Obtain an STS token
This article explains how an agent uses Agent Identity to obtain a Security Token Service (STS) token, then uses that token to call Alibaba Cloud services such as ECS, OSS, and VPC. Using Agent Identity removes the need to embed long-lived AccessKey credentials inside the agent.
Workflow
The agent obtains and uses an STS token in three stages:
Complete inbound authentication. The agent calls one of the Agent Identity service's
GetWorkloadAccessToken*operations through the Agent Identity SDK to obtain a Workload Access Token. The most common form of inbound authentication uses a JSON Web Token (JWT) issued by an external identity provider.Exchange the Workload Access Token for an STS token. The SDK calls the Agent Identity service's
AssumeRoleForWorkloadIdentityoperation, presenting the Workload Access Token to assume the runtime RAM role associated with the Workload Identity. Agent Identity returns temporary security credentials — an STS token containing anAccessKeyId, anAccessKeySecret, and aSecurityToken.Call Alibaba Cloud OpenAPI. The agent uses the STS token to call Alibaba Cloud OpenAPI on behalf of the runtime RAM role, securely accessing services such as ECS, OSS, and VPC.
Prerequisites
Before the agent can obtain an STS token, set up Workload Identity and grant the runtime role the permissions it needs:
The operator account that performs the setup must have the
AliyunAgentIdentityFullAccesspermission policy attached.Create a Workload Identity in the Agent Identity console, or by using the Agent Identity CLI. When you use the CLI, a runtime RAM role is created with the same name, in the form
agentidentityrole-${workloadIdentityName}.In the RAM console, attach a permission policy to the runtime RAM role that grants access to the Alibaba Cloud services the agent needs to call. For example, attach
AliyunVPCFullAccess(a system policy) so the agent can manage VPCs.
Use the SDK to obtain a token
After the prerequisites are in place, the agent obtains STS tokens through a decorator. Annotate any function that calls Alibaba Cloud OpenAPI with @requires_sts_token. When the function is invoked, the Agent Identity SDK transparently completes inbound authentication, retrieves a Workload Access Token, exchanges it for an STS token, and injects the token into the function parameter you name.
The following Python example shows an agent calling the Alibaba Cloud VPC API to create a VPC:
from typing import Optional
from agent_identity_python_sdk.core.decorators import get_region, requires_sts_token
from agent_identity_python_sdk.model import STSCredential
from alibabacloud_vpc20160428.client import Client as Vpc20160428Client
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_vpc20160428 import models as vpc_20160428_models
@requires_sts_token(
inject_param_name="sts_credential"
)
def create_vpc(
name: str,
region_id: str,
cidr_block: str,
sts_credential: Optional[STSCredential] = None,
):
# Initialize the Alibaba Cloud OpenAPI client with the STS credential.
config = open_api_models.Config(
access_key_id=sts_credential.access_key_id,
access_key_secret=sts_credential.access_key_secret,
security_token=sts_credential.security_token,
)
config.endpoint = f'vpc.{region_id}.aliyuncs.com'
client = Vpc20160428Client(config)
# Call the OpenAPI to create a VPC.
request = vpc_20160428_models.CreateVpcRequest(
region_id=region_id,
cidr_block=cidr_block,
vpc_name=name,
description='This is a test VPC.'
)
response = client.create_vpc(request)For the complete runnable sample, see fetch-sts-token sample.
FAQ
How can I tell whether an STS token was issued by Agent Identity?
An STS token issued by Agent Identity carries the caller agent's identity: both the Workload Identity and the inbound user identity, so that those signals can be used for permission control and auditing. Tokens issued by the Alibaba Cloud STS service (for example, the token a RAM user receives when calling AssumeRole) do not carry this context.
When an agent calls Alibaba Cloud OpenAPI (for example, CreateVpc) with an Agent Identity-issued STS token, the corresponding ActionTrail event includes an externalIdentityContext block under userIdentity.sessionContext. The block records the Workload Identity ARN and the inbound user information:
{
...
"userIdentity": {
"type": "assumed-role",
...
"sessionContext": {
"externalIdentityContext": {
"agentidentityWorkloadIdentityArn": "acs:agentidentity:cn-beijing:<account_id>:workloadidentitydirectory/default/workloadidentity/<workload-identity-name>",
"agentidentityInboundJwtClaimIss": "https://<oauth.yourcompany.com>",
"agentidentityInboundJwtClaimSub": "iiCsOvhjNZX/hK0x1jl9****"
}
}
}
...
"eventName": "CreateVpc"
}If the externalIdentityContext block is present, the call was authenticated through Agent Identity. If it is absent, the STS token was obtained directly from the Alibaba Cloud STS service.