Obtains a Security Token Service (STS) token to assume a Resource Access Management (RAM) role during role-based single sign-on (SSO) by using OpenID Connect (OIDC).
Prerequisites
- An OIDC token is obtained from an external identity provider (IdP).
- An OIDC IdP is created in the RAM console. For more information, see Create an OIDC IdP or CreateOIDCProvider.
- A RAM role whose trusted entity is an OIDC IdP is created in the RAM console. For more information, see Create a RAM role for a trusted IdP or CreateRole.
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
Action | String | Yes | AssumeRoleWithOIDC | The operation that you want to perform. Set the value to AssumeRoleWithOIDC. |
OIDCProviderArn | String | Yes | acs:ram::113511544585****:oidc-provider/TestOidcIdp | The Alibaba Cloud Resource Name (ARN) of the OIDC IdP. You can view the ARN in the RAM console or by calling operations. |
RoleArn | String | Yes | acs:ram::113511544585****:role/testoidc | The ARN of the RAM role. You can view the ARN in the RAM console or by calling operations. |
OIDCToken | String | Yes | eyJraWQiOiJKQzl3eHpyaHFKMGd0**** | The OIDC token that is issued by the external IdP. The OIDC token must be 4 to 20,000 characters in length. Note: You must enter the original OIDC token. You do not need to enter the Base64-encoded OIDC token. |
Policy | String | No | null | The policy that specifies the permissions of the returned STS token. You can use this parameter to grant the STS token fewer permissions than the permissions granted to the RAM role. The value must be 1 to 1,024 characters in length. |
DurationSeconds | Long | No | 3600 | The validity period of the STS token. Unit: seconds. Default value: 3600. Minimum value: 900. Maximum value: the value of the For more information about how to specify |
RoleSessionName | String | No | TestOidcAssumedRoleSession | The custom name of the role session. Set this parameter based on your business requirements. In most cases, you can set this parameter to the identity of the user who calls the operation. For example, specify a username. In ActionTrail logs, you can distinguish the users who assume the same RAM role to perform operations based on the value of the RoleSessionName parameter. This way, you can perform user-specific auditing. The value can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (_). The value must be 2 to 64 characters in length. |
Note: When you call this operation, you do not need to specify the following common request parameters: Signature, SignatureMethod, SignatureVersion, and AccessKeyId.
Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
RequestId | String | 3D57EAD2-8723-1F26-B69C-F8707D8B565D | The ID of the request. |
OIDCTokenInfo | Object | | The information about the OIDC token. |
Subject | String | KryrkIdjylZb7agUgCEf**** | The subject, which is represented by the |
Issuer | String | https://dev-xxxxxx.okta.com | The URL of the issuer, which is represented by the |
ClientIds | String | 496271242565057**** | The audience. If multiple audiences are returned, the audiences are separated by commas (,). The audience is represented by the |
AssumedRoleUser | Object | | The temporary identity that you use to assume the RAM role. |
AssumedRoleId | String | 33157794895460**** | The ID of the temporary identity that you use to assume the RAM role. |
Arn | String | acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession | The ARN of the temporary identity that you use to assume the RAM role. |
Credentials | Object | | The access credentials. |
SecurityToken | String | CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz**** | The security token. |
Expiration | String | 2021-10-20T04:27:09Z | The time when the STS token expires. The time is displayed in UTC. |
AccessKeySecret | String | CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2**** | The AccessKey secret. |
AccessKeyId | String | STS.NUgYrLnoC37mZZCNnAbez**** | The AccessKey ID. |
Examples
Sample requests
https://sts.aliyuncs.com/?Action=AssumeRoleWithOIDC
&OIDCProviderArn=acs:ram::113511544585****:oidc-provider/TestOidcIdp
&RoleArn=acs:ram::113511544585****:role/testoidc
&OIDCToken=eyJraWQiOiJKQzl3eHpyaHFKMGd0****
&Policy={"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}
&DurationSeconds=3600
&RoleSessionName=TestOidcAssumedRoleSession
&<Common request parameters>
Sample success responses
XML format
HTTP/1.1 200 OK
Content-Type:application/xml
<?xml version="1.0" encoding="UTF-8" ?>
<AssumeRoleWithOIDCResponse>
<RequestId>3D57EAD2-8723-1F26-B69C-F8707D8B565D</RequestId>
<OIDCTokenInfo>
<Subject>KryrkIdjylZb7agUgCEf****</Subject>
<Issuer>https://dev-xxxxxx.okta.com</Issuer>
<ClientIds>496271242565057****</ClientIds>
</OIDCTokenInfo>
<AssumedRoleUser>
<AssumedRoleId>33157794895460****</AssumedRoleId>
<Arn>acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession</Arn>
</AssumedRoleUser>
<Credentials>
<SecurityToken>CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****</SecurityToken>
<Expiration>2021-10-20T04:27:09Z</Expiration>
<AccessKeySecret>CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****</AccessKeySecret>
<AccessKeyId>STS.NUgYrLnoC37mZZCNnAbez****</AccessKeyId>
</Credentials>
</AssumeRoleWithOIDCResponse>
JSON format
HTTP/1.1 200 OK
Content-Type:application/json
{
"RequestId" : "3D57EAD2-8723-1F26-B69C-F8707D8B565D",
"OIDCTokenInfo" : {
"Subject" : "KryrkIdjylZb7agUgCEf****",
"Issuer" : "https://dev-xxxxxx.okta.com",
"ClientIds" : "496271242565057****"
},
"AssumedRoleUser" : {
"AssumedRoleId" : "33157794895460****",
"Arn" : "acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession"
},
"Credentials" : {
"SecurityToken" : "CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****",
"Expiration" : "2021-10-20T04:27:09Z",
"AccessKeySecret" : "CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****",
"AccessKeyId" : "STS.NUgYrLnoC37mZZCNnAbez****"
}
}
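An added example, not code from the Alibaba Cloud documentation or SDKs: it builds the AssumeRoleWithOIDC request from the parameter rules above (the raw OIDC token is the credential, so no AccessKeyId or Signature is sent), narrows the session with Policy, and validates a JSON success response before the credentials are used. The Version and Format common request parameters are assumptions, and the sample response is constructed from the page's own example values.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlencode

STS_ENDPOINT = "https://sts.aliyuncs.com/"

SAMPLE_RESPONSE = json.dumps({  # constructed from the page's sample success response
    "RequestId": "3D57EAD2-8723-1F26-B69C-F8707D8B565D",
    "OIDCTokenInfo": {"Subject": "KryrkIdjylZb7agUgCEf****", "Issuer": "https://dev-xxxxxx.okta.com", "ClientIds": "496271242565057****"},
    "AssumedRoleUser": {"AssumedRoleId": "33157794895460****", "Arn": "acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession"},
    "Credentials": {"SecurityToken": "CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****", "Expiration": "2021-10-20T04:27:09Z",
                    "AccessKeySecret": "CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****", "AccessKeyId": "STS.NUgYrLnoC37mZZCNnAbez****"}})

def build_assume_role_request(oidc_provider_arn, role_arn, oidc_token,
                              role_session_name, duration_seconds=3600, policy=None):
    """Return the unsigned AssumeRoleWithOIDC URL; limits follow the documented parameter rules."""
    if not 4 <= len(oidc_token) <= 20000:
        raise ValueError("OIDCToken must be 4 to 20,000 characters")
    if duration_seconds < 900:
        raise ValueError("DurationSeconds minimum is 900")
    if not re.fullmatch(r"[A-Za-z0-9.@_-]{2,64}", role_session_name):
        raise ValueError("RoleSessionName: 2-64 letters, digits, . @ - _")
    params = {
        "Action": "AssumeRoleWithOIDC",
        "Version": "2015-04-01", "Format": "JSON",  # common request parameters (assumed values)
        "OIDCProviderArn": oidc_provider_arn,
        "RoleArn": role_arn,
        "OIDCToken": oidc_token,  # the original JWT, not Base64-encoded again
        "DurationSeconds": str(duration_seconds),
        "RoleSessionName": role_session_name,  # recorded in ActionTrail for per-user auditing
    }
    if policy is not None:  # session policy: STS token gets at most these permissions
        policy_json = json.dumps(policy, separators=(",", ":"))
        if not 1 <= len(policy_json) <= 1024:
            raise ValueError("Policy must be 1 to 1,024 characters")
        params["Policy"] = policy_json
    return STS_ENDPOINT + "?" + urlencode(params)

def parse_credentials(body):
    """Validate a JSON success response and return the temporary credentials with a UTC expiry."""
    data = json.loads(body)
    creds = data["Credentials"]
    if not creds["AccessKeyId"].startswith("STS."):
        raise ValueError("expected a temporary STS AccessKey ID")
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {"access_key_id": creds["AccessKeyId"], "access_key_secret": creds["AccessKeySecret"],
            "security_token": creds["SecurityToken"], "expires_at": expires.replace(tzinfo=timezone.utc),
            "assumed_role_arn": data["AssumedRoleUser"]["Arn"], "subject": data["OIDCTokenInfo"]["Subject"]}
```

Refresh before expires_at is reached rather than on a failed call, and keep the session policy as narrow as the workload needs.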
Error codes
For a list of error codes, visit the API Error Center.