ActionTrail supports querying events related to Alibaba Cloud STS (Security Token Service). You can quickly query STS events and obtain details such as the time at which each event occurred, the region, and the temporary identity involved. This topic uses examples to explain STS-related events.
A RAM user switches roles in the console by calling STS
The following example shows that at 15:59:47 on 5 August 2021 (Beijing time), the RAM user Alice called the AssumeRole API and obtained a temporary identity by assuming the role cna-manager-test-role under Alibaba Cloud account 127812487797****.
{
  "eventId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
    "AssumedRoleUser": {
      "Arn": "acs:ram::127812487797****:role/cna-manager-test-role/169074",
      "AssumedRoleId": "33618118978621****:169074"
    },
    "Credentials": {
      "AccessKeyId": "STS.NUQ79dzjpMPxYesi1YY5U****",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T08:59:47Z"
    }
  },
  "eventSource": "sts.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "AcsProduct": "Sts",
    "RequestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
    "RoleSessionName": 169074,
    "RegionId": "cn-hangzhou",
    "HostId": "sts.aliyuncs.com",
    "RoleArn": "acs:ram::127812487797****:role/cna-manager-test-role"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Linux; amd64) Java/1.8.0_152-b187 Core/4.5.17 HTTPClient/ApacheHttpClient",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUQ79dzjpMPxYesi1YY5U****"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T07:59:46Z"
      }
    },
    "accountId": "146411043369****",
    "principalId": "21336811218169****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
  "eventTime": "2021-08-05T07:59:47Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "AssumeRole"
}
The key fields in this example have the following meanings:
- userIdentity.type: the identity type of the requester. The value ram-user indicates a RAM user.
- userIdentity.userName: the name of the RAM user who made the request.
- serviceName: the name of the Alibaba Cloud service to which the event relates. The value Sts indicates STS.
- eventName: the name of the event. The value AssumeRole indicates that a temporary identity was obtained by assuming a role; here the RAM user assumed a RAM role whose trusted entity is an Alibaba Cloud account.
- requestParameters.RoleArn: the ARN of the assumed role. In the value acs:ram::127812487797****:role/cna-manager-test-role, 127812487797**** is the ID of the Alibaba Cloud account that owns the role and cna-manager-test-role is the role name.
- referencedResources: the list of resources affected by the event. The value {"ACS::RAM::AccessKey": ["STS.NUQ79dzjpMPxYesi1YY5U****"]} identifies STS.NUQ79dzjpMPxYesi1YY5U****, the temporary credential obtained by assuming the role.
- eventTime: the time at which the event occurred, in UTC. The value 2021-08-05T07:59:47Z corresponds to 15:59:47 on 5 August 2021 (Beijing time).
A RAM user obtains a temporary access token by calling the SDK
The following example shows that at 16:03:31 on 5 August 2021 (Beijing time), the RAM user Alice called the AssumeRole API and obtained a temporary identity by assuming the role aliyunosstokengeneratorrole under Alibaba Cloud account 193875730500****.
{
  "eventId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
    "AssumedRoleUser": {
      "Arn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole/X5wpmS6EgkM080aE0Kym****",
      "AssumedRoleId": "30815480203992****:X5wpmS6EgkM080aE0Kym****"
    },
    "Credentials": {
      "AccessKeyId": "STS.NTobFuYYn6EBxAVhC18ta****",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T09:03:31Z"
    }
  },
  "eventSource": "sts.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "Policy": {
      "Version": "1",
      "Statement": [
        {
          "Condition": {},
          "Action": [
            "oss:PutObject"
          ],
          "Resource": [
            "acs:oss:*:*:taowo/image/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*",
            "acs:oss:*:*:taowo/video/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*",
            "acs:oss:*:*:taowo/sound/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*"
          ],
          "Effect": "Allow"
        }
      ]
    },
    "AcsHost": "sts.cn-hangzhou.aliyuncs.com",
    "AcsProduct": "Sts",
    "RequestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
    "RoleSessionName": "X5wpmS6EgkM080aE0Kym****",
    "Region": "cn-hangzhou",
    "SignatureType": "",
    "RegionId": "cn-hangzhou",
    "HostId": "sts.cn-hangzhou.aliyuncs.com",
    "RoleArn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Linux 3.10.0-1127.19.1.el7.x86_64;x86_64) Python/3.8.8 Core/2.13.32 python-requests/2.18.3",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NTobFuYYn6EBxAVhC18ta****"
    ]
  },
  "userIdentity": {
    "accessKeyId": "LTAI2jP0BF0f****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T08:03:31Z"
      }
    },
    "accountId": "193875730500****",
    "principalId": "21365465900895****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
  "eventTime": "2021-08-05T08:03:31Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "AssumeRole"
}
The key fields in this example have the following meanings:
- userIdentity.accessKeyId: the AccessKey ID used to make the API call. The value is LTAI2jP0BF0f****.
- userIdentity.principalId: the ID of the account that owns the AccessKey. The value is 21365465900895****.
- userIdentity.type: the identity type of the requester. The value ram-user indicates a RAM user.
- serviceName: the name of the Alibaba Cloud service to which the event relates. The value Sts indicates STS.
- eventName: the name of the event. The value AssumeRole indicates that a temporary identity was obtained by assuming a role; here the RAM user assumed a RAM role whose trusted entity is an Alibaba Cloud account.
- requestParameters.RoleArn: the ARN of the assumed role. In the value acs:ram::193875730500****:role/aliyunosstokengeneratorrole, 193875730500**** is the ID of the Alibaba Cloud account that owns the role and aliyunosstokengeneratorrole is the role name.
- referencedResources: the list of resources affected by the event. The value {"ACS::RAM::AccessKey": ["STS.NTobFuYYn6EBxAVhC18ta****"]} identifies STS.NTobFuYYn6EBxAVhC18ta****, the temporary credential obtained by assuming the role.
- eventTime: the time at which the event occurred, in UTC. The value 2021-08-05T08:03:31Z corresponds to 16:03:31 on 5 August 2021 (Beijing time).
An enterprise user obtains an Alibaba Cloud role identity through role-based SSO
The following example shows that at 16:04:56 on 5 August 2021 (Beijing time), the enterprise user Alice called the AssumeRoleWithSAML API and, through role-based SSO, obtained a temporary identity by assuming the role cruisetestrole under account 189186630579****.
{
  "eventId": "66FDD0F9-3546-567A-8964-2BD734198356",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "66FDD0F9-3546-567A-8964-2BD734198356",
    "SAMLAssertionInfo": {
      "SubjectType": "transient",
      "Issuer": "https://testidp/saml",
      "Recipient": "https://signin.aliyun.com/saml-role/sso",
      "Subject": "Alice"
    },
    "AssumedRoleUser": {
      "Arn": "acs:ram::189186630579****:role/cruisetestrole/cruisetest",
      "AssumedRoleId": "37924473051351****:cruisetest"
    },
    "Credentials": {
      "AccessKeyId": "STS.NUTNKhGR8BR3QL9sJkSHp****",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T09:04:56Z"
    }
  },
  "eventSource": "sts.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "SAMLAssertion": "***",
    "AcsProduct": "Sts",
    "RequestId": "66FDD0F9-3546-567A-8964-2BD734198356",
    "DurationSeconds": 3600,
    "HostId": "sts.aliyuncs.com",
    "SAMLProviderArn": "acs:ram::189186630579****:saml-provider/mockedIdp",
    "RoleArn": "acs:ram::189186630579****:role/cruisetestrole"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Jakarta Commons-HttpClient/3.1",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUTNKhGR8BR3QL9sJkSHp****"
    ]
  },
  "userIdentity": {
    "accountId": "189186630579****",
    "samlProviderName": "mockedIdp",
    "type": "saml-user",
    "userName": "Alice",
    "samlIssuer": "https://testidp/saml"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "66FDD0F9-3546-567A-8964-2BD734198356",
  "eventTime": "2021-08-05T08:04:56Z",
  "isGlobal": false,
  "acsRegion": "cn-shanghai",
  "eventName": "AssumeRoleWithSAML"
}
The key fields in this example have the following meanings:
- userIdentity.type: the identity type of the requester. The value saml-user indicates a user from the enterprise's own identity system.
- userIdentity.userName: the username of the enterprise user who initiated role-based SSO.
- requestParameters.RoleArn: the ARN of the assumed role. In the value acs:ram::189186630579****:role/cruisetestrole, 189186630579**** is the ID of the Alibaba Cloud account that owns the role and cruisetestrole is the role name.
- referencedResources: the list of resources affected by the event. The value {"ACS::RAM::AccessKey": ["STS.NUTNKhGR8BR3QL9sJkSHp****"]} identifies STS.NUTNKhGR8BR3QL9sJkSHp****, the temporary credential obtained by assuming the role.
- serviceName: the name of the Alibaba Cloud service to which the event relates. The value Sts indicates STS.
- eventName: the name of the event. The value AssumeRoleWithSAML indicates that an Alibaba Cloud role identity was obtained through role-based SSO.
- eventTime: the time at which the event occurred, in UTC. The value 2021-08-05T08:04:56Z corresponds to 16:04:56 on 5 August 2021 (Beijing time).
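As an added example that is not part of this documentation, the following Python script extracts the key fields discussed in all three sections from ActionTrail STS records: it splits requestParameters.RoleArn into the owning account ID and role name, converts eventTime from UTC to Beijing time, reads the temporary AccessKey ID from referencedResources, and flags cross-account assumptions (caller account different from the role's account), the presence of a session policy, and the mfaAuthenticated attribute. The sample records are constructed from the three events above and trimmed to the fields the script reads.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records modelled on the three events above, trimmed to the fields read below; masked values as printed on the page.
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "eventTime": "2021-08-05T07:59:47Z",
     "requestParameters": {"RoleArn": "acs:ram::127812487797****:role/cna-manager-test-role"},
     "referencedResources": {"ACS::RAM::AccessKey": ["STS.NUQ79dzjpMPxYesi1YY5U****"]},
     "userIdentity": {"type": "ram-user", "userName": "Alice", "accountId": "146411043369****",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventName": "AssumeRole", "eventTime": "2021-08-05T08:03:31Z",
     "requestParameters": {"RoleArn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole",
                           "Policy": {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["oss:PutObject"],
                                      "Resource": ["acs:oss:*:*:taowo/image/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*"]}]}},
     "referencedResources": {"ACS::RAM::AccessKey": ["STS.NTobFuYYn6EBxAVhC18ta****"]},
     "userIdentity": {"type": "ram-user", "userName": "Alice", "accountId": "193875730500****",
                      "accessKeyId": "LTAI2jP0BF0f****",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventName": "AssumeRoleWithSAML", "eventTime": "2021-08-05T08:04:56Z",
     "requestParameters": {"RoleArn": "acs:ram::189186630579****:role/cruisetestrole"},
     "referencedResources": {"ACS::RAM::AccessKey": ["STS.NUTNKhGR8BR3QL9sJkSHp****"]},
     "userIdentity": {"type": "saml-user", "userName": "Alice", "accountId": "189186630579****",
                      "samlProviderName": "mockedIdp"}},
]

def parse_role_arn(arn):
    """Split 'acs:ram::<account-id>:role/<role-name>' into (account_id, role_name)."""
    parts = arn.split(":", 4)  # ['acs', 'ram', '', '<account-id>', 'role/<role-name>']
    if len(parts) != 5 or not parts[4].startswith("role/"):
        raise ValueError("not a RAM role ARN: " + arn)
    return parts[3], parts[4][len("role/"):]

def utc_to_beijing(ts):
    """eventTime is recorded in UTC; the prose on this page quotes it in Beijing time (UTC+8)."""
    utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(timezone(timedelta(hours=8))).strftime("%Y-%m-%d %H:%M:%S")

def summarize_sts_event(event):
    """Pull out the fields an analyst reviews for an AssumeRole or AssumeRoleWithSAML event."""
    ident = event["userIdentity"]
    role_account, role_name = parse_role_arn(event["requestParameters"]["RoleArn"])
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
    return {
        "beijing_time": utc_to_beijing(event["eventTime"]),
        "api": event["eventName"],
        "caller": ident["type"] + ":" + ident["userName"],
        "role_account": role_account, "role_name": role_name,
        "sts_access_key": event["referencedResources"]["ACS::RAM::AccessKey"][0],
        "cross_account": ident["accountId"] != role_account,  # caller's account differs from the role's account
        "session_policy": "Policy" in event["requestParameters"],  # request narrowed the temporary permissions
        "mfa_authenticated": None if mfa is None else mfa == "true",  # SAML events carry no sessionContext
    }
```

Run summarize_sts_event over each record in a query result to see which assumptions were cross-account, which carried a session policy, and which were made without MFA.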