- Role assuming
- Requester identity
JetBrains PluginOperation Description
Prerequisites
You cannot use an Alibaba Cloud account to call this operation. The requester of this operation can only be a RAM user or RAM role. Make sure that the AliyunSTSAssumeRoleAccess policy is attached to the requester. After this policy is attached to the requester, the requester has the management permissions on STS.
If you do not attach the AliyunSTSAssumeRoleAccess policy to the requester, the following error message is returned:
You are not authorized to do this action. You should be authorized by RAM.
You can refer to the following information to troubleshoot the error:
- Cause of the error: The policy that is required to assume a RAM role is not attached to the requester. To resolve this issue, attach the AliyunSTSAssumeRoleAccess policy or a custom policy to the requester. For more information, see Can I specify the RAM role that a RAM user can assume? and Grant permissions to a RAM user.
- Cause of the error: The requester is not authorized to assume the RAM role. To resolve this issue, add the requester to the Principal element in the trust policy of the RAM role For more information, see Edit the trust policy of a RAM role.
Best practices
An STS token is valid for a period of time after it is issued, and the number of STS tokens that can be issued within an interval is also limited. Therefore, we recommend that you configure a proper validity period for an STS token and repeatedly use the token within this period. This prevents frequent issuing of STS tokens from adversely affecting your services if a large number of requests are sent. For more information about the limit, see Is the number of STS API requests limited? You can configure the DurationSeconds parameter to specify a validity period for an STS token.
When you upload or download Object Storage Service (OSS) objects on mobile devices, a large number of STS API requests are sent. In this case, repeated use of an STS token may not meet your business requirements. To avoid the limit on STS API requests from affecting access to OSS, you can add a signature to the URL of an OSS object. For more information, see Add signatures to URLs and Obtain signature information from the server and upload data to OSS.
Request Parameters
| Field Name | Field Details |
|---|---|
DurationSecondsinteger<int64> | The validity period of the STS token. Unit: seconds.View Details... Notice
The field type is Long, and the precision may be lost during serialization/deserialization. Please note that the value must not be greater than 9007199254740991. Example:3600 |
Policystring | The policy that specifies the permissions of the returned STS token. You can use this parameter to grant the STS token fewer permissions than the permissions granted to the RAM role.View Details... Example:{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"} |
RoleArnstring | The Alibaba Cloud Resource Name (ARN) of the RAM role.View Details... Example:acs:ram::123456789012****:role/adminrole |
RoleSessionNamestring | The custom name of the role session.View Details... Example:alice |
ExternalIdstring | The external ID of the RAM role.View Details... Example:abcd1234 |
Request Description
For more information about common request parameters, see Common parameters.
Response Parameters
| Field Name | Field Details |
|---|---|
RequestIdstring | The ID of the request. Example:6894B13B-6D71-4EF5-88FA-F32781734A7F |
AssumedRoleUserobject | The temporary identity that you use to assume the RAM role. |
Credentialsobject | The STS credentials. |
| Change time | Change content summary | operation | |
|---|---|---|---|
| 2022-09-27 | changeError code 400 |