Obtains a Security Token Service (STS) token to assume a Resource Access Management (RAM) role during role-based single sign-on (SSO) by using OpenID Connect (OIDC).



OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes AssumeRoleWithOIDC

The operation that you want to perform. Set the value to AssumeRoleWithOIDC.

OIDCProviderArn String Yes acs:ram::113511544585****:oidc-provider/TestOidcIdp

The Alibaba Cloud Resource Name (ARN) of the OIDC IdP.

You can view the ARN in the RAM console or by calling operations.

RoleArn String Yes acs:ram::113511544585****:role/testoidc

The ARN of the RAM role.

You can view the ARN in the RAM console or by calling operations.

OIDCToken String Yes eyJraWQiOiJKQzl3eHpyaHFKMGd0****

The OIDC token that is issued by the external IdP.

The OIDC token must be 4 to 20,000 characters in length.

Note You must enter the original OIDC token. You do not need to enter the Base64-encoded OIDC token.
Policy String No null

The policy that specifies the permissions of the returned STS token. You can use this parameter to grant the STS token fewer permissions than the permissions granted to the RAM role.

  • If you specify this parameter, the permissions of the returned STS token are the permissions that are included in the value of this parameter and owned by the RAM role.
  • If you do not specify this parameter, the returned STS token has all the permissions of the RAM role.

The value must be 1 to 1,024 characters in length.

DurationSeconds Long No 3600

The validity period of the STS token. Unit: seconds.

Default value: 3600. Minimum value: 900. Maximum value: the value of the MaxSessionDuration parameter.

For more information about how to specify MaxSessionDuration, see CreateRole or UpdateRole.

RoleSessionName String No TestOidcAssumedRoleSession

The custom name of the role session.

Set this parameter based on your business requirements. In most cases, you can set this parameter to the identity of the user who calls the operation. For example, specify a username. In ActionTrail logs, you can distinguish the users who assume the same RAM role to perform operations based on the value of the RoleSessionName parameter. This way, you can perform user-specific auditing.

The value can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (_).

The value must be 2 to 64 characters in length.

Note Anonymous users can call the AssumeRoleWithOIDC operation because authentication for this operation is performed based on OIDC tokens. Therefore, you do not need to specify the following common parameters: Signature, SignatureMethod, SignatureVersion, and AccessKeyId.

Response parameters

Parameter Type Example Description
RequestId String 3D57EAD2-8723-1F26-B69C-F8707D8B565D

The ID of the request.

OIDCTokenInfo Object

The information about the OIDC token.

Subject String KryrkIdjylZb7agUgCEf****

The subject,

which is represented by the sub field in the OIDC Token.

Issuer String https://dev-xxxxxx.okta.com

The URL of the issuer,

which is represented by the iss field in the OIDC Token.

ClientIds String 496271242565057****

The audience. If multiple audiences are returned, the audiences are separated by commas (,).

The audience is represented by the aud field in the OIDC Token.

AssumedRoleUser Object

The temporary identity that you use to assume the RAM role.

AssumedRoleId String 33157794895460****

The ID of the temporary identity that you use to assume the RAM role.

Arn String acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession

The ARN of the temporary identity that you use to assume the RAM role.

Credentials Object

The access credentials.

SecurityToken String CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****

The security token.

Expiration String 2021-10-20T04:27:09Z

The time when the STS token expires. The time is displayed in UTC.

AccessKeySecret String CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****

The AccessKey secret.

AccessKeyId String STS.NUgYrLnoC37mZZCNnAbez****

The AccessKey ID.


Sample requests

&Policy={"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK

<?xml version="1.0" encoding="UTF-8" ?>

JSON format

HTTP/1.1 200 OK

  "RequestId" : "3D57EAD2-8723-1F26-B69C-F8707D8B565D",
  "OIDCTokenInfo" : {
    "Subject" : "KryrkIdjylZb7agUgCEf****",
    "Issuer" : "https://dev-xxxxxx.okta.com",
    "ClientIds" : "496271242565057****"
  "AssumedRoleUser" : {
    "AssumedRoleId" : "33157794895460****",
    "Arn" : "acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession"
  "Credentials" : {
    "SecurityToken" : "CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****",
    "Expiration" : "2021-10-20T04:27:09Z",
    "AccessKeySecret" : "CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****",
    "AccessKeyId" : "STS.NUgYrLnoC37mZZCNnAbez****"

Error codes

For a list of error codes, visit the API Error Center.