Queries a Security Token Service (STS) token to assume a Resource Access Management (RAM) role during role-based single sign-on (SSO) by using OpenID Connect (OIDC).
Operation description
Prerequisites
An OIDC token is obtained from an external identity provider (IdP).
An OIDC IdP is created in the RAM console. For more information, see Manage an OIDC IdP or CreateOIDCProvider.
A RAM role whose trusted entity is an OIDC IdP is created in the RAM console. For more information, see Create a RAM role for a trusted IdP or CreateRole.
Try it now
您可以在OpenAPI Explorer中直接运行该接口,免去您计算签名的困扰。运行成功后,OpenAPI Explorer可以自动生成SDK代码示例。
Test
RAM authorization
Request parameters
Parameter | Type | Required | Description | Example |
OIDCProviderArn | string | No | The Alibaba Cloud Resource Name (ARN) of the OIDC IdP. You can view the ARN in the RAM console or by calling operations.
| acs:ram::113511544585****:oidc-provider/TestOidcIdp |
RoleArn | string | No | The ARN of the RAM role. You can view the ARN in the RAM console or by calling operations.
| acs:ram::113511544585****:role/testoidc |
OIDCToken | string | No | The OIDC token that is issued by the external IdP. It must be 4 to 20,000 characters in length. Note You must enter the original OIDC token (not the Base64-encoded token). | eyJraWQiOiJKQzl3eHpyaHFKMGd0**** |
Policy | string | No | The policy that specifies the permissions of the returned STS token. You can use this parameter to grant the STS token fewer permissions than the permissions granted to the RAM role.
The value must be 1 to 2,048 characters in length. | {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"} |
DurationSeconds | integer | No | The validity period of the STS token. Unit: seconds. Default value: 3600. Minimum value: 900. Maximum value: the value of the For more information about how to specify the | 3600 |
RoleSessionName | string | Yes | The custom name of the role session. We recommend setting this to a user-specific identifier, such as a username. This name is included in ActionTrail logs to distinguish which user performed an action, which is essential for auditing. The value can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (_). It must be 2 to 64 characters in length. | TestOidcAssumedRoleSession |
Anonymous users can call the AssumeRoleWithOIDC operation because authentication for this operation is performed based on OIDC tokens. Therefore, you do not need to specify the following common request parameters: Signature, SignatureMethod, SignatureVersion, and AccessKeyId. For more information, see Common parameters.
Response elements
Parameter | Type | Description | Example |
object | The response parameters. | ||
RequestId | string | The request ID. | 3D57EAD2-8723-1F26-B69C-F8707D8B565D |
| OIDCTokenInfo | object | The information about the OIDC token. | |
Subject | string | The subject of the OIDC token. It corresponds to the value of the | KryrkIdjylZb7agUgCEf**** |
Issuer | string | The URL of the issuer. It corresponds to the value of the | https://dev-xxxxxx.okta.com |
ClientIds | string | The audience. If multiple audiences are returned, the audiences are separated by commas (,). It corresponds to the value of the | 496271242565057**** |
ExpirationTime | string | The time when the OIDC token expires. | 2021-10-20T04:27:09Z |
IssuanceTime | string | The time when the OIDC token was issued. | 2021-10-20T03:27:09Z |
VerificationInfo | string | The verification information about the OIDC token. For more information, see Manage an OIDC IdP. | Success |
| AssumedRoleUser | object | The temporary identity that you use to assume the RAM role. | |
AssumedRoleId | string | The ID of the temporary identity that you use to assume the RAM role. | 33157794895460**** |
Arn | string | The ARN of the temporary identity that you use to assume the RAM role. | acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession |
| Credentials | object | The access credentials. | |
SecurityToken | string | The STS token. Note The length of STS security tokens is variable. To avoid errors, do not set a maximum length for the token in your application. | CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz**** |
Expiration | string | The time when the STS token expires. It is displayed in UTC. | 2021-10-20T04:27:09Z |
AccessKeySecret | string | The AccessKey secret. | CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2**** |
AccessKeyId | string | The AccessKey ID. | STS.NUgYrLnoC37mZZCNnAbez**** |
SourceIdentity | string | The source identity of the principal that assumed the role. When calling the This parameter is returned only when you set | Alice |
Examples
Success response
JSON format
{
"RequestId": "3D57EAD2-8723-1F26-B69C-F8707D8B565D",
"OIDCTokenInfo": {
"Subject": "KryrkIdjylZb7agUgCEf****",
"Issuer": "https://dev-xxxxxx.okta.com",
"ClientIds": "496271242565057****",
"ExpirationTime": "2021-10-20T04:27:09Z",
"IssuanceTime": "2021-10-20T03:27:09Z",
"VerificationInfo": "Success"
},
"AssumedRoleUser": {
"AssumedRoleId": "33157794895460****",
"Arn": "acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession"
},
"Credentials": {
"SecurityToken": "CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****",
"Expiration": "2021-10-20T04:27:09Z",
"AccessKeySecret": "CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****",
"AccessKeyId": "STS.NUgYrLnoC37mZZCNnAbez****"
},
"SourceIdentity": "Alice"
}Error codes
See for a complete list.
Release notes
See 变更详情 for a complete list.