Alibaba Cloud Security Token Service (STS) issues temporary credentials (STS tokens) for access to your Alibaba Cloud resources. Resource Access Management (RAM) provides two kinds of identity: RAM users, which hold long-term credentials, and RAM roles, which hold none. A RAM role can only be used by assuming it: a trusted entity calls STS, receives an STS token for the role, and uses that token to access Alibaba Cloud resources. When the token is issued, you specify how long it stays valid and can narrow the permissions it carries.
Functions and features
Use an STS token to assume a RAM role
A RAM user who is granted the sts:AssumeRole permission, and whose Alibaba Cloud account is listed as a trusted entity of the role, can use its AccessKey pair to call the AssumeRole operation. The call returns an STS token for the RAM role, and the RAM user then uses that token, instead of its own AccessKey pair, to access Alibaba Cloud resources.
This method is used to implement cross-account access and temporary authorization, for example letting a RAM user in account A act under a role in account B, or handing a short-lived token to a mobile app that must never hold a long-term credential. For more information, see Assume a RAM role, Use a RAM role to grant permissions across Alibaba Cloud accounts, and Use an STS token for authorizing a mobile app to access Alibaba Cloud resources.
Obtain an STS Token for role-based single sign-on (SSO)
You can call the AssumeRoleWithSAML or AssumeRoleWithOIDC operation to obtain an STS token for a RAM role by presenting an assertion or ID token from an identity provider (IdP), instead of an AccessKey pair. This implements role-based SSO; the IdP must be registered as a trusted entity of the role. For more information, see Overview (role-based SSO) and Overview of OIDC-based SSO.
Benefits
STS tokens reduce the impact of an AccessKey pair leak. An AccessKey pair is a long-term credential for a RAM user; if workloads use STS tokens instead, the long-term credential is used only to obtain tokens and is exposed to far fewer places.
STS tokens are temporary credentials. You specify their validity period when they are issued, and after they expire they are rejected, so you do not need to rotate them on a regular basis. Note that a leaked token remains usable until it expires, so keep validity periods as short as the workload allows.
You can pass a custom policy when you obtain an STS token to narrow what the token may do. The permissions of the token are the intersection of the policies attached to the RAM role and the policy you pass: the passed policy can only restrict the role's permissions, never extend them. This gives flexible and fine-grained authorization per token.
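The following Python example, added here and not part of Alibaba Cloud's documentation or SDKs, models the AssumeRole flow described under "Use an STS token to assume a RAM role" together with the two properties listed under "Benefits": a token that expires, and a passed policy that can only narrow the role's permissions. The STS call itself is replaced by a local stand-in that returns a response shaped like the real one, and the policy matcher is a deliberately simplified model (Allow/Deny statements with `*` wildcards on Action and Resource, no Condition keys); it is not the RAM policy engine. The account ID, role name, bucket names, session name and the 3600-second maximum session duration are constructed values for the example.

```python
import fnmatch
import json
import secrets
from datetime import datetime, timedelta, timezone

# Constructed identifiers. The ARN follows acs:ram::<account-id>:role/<role-name>;
# the account ID is fake. MAX_SESSION_DURATION is an assumed per-role limit.
ROLE_ARN = "acs:ram::123456789012:role/devops"
MAX_SESSION_DURATION = 3600
ISSUED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Policies attached to the devops RAM role (constructed).
ROLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
         "Resource": ["acs:oss:*:*:devops-logs", "acs:oss:*:*:devops-logs/*"]},
        {"Effect": "Allow", "Action": ["ecs:Describe*"], "Resource": ["*"]},
    ],
}

# Policy passed in the AssumeRole Policy parameter: read-only on one bucket.
SESSION_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject"],
         "Resource": ["acs:oss:*:*:devops-logs/*"]},
    ],
}


def build_assume_role_request(role_arn, session_name, duration_seconds, policy=None):
    """Parameters the caller sends to AssumeRole. DurationSeconds must be at
    least 900 s and at most the role's maximum session duration (assumed)."""
    if not 900 <= duration_seconds <= MAX_SESSION_DURATION:
        raise ValueError("DurationSeconds out of range")
    req = {"RoleArn": role_arn, "RoleSessionName": session_name,
           "DurationSeconds": duration_seconds}
    if policy is not None:
        req["Policy"] = json.dumps(policy, separators=(",", ":"))
    return req


def simulated_assume_role(request, role_policy, now):
    """Local stand-in for the STS response (not the real service): temporary
    credentials with an Expiration, plus the scope the token is bound to."""
    expires = now + timedelta(seconds=request["DurationSeconds"])
    session_policy = json.loads(request["Policy"]) if "Policy" in request else None
    return {
        "Credentials": {
            "AccessKeyId": "STS." + secrets.token_hex(8),      # constructed
            "AccessKeySecret": secrets.token_urlsafe(24),        # constructed
            "SecurityToken": secrets.token_urlsafe(48),          # constructed
            "Expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        },
        "AssumedRoleUser": {"Arn": request["RoleArn"] + "/" + request["RoleSessionName"]},
        "_scope": {"role_policy": role_policy, "session_policy": session_policy},
    }


def _matches(patterns, value):
    # RAM action names are case-insensitive; '*' matches any run of characters.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def policy_allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise implicit deny. Conditions are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def token_allows(token, action, resource):
    """Effective permission of the token = role policies AND passed policy."""
    scope = token["_scope"]
    if not policy_allows(scope["role_policy"], action, resource):
        return False
    if scope["session_policy"] is None:
        return True
    return policy_allows(scope["session_policy"], action, resource)


def credentials_usable(token, now, skew=timedelta(minutes=5)):
    """Treat the token as expired `skew` before Expiration so a request that
    is still in flight at the boundary is not rejected; re-assume instead."""
    exp = datetime.strptime(token["Credentials"]["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return now + skew < exp.replace(tzinfo=timezone.utc)


def run_demo(minutes_elapsed=0):
    """Assume the role at ISSUED_AT and report, `minutes_elapsed` later, what
    the token can do and whether it is still usable."""
    req = build_assume_role_request(ROLE_ARN, "ci-build-42", 3600, SESSION_POLICY)
    tok = simulated_assume_role(req, ROLE_POLICY, ISSUED_AT)
    now = ISSUED_AT + timedelta(minutes=minutes_elapsed)
    log = "acs:oss:cn-hangzhou:123456789012:devops-logs/app.log"
    other = "acs:oss:cn-hangzhou:123456789012:secrets/db.env"
    return {
        "get_log": token_allows(tok, "oss:GetObject", log),         # True
        "put_log": token_allows(tok, "oss:PutObject", log),         # False: narrowed
        "get_other_bucket": token_allows(tok, "oss:GetObject", other),  # False
        "describe_ecs": token_allows(tok, "ecs:DescribeInstances", "*"),  # False
        "usable": credentials_usable(tok, now),
        "expiration": tok["Credentials"]["Expiration"],             # 2024-01-01T13:00:00Z
    }


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(56)["usable"])  # False: inside the 5-minute safety margin
```

The point to notice is in `token_allows`: PutObject and ecs:Describe* are granted by the role but are refused because the policy passed to AssumeRole did not include them, while a bucket the role never had access to stays out of reach no matter what the passed policy says.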
Terms
| Term | Description |
| --- | --- |
| RAM user | A physical identity with a fixed ID and its own credentials (logon password, AccessKey pair). A RAM user represents a person or an application. For more information, see Overview of RAM users and Create a RAM user. |
| RAM role | A virtual identity to which policies can be attached. A RAM role has no logon password or AccessKey pair; it must be assumed by a trusted entity, which can be a RAM user under a trusted Alibaba Cloud account, an Alibaba Cloud service, or an identity provider (IdP). A trusted entity that assumes the role obtains an STS token for it and can use that token to access the resources the role's policies permit. RAM roles are classified by trusted entity into roles for a trusted Alibaba Cloud account, roles for a trusted Alibaba Cloud service, and roles for a trusted IdP. For more information, see RAM role overview, Create a RAM role for a trusted Alibaba Cloud account, Create a RAM role for a trusted IdP, and Create a RAM role for a trusted Alibaba Cloud service. |
| Alibaba Cloud Resource Name (ARN) of a RAM role | The globally unique resource identifier of the RAM role, formed according to the ARN naming conventions provided by Alibaba Cloud. For example, the ARN of the devops RAM role that belongs to an Alibaba Cloud account is |
| trusted entity | An entity that is permitted to assume a RAM role. You specify the trusted entity when you create the role, and only trusted entities can assume it. A trusted entity can be an Alibaba Cloud account, an Alibaba Cloud service, or an IdP. |
| policy | A set of permissions written in the RAM policy structure and syntax. A policy states which resources may be accessed, which operations may be performed on them, and under which conditions. One or more policies can be attached to a RAM role; a role with no policy attached cannot access any Alibaba Cloud resource. |
| role assuming | The way a trusted entity obtains the STS token of a RAM role. The entity calls the STS AssumeRole API operation (or AssumeRoleWithSAML or AssumeRoleWithOIDC for role-based SSO), receives the STS token of the role, and then uses that token to call API operations of Alibaba Cloud services. |
Services that work with STS
For more information, see Services that work with STS.