniedDetail": {
"PolicyType": "AccountLevelIdentityBasedPolicy",
"AuthAction": "sts:SetSourceIdentity",
...
}
}
Cause:
-
"PolicyType": "AccountLevelIdentityBasedPolicy"indicates that the error is caused by the caller's identity-based policy. -
"AuthAction": "sts:SetSourceIdentity"indicates that permission for thests:SetSourceIdentityaction is missing.
Solution: Ask your administrator to check the caller's identity-based policy and ensure the following:
-
The policy includes
"Action": "sts:SetSourceIdentity". -
The policy's
Resourcescope includes the target role you are trying to assume. -
If the policy contains a
Condition, confirm that theSourceIdentityvalue in your request meets the condition.
Scenario 2: Trust policy issue
Error Message:
{
"RequestId": "ECC91EE1-0EB0-5E79-B3F5-E54FD8B9****",
"Code": "NoPermission",
"Message": "You are not authorized to do this action. You should be authorized by RAM.",
"AccessDeniedDetail": {
"PolicyType": "AssumeRolePolicy",
"AuthAction": "sts:SetSourceIdentity",
...
}
}
Cause:
-
"PolicyType": "AssumeRolePolicy"indicates that the error is caused by the target role's trust policy. -
"AuthAction": "sts:SetSourceIdentity"indicates that the target role does not trust thests:SetSourceIdentityaction.
Solution: Ask your administrator to check the target role's trust policy and ensure the following:
-
The policy includes
"Action": "sts:SetSourceIdentity". -
If the policy contains a
Condition, confirm that theSourceIdentityvalue in your request meets the condition.
General troubleshooting advice
-
Narrow down the scope: If you encounter a permission issue when setting
SourceIdentity, try removing theSourceIdentityparameter and assuming the role again. If the action succeeds, the problem is likely with the permission settings related toSourceIdentity. -
Analyze the error message: Read the
AccessDeniedDetailsection of the error message, especially thePolicyTypefield. It can help you quickly determine whether the issue is with an identity-based policy or a trust policy. -
Use diagnostic tools: If you only have the
RequestId, you can use the OpenAPI Explorer tool. Enter theRequestId, and the system will return detailed diagnostic information to help you pinpoint the permission issue. For example:A diagnostic result shows an ErrorCode of
NoPermissionand an ErrorMessage ofYou are not authorized to do this action. You should be authorized by RAM.. The permission check conclusion is Not authorized by identity-based policy (account-level) for the actionsts:SetSourceIdentity. The solution suggests granting the RAM user the system policyAliyunSTSAssumeRoleAccess, which is associated withsts:SetSourceIdentity, or creating a custom policy. -
Compare the policy and the request: After locating the policy, check that its
ResourceandConditionsettings match your API request parameters, such as the target roleARNand theSourceIdentityvalue.
For more information about troubleshooting permission issues, see How to troubleshoot access denied errors.