Action Trail支援查詢阿里雲STS(Security Token Service)相關事件。您可以快速查詢STS事件並擷取事件發生的時間、地區、臨時身份等資訊。本文為您舉例說明STS相關事件。
RAM使用者通過控制台調用STS切換角色身份
以下樣本表示,在北京時間2021年08月05日15:59:47,RAM使用者Alice調用AssumeRole介面通過扮演阿里雲帳號127812487797****下的cna-manager-test-role角色擷取了一個臨時身份。
{
"eventId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
"eventVersion": 1,
"responseElements": {
"RequestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
"AssumedRoleUser": {
"Arn": "acs:ram::127812487797****:role/cna-manager-test-role/169074",
"AssumedRoleId": "33618118978621****:169074"
},
"Credentials": {
"AccessKeyId": "STS.NUQ79dzjpMPxYesi1YY5U****",
"AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
"Expiration": "2021-08-05T08:59:47Z"
}
},
"eventSource": "sts.aliyuncs.com",
"requestParameters": {
"AcsHost": "sts.aliyuncs.com",
"AcsProduct": "Sts",
"RequestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
"RoleSessionName": 169074,
"RegionId": "cn-hangzhou",
"HostId": "sts.aliyuncs.com",
"RoleArn": "acs:ram::127812487797****:role/cna-manager-test-role"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "AlibabaCloud (Linux; amd64) Java/1.8.0_152-b187 Core/4.5.17 HTTPClient/ApacheHttpClient",
"eventType": "ApiCall",
"referencedResources": {
"ACS::RAM::AccessKey": [
"STS.NUQ79dzjpMPxYesi1YY5U****"
]
},
"userIdentity": {
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T07:59:46Z"
}
},
"accountId": "146411043369****",
"principalId": "21336811218169****",
"type": "ram-user",
"userName": "Alice"
},
"serviceName": "Sts",
"additionalEventData": {
"Scheme": "https",
"CallerBid": "26842"
},
"apiVersion": "2015-04-01",
"requestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
"eventTime": "2021-08-05T07:59:47Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "AssumeRole"
}樣本中關鍵字段含義如下:
userIdentity.type:要求者的身份類型。取值為ram-user,表示RAM使用者。userIdentity.userName:要求者的RAM使用者名稱稱。serviceName:事件相關的阿里雲服務名稱。取值為Sts,表示STS。eventName:事件名稱。取值為AssumeRole,表示擷取一個扮演該角色的臨時身份,此處RAM使用者扮演的是受信實體為阿里雲帳號類型的RAM角色。requestParameters.RoleArn:扮演角色的ARN資訊。取值為acs:ram::127812487797****:role/cna-manager-test-role,127812487797****表示角色所屬的阿里雲帳號ID,cna-manager-test-role表示角色名稱。referencedResources:事件影響的資源清單。取值為{"ACS::RAM::AccessKey": ["STS.NUQ79dzjpMPxYesi1YY5U****"]},表示扮演角色擷取的臨時身份憑證STS.NUQ79dzjpMPxYesi1YY5U****。eventTime:事件發生的時間(UTC格式)。取值為2021-08-05T07:59:47Z,表示北京時間2021年08月05日15:59:47。
RAM使用者通過調用SDK擷取臨時存取權杖
以下樣本表示,在北京時間2021年08月05日16:03:31,RAM使用者Alice調用AssumeRole介面通過扮演阿里雲帳號193875730500****下的aliyunosstokengeneratorrole角色擷取了一個臨時身份。
{
"eventId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
"eventVersion": 1,
"responseElements": {
"RequestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
"AssumedRoleUser": {
"Arn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole/X5wpmS6EgkM080aE0Kym****",
"AssumedRoleId": "30815480203992****:X5wpmS6EgkM080aE0Kym****"
},
"Credentials": {
"AccessKeyId": "STS.NTobFuYYn6EBxAVhC18ta****",
"AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
"Expiration": "2021-08-05T09:03:31Z"
}
},
"eventSource": "sts.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"Policy": {
"Version": "1",
"Statement": [
{
"Condition": {},
"Action": [
"oss:PutObject"
],
"Resource": [
"acs:oss:*:*:taowo/image/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*",
"acs:oss:*:*:taowo/video/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*",
"acs:oss:*:*:taowo/sound/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*"
],
"Effect": "Allow"
}
]
},
"AcsHost": "sts.cn-hangzhou.aliyuncs.com",
"AcsProduct": "Sts",
"RequestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
"RoleSessionName": "X5wpmS6EgkM080aE0Kym****",
"Region": "cn-hangzhou",
"SignatureType": "",
"RegionId": "cn-hangzhou",
"HostId": "sts.cn-hangzhou.aliyuncs.com",
"RoleArn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "AlibabaCloud (Linux 3.10.0-1127.19.1.el7.x86_64;x86_64) Python/3.8.8 Core/2.13.32 python-requests/2.18.3",
"eventType": "ApiCall",
"referencedResources": {
"ACS::RAM::AccessKey": [
"STS.NTobFuYYn6EBxAVhC18ta****"
]
},
"userIdentity": {
"accessKeyId": "LTAI2jP0BF0f****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T08:03:31Z"
}
},
"accountId": "193875730500****",
"principalId": "21365465900895****",
"type": "ram-user",
"userName": "Alice"
},
"serviceName": "Sts",
"additionalEventData": {
"Scheme": "https",
"CallerBid": "26842"
},
"apiVersion": "2015-04-01",
"requestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
"eventTime": "2021-08-05T08:03:31Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "AssumeRole"
}樣本中關鍵字段含義如下:
userIdentity.accessKeyId:發起API調用的AccessKey ID。取值為LTAI2jP0BF0f****。userIdentity.principalId:AK所屬的帳號ID。取值為21365465900895****。userIdentity.type:要求者的身份類型。取值為ram-user,表示RAM使用者。serviceName:事件相關的阿里雲服務名稱。取值為Sts,表示STS。eventName:事件名稱。取值為AssumeRole,表示擷取一個扮演該角色的臨時身份,此處RAM使用者扮演的是受信實體為阿里雲帳號類型的RAM角色。requestParameters.RoleArn:扮演角色的ARN資訊。取值為acs:ram::193875730500****:role/aliyunosstokengeneratorrole,193875730500****表示角色所屬的阿里雲帳號ID,aliyunosstokengeneratorrole表示角色名稱。referencedResources:事件影響的資源清單。取值為{"ACS::RAM::AccessKey": ["STS.NTobFuYYn6EBxAVhC18ta****"]},表示扮演角色擷取的臨時身份憑證為test@example.onaliyun.com。eventTime:事件發生的時間(UTC格式)。取值為2021-08-05T08:03:31Z,表示北京時間2021年08月05日16:03:31。
企業使用者通過角色SSO擷取阿里雲角色身份
以下樣本表示,在北京時間2021年08月05日16:04:56,企業使用者Alice調用AssumeRoleWithSAML介面通過角色SSO扮演189186630579****帳號下的cruisetestrole角色擷取了一個臨時身份。
{
"eventId": "66FDD0F9-3546-567A-8964-2BD734198356",
"eventVersion": 1,
"responseElements": {
"RequestId": "66FDD0F9-3546-567A-8964-2BD734198356",
"SAMLAssertionInfo": {
"SubjectType": "transient",
"Issuer": "https://testidp/saml",
"Recipient": "https://signin.aliyun.com/saml-role/sso",
"Subject": "Alice"
},
"AssumedRoleUser": {
"Arn": "acs:ram::189186630579****:role/cruisetestrole/cruisetest",
"AssumedRoleId": "37924473051351****:cruisetest"
},
"Credentials": {
"AccessKeyId": "STS.NUTNKhGR8BR3QL9sJkSHp****",
"AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
"Expiration": "2021-08-05T09:04:56Z"
}
},
"eventSource": "sts.aliyuncs.com",
"requestParameters": {
"AcsHost": "sts.aliyuncs.com",
"SAMLAssertion": "***",
"AcsProduct": "Sts",
"RequestId": "66FDD0F9-3546-567A-8964-2BD734198356",
"DurationSeconds": 3600,
"HostId": "sts.aliyuncs.com",
"SAMLProviderArn": "acs:ram::189186630579****:saml-provider/mockedIdp",
"RoleArn": "acs:ram::189186630579****:role/cruisetestrole"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "Jakarta Commons-HttpClient/3.1",
"eventType": "ApiCall",
"referencedResources": {
"ACS::RAM::AccessKey": [
"STS.NUTNKhGR8BR3QL9sJkSHp****"
]
},
"userIdentity": {
"accountId": "189186630579****",
"samlProviderName": "mockedIdp",
"type": "saml-user",
"userName": "Alice",
"samlIssuer": "https://testidp/saml"
},
"serviceName": "Sts",
"additionalEventData": {
"Scheme": "https",
"CallerBid": "26842"
},
"apiVersion": "2015-04-01",
"requestId": "66FDD0F9-3546-567A-8964-2BD734198356",
"eventTime": "2021-08-05T08:04:56Z",
"isGlobal": false,
"acsRegion": "cn-shanghai",
"eventName": "AssumeRoleWithSAML"
}樣本中關鍵字段含義如下:
userIdentity.type:要求者的身份類型。取值為saml-user,表示企業自有身份的使用者。userIdentity.userName:發起角色SSO的企業使用者的使用者名稱。requestParameters.RoleArn:扮演角色的ARN資訊。取值為cs:ram::189186630579****:role/cruisetestrole,189186630579****表示角色所屬的阿里雲帳號ID,cruisetestrole表示角色名稱。referencedResources:事件影響的資源清單。取值為{"ACS::RAM::AccessKey": ["STS.NUTNKhGR8BR3QL9sJkSHp****"]},表示扮演角色擷取的臨時身份憑證為STS.NUTNKhGR8BR3QL9sJkSHp****。serviceName:事件相關的阿里雲服務名稱。取值為Sts,表示STS。eventName:事件名稱。取值為AssumeRoleWithSAML,表示通過角色SSO擷取阿里雲角色身份。eventTime:事件發生的時間(UTC格式)。取值為2021-08-05T08:04:56Z,表示北京時間2021年08月05日16:04:56。