This topic provides answers to some frequently asked questions about Resource Access Management (RAM) roles and Security Token Service (STS) tokens.

Why is the error message "You are not authorized to do this action. You should be authorized by RAM." reported when a RAM user attempts to access STS?

When a RAM user uses the API, a CLI, or an SDK to call the AssumeRole operation, the following error message may be returned:

Error message: You are not authorized to do this action. You should be authorized by RAM.

You can refer to the following information to troubleshoot the error:

Who is allowed to call the AssumeRole operation?

The AssumeRole operation can be called to obtain an STS token that is used to assume a RAM role. Only a RAM user or a RAM role can call this operation. An Alibaba Cloud account cannot call this operation.

What are the types of RAM roles? What entities can assume the types of RAM roles?

RAM roles are classified into the following types based on the trusted entity:

  • Alibaba Cloud account: RAM users of a trusted Alibaba Cloud account can assume this type of RAM role. The RAM users that assume this type of RAM role can belong to the Alibaba Cloud account that owns the role or to other Alibaba Cloud accounts. This type of RAM role is used for cross-account access and temporary authorization.
  • Alibaba Cloud service: Alibaba Cloud services can assume this type of RAM role. This type of RAM role is used to authorize access across Alibaba Cloud services. RAM roles that Elastic Compute Service (ECS) instances assume belong to this type; in this case, the trusted entity is ECS. For more information, see Use RAM roles to access other Alibaba Cloud services.
  • IdP: Users of a trusted IdP can assume this type of RAM role. This type of RAM role is used to implement single sign-on (SSO) between Alibaba Cloud and a trusted IdP.

Can I specify the RAM role that a RAM user can assume?

Yes. To do so, create a custom policy that specifies the RAM role that the RAM user is allowed to assume. The following sample code provides an example of such a custom policy:

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "acs:ram:*:<account-id>:role/<role-name>"
        }
    ],
    "Version": "1"
}
Note
  • In this policy, the Resource element specifies the Alibaba Cloud Resource Name (ARN) of the RAM role. In this element, <account-id> specifies the ID of the Alibaba Cloud account that owns the role and <role-name> specifies the name of the RAM role. For more information about how to view the ARN of a RAM role, see How do I view the ARN of a RAM role?
  • You can attach this policy to the RAM user to specify the RAM role that the RAM user can assume. For more information about how to attach a policy to a RAM user, see Grant permissions to the RAM user.

How do I view the ARN of a RAM role?

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click the name of the RAM role whose ARN you want to view.
  4. In the Basic Information section, view the ARN of the RAM role.

Is the number of STS API requests limited?

Yes, the number of STS API requests is limited. The AssumeRole operation can be called up to 100 times per second for each Alibaba Cloud account. API requests that are sent by using RAM users and RAM roles within the Alibaba Cloud account are also counted.

If the number of API requests exceeds the upper limit, one of the following error messages is returned for the requests that exceed the limit:

  • Error messages

    Error code         Error message
    Throttling.Api     Request was denied due to api flow control.
    Throttling.User    Request was denied due to user flow control.
    Throttling         Request was denied due to flow control.

  • HTTP status code 302

If one of the preceding error messages or HTTP status code 302 is returned, reduce the number of concurrent STS API requests. If your services require a higher quota on concurrent STS API requests, you can submit a ticket to increase the quota.

What are the permissions of an STS token?

The permissions of an STS token are the intersection of two sets: the permissions that are granted to the specified RAM role, and the permissions that are included in the value of the Policy parameter when you call the AssumeRole operation. In other words, the token can perform an action only if both the RAM role's policies and the Policy parameter allow it, so the Policy parameter can narrow the role's permissions but never extend them.

Note If you do not specify the Policy parameter when you call the AssumeRole operation, the returned STS token has all the permissions of the specified RAM role.
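The following added example (not Alibaba Cloud's own code) models that rule as a small, simplified policy evaluator: a request succeeds only when the role's policy allows it and, if a Policy parameter was supplied, the session policy allows it too, with an explicit Deny in either policy winning. The policies and the account ID in it are constructed samples, and the Condition element is not modelled.

```python
import fnmatch

# Constructed sample policies (not from any real account). ROLE_POLICY is what is
# attached to the RAM role; SESSION_POLICY is what the caller passes in the
# Policy parameter of AssumeRole. The Condition element is not modelled here.
ROLE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
        "Resource": "acs:oss:*:*:example-bucket/*",
    }],
}
SESSION_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "oss:GetObject",
        "Resource": "acs:oss:*:*:example-bucket/public/*",
    }],
}

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # RAM policy wildcards (* and ?) behave like shell globs; matching is case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy.
    An explicit Deny on a matching statement overrides any Allow."""
    result = None
    for stmt in policy.get("Statement", []):
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def token_allows(role_policy, session_policy, action, resource):
    """Effective permission of the STS token: the role's policy must allow the action
    AND, if a Policy parameter was passed, the session policy must allow it too.
    Without a Policy parameter the token has all of the role's permissions."""
    if evaluate(role_policy, action, resource) != "Allow":
        return False
    if session_policy is None:
        return True
    return evaluate(session_policy, action, resource) == "Allow"
```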

What is the validity period of an STS token?

The validity period of an STS token ranges from 900 seconds to the maximum session duration that you specify. The default validity period is 3,600 seconds.

Note
  • You can configure the DurationSeconds parameter when you call the AssumeRole operation to specify the validity period of an STS token.
  • You can use the RAM console or call the API to configure the maximum session duration of a RAM role. For more information, see Specify the maximum session duration for a RAM role.

If I obtained multiple STS tokens at different points in time, are the old and new tokens valid at the same time?

Yes, the old and new tokens are valid at the same time. All STS tokens are valid before they expire.
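An added example (not Alibaba Cloud's own code) that applies the quota, validity-period and overlapping-token rules from this FAQ in one token cache: it calls a hypothetical assume_role(duration_seconds) callable at most once per validity period instead of once per request, rejects a DurationSeconds outside the 900-second minimum and the role's maximum session duration before any API call, and retries only on the flow-control error codes or HTTP status 302 listed above. In production, take the expiry from the Expiration field of the AssumeRole response rather than from the local clock.

```python
import random
import time

THROTTLING_CODES = {"Throttling.Api", "Throttling.User", "Throttling"}  # codes listed in this FAQ
MIN_DURATION, DEFAULT_DURATION = 900, 3600  # DurationSeconds bounds and default from this FAQ

class StsError(Exception):
    """Constructed stand-in for the SDK's server-side exception: error code + HTTP status."""
    def __init__(self, code, http_status=400):
        super().__init__(code)
        self.code, self.http_status = code, http_status

def is_throttled(exc):
    # Flow control shows up as one of the Throttling.* codes or as HTTP status 302.
    return isinstance(exc, StsError) and (exc.code in THROTTLING_CODES or exc.http_status == 302)

class StsTokenCache:
    """Reuse one STS token until shortly before it expires, so AssumeRole is called
    roughly once per validity period instead of once per request; retry only on
    flow-control errors, with exponential backoff and jitter."""
    def __init__(self, assume_role, duration_seconds=DEFAULT_DURATION, max_session=3600,
                 refresh_margin=60, max_attempts=5, clock=time.time, sleep=time.sleep):
        # Mirror the server-side rule so a bad DurationSeconds fails before any API call.
        if not MIN_DURATION <= duration_seconds <= max_session:
            raise ValueError("DurationSeconds must be in [900, max session duration]")
        self.assume_role, self.duration = assume_role, duration_seconds
        self.margin, self.max_attempts = refresh_margin, max_attempts
        self.clock, self.sleep = clock, sleep
        self.token, self.expires_at, self.calls = None, 0.0, 0

    def get(self):
        # Old and new tokens stay valid side by side, so refreshing early is safe.
        if self.token is not None and self.clock() < self.expires_at - self.margin:
            return self.token
        for attempt in range(1, self.max_attempts + 1):
            try:
                self.calls += 1
                self.token = self.assume_role(self.duration)  # one AssumeRole request
                self.expires_at = self.clock() + self.duration
                return self.token
            except StsError as exc:
                # Non-throttling errors (for example, missing sts:AssumeRole
                # permission) are not retried; the last throttled attempt is re-raised.
                if not is_throttled(exc) or attempt == self.max_attempts:
                    raise
                self.sleep(0.2 * 2 ** (attempt - 1) * (0.5 + random.random()))
```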

What do I do if STS tokens are disclosed?

If STS tokens that a RAM user obtained by assuming a RAM role are disclosed, perform the following steps to invalidate the STS tokens:

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Detach all policies from the RAM role.

    For more information, see Revoke permissions from a RAM role.

  3. Delete the RAM role.

    For more information, see Delete a RAM role.

    After the RAM role is deleted, the STS tokens that have not yet expired become invalid.

If you want to continue using the deleted RAM role, create a RAM role that has the same name and attach the same policies to the new RAM role.

What is the maximum length for an STS token?

Alibaba Cloud STS does not impose limits on the length of STS tokens. We strongly recommend that you do not assume or enforce a maximum length for STS tokens in your own systems.