Role assumption using role-based SSO

更新时间:
复制 MD 格式

During role-based single sign-on (SSO), you can call the AssumeRoleWithSAML operation to obtain a temporary identity for assuming a RAM role. The following sample event illustrates this process and explains the key fields.

Example

In the following example, a user named Alice@example.com assumed the testrole RAM role in the Alibaba Cloud account 159498693826**** at 14:05:20 on August 2, 2021 (UTC+8).

{
  "apiVersion": "2015-04-01",
  "requestId": "3462D6AF-4434-4690-8CAD-E54A",
  "eventType": "ApiCall",
  "userIdentity": {
    "accountId": "159498693826****",
    "type": "saml-user",
    "userName": "Alice@example.com"
  },
  "acsRegion": "cn-shanghai",
  "eventName": "AssumeRoleWithSAML",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "SAMLAssertion": "****",
    "AcsProduct": "Sts",
    "RequestId": "3462D6AF-4434-4690-8CAD-E54A",
    "DurationSeconds": 3600,
    "HostId": "sts.aliyuncs.com",
    "SAMLProviderArn": "acs:ram::159498693826****:saml-provider/test",
    "RoleArn": "acs:ram::159498693826****:role/testrole"
  },
  "eventSource": "sts.aliyuncs.com",
  "serviceName": "Sts",
  "eventTime": "2021-08-02T06:05:20Z",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUQNP4PiGyckMsNiGELCs****"
    ]
  },
  "userAgent": "Jakarta Commons-HttpClient/3.1",
  "eventId": "3462D6AF-4434-4690-8CAD-****",
  "additionalEventData": {
    "Scheme": "https"
  },
  "responseElements": {
    "RequestId": "3462D6AF-4434-4690-8CAD-E54A",
    "SAMLAssertionInfo": {
      "SubjectType": "persis****",
      "Issuer": "https://sts.windows.net/d1ee1acd9a83906adg****/",
      "Recipient": "https://signin.aliyun.com/saml-role/sso",
      "Subject": "Alice@example.com"
    },
    "AssumedRoleUser": {
      "Arn": "acs:ram::159498693826****:role/testrole/Alice",
      "AssumedRoleId": "179432153826****:Alice"
    },
    "Credentials": {
      "AccessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
      "AccessKeySecret": "Ss7sq2j0ZoJujZnmVgXcu6QT9e****",
      "Expiration": "2021-08-02T07:05:20Z"
    }
  },
  "errorCode": "",
  "errorMessage": "",
  "eventVersion": "1",
  "sourceIpAddress": "192.168.XX.XX"
}

Key fields in this example:

  • userIdentity.accountId: The Alibaba Cloud account ID that owns the RAM role. The value in this example is159498693826****.

  • userIdentity.type: The identity type of the requester. In this example, saml-user indicates a user from an enterprise identity provider.

  • userIdentity.userName: The username of the requester. The value in this example is Alice@example.com, which is the username used for role-based SSO.

  • eventName: The event name. In this example, AssumeRoleWithSAML indicates the operation that obtains a temporary identity to assume the role.

  • SAMLProviderArn: The Alibaba Cloud Resource Name (ARN) of the identity provider (IdP) created in Resource Access Management (RAM). The format is acs:ram::<account_ID>:saml-provider/<saml_provider_ID>. account_ID is the Alibaba Cloud account ID, and saml_provider_ID is the name of the IdP. The value in this example is acs:ram::159498693826****:saml-provider/test, which means the Alibaba Cloud account ID is 159498693826**** and the IdP name is test.

  • RoleArn: The ARN of the RAM role to assume. The format is acs:ram::<accountID>:role/<roleName>. accountID is the Alibaba Cloud account ID, and roleName is the name of the RAM role. The value in this example is acs:ram::159498693826****:role/testrole, which means the Alibaba Cloud account ID is 159498693826**** and the role name is testrole.

  • AssumedRoleUser: The temporary identity created for the assumed role. The value in this example is {"Arn": "acs:ram::159498693826****:role/testrole/Alice","AssumedRoleId": "179432153826****:Alice"}. This means the ARN of the temporary identity is acs:ram::159498693826****:role/testrole/Alice and the ID of the temporary identity is 179432153826****:Alice.

  • Credentials: The temporary access credential. The value in this example is {"AccessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****","AccessKeySecret": "Ss7sq2j0ZoJujZnmVgXcu6QT9e****","Expiration": "2021-08-02T07:05:20Z"}. This means the AccessKey ID is STS.NUQNP4PiGyckMsNiGELCs****, the AccessKey secret is Ss7sq2j0ZoJujZnmVgXcu6QT9e****, and the expiration time is 2021-08-02T07:05:20Z.

  • referencedResources: The resources affected by the event. In this example, the value contains the temporary AccessKey ID created for the role assumption.

  • eventTime: The time when the event occurred, in UTC. In this example, 2021-08-02T06:05:20Z corresponds to 14:05:20 on August 2, 2021 (UTC+8).