GenerateAssetOperationToken - Bastionhost - Alibaba Cloud Documentation Center

Applies for an O\\\&M token.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-bastionhost:GenerateAssetOperationToken

get

*All Resource

*

None

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The ID of the bastion host for which you want to apply an O&M token. Note You can call the DescribeInstances operation to query the ID of the bastion host.	bastionhost-cn-st220aw****
RegionId	string	No	The region ID of the bastion host. Note For more information about the mapping between region IDs and region names, see Regions and zones.	cn-hangzhou
AssetType	string	Yes	The type of the asset for which you want to apply for an O&M token. Valid values: Host Database	Host
AssetId	string	Yes	The ID of the asset for which you want to apply for an O&M token.	11
AssetAccountId	string	No	The ID of the account whose assets the O&M token takes effect. Note You must specify at least one of the following parameters: AssetAccountId and AssetAccountName. If you specify both parameters, AssetAccountId takes precedence.	2
AssetAccountName	string	No	The name of the host account. If you use a custom account, enter a real account name. Note When both AssetAccountId and AssetAccountName are specified, AssetAccountId takes precedence.	root
AssetAccountPassword	string	No	The Base64-encoded password. This parameter is required if you want to apply for an O&M token for a custom account.	dGVzdHBhc3N3b3Jk
AssetAccountProtocolName	string	No	The name of the protocol. Valid values: SSH RDP Oracle PostgreSQL MySQL SQLServer	SSH
OperationMode	string	No	The O&M logon method. Valid values: WebToken: O&M token-based logon. Sso: local client-based logon. Note This parameter is available only for Bastionhost V3.2.44 and later. If you do not specify this parameter, the default value WebToken is used.	Sso
LoginAttribute	string	No	The logon attribute. If you set OperationMode to Sso and AssetAccountProtocolName to Oracle, you must specify this parameter. Valid values: SERVICENAME SID Note This parameter is available only for Bastionhost V3.2.44 and later.	SID
DatabaseSchema	string	No	The name of the database. If you set OperationMode to Sso and AssetAccountProtocolName to PostgreSQL or Oracle and you select Custom Account for the Database Account parameter, you must specify this parameter. Note This parameter is available only for bastion hosts that run V3.2.44 or later.	orcl
SsoClient	string	No	The type of the local client that you want to perform O&M operations on Linux assets. If you set OperationMode to Sso and AssetAccountProtocolName to SSH, you must specify this parameter. Valid values: ssh: Perform O&M operations on Linux assets by connecting to a bastion host from an SSH client. sftp: Perform O&M operations on Linux assets by connecting to a bastion host from a Secure File Transfer Protocol (SFTP) client. Note This parameter is available only for Bastionhost V3.2.44 and later.	ssh
OperationNote	string	No	The logon remarks. This parameter is required if an administrator enables the feature of logon remarks on the Control Policies page.	comment

Response elements

Element	Type	Description	Example
	object
AssetOperationToken	object	The data returned.
CountLeft	integer	The remaining number of times that you can use the O&M token.	1
ExpireTime	integer	The time when the O&M token expires. The value is a UNIX timestamp.	1709110797
HasCountLimit	boolean	Indicates whether the number of times that you can use the O&M token is limited.	true
MaxRenewCount	integer	The maximum number of renewals. A value of 0 indicates that renewal is not supported.	10
RenewCount	integer	The number of times the O&M token is renewed.	1
Token	string	The O&M token that you apply for.	NmYyMmEzNmMwYzljNGY******
TokenId	string	The ID of the O&M token.	1
SsoUrl	string	The single sign-on (SSO) URL.	sso://eyJOT0RFX0NPTU1PTiI6eyJNb2R******
RequestId	string	The request ID.	EC9BF0F4-8983-491A-BC8C-1B4DD94976DE

Examples

Success response

JSON format

{
  "AssetOperationToken": {
    "CountLeft": 1,
    "ExpireTime": 1709110797,
    "HasCountLimit": true,
    "MaxRenewCount": 10,
    "RenewCount": 1,
    "Token": "NmYyMmEzNmMwYzljNGY******",
    "TokenId": "1",
    "SsoUrl": "sso://eyJOT0RFX0NPTU1PTiI6eyJNb2R******"
  },
  "RequestId": "EC9BF0F4-8983-491A-BC8C-1B4DD94976DE"
}

Error codes

HTTP status code	Error code	Error message	Description
400	InvalidParameter	The argument is invalid.	The argument is invalid.
500	InternalError	An unknown error occurred.	An unknown error occurred.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.