This topic provides answers to some frequently asked questions about Resource Access Management (RAM) roles and Security Token Service (STS) tokens.

What are the types of RAM roles?

RAM roles are classified into the following types based on the trusted entity:

  • Alibaba Cloud account
  • Alibaba Cloud service
  • Identity provider (IdP)

What entities can assume the three types of RAM role?

  • Alibaba Cloud account: RAM users of a trusted Alibaba Cloud account can assume this type of RAM role. The trusted account can be the account that owns the RAM role or a different Alibaba Cloud account. This type of RAM role is used for cross-account access and temporary authorization.
  • Alibaba Cloud service: Alibaba Cloud services can assume this type of RAM role. This type of RAM role is used to authorize access between Alibaba Cloud services. RAM roles that Elastic Compute Service (ECS) instances assume belong to this type; in this case, the trusted entity is ECS. For more information, see Use RAM roles to access other Alibaba Cloud services.
  • IdP: Users of a trusted IdP can assume this type of RAM role. This type of RAM role is used to implement single sign-on (SSO) between Alibaba Cloud and a trusted IdP.

Can I specify the RAM role that a RAM user can assume?

Yes. Create a custom policy whose Resource element names the RAM role, and attach the policy to the RAM user. The RAM user can then call sts:AssumeRole only for that role, provided that no other policy attached to the user, such as the system policy AliyunSTSAssumeRoleAccess, allows sts:AssumeRole on all roles. The following sample code provides an example of a custom policy:

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "acs:ram:*:<account-id>:role/<role-name>"
        }
    ],
    "Version": "1"
}
Note
  • In this policy, the Resource element specifies the Alibaba Cloud Resource Name (ARN) of the RAM role. In this element, <account-id> specifies the ID of the Alibaba Cloud account that owns the RAM role and <role-name> specifies the name of the RAM role. For more information about how to view the ARN of a RAM role, see How do I view the ARN of a RAM role?
  • You can attach this policy to the RAM user to specify the RAM role that a RAM user can assume. For more information about how to attach a policy to a RAM user, see Grant permissions to a RAM user.

How do I view the ARN of a RAM role?

  1. To view the ARN of a RAM role, log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click the name of the RAM role whose ARN you want to view.
  4. In the Basic Information section, view the ARN of the RAM role.

Why does an error occur when a RAM user accesses STS?

When a RAM user calls the AssumeRole operation by using the API, the Alibaba Cloud CLI, or an SDK, the following error message may be returned:

Error message: You are not authorized to do this action. You should be authorized by RAM.

Two conditions must both be met for a RAM user to assume a RAM role: a policy attached to the RAM user must allow sts:AssumeRole on the role, and the trust policy of the role must list the RAM user as a principal. The error message is returned when either condition fails:

  • The RAM user does not have permission to call sts:AssumeRole. To resolve this issue, attach the system policy AliyunSTSAssumeRoleAccess, which allows the RAM user to assume any RAM role, or a custom policy that allows sts:AssumeRole on the specific RAM role. For more information, see Can I specify the RAM role that a RAM user can assume?
  • The trust policy of the RAM role does not allow the RAM user to assume the role. To resolve this issue, add the RAM user to the Principal element in the trust policy of the RAM role. For more information, see Edit the trust policy of a RAM role.

Is the number of STS API requests limited?

Yes, the number of STS API requests is limited. The AssumeRole operation can be called up to 6,000 times per minute for each Alibaba Cloud account. Requests that are sent by the RAM users and RAM roles of the Alibaba Cloud account count toward this quota. If more than 6,000 requests are sent within a minute, the following error message is returned for the excess requests:

Request was denied due to user flow control

What are the permissions of an STS token?

The permissions of an STS token are the intersection of the permissions of the RAM role and the permissions that you specify in the Policy parameter when you call the AssumeRole operation. The Policy parameter can only narrow the permissions of the RAM role; it cannot grant a permission that the RAM role does not have.

Note If you do not configure the Policy parameter when you call the AssumeRole operation, the returned STS token has all the permissions of the RAM role.
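The following Python script is an added example, not code from the original page or from Alibaba Cloud, that models the three policy checks discussed above in "Can I specify the RAM role that a RAM user can assume?", "Why does an error occur when a RAM user accesses STS?", and "What are the permissions of an STS token?". It evaluates a simplified form of RAM policy matching (wildcards, Allow and Deny, implicit deny) to show which of the two AssumeRole preconditions fails for a given user and role, and it computes the effective permissions of an STS token as the intersection of the role's policy and the session Policy parameter. The account ID, user name, role name, and all policies are constructed placeholders; the matching rules are a simplification of real RAM semantics (for example, action names are compared case-sensitively here).

```python
from fnmatch import fnmatchcase

# Constructed sample data for this FAQ; the account ID, user and role names
# are placeholders, not real identifiers.
ACCOUNT = "123456789012345678"
USER_ARN = f"acs:ram::{ACCOUNT}:user/alice"
ROLE_ARN = f"acs:ram::{ACCOUNT}:role/ecs-ops"

# Custom policy attached to the RAM user (same shape as the policy in
# "Can I specify the RAM role that a RAM user can assume?").
USER_POLICY = {
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Resource": f"acs:ram:*:{ACCOUNT}:role/ecs-ops"}],
    "Version": "1",
}

# Trust policy of the role: the Principal element names who may assume it.
TRUST_POLICY = {
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"RAM": [USER_ARN]}}],
    "Version": "1",
}

# Permission policy attached to the role itself.
ROLE_POLICY = {
    "Statement": [{"Action": ["ecs:Describe*", "ecs:StopInstance"],
                   "Effect": "Allow", "Resource": "*"}],
    "Version": "1",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Simplified RAM matching: '*' wildcards, case-sensitive comparison
    # (real RAM compares action names case-insensitively).
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return True if the policy allows `action` on `resource`.

    An explicit Deny overrides any Allow; with no matching statement the
    result is an implicit deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt.get("Resource", "*"), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trusted(trust_policy, principal_arn):
    """Return True if the trust policy lets `principal_arn` call AssumeRole."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _matches(stmt["Action"], "sts:AssumeRole"):
            continue
        if principal_arn in _as_list(stmt.get("Principal", {}).get("RAM", [])):
            return True
    return False


def diagnose_assume_role(user_policy, trust_policy, user_arn, role_arn):
    """Map a refused AssumeRole call to one of the two causes listed in
    "Why does an error occur when a RAM user accesses STS?"."""
    if not evaluate(user_policy, "sts:AssumeRole", role_arn):
        return f"identity policy of {user_arn} does not allow sts:AssumeRole on {role_arn}"
    if not trusted(trust_policy, user_arn):
        return f"trust policy of {role_arn} does not list {user_arn} as a principal"
    return "ok"


def token_allows(role_policy, session_policy, action, resource):
    """Effective permission of an STS token: the role's policy must allow the
    request and, if a session Policy was passed to AssumeRole, that policy
    must allow it as well. The session policy can narrow the role's
    permissions but never widen them."""
    if not evaluate(role_policy, action, resource):
        return False
    return session_policy is None or evaluate(session_policy, action, resource)


if __name__ == "__main__":
    print(diagnose_assume_role(USER_POLICY, TRUST_POLICY, USER_ARN, ROLE_ARN))
    narrow = {"Statement": [{"Action": "ecs:Describe*", "Effect": "Allow",
                             "Resource": "*"}], "Version": "1"}
    print(token_allows(ROLE_POLICY, narrow, "ecs:StopInstance", "*"))
```

Run it with a different user ARN or role ARN to see which of the two preconditions is reported as missing; pass a session policy that allows an action the role does not have (for example oss:*) to confirm that the Policy parameter cannot add permissions.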

What is the validity period of an STS token?

The validity period of an STS token ranges from 900 seconds to the maximum session duration that you specify. The default validity period is 3,600 seconds.

Note
  • You can configure the DurationSeconds parameter when you call the AssumeRole operation to specify the validity period of an STS token.
  • You can use the RAM console or call the API to configure the maximum session duration of a RAM role. For more information, see Specify the maximum session duration for a RAM role.

If I obtained multiple STS tokens at different points in time, are the old and new tokens valid at the same time?

Yes. Each STS token is valid until its own expiration time, regardless of how many other tokens have been obtained for the same RAM role. Obtaining a new token does not invalidate existing ones. To invalidate tokens before they expire, see What do I do if STS tokens are disclosed?

What do I do if STS tokens are disclosed?

If STS tokens that were obtained by assuming a RAM role are disclosed, perform the following steps to invalidate them:

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. Detach all policies from the RAM role.

    For more information, see Remove permissions from a RAM role.

  3. Delete the RAM role.

    For more information, see Delete a RAM role.

    After the RAM role is deleted, the STS tokens that are not expired become invalid.

Step 2 is required because a RAM role cannot be deleted while policies are still attached to it. If you want to continue using the role, create a RAM role that has the same name and attach the same policies to the new RAM role. Before you recreate the role, check whether its trust policy needs to be tightened, so that the entity that leaked the tokens can no longer assume it.
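The following Python script is an added example, not code from the original page or from Alibaba Cloud, that models the token lifecycle described in the last four questions: the DurationSeconds check against the 900-second lower bound and the role's maximum session duration, the 3,600-second default, several tokens for one role being valid at the same time, and the procedure of detaching all policies and deleting the role to invalidate unexpired tokens. It is an offline model, not a call to the STS API. Its one assumption beyond the page is that a token stays bound to the specific role it was issued for, so a newly created role with the same name does not revive tokens of the deleted role; role and policy names are placeholders.

```python
import itertools
import secrets
from dataclasses import dataclass, field

MIN_DURATION = 900        # seconds; lower bound of the STS token validity period
DEFAULT_DURATION = 3600   # seconds; used when DurationSeconds is omitted

_role_ids = itertools.count(1)


@dataclass
class Role:
    name: str
    max_session_duration: int                 # maximum session duration of the role
    policies: set = field(default_factory=set)
    role_id: int = field(default_factory=lambda: next(_role_ids))


@dataclass(frozen=True)
class Token:
    role_id: int      # model assumption: bound to the role instance, not its name
    expires_at: int   # epoch seconds
    secret: str


class StsModel:
    """Toy model of STS token issuance, validity and invalidation."""

    def __init__(self):
        self.roles = {}   # role name -> Role

    def create_role(self, name, max_session_duration=3600, policies=()):
        self.roles[name] = Role(name, max_session_duration, set(policies))
        return self.roles[name]

    def assume_role(self, role_name, now, duration_seconds=None):
        """Issue a token; rejects DurationSeconds outside the allowed range."""
        role = self.roles[role_name]
        duration = DEFAULT_DURATION if duration_seconds is None else duration_seconds
        if not MIN_DURATION <= duration <= role.max_session_duration:
            raise ValueError(f"DurationSeconds must be between {MIN_DURATION} "
                             f"and {role.max_session_duration}")
        return Token(role.role_id, now + duration, secrets.token_hex(16))

    def _role_for(self, token):
        return next((r for r in self.roles.values() if r.role_id == token.role_id), None)

    def is_valid(self, token, now):
        # Checked at request time: expiry and existence of the issuing role.
        # Every unexpired token is judged independently of newer tokens.
        return now < token.expires_at and self._role_for(token) is not None

    def effective_policies(self, token, now):
        """Policies a request with this token is evaluated against right now."""
        role = self._role_for(token)
        if role is None or now >= token.expires_at:
            return set()
        return set(role.policies)

    def contain_leak(self, role_name):
        """Steps 2 and 3 of the FAQ: detach every policy, then delete the role."""
        role = self.roles[role_name]
        role.policies.clear()
        del self.roles[role_name]


def duration_accepted(sts, role_name, duration_seconds):
    """True if AssumeRole with this DurationSeconds would be accepted."""
    try:
        sts.assume_role(role_name, 0, duration_seconds)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sts = StsModel()
    sts.create_role("ecs-ops", max_session_duration=7200, policies={"ecs-read-only"})
    t0 = 1_700_000_000
    old = sts.assume_role("ecs-ops", t0)
    new = sts.assume_role("ecs-ops", t0 + 600, duration_seconds=7200)
    print(sts.is_valid(old, t0 + 1800), sts.is_valid(new, t0 + 1800))
    sts.contain_leak("ecs-ops")
    print(sts.is_valid(old, t0 + 1800), sts.is_valid(new, t0 + 1800))
```

The model makes the operational point explicit: there is no per-token revocation, so an unexpired leaked token is neutralised only by removing what it resolves to at request time, first its permissions (detaching the policies) and then the role itself.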