AssumeRoleWithOIDC

更新时间:
复制 MD 格式

Queries a Security Token Service (STS) token to assume a Resource Access Management (RAM) role during role-based single sign-on (SSO) by using OpenID Connect (OIDC).

Operation description

Prerequisites

Try it now

您可以在OpenAPI Explorer中直接运行该接口,免去您计算签名的困扰。运行成功后,OpenAPI Explorer可以自动生成SDK代码示例。

Test

RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

Parameter

Type

Required

Description

Example

OIDCProviderArn

string

No

The Alibaba Cloud Resource Name (ARN) of the OIDC IdP.

You can view the ARN in the RAM console or by calling operations.

acs:ram::113511544585****:oidc-provider/TestOidcIdp

RoleArn

string

No

The ARN of the RAM role.

You can view the ARN in the RAM console or by calling operations.

acs:ram::113511544585****:role/testoidc

OIDCToken

string

No

The OIDC token that is issued by the external IdP.

It must be 4 to 20,000 characters in length.

Note

You must enter the original OIDC token (not the Base64-encoded token).

eyJraWQiOiJKQzl3eHpyaHFKMGd0****

Policy

string

No

The policy that specifies the permissions of the returned STS token. You can use this parameter to grant the STS token fewer permissions than the permissions granted to the RAM role.

  • If you specify this parameter, the permissions of the returned STS token are the permissions that are included in the value of this parameter and owned by the RAM role.

  • If you do not specify this parameter, the returned STS token has all the permissions of the RAM role.

The value must be 1 to 2,048 characters in length.

{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}

DurationSeconds

integer

No

The validity period of the STS token. Unit: seconds.

Default value: 3600. Minimum value: 900. Maximum value: the value of the MaxSessionDuration parameter.

For more information about how to specify the MaxSessionDuration parameter, see CreateRole or UpdateRole.

3600

RoleSessionName

string

Yes

The custom name of the role session.

We recommend setting this to a user-specific identifier, such as a username. This name is included in ActionTrail logs to distinguish which user performed an action, which is essential for auditing.

The value can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (_).

It must be 2 to 64 characters in length.

TestOidcAssumedRoleSession

Note

Anonymous users can call the AssumeRoleWithOIDC operation because authentication for this operation is performed based on OIDC tokens. Therefore, you do not need to specify the following common request parameters: SignatureSignatureMethodSignatureVersion, and AccessKeyId. For more information, see Common parameters.

Response elements

Parameter

Type

Description

Example

object

The response parameters.

RequestId

string

The request ID.

3D57EAD2-8723-1F26-B69C-F8707D8B565D

OIDCTokenInfo

object

The information about the OIDC token.

Subject

string

The subject of the OIDC token.

It corresponds to the value of the sub field in the OIDC token.

KryrkIdjylZb7agUgCEf****

Issuer

string

The URL of the issuer.

It corresponds to the value of the iss field in the OIDC token.

https://dev-xxxxxx.okta.com

ClientIds

string

The audience. If multiple audiences are returned, the audiences are separated by commas (,).

It corresponds to the value of the aud field in the OIDC token.

496271242565057****

ExpirationTime

string

The time when the OIDC token expires.

2021-10-20T04:27:09Z

IssuanceTime

string

The time when the OIDC token was issued.

2021-10-20T03:27:09Z

VerificationInfo

string

The verification information about the OIDC token. For more information, see Manage an OIDC IdP.

Success

AssumedRoleUser

object

The temporary identity that you use to assume the RAM role.

AssumedRoleId

string

The ID of the temporary identity that you use to assume the RAM role.

33157794895460****

Arn

string

The ARN of the temporary identity that you use to assume the RAM role.

acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession

Credentials

object

The access credentials.

SecurityToken

string

The STS token.

Note

The length of STS security tokens is variable. To avoid errors, do not set a maximum length for the token in your application.

CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****

Expiration

string

The time when the STS token expires. It is displayed in UTC.

2021-10-20T04:27:09Z

AccessKeySecret

string

The AccessKey secret.

CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****

AccessKeyId

string

The AccessKey ID.

STS.NUgYrLnoC37mZZCNnAbez****

SourceIdentity

string

The source identity of the principal that assumed the role.

When calling the AssumeRole operation, you can configure the SourceIdentity parameter to tag the session with their original identity. This value is immutable and persists throughout role-chaining sessions (where one role assumes another), providing a reliable way to trace actions back to the original user for auditing and security.

This parameter is returned only when you set SourceIdentity in the AssumeRole call.

Alice

Examples

Success response

JSON format

{
  "RequestId": "3D57EAD2-8723-1F26-B69C-F8707D8B565D",
  "OIDCTokenInfo": {
    "Subject": "KryrkIdjylZb7agUgCEf****",
    "Issuer": "https://dev-xxxxxx.okta.com",
    "ClientIds": "496271242565057****",
    "ExpirationTime": "2021-10-20T04:27:09Z",
    "IssuanceTime": "2021-10-20T03:27:09Z",
    "VerificationInfo": "Success"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "33157794895460****",
    "Arn": "acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession"
  },
  "Credentials": {
    "SecurityToken": "CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****",
    "Expiration": "2021-10-20T04:27:09Z",
    "AccessKeySecret": "CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****",
    "AccessKeyId": "STS.NUgYrLnoC37mZZCNnAbez****"
  },
  "SourceIdentity": "Alice"
}

Error codes

See for a complete list.

Release notes

See 变更详情 for a complete list.