Alibaba Cloud Security Token Service (STS) allows you to manage temporary credentials to your Alibaba Cloud resources. Resource Access Management (RAM) provides RAM users and RAM roles. A RAM role does not have permanent identity credentials. A RAM role can only be assumed by using an issued STS token to access Alibaba Cloud resources. When the STS token is issued, you can specify a validity period and access permissions for the STS token.
Functions and features
Use an STS token to assume a RAM role
An authorized RAM user can use an AccessKey pair to call the AssumeRole operation. This way, the RAM user obtains an STS token of a RAM role and can use the STS token to access Alibaba Cloud resources.
This method is used to implement cross-account access and temporary authorization. For more information, see Assume a RAM role, Use a RAM role to grant permissions across Alibaba Cloud accounts, and Use an STS token for authorizing a mobile app to access Alibaba Cloud resources.
Obtain an STS Token for role-based single sign-on (SSO)
You can call the AssumeRoleWithSAML or AssumeRoleWithOIDC operation to obtain an STS token of a RAM role to implement role-based SSO. For more information, see Overview or Overview of OIDC-based SSO.
STS tokens help reduce the risks of AccessKey pair leaks. An AccessKey pair is a long-term credential for a RAM user.
STS tokens are temporary credentials. You can specify the validity period for STS tokens. After STS tokens expire, they become invalid. Therefore, you do not need to rotate the STS tokens on a regular basis.
You can attach custom policies to STS tokens for flexible and fine-grained authorization.
A physical identity that has a fixed ID and credential information. A RAM user represents a person or an application.
For more information, see Overview of RAM users and Create a RAM user.
A virtual identity to which policies can be attached. RAM roles do not have logon passwords or AccessKey pairs. A RAM role must be assumed by a trusted entity. The trust entity can be a RAM user, an Alibaba Cloud service, or an identity provider (IdP). If a trusted entity assumes a RAM role, the trusted entity can obtain and use an STS token of the RAM role to access the resources on which the RAM role has permissions.
RAM roles are classified into the following types based on trusted entities:
For more information, see RAM role overview, Create a RAM role for a trusted Alibaba Cloud account, Create a RAM role for a trusted IdP, and Create a RAM role for a trusted Alibaba Cloud service.
Alibaba Cloud Resource Name (ARN) of a RAM role
The ARN of a RAM role is the globally unique resource identifier of the RAM role. ARNs follow the ARN naming conventions that are provided by Alibaba Cloud. For example, the ARN of the devops RAM role that belongs to an Alibaba Cloud account is
An entity that is entrusted to assume a RAM role. You must specify a trusted entity when you create a RAM role. Only trusted entities can assume the RAM role. A trusted entity can be an Alibaba Cloud account, an Alibaba Cloud service, or an IdP.
A set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. A policy is a type of simple language specification that describes a set of permissions. One or more policies can be attached to a RAM role. A RAM role without a policy cannot access Alibaba Cloud resources.
A method for entities to obtain STS tokens of RAM roles. An entity user can call the AssumeRole STS API operation to obtain the STS token of a RAM role. Then, the entity user can use the STS token to call API operations of Alibaba Cloud services.
Services that work with STS
For more information, see Services that work with STS.