summaryrefslogtreecommitdiff
path: root/data/en_us/sts/2015-04-01
diff options
context:
space:
mode:
authorZhineng Li <im@zhineng.li>2026-07-12 17:11:17 +0800
committerZhineng Li <im@zhineng.li>2026-07-12 17:11:17 +0800
commit1c7f908ce09f98fdcbf79ed2a8ae21be60eaa634 (patch)
tree5f0857666365b7e40cdaa3733ebe1f3ba9e13c67 /data/en_us/sts/2015-04-01
parent7347bac4ab7e136157fc94777e6cf87ef9e08599 (diff)
downloadafterglow-metadata-full-1c7f908ce09f98fdcbf79ed2a8ae21be60eaa634.tar.gz
afterglow-metadata-full-1c7f908ce09f98fdcbf79ed2a8ae21be60eaa634.zip
update APIs 20260712
Diffstat (limited to 'data/en_us/sts/2015-04-01')
-rw-r--r--data/en_us/sts/2015-04-01/api-docs.php1193
1 files changed, 476 insertions, 717 deletions
diff --git a/data/en_us/sts/2015-04-01/api-docs.php b/data/en_us/sts/2015-04-01/api-docs.php
index 7feb9cb..7bd8498 100644
--- a/data/en_us/sts/2015-04-01/api-docs.php
+++ b/data/en_us/sts/2015-04-01/api-docs.php
@@ -1,28 +1,16 @@
<?php return [
'version' => '1.0',
- 'info' => [
- 'style' => 'RPC',
- 'product' => 'Sts',
- 'version' => '2015-04-01',
- ],
+ 'info' => ['style' => 'RPC', 'product' => 'Sts', 'version' => '2015-04-01'],
'directories' => [
[
- 'id' => 120773,
- 'title' => 'Role assuming',
+ 'children' => ['AssumeRole', 'AssumeRoleWithSAML', 'AssumeRoleWithOIDC'],
'type' => 'directory',
- 'children' => [
- 'AssumeRole',
- 'AssumeRoleWithSAML',
- 'AssumeRoleWithOIDC',
- ],
+ 'title' => 'Role assumption',
],
[
- 'id' => 120777,
- 'title' => 'Requester identity',
+ 'children' => ['GetCallerIdentity'],
'type' => 'directory',
- 'children' => [
- 'GetCallerIdentity',
- ],
+ 'title' => 'Caller identity',
],
],
'components' => [
@@ -31,242 +19,146 @@
'apis' => [
'AssumeRole' => [
'summary' => 'Obtains a Security Token Service (STS) token to assume a Resource Access Management (RAM) role.',
- 'methods' => [
- 'post',
- 'get',
- ],
- 'schemes' => [
- 'https',
- ],
+ 'methods' => ['post', 'get'],
+ 'schemes' => ['https'],
'security' => [
[
'AK' => [],
],
],
'operationType' => 'readAndWrite',
- 'systemTags' => [
- 'operationType' => 'get',
- 'riskType' => 'high',
- 'chargeType' => 'free',
- ],
+ 'systemTags' => ['operationType' => 'get', 'riskType' => 'high', 'chargeType' => 'free'],
'parameters' => [
[
'name' => 'DurationSeconds',
'in' => 'query',
- 'schema' => [
- 'description' => 'The validity period of the STS token. Unit: seconds.'."\n"
- ."\n"
- .'Minimum value: 900. Maximum value: the value of the `MaxSessionDuration` parameter. Default value: 3600.'."\n"
- ."\n"
- .'You can call the CreateRole or UpdateRole operation to configure the `MaxSessionDuration` parameter. For more information, see [CreateRole](~~28710~~) or [UpdateRole](~~28712~~).'."\n",
- 'type' => 'integer',
- 'format' => 'int64',
- 'required' => false,
- 'example' => '3600',
- ],
+ 'schema' => ['description' => 'The validity period of the STS token. Unit: seconds.'."\n"
+ ."\n"
+ .'Minimum value: 900. Maximum value: the value of the `MaxSessionDuration` parameter. Default value: 3600.'."\n"
+ ."\n"
+ .'You can call the CreateRole or UpdateRole operation to configure the `MaxSessionDuration` parameter. For more information, see [CreateRole](~~28710~~) and [UpdateRole](~~28712~~).', 'type' => 'integer', 'format' => 'int64', 'required' => false, 'title' => '', 'example' => '3600'],
],
[
'name' => 'Policy',
'in' => 'query',
- 'schema' => [
- 'description' => 'The policy that specifies the permissions of the returned STS token. You can use this parameter to grant the STS token fewer permissions than the permissions granted to the RAM role.'."\n"
- ."\n"
- .'* If you specify this parameter, the permissions of the returned STS token are the permissions that are included in the value of this parameter and owned by the RAM role.'."\n"
- .'* If you do not specify this parameter, the returned STS token has all the permissions of the RAM role.'."\n"
- ."\n"
- .'The value must be 1 to 2,048 characters in length.'."\n"
- ."\n"
- .'For more information about policy elements and sample policies, see [Policy elements](~~93738~~) and [Overview of sample policies](~~210969~~).'."\n",
- 'type' => 'string',
- 'required' => false,
- 'example' => '{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}',
- ],
+ 'schema' => ['description' => 'The policy that specifies the permissions of the returned STS token. This allows you to implement more fine-grained access control.'."\n"
+ ."\n"
+ .'- If you specify this parameter, the permissions of the returned STS token are the intersection of the permissions defined in this policy and the permissions granted by the role\'s policy.'."\n"
+ .'- If you do not specify this parameter, the returned STS token has all the permissions of the RAM role.'."\n"
+ ."\n"
+ .'The value must be 1 to 2,048 characters in length.'."\n"
+ ."\n"
+ .'For more information about policy elements and sample policies, see [Policy elements](~~93738~~) and [Overview of sample policies](~~210969~~).', 'type' => 'string', 'required' => false, 'title' => '', 'example' => '{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}'],
],
[
'name' => 'RoleArn',
'in' => 'query',
- 'schema' => [
- 'description' => 'The Alibaba Cloud Resource Name (ARN) of the RAM role.'."\n"
- ."\n"
- .'The trusted entity of the RAM role is an Alibaba Cloud account. For more information, see [Create a RAM role for a trusted Alibaba Cloud account](~~93691~~) or [CreateRole](~~28710~~).'."\n"
- ."\n"
- .'Format: `acs:ram::<account_id>:role/<role_name>`.'."\n"
- ."\n"
- .'You can view the ARN in the RAM console or by calling operations. The following items describe the validity periods of storage addresses:'."\n"
- ."\n"
- .'* For more information about how to view the ARN in the RAM console, see [How do I find the ARN of the RAM role?](~~39744~~)'."\n"
- .'* For more information about how to view the ARN by calling operations, see [ListRoles](~~28713~~) or [GetRole](~~28711~~).'."\n",
- 'type' => 'string',
- 'required' => true,
- 'example' => 'acs:ram::123456789012****:role/adminrole',
- ],
+ 'schema' => ['description' => 'The Alibaba Cloud Resource Name (ARN) of the RAM role.'."\n"
+ ."\n"
+ .'The trusted entity of the RAM role is an Alibaba Cloud account. For more information, see [Create a RAM role for a trusted Alibaba Cloud account](~~93691~~) and [CreateRole](~~28710~~).'."\n"
+ ."\n"
+ .'Format: `acs:ram::<account_id>:role/<role_name>`.'."\n"
+ ."\n"
+ .'You can view the ARNs of RAM roles by using the RAM console or by calling API operations.'."\n"
+ ."\n"
+ .'- For more information about how to view the ARN of a RAM role in the RAM console, see the "How do I view the ARN of a RAM role?" section of the [FAQ about RAM roles and STS tokens](~~39744~~) topic.'."\n"
+ .'- For more information about how to view the ARN by calling operations, see [ListRoles](~~28713~~) and [GetRole](~~28711~~).', 'type' => 'string', 'required' => true, 'title' => '', 'example' => 'acs:ram::123456789012****:role/adminrole'],
],
[
'name' => 'RoleSessionName',
'in' => 'query',
- 'schema' => [
- 'description' => 'The custom name of the role session.'."\n"
- ."\n"
- .'Set this parameter based on your business requirements. In most cases, you can set this parameter to the identity of the API caller. For example, you can specify a username. You can specify `RoleSessionName` to identify API callers that assume the same RAM role in ActionTrail logs. This allows you to track the users that perform the operations.'."\n"
- ."\n"
- .'The value must be 2 to 64 characters in length and can contain letters, digits, and the following special characters: `. @ - _`.'."\n",
- 'type' => 'string',
- 'required' => true,
- 'example' => 'alice',
- ],
+ 'schema' => ['description' => 'The name of the role session.'."\n"
+ ."\n"
+ .'The value is user-defined. In most cases, you can set this parameter to the identity of the user who calls the operation. For example, you can specify a username. You can specify `RoleSessionName` to identify API callers that assume the same RAM role in ActionTrail logs. This allows you to track the users that perform the operations.'."\n"
+ ."\n"
+ .'The name must be 2 to 64 characters in length, and can contain letters, digits, and the following special characters: `. @ - _`.', 'type' => 'string', 'required' => true, 'title' => '', 'example' => 'alice'],
],
[
'name' => 'ExternalId',
'in' => 'query',
- 'schema' => [
- 'description' => 'The external ID of the RAM role.'."\n"
- ."\n"
- .'This parameter is provided by an external party and is used to prevent the confused deputy problem. For more information, see [Use ExternalId to prevent the confused deputy problem](~~2361741~~).'."\n"
- ."\n"
- .'The value must be 2 to 1,224 characters in length and can contain letters, digits, and the following special characters: `= , . @ : / - _`. The regular expression for this parameter is `[\\w+=,.@:\\/-]*`.'."\n",
- 'type' => 'string',
- 'required' => false,
- 'example' => 'abcd1234',
- ],
+ 'schema' => ['description' => 'The external ID of the RAM role.'."\n"
+ ."\n"
+ .'The value of this parameter is provided by an external party and is used to prevent the confused deputy issue. For more information, see [Use external IDs to prevent the confused deputy issue](~~2361741~~).'."\n"
+ ."\n"
+ .'The ID must be 2 to 1,224 characters in length, and can contain letters, digits, and the following special characters: `= , . @ : / - _`. The regular expression for this parameter is `[\\w+=,.@:\\/-]*`.', 'type' => 'string', 'required' => false, 'title' => '', 'example' => 'abcd1234'],
],
[
'name' => 'SourceIdentity',
'in' => 'query',
- 'schema' => [
- 'type' => 'string',
- ],
+ 'schema' => ['type' => 'string', 'description' => 'The source identity information.'."\n"
+ ."\n"
+ .'When a user assumes a role, the source identity of the user can be specified as the initial identity of a session. The specified source identity persists throughout the role session and cannot be changed. This ensures operation traceability and security.'."\n"
+ ."\n"
+ .'The value must be 2 to 64 characters in length, and can contain letters, digits, and the following special characters: `=,.@-_`. The regular expression for this parameter is `[\\w+=,.@-]*`. The value cannot start with `acs:`, `aliyun:`, or `alibabacloud:`. These prefixes are internally used within Alibaba Cloud.', 'required' => false, 'title' => '', 'example' => 'Alice'],
],
],
'responses' => [
200 => [
'headers' => [],
'schema' => [
- 'description' => 'The response parameters.'."\n",
+ 'description' => 'The response parameters.',
'type' => 'object',
'properties' => [
- 'RequestId' => [
- 'description' => 'The ID of the request.'."\n",
- 'type' => 'string',
- 'example' => '6894B13B-6D71-4EF5-88FA-F32781734A7F',
- ],
+ 'RequestId' => ['description' => 'The request ID.', 'type' => 'string', 'title' => '', 'example' => '6894B13B-6D71-4EF5-88FA-F32781734A7F'],
'AssumedRoleUser' => [
- 'description' => 'The temporary identity that you use to assume the RAM role.'."\n",
+ 'description' => 'The temporary identity that you use to assume the RAM role.',
'type' => 'object',
'properties' => [
- 'AssumedRoleId' => [
- 'description' => 'The ID of the temporary identity that you use to assume the RAM role.'."\n",
- 'type' => 'string',
- 'example' => '34458433936495****:alice',
- ],
- 'Arn' => [
- 'description' => 'The ARN of the temporary identity that you use to assume the RAM role.'."\n",
- 'type' => 'string',
- 'example' => 'acs:ram::123456789012****:role/adminrole/alice',
- ],
+ 'AssumedRoleId' => ['description' => 'The ID of the temporary identity that you use to assume the RAM role.', 'type' => 'string', 'title' => '', 'example' => '34458433936495****:alice'],
+ 'Arn' => ['description' => 'The ARN of the temporary identity that you use to assume the RAM role.', 'type' => 'string', 'title' => '', 'example' => 'acs:ram::123456789012****:role/adminrole/alice'],
],
+ 'title' => '',
+ 'example' => '',
],
'Credentials' => [
- 'description' => 'The STS credentials.'."\n",
+ 'description' => 'The STS credentials.',
'type' => 'object',
'properties' => [
- 'SecurityToken' => [
- 'description' => 'The STS token.'."\n"
- ."\n"
- .'> Alibaba Cloud STS does not impose limits on the length of STS tokens. We strongly recommend that you do not specify a maximum length for STS tokens.'."\n",
- 'type' => 'string',
- 'example' => '********',
- ],
- 'Expiration' => [
- 'description' => 'The time when the STS token expires. The time is displayed in UTC.'."\n",
- 'type' => 'string',
- 'example' => '2015-04-09T11:52:19Z',
- ],
- 'AccessKeySecret' => [
- 'description' => 'The AccessKey secret.'."\n",
- 'type' => 'string',
- 'example' => 'wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****',
- ],
- 'AccessKeyId' => [
- 'description' => 'The AccessKey ID.'."\n",
- 'type' => 'string',
- 'example' => 'STS.L4aBSCSJVMuKg5U1****',
- ],
+ 'SecurityToken' => ['description' => 'The STS token.'."\n"
+ ."\n"
+ .'> Alibaba Cloud STS does not impose limits on the length of STS tokens. We recommend that you do not specify a maximum length for STS tokens.', 'type' => 'string', 'title' => '', 'example' => '********'],
+ 'Expiration' => ['description' => 'The time when the STS token expires. The time is displayed in UTC.', 'type' => 'string', 'title' => '', 'example' => '2015-04-09T11:52:19Z'],
+ 'AccessKeySecret' => ['description' => 'The AccessKey secret.', 'type' => 'string', 'title' => '', 'example' => 'wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****'],
+ 'AccessKeyId' => ['description' => 'The AccessKey ID.', 'type' => 'string', 'title' => '', 'example' => 'STS.L4aBSCSJVMuKg5U1****'],
],
+ 'title' => '',
+ 'example' => '',
],
- 'SourceIdentity' => [
- 'type' => 'string',
- ],
+ 'SourceIdentity' => ['type' => 'string', 'description' => 'The source identity information.'."\n"
+ ."\n"
+ .'When a user assumes a role, the source identity of the user can be specified as the initial identity of a session. The specified source identity persists throughout the role session and cannot be changed. This ensures operation traceability and security.'."\n"
+ ."\n"
+ .'If the SourceIdentity parameter was not specified in the request, this field is omitted from the response.', 'title' => '', 'example' => 'Alice'],
],
+ 'title' => '',
+ 'example' => '',
],
],
],
'errorCodes' => [
400 => [
- [
- 'errorCode' => 'InvalidParameter.DurationSeconds',
- 'errorMessage' => 'The Min/Max value of DurationSeconds is 15min/1hr.',
- ],
- [
- 'errorCode' => 'InvalidParameter.ExternalId',
- 'errorMessage' => 'The parameter ExternalId is wrongly formed.',
- ],
- [
- 'errorCode' => 'InvalidParameter.RoleArn',
- 'errorMessage' => 'The parameter RoleArn is wrongly formed.',
- ],
- [
- 'errorCode' => 'InvalidParameter.RoleSessionName',
- 'errorMessage' => 'The parameter RoleSessionName is wrongly formed.',
- ],
- [
- 'errorCode' => 'InvalidParameter.SerialNumber',
- 'errorMessage' => 'The parameter SerialNumber is wrongly formed.',
- ],
- [
- 'errorCode' => 'InvalidParameter.TokenCode',
- 'errorMessage' => 'The parameter TokenCode is wrongly formed.',
- ],
- [
- 'errorCode' => 'InvalidParameter.PolicyGrammar',
- 'errorMessage' => 'The parameter Policy has not passed grammar check.',
- ],
- [
- 'errorCode' => 'InvalidParameter.PolicySize',
- 'errorMessage' => 'The size of Policy must be smaller than 2048 bytes.',
- ],
- [
- 'errorCode' => 'InvalidParameter.ContentType',
- 'errorMessage' => 'The ContentType request header must be either "application/json" or "application/x-www-form-urlencoded".',
- ],
+ ['errorCode' => 'InvalidParameter.DurationSeconds', 'errorMessage' => 'The Min/Max value of DurationSeconds is 15min/1hr.', 'description' => 'DurationSeconds parameter is illegal, DurationSeconds minimum value is 15 minutes, maximum value is 1 hour'],
+ ['errorCode' => 'InvalidParameter.ExternalId', 'errorMessage' => 'The parameter ExternalId is wrongly formed.', 'description' => 'Parameters'],
+ ['errorCode' => 'InvalidParameter.RoleArn', 'errorMessage' => 'The parameter RoleArn is wrongly formed.', 'description' => 'Parameters'],
+ ['errorCode' => 'InvalidParameter.RoleSessionName', 'errorMessage' => 'The parameter RoleSessionName is wrongly formed.', 'description' => ''],
+ ['errorCode' => 'InvalidParameter.SerialNumber', 'errorMessage' => 'The parameter SerialNumber is wrongly formed.', 'description' => ''],
+ ['errorCode' => 'InvalidParameter.TokenCode', 'errorMessage' => 'The parameter TokenCode is wrongly formed.', 'description' => ''],
+ ['errorCode' => 'InvalidParameter.PolicyGrammar', 'errorMessage' => 'The parameter Policy has not passed grammar check.', 'description' => 'Parameter Policy syntax format check failed'],
+ ['errorCode' => 'InvalidParameter.PolicySize', 'errorMessage' => 'The size of Policy must be smaller than 2048 bytes.', 'description' => 'The policy parameter is invalid. The policy length must be less than 2048 bytes.'],
+ ['errorCode' => 'InvalidParameter.ContentType', 'errorMessage' => 'The ContentType request header must be either "application/json" or "application/x-www-form-urlencoded".', 'description' => ''],
],
403 => [
- [
- 'errorCode' => 'NoPermission',
- 'errorMessage' => 'You are not authorized to do this action. You should be authorized by RAM.',
- ],
- [
- 'errorCode' => 'AuthenticationFail.ApiUsername',
- 'errorMessage' => 'The specified api username is not legal.',
- ],
- [
- 'errorCode' => 'AuthenticationFail.ApiPassword',
- 'errorMessage' => 'The specified api password is not legal.',
- ],
+ ['errorCode' => 'NoPermission', 'errorMessage' => 'You are not authorized to do this action. You should be authorized by RAM.', 'description' => ''],
+ ['errorCode' => 'AuthenticationFail.ApiUsername', 'errorMessage' => 'The specified api username is not legal.', 'description' => ''],
+ ['errorCode' => 'AuthenticationFail.ApiPassword', 'errorMessage' => 'The specified api password is not legal.', 'description' => ''],
],
[
- [
- 'errorCode' => 'EntityNotExist.Role',
- 'errorMessage' => 'The specified Role not exists .',
- ],
+ ['errorCode' => 'EntityNotExist.Role', 'errorMessage' => 'The specified Role not exists .', 'description' => ''],
],
500 => [
- [
- 'errorCode' => 'InternalError',
- 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.',
- ],
+ ['errorCode' => 'InternalError', 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.', 'description' => ''],
],
],
- 'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"6894B13B-6D71-4EF5-88FA-F32781734A7F\\",\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"34458433936495****:alice\\",\\n \\"Arn\\": \\"acs:ram::123456789012****:role/adminrole/alice\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"********\\",\\n \\"Expiration\\": \\"2015-04-09T11:52:19Z\\",\\n \\"AccessKeySecret\\": \\"wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****\\",\\n \\"AccessKeyId\\": \\"STS.L4aBSCSJVMuKg5U1****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<AssumeRoleResponse>\\n <Credentials>\\n <AccessKeyId>STS.L4aBSCSJVMuKg5U1****</AccessKeyId>\\n <AccessKeySecret>wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****</AccessKeySecret>\\n <Expiration>2015-04-09T11:52:19Z</Expiration>\\n <SecurityToken>********</SecurityToken>\\n </Credentials>\\n <AssumedRoleUser>\\n <Arn>acs:ram::123456789012****:role/adminrole/alice</Arn>\\n <AssumedRoleId>34458433936495****:alice</AssumedRoleId>\\n </AssumedRoleUser>\\n <RequestId>6894B13B-6D71-4EF5-88FA-F32781734A7F</RequestId>\\n</AssumeRoleResponse>","errorExample":""}]',
'title' => 'AssumeRole',
'description' => '### Prerequisites'."\n"
."\n"
@@ -278,668 +170,535 @@
."\n"
.'You can refer to the following information to troubleshoot the error:'."\n"
."\n"
- .'* Cause of the error: The policy that is required to assume a RAM role is not attached to the requester. To resolve this issue, attach the AliyunSTSAssumeRoleAccess policy or a custom policy to the requester. For more information, see [Can I specify the RAM role that a RAM user can assume?](~~39744~~) and [Grant permissions to a RAM user](~~116146~~).'."\n"
- .'* Cause of the error: The requester is not authorized to assume the RAM role. To resolve this issue, add the requester to the Principal element in the trust policy of the RAM role For more information, see [Edit the trust policy of a RAM role](~~116819~~).'."\n"
+ .'- Cause of the error: The policy that is required to assume a RAM role is not attached to the requester. To resolve this issue, attach the AliyunSTSAssumeRoleAccess policy or a custom policy to the requester. For more information, see [Can I specify the RAM role that a RAM user can assume?](~~39744~~) and [Grant permissions to a RAM user](~~116146~~).'."\n"
+ .'- Cause of the error: The requester is not authorized to assume the RAM role. To resolve this issue, add the requester to the Principal element in the trust policy of the RAM role For more information, see [Edit the trust policy of a RAM role](~~116819~~).'."\n"
."\n"
.'### Best practices'."\n"
."\n"
.'An STS token is valid for a period of time after it is issued, and the number of STS tokens that can be issued within an interval is also limited. Therefore, we recommend that you configure a proper validity period for an STS token and repeatedly use the token within this period. This prevents frequent issuing of STS tokens from adversely affecting your services if a large number of requests are sent. For more information about the limit, see [Is the number of STS API requests limited?](~~39744~~) You can configure the `DurationSeconds` parameter to specify a validity period for an STS token.'."\n"
."\n"
- .'When you upload or download Object Storage Service (OSS) objects on mobile devices, a large number of STS API requests are sent. In this case, repeated use of an STS token may not meet your business requirements. To avoid the limit on STS API requests from affecting access to OSS, you can **add a signature to the URL of an OSS object**. For more information, see [Add signatures to URLs](~~31952~~) and [Obtain signature information from the server and upload data to OSS](~~31926~~).'."\n",
- 'requestParamsDescription' => 'For more information about common request parameters, see [Common parameters](~~315526~~).'."\n",
- ],
- 'AssumeRoleWithSAML' => [
- 'summary' => 'Obtains a Security Token Service (STS) token to assume a Resource Access Management (RAM) role during role-based single sign-on (SSO) by using Security Assertion Markup Language (SAML).',
- 'methods' => [
- 'post',
- 'get',
+ .'When you upload or download Object Storage Service (OSS) objects on mobile devices, a large number of STS API requests are sent. In this case, repeated use of an STS token may not meet your business requirements. To avoid the limit on STS API requests from affecting access to OSS, you can **add a signature to the URL of an OSS object**. For more information, see [Add signatures to URLs](~~31952~~) and [Obtain signature information from the server and upload data to OSS](~~31926~~).',
+ 'changeSet' => [],
+ 'flowControl' => [
+ 'flowControlList' => [
+ ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'AssumeRole'],
+ ],
],
- 'schemes' => [
- 'https',
+ 'ramActions' => [
+ [
+ 'operationType' => 'get',
+ 'ramAction' => [
+ 'action' => 'sts:AssumeRole',
+ 'authLevel' => 'resource',
+ 'actionConditions' => [
+ ['conditionKey' => 'sts:SourceIdentity', 'validationType' => 'conditional'],
+ ],
+ 'resources' => [
+ ['validationType' => 'always', 'product' => 'Sts', 'resourceType' => 'Role', 'arn' => 'acs:ram::{#accountId}:role/{#RoleName}'],
+ ],
+ ],
+ 'additionalActions' => [
+ ['action' => 'sts:SetSourceIdentity', 'validationType' => 'conditional'],
+ ],
+ ],
],
+ 'responseDemo' => '[{"errorExample":"","example":"{\\n \\"RequestId\\": \\"6894B13B-6D71-4EF5-88FA-F32781734A7F\\",\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"34458433936495****:alice\\",\\n \\"Arn\\": \\"acs:ram::123456789012****:role/adminrole/alice\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"********\\",\\n \\"Expiration\\": \\"2015-04-09T11:52:19Z\\",\\n \\"AccessKeySecret\\": \\"wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****\\",\\n \\"AccessKeyId\\": \\"STS.L4aBSCSJVMuKg5U1****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","type":"json"}]',
+ 'requestParamsDescription' => 'For more information about common request parameters, see [Common parameters](~~315526~~).',
+ ],
+ 'AssumeRoleWithOIDC' => [
+ 'methods' => ['get', 'post'],
+ 'schemes' => ['https'],
'security' => [
[
- 'Anonymous' => [],
+ 'ARS_OIDC' => [],
],
],
'operationType' => 'readAndWrite',
- 'systemTags' => [
- 'operationType' => 'get',
- 'riskType' => 'high',
- 'chargeType' => 'free',
- ],
+ 'deprecated' => false,
+ 'systemTags' => ['operationType' => 'get', 'riskType' => 'high', 'chargeType' => 'free'],
'parameters' => [
[
- 'name' => 'SAMLProviderArn',
+ 'name' => 'OIDCProviderArn',
'in' => 'query',
- 'schema' => [
- 'description' => 'The Alibaba Cloud Resource Name (ARN) of the SAML IdP that is created in the RAM console.'."\n"
- ."\n"
- .'Format: `acs:ram::<account_id>:saml-provider/<saml_provider_id>`.'."\n"
- ."\n"
- .'You can view the ARN in the RAM console or by calling operations.'."\n"
- ."\n"
- .'* For more information about how to view the ARN in the RAM console, see [How do I view the ARN of a RAM role?](~~116795~~)'."\n"
- .'* For more information about how to view the ARN by calling operations, see [GetSAMLProvider](~~186833~~) or [ListSAMLProviders](~~186851~~).'."\n",
- 'type' => 'string',
- 'required' => false,
- 'docRequired' => true,
- 'example' => 'acs:ram::123456789012****:saml-provider/company1',
- ],
+ 'schema' => ['title' => '', 'description' => 'The Alibaba Cloud Resource Name (ARN) of the OIDC identity provider.'."\n"
+ ."\n"
+ .'You can view the ARN of the OIDC identity provider in the RAM console or by calling an API operation:'."\n"
+ ."\n"
+ .'- RAM console: For more information, see [View the information about an OIDC identity provider](~~327123~~).'."\n"
+ .'- API: For more information, see [GetOIDCProvider](~~327126~~) or [ListOIDCProviders](~~327127~~).', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'acs:ram::113511544585****:oidc-provider/TestOidcIdp'],
],
[
'name' => 'RoleArn',
'in' => 'query',
- 'schema' => [
- 'description' => 'The ARN of the RAM role.'."\n"
- ."\n"
- .'The trust entity of the RAM role is a SAML IdP. For more information, see [Create a RAM role for a trusted IdP](~~116805~~) or [CreateRole](~~28710~~).'."\n"
- ."\n"
- .'Format: `acs:ram::<account_id>:role/<role_name>`.'."\n"
- ."\n"
- .'You can view the ARN in the RAM console or by calling operations.'."\n"
- ."\n"
- .'* For more information about how to view the ARN in the RAM console, see [How do I view the ARN of the RAM role?](~~39744~~).'."\n"
- .'* For more information about how to view the ARN by calling operations, see [ListRoles](~~28713~~) or [GetRole](~~28711~~).'."\n",
- 'type' => 'string',
- 'required' => false,
- 'docRequired' => true,
- 'example' => 'acs:ram::123456789012****:role/adminrole',
- ],
+ 'schema' => ['title' => '', 'description' => 'The ARN of the RAM role that you want to assume.'."\n"
+ ."\n"
+ .'You can view the ARN of the role in the RAM console or by calling an API operation:'."\n"
+ ."\n"
+ .'- RAM console: For more information, see [View the ARN of a RAM role](~~39744~~).'."\n"
+ .'- API: For more information, see [ListRoles](~~28713~~) or [GetRole](~~28711~~).', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'acs:ram::113511544585****:role/testoidc'],
],
[
- 'name' => 'SAMLAssertion',
+ 'name' => 'OIDCToken',
'in' => 'query',
- 'schema' => [
- 'description' => 'The Base64-encoded SAML assertion.'."\n"
- ."\n"
- .'The value must be 4 to 100,000 characters in length.'."\n"
- ."\n"
- .'> A complete SAML response rather than a single SAMLAssertion field must be retrieved from the external IdP.'."\n",
- 'type' => 'string',
- 'required' => false,
- 'docRequired' => true,
- 'example' => 'base64_encoded_saml_assertion',
- ],
+ 'schema' => ['title' => '', 'description' => 'The OIDC token that is issued by an external IdP.'."\n"
+ ."\n"
+ .'The token must be 4 to 20,000 characters long.'."\n"
+ ."\n"
+ .'> Enter the original OIDC token. Do not Base64-decode the token.', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'eyJraWQiOiJKQzl3eHpyaHFKMGd0****'],
],
[
'name' => 'Policy',
'in' => 'query',
- 'schema' => [
- 'description' => 'The policy that specifies the permissions of the returned STS token. You can use this parameter to grant the STS token fewer permissions than the permissions granted to the RAM role.'."\n"
- ."\n"
- .'* If you specify this parameter, the permissions of the returned STS token are the permissions that are included in the value of this parameter and owned by the RAM role.'."\n"
- .'* If you do not specify this parameter, the returned STS token has all the permissions of the RAM role.'."\n"
- ."\n"
- .'The value must be 1 to 2,048 characters in length.'."\n",
- 'type' => 'string',
- 'required' => false,
- 'example' => 'url_encoded_policy',
- ],
+ 'schema' => ['title' => '', 'description' => 'An access policy to further restrict the permissions of the STS token.'."\n"
+ ."\n"
+ .'- If you specify this policy, the permissions of the STS token are the intersection of the permissions that are granted to the RAM role and the permissions that are specified in this policy.'."\n"
+ .'- If you do not specify this policy, the STS token has the same permissions as the RAM role.'."\n"
+ ."\n"
+ .'The policy must be 1 to 2,048 characters long.', 'type' => 'string', 'required' => false, 'example' => '{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}'],
],
[
'name' => 'DurationSeconds',
'in' => 'query',
- 'schema' => [
- 'description' => 'The validity period of the STS token. Unit: seconds.'."\n"
- ."\n"
- .'Minimum value: 900. Maximum value: the value of the `MaxSessionDuration` parameter. Default value: 3600.'."\n"
- ."\n"
- .'You can call the CreateRole or UpdateRole operation to configure the `MaxSessionDuration` parameter. For more information, see [CreateRole](~~28710~~) or [UpdateRole](~~28712~~).'."\n",
- 'type' => 'integer',
- 'format' => 'int64',
- 'required' => false,
- 'example' => '3600',
- ],
+ 'schema' => ['title' => '', 'description' => 'The validity period of the token, in seconds.'."\n"
+ ."\n"
+ .'Valid values: 900 to the value of the `MaxSessionDuration` parameter. The default value is 3600.'."\n"
+ ."\n"
+ .'For more information about how to set the `MaxSessionDuration` parameter, see [CreateRole](~~28710~~) or [UpdateRole](~~28712~~).', 'type' => 'integer', 'format' => 'int64', 'required' => false, 'example' => '3600'],
+ ],
+ [
+ 'name' => 'RoleSessionName',
+ 'in' => 'query',
+ 'schema' => ['title' => '', 'description' => 'The name of the role session.'."\n"
+ ."\n"
+ .'A custom parameter used to distinguish role sessions. The value is typically the identity of the user who calls the operation, such as a username. In ActionTrail, you can use the value of this parameter to identify the user who assumes the RAM role. This provides user-level access auditing.'."\n"
+ ."\n"
+ .'The name can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (\\_).'."\n"
+ ."\n"
+ .'The name must be 2 to 64 characters long.', 'type' => 'string', 'required' => true, 'docRequired' => true, 'example' => 'TestOidcAssumedRoleSession'],
],
],
'responses' => [
200 => [
'schema' => [
- 'description' => 'The response parameters.'."\n",
+ 'description' => 'The returned parameters.',
'type' => 'object',
'properties' => [
- 'RequestId' => [
- 'description' => 'The ID of the request.'."\n",
- 'type' => 'string',
- 'example' => '6894B13B-6D71-4EF5-88FA-F32781734A7F',
- ],
- 'SAMLAssertionInfo' => [
- 'description' => 'The information in the SAML assertion.'."\n",
+ 'RequestId' => ['description' => 'The request ID.', 'type' => 'string', 'title' => '', 'example' => '3D57EAD2-8723-1F26-B69C-F8707D8B565D'],
+ 'OIDCTokenInfo' => [
+ 'description' => 'Information about the OIDC token.',
'type' => 'object',
'properties' => [
- 'SubjectType' => [
- 'description' => 'The Format attribute of the `NameID` element in the SAML assertion. If the Format attribute is prefixed with `urn:oasis:names:tc:SAML:2.0:nameid-format:`, the prefix is not included in the value of this parameter. For example, if the value of the Format attribute is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent/transient, the value of this parameter is `persistent/transient`.'."\n",
- 'type' => 'string',
- 'example' => 'persistent',
- ],
- 'Subject' => [
- 'description' => 'The value in the NameID sub-element of the `Subject` element in the SAML assertion.'."\n",
- 'type' => 'string',
- 'example' => 'alice@example.com',
- ],
- 'Issuer' => [
- 'description' => 'The value in the `Issuer` element in the SAML assertion.'."\n",
- 'type' => 'string',
- 'example' => 'http://example.com/adfs/services/trust',
- ],
- 'Recipient' => [
- 'description' => 'The `Recipient` attribute of the SubjectConfirmationData sub-element. SubjectConfirmationData is a sub-element of the `Subject` element in the SAML assertion.'."\n",
- 'type' => 'string',
- 'example' => 'https://signin.aliyun.com/saml-role/SSO',
- ],
+ 'Subject' => ['description' => 'The subject of the OIDC token.'."\n"
+ ."\n"
+ .'This corresponds to the value of the `sub` field in the OIDC token.', 'type' => 'string', 'title' => '', 'example' => 'KryrkIdjylZb7agUgCEf****'],
+ 'Issuer' => ['description' => 'The issuer of the OIDC token.'."\n"
+ ."\n"
+ .'This corresponds to the value of the `iss` field in the OIDC token.', 'type' => 'string', 'title' => '', 'example' => 'https://dev-xxxxxx.okta.com'],
+ 'ClientIds' => ['description' => 'The audience of the OIDC token. Multiple audiences are separated by commas (,).'."\n"
+ ."\n"
+ .'This corresponds to the value of the `aud` field in the OIDC token.', 'type' => 'string', 'title' => '', 'example' => '496271242565057****'],
+ 'ExpirationTime' => ['description' => 'The expiration time of the OIDC token.', 'type' => 'string', 'title' => '', 'example' => '2021-10-20T04:27:09Z'],
+ 'IssuanceTime' => ['description' => 'The time when the OIDC token was issued.', 'type' => 'string', 'title' => '', 'example' => '2021-10-20T03:27:09Z'],
+ 'VerificationInfo' => ['description' => 'The verification information for the OIDC token. For more information, see [Manage OIDC identity providers](~~327123~~).', 'type' => 'string', 'title' => '', 'example' => 'Success'],
],
+ 'title' => '',
+ 'example' => '',
],
'AssumedRoleUser' => [
- 'description' => 'The temporary identity that you use to assume the RAM role.'."\n",
+ 'description' => 'The assumed temporary identity.',
'type' => 'object',
'properties' => [
- 'AssumedRoleId' => [
- 'description' => 'The ID of the temporary identity that you use to assume the RAM role.'."\n",
- 'type' => 'string',
- 'example' => '34458433936495****:alice',
- ],
- 'Arn' => [
- 'description' => 'The ARN of the temporary identity that you use to assume the RAM role.'."\n",
- 'type' => 'string',
- 'example' => 'acs:sts::123456789012****:assumed-role/AdminRole/alice',
- ],
+ 'AssumedRoleId' => ['description' => 'The ID of the temporary identity.', 'type' => 'string', 'title' => '', 'example' => '33157794895460****'],
+ 'Arn' => ['description' => 'The ARN of the temporary identity.', 'type' => 'string', 'title' => '', 'example' => 'acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession'],
],
+ 'title' => '',
+ 'example' => '',
],
'Credentials' => [
- 'description' => 'The STS credentials.'."\n",
+ 'description' => 'The temporary access credential (STS token).',
'type' => 'object',
'properties' => [
- 'SecurityToken' => [
- 'description' => 'The STS token.'."\n"
- ."\n"
- .'> Alibaba Cloud STS does not impose limits on the length of STS tokens. We strongly recommend that you do not specify a maximum length for STS tokens.'."\n",
- 'type' => 'string',
- 'example' => '********',
- ],
- 'Expiration' => [
- 'description' => 'The time when the STS token expires. The time is displayed in UTC.'."\n",
- 'type' => 'string',
- 'example' => '2015-04-09T11:52:19Z',
- ],
- 'AccessKeySecret' => [
- 'description' => 'The AccessKey secret.'."\n",
- 'type' => 'string',
- 'example' => 'wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****',
- ],
- 'AccessKeyId' => [
- 'description' => 'The AccessKey ID.'."\n",
- 'type' => 'string',
- 'example' => 'STS.L4aBSCSJVMuKg5U1****',
- ],
+ 'SecurityToken' => ['description' => 'The security token.'."\n"
+ ."\n"
+ .'> The length of the security token is not fixed. Do not set a maximum length for the security token.', 'type' => 'string', 'title' => '', 'example' => 'CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****'],
+ 'Expiration' => ['description' => 'The time when the token expires, in Coordinated Universal Time (UTC).', 'type' => 'string', 'title' => '', 'example' => '2021-10-20T04:27:09Z'],
+ 'AccessKeySecret' => ['description' => 'The AccessKey secret.', 'type' => 'string', 'title' => '', 'example' => 'CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****'],
+ 'AccessKeyId' => ['description' => 'The AccessKey ID.', 'type' => 'string', 'title' => '', 'example' => 'STS.NUgYrLnoC37mZZCNnAbez****'],
],
+ 'title' => '',
+ 'example' => '',
],
- 'SourceIdentity' => [
- 'type' => 'string',
- ],
+ 'SourceIdentity' => ['type' => 'string', 'description' => 'The source identity.'."\n"
+ ."\n"
+ .'The value of this identity persists throughout chained role-assuming sessions and cannot be changed. This ensures operational traceability and security.'."\n"
+ ."\n"
+ .'This parameter is returned only if a source identity is configured.', 'title' => '', 'example' => 'Alice'],
],
+ 'title' => '',
+ 'example' => '',
],
],
],
- 'errorCodes' => [
- 500 => [
- [
- 'errorCode' => 'InternalError',
- 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.',
- ],
+ 'title' => 'AssumeRoleWithOIDC',
+ 'summary' => 'For role-based single sign-on (SSO) that uses OpenID Connect (OIDC), call the AssumeRoleWithOIDC operation to obtain a temporary identity credential (a Security Token Service token) to assume a RAM role.',
+ 'description' => '### Prerequisites'."\n"
+ ."\n"
+ .'- Obtain an OpenID Connect (OIDC) token from an external identity provider (IdP).'."\n"
+ .'- Create an OIDC identity provider in RAM. For more information, see [Create an OIDC identity provider](~~327123~~) or [CreateOIDCProvider](~~327135~~).'."\n"
+ .'- Create a RAM role that uses an OIDC identity provider as the trusted entity. For more information, see [Create a RAM role for a trusted identity provider](~~116805~~) or [CreateRole](~~28710~~).',
+ 'requestParamsDescription' => '> The AssumeRoleWithOIDC operation uses an OIDC token for identity authentication and allows anonymous access. Therefore, you do not need to specify the `Signature`, `SignatureMethod`, `SignatureVersion`, or `AccessKeyId` common request parameters. For more information, see [Common parameters](~~315526~~).',
+ 'changeSet' => [],
+ 'flowControl' => [
+ 'flowControlList' => [
+ ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'AssumeRoleWithOIDC'],
],
],
- 'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"6894B13B-6D71-4EF5-88FA-F32781734A7F\\",\\n \\"SAMLAssertionInfo\\": {\\n \\"SubjectType\\": \\"persistent\\",\\n \\"Subject\\": \\"alice@example.com\\",\\n \\"Issuer\\": \\"http://example.com/adfs/services/trust\\",\\n \\"Recipient\\": \\"https://signin.aliyun.com/saml-role/SSO\\"\\n },\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"34458433936495****:alice\\",\\n \\"Arn\\": \\"acs:sts::123456789012****:assumed-role/AdminRole/alice\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"********\\",\\n \\"Expiration\\": \\"2015-04-09T11:52:19Z\\",\\n \\"AccessKeySecret\\": \\"wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****\\",\\n \\"AccessKeyId\\": \\"STS.L4aBSCSJVMuKg5U1****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<AssumeRoleWithSAMLResponse>\\n <Credentials>\\n <AccessKeyId>STS.L4aBSCSJVMuKg5U1****</AccessKeyId>\\n <AccessKeySecret>wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****</AccessKeySecret>\\n <Expiration>2015-04-09T11:52:19Z</Expiration>\\n <SecurityToken>********</SecurityToken>\\n </Credentials>\\n <AssumedRoleUser>\\n <arn>acs:sts::1234567890123456:assumed-role/AdminRole/alice</arn>\\n <AssumedRoleId>34458433936495****:alice</AssumedRoleId>\\n </AssumedRoleUser>\\n <SAMLAssertionInfo>\\n <SubjectType>persistent</SubjectType>\\n <Subject>alice@example.com</Subject>\\n <Recipient>https://signin.aliyun.com/saml-role/SSO</Recipient>\\n <Issuer>http://example.com/adfs/services/trust</Issuer>\\n </SAMLAssertionInfo>\\n <RequestId>6894B13B-6D71-4EF5-88FA-F32781734A7F</RequestId>\\n</AssumeRoleWithSAMLResponse>","errorExample":""}]',
- 'title' => 'AssumeRoleWithSAML',
- 'description' => '###'."\n"
- ."\n"
- .'* A SAML response is obtained from an external identity provider (IdP).'."\n"
- .'* A SAML IdP is created in the RAM console. For more information, see [Create a SAML IdP](~~116083~~) or [CreateSAMLProvider](~~186846~~).'."\n"
- .'* A RAM role whose trusted entity is a SAML IdP is created in the RAM console. For more information, see [Create a RAM role for a trusted IdP](~~116805~~) or [CreateRole](~~28710~~).'."\n",
- 'requestParamsDescription' => '> Anonymous users can call the AssumeRoleWithSAML operation because authentication for this operation is performed based on SAML assertions. Therefore, you do not need to specify the following common request parameters: `Signature`, `SignatureMethod`, `SignatureVersion`, and `AccessKeyId`. For more information about common request parameters, see [Common request parameters](~~315526~~).'."\n",
+ 'ramActions' => [],
+ 'responseDemo' => '[{"errorExample":"","example":"{\\n \\"RequestId\\": \\"3D57EAD2-8723-1F26-B69C-F8707D8B565D\\",\\n \\"OIDCTokenInfo\\": {\\n \\"Subject\\": \\"KryrkIdjylZb7agUgCEf****\\",\\n \\"Issuer\\": \\"https://dev-xxxxxx.okta.com\\",\\n \\"ClientIds\\": \\"496271242565057****\\",\\n \\"ExpirationTime\\": \\"2021-10-20T04:27:09Z\\",\\n \\"IssuanceTime\\": \\"2021-10-20T03:27:09Z\\",\\n \\"VerificationInfo\\": \\"Success\\"\\n },\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"33157794895460****\\",\\n \\"Arn\\": \\"acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****\\",\\n \\"Expiration\\": \\"2021-10-20T04:27:09Z\\",\\n \\"AccessKeySecret\\": \\"CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****\\",\\n \\"AccessKeyId\\": \\"STS.NUgYrLnoC37mZZCNnAbez****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","type":"json"}]',
],
- 'AssumeRoleWithOIDC' => [
- 'summary' => 'Queries a Security Token Service (STS) token to assume a Resource Access Management (RAM) role during role-based single sign-on (SSO) by using OpenID Connect (OIDC).',
- 'methods' => [
- 'get',
- 'post',
- ],
- 'schemes' => [
- 'https',
- ],
+ 'AssumeRoleWithSAML' => [
+ 'summary' => 'For role-based single sign-on (SSO) that uses Security Assertion Markup Language (SAML), call the AssumeRoleWithSAML operation to obtain a temporary identity credential (a Security Token Service (STS) token) for a RAM role.',
+ 'methods' => ['post', 'get'],
+ 'schemes' => ['https'],
'security' => [
[
- 'ARS_OIDC' => [],
+ 'Anonymous' => [],
],
],
'operationType' => 'readAndWrite',
- 'deprecated' => false,
- 'systemTags' => [
- 'operationType' => 'get',
- 'riskType' => 'high',
- 'chargeType' => 'free',
- ],
+ 'systemTags' => ['operationType' => 'get', 'riskType' => 'high', 'chargeType' => 'free'],
'parameters' => [
[
- 'name' => 'OIDCProviderArn',
+ 'name' => 'SAMLProviderArn',
'in' => 'query',
- 'schema' => [
- 'title' => 'OIDC Provider的ARN',
- 'description' => 'The Alibaba Cloud Resource Name (ARN) of the OIDC IdP.'."\n"
- ."\n"
- .'You can view the ARN in the RAM console or by calling operations.'."\n"
- ."\n"
- .'* For more information about how to view the ARN in the RAM console, see [View the information about an OIDC IdP](~~327123~~).'."\n"
- .'* For more information about how to view the ARN by calling operations, see [GetOIDCProvider](~~327126~~) or [ListOIDCProviders](~~327127~~).'."\n",
- 'type' => 'string',
- 'required' => false,
- 'docRequired' => true,
- 'example' => 'acs:ram::113511544585****:oidc-provider/TestOidcIdp',
- ],
+ 'schema' => ['description' => 'The Alibaba Cloud Resource Name (ARN) of the SAML IdP that is created in RAM.'."\n"
+ ."\n"
+ .'Format: `acs:ram::<account_id>:saml-provider/<saml_provider_name>`.'."\n"
+ ."\n"
+ .'You can view the ARN of the IdP in the RAM console or by calling an API operation:'."\n"
+ ."\n"
+ .'- RAM console: For more information, see [View the basic information of a SAML identity provider](~~116795~~).'."\n"
+ ."\n"
+ .'- API: For more information, see [GetSAMLProvider](~~186833~~) or [ListSAMLProviders](~~186851~~).', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'acs:ram::123456789012****:saml-provider/company1', 'title' => ''],
],
[
'name' => 'RoleArn',
'in' => 'query',
- 'schema' => [
- 'title' => '需要扮演的角色的ARN',
- 'description' => 'The ARN of the RAM role.'."\n"
- ."\n"
- .'You can view the ARN in the RAM console or by calling operations.'."\n"
- ."\n"
- .'* For more information about how to view the ARN in the RAM console, see [How do I view the ARN of the RAM role?](~~39744~~)'."\n"
- .'* For more information about how to view the ARN by calling operations, see [ListRoles](~~28713~~) or [GetRole](~~28711~~).'."\n",
- 'type' => 'string',
- 'required' => false,
- 'docRequired' => true,
- 'example' => 'acs:ram::113511544585****:role/testoidc',
- ],
+ 'schema' => ['description' => 'The ARN of the RAM role to assume.'."\n"
+ ."\n"
+ .'The trusted entity of the RAM role is a SAML IdP. For more information, see [Create a RAM role for an identity provider](~~116805~~) or [CreateRole](~~28710~~).'."\n"
+ ."\n"
+ .'Format: `acs:ram::<account_id>:role/<role_name>`.'."\n"
+ ."\n"
+ .'You can view the ARN of the role in the RAM console or by calling an API operation:'."\n"
+ ."\n"
+ .'- RAM console: For more information, see [How do I view the ARN of a RAM role?](~~39744~~).'."\n"
+ ."\n"
+ .'- API: For more information, see [ListRoles](~~28713~~) or [GetRole](~~28711~~).', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'acs:ram::123456789012****:role/adminrole', 'title' => ''],
],
[
- 'name' => 'OIDCToken',
+ 'name' => 'SAMLAssertion',
'in' => 'query',
- 'schema' => [
- 'title' => 'OIDC的ID Token,需输入原始Token,无需Base64解码',
- 'description' => 'The OIDC token that is issued by the external IdP.'."\n"
- ."\n"
- .'The OIDC token must be 4 to 20,000 characters in length.'."\n"
- ."\n"
- .'> You must enter the original OIDC token. You do not need to enter the Base64-encoded OIDC token.'."\n",
- 'type' => 'string',
- 'required' => false,
- 'docRequired' => true,
- 'example' => 'eyJraWQiOiJKQzl3eHpyaHFKMGd0****',
- ],
+ 'schema' => ['description' => 'The Base64-encoded SAML assertion.'."\n"
+ ."\n"
+ .'The value must be 4 to 100,000 characters in length.'."\n"
+ ."\n"
+ .'> Obtain the complete SAML response from the IdP. Do not use only the SAML assertion field.', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'base64_encoded_saml_assertion', 'title' => ''],
],
[
'name' => 'Policy',
'in' => 'query',
- 'schema' => [
- 'title' => '权限策略。 生成STS Token时可以指定一个额外的权限策略,以进一步限制STS Token的权限。若不指定则返回的Token拥有指定角色的所有权限。',
- 'description' => 'The policy that specifies the permissions of the returned STS token. You can use this parameter to grant the STS token fewer permissions than the permissions granted to the RAM role.'."\n"
- ."\n"
- .'* If you specify this parameter, the permissions of the returned STS token are the permissions that are included in the value of this parameter and owned by the RAM role.'."\n"
- .'* If you do not specify this parameter, the returned STS token has all the permissions of the RAM role.'."\n"
- ."\n"
- .'The value must be 1 to 2,048 characters in length.'."\n",
- 'type' => 'string',
- 'required' => false,
- 'example' => '{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}',
- ],
+ 'schema' => ['description' => 'An access policy to further limit the permissions of the STS token. This parameter works as follows:'."\n"
+ ."\n"
+ .'- If you specify this policy, the permissions of the STS token are the intersection of the permissions that are granted to the RAM role and the permissions that are specified in this policy.'."\n"
+ ."\n"
+ .'- If you do not specify this policy, the STS token has all the permissions that are granted to the RAM role.'."\n"
+ ."\n"
+ .'The value must be 1 to 2,048 characters in length.', 'type' => 'string', 'required' => false, 'example' => 'url_encoded_policy', 'title' => ''],
],
[
'name' => 'DurationSeconds',
'in' => 'query',
- 'schema' => [
- 'title' => 'Session过期时间,单位为秒。',
- 'description' => 'The validity period of the STS token. Unit: seconds.'."\n"
- ."\n"
- .'Default value: 3600. Minimum value: 900. Maximum value: the value of the `MaxSessionDuration` parameter.'."\n"
- ."\n"
- .'For more information about how to specify `MaxSessionDuration`, see [CreateRole](~~28710~~) or [UpdateRole](~~28712~~).'."\n",
- 'type' => 'integer',
- 'format' => 'int64',
- 'required' => false,
- 'example' => '3600',
- ],
- ],
- [
- 'name' => 'RoleSessionName',
- 'in' => 'query',
- 'schema' => [
- 'title' => '用户自定义参数。此参数用来区分不同的令牌,可用于用户级别的访问审计。',
- 'description' => 'The custom name of the role session.'."\n"
- ."\n"
- .'Set this parameter based on your business requirements. In most cases, this parameter is set to the identity of the user who calls the operation, for example, the username. In ActionTrail logs, you can distinguish the users who assume the same RAM role to perform operations based on the value of the RoleSessionName parameter. This way, you can perform user-specific auditing.'."\n"
- ."\n"
- .'The value can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (\\_).'."\n"
- ."\n"
- .'The value must be 2 to 64 characters in length.'."\n",
- 'type' => 'string',
- 'required' => true,
- 'docRequired' => true,
- 'example' => 'TestOidcAssumedRoleSession',
- ],
+ 'schema' => ['description' => 'The expiration duration of the token. Unit: seconds.'."\n"
+ ."\n"
+ .'The minimum value is 900 seconds. The maximum value is the value of the `MaxSessionDuration` parameter. The default value is 3600 seconds.'."\n"
+ ."\n"
+ .'You can set the `MaxSessionDuration` parameter when you call the CreateRole or UpdateRole operation. For more information, see [CreateRole](~~28710~~) or [UpdateRole](~~28712~~).', 'type' => 'integer', 'format' => 'int64', 'required' => false, 'example' => '3600', 'title' => ''],
],
],
'responses' => [
200 => [
'schema' => [
- 'description' => 'The response parameters.'."\n",
+ 'description' => 'The response parameters.',
'type' => 'object',
'properties' => [
- 'RequestId' => [
- 'description' => 'The ID of the request.'."\n",
- 'type' => 'string',
- 'example' => '3D57EAD2-8723-1F26-B69C-F8707D8B565D',
- ],
- 'OIDCTokenInfo' => [
- 'description' => 'The information about the OIDC token.'."\n",
+ 'RequestId' => ['description' => 'The request ID.', 'type' => 'string', 'example' => '6894B13B-6D71-4EF5-88FA-F32781734A7F', 'title' => ''],
+ 'SAMLAssertionInfo' => [
+ 'description' => 'The information about the SAML assertion.',
'type' => 'object',
'properties' => [
- 'Subject' => [
- 'description' => 'The subject,'."\n"
- ."\n"
- .'which is represented by the `sub` field in the OIDC Token.'."\n",
- 'type' => 'string',
- 'example' => 'KryrkIdjylZb7agUgCEf****',
- ],
- 'Issuer' => [
- 'description' => 'The URL of the issuer,'."\n"
- ."\n"
- .'which is represented by the `iss` field in the OIDC Token.'."\n",
- 'type' => 'string',
- 'example' => 'https://dev-xxxxxx.okta.com',
- ],
- 'ClientIds' => [
- 'description' => 'The audience. If multiple audiences are returned, the audiences are separated by commas (,).'."\n"
- ."\n"
- .'The audience is represented by the `aud` field in the OIDC Token.'."\n",
- 'type' => 'string',
- 'example' => '496271242565057****',
- ],
- 'ExpirationTime' => [
- 'description' => 'The time when the OIDC token expires.'."\n",
- 'type' => 'string',
- 'example' => '2021-10-20T04:27:09Z',
- ],
- 'IssuanceTime' => [
- 'description' => 'The time when the OIDC token was issued.'."\n",
- 'type' => 'string',
- 'example' => '2021-10-20T03:27:09Z',
- ],
- 'VerificationInfo' => [
- 'description' => 'The verification information about the OIDC token. For more information, see [Manage an OIDC IdP](~~327123~~).',
- 'type' => 'string',
- 'example' => 'Success',
- ],
+ 'SubjectType' => ['description' => 'The format of the NameID element in the SAML assertion. If the prefix is `urn:oasis:names:tc:SAML:2.0:nameid-format:`, the prefix is removed. Examples: `persistent` and `transient`.', 'type' => 'string', 'example' => 'persistent', 'title' => ''],
+ 'Subject' => ['description' => 'The value of the `Subject - NameID` field in the SAML assertion.', 'type' => 'string', 'example' => 'alice@example.com', 'title' => ''],
+ 'Issuer' => ['description' => 'The value of the `Issuer` field in the SAML assertion.', 'type' => 'string', 'example' => 'http://example.com/adfs/services/trust', 'title' => ''],
+ 'Recipient' => ['description' => 'The value of the `Recipient` attribute in the `Subject - SubjectConfirmation - SubjectConfirmationData` field of the SAML assertion.', 'type' => 'string', 'example' => 'https://signin.aliyun.com/saml-role/SSO', 'title' => ''],
],
+ 'title' => '',
+ 'example' => '',
],
'AssumedRoleUser' => [
- 'description' => 'The temporary identity that you use to assume the RAM role.'."\n",
+ 'description' => 'The temporary identity of the assumed role.',
'type' => 'object',
'properties' => [
- 'AssumedRoleId' => [
- 'description' => 'The ID of the temporary identity that you use to assume the RAM role.'."\n",
- 'type' => 'string',
- 'example' => '33157794895460****',
- ],
- 'Arn' => [
- 'description' => 'The ARN of the temporary identity that you use to assume the RAM role.'."\n",
- 'type' => 'string',
- 'example' => 'acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession',
- ],
+ 'AssumedRoleId' => ['description' => 'The ID of the temporary identity.', 'type' => 'string', 'example' => '34458433936495****:alice', 'title' => ''],
+ 'Arn' => ['description' => 'The ARN of the temporary identity.', 'type' => 'string', 'example' => 'acs:sts::123456789012****:assumed-role/AdminRole/alice', 'title' => ''],
],
+ 'title' => '',
+ 'example' => '',
],
'Credentials' => [
- 'description' => 'The access credentials.'."\n",
+ 'description' => 'The access credential.',
'type' => 'object',
'properties' => [
- 'SecurityToken' => [
- 'description' => 'The STS token.'."\n"
- ."\n"
- .'> Alibaba Cloud STS does not impose limits on the length of STS tokens. We strongly recommend that you do not specify a maximum length for STS tokens.'."\n",
- 'type' => 'string',
- 'example' => 'CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****',
- ],
- 'Expiration' => [
- 'description' => 'The time when the STS token expires. The time is displayed in UTC.'."\n",
- 'type' => 'string',
- 'example' => '2021-10-20T04:27:09Z',
- ],
- 'AccessKeySecret' => [
- 'description' => 'The AccessKey secret.'."\n",
- 'type' => 'string',
- 'example' => 'CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****',
- ],
- 'AccessKeyId' => [
- 'description' => 'The AccessKey ID.'."\n",
- 'type' => 'string',
- 'example' => 'STS.NUgYrLnoC37mZZCNnAbez****',
- ],
+ 'SecurityToken' => ['description' => 'The security token.'."\n"
+ ."\n"
+ .'> The security token has a variable length. Do not impose a maximum length limit on the security token.', 'type' => 'string', 'example' => '********', 'title' => ''],
+ 'Expiration' => ['description' => 'The expiration time of the token. The time is in UTC.', 'type' => 'string', 'example' => '2015-04-09T11:52:19Z', 'title' => ''],
+ 'AccessKeySecret' => ['description' => 'The AccessKey secret.', 'type' => 'string', 'example' => 'wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****', 'title' => ''],
+ 'AccessKeyId' => ['description' => 'The AccessKey ID.', 'type' => 'string', 'example' => 'STS.L4aBSCSJVMuKg5U1****', 'title' => ''],
],
+ 'title' => '',
+ 'example' => '',
],
- 'SourceIdentity' => [
- 'type' => 'string',
- ],
+ 'SourceIdentity' => ['description' => 'The source identity.'."\n"
+ ."\n"
+ .'When you assume a role, you can specify a source identity for the role user. The source identity is used as the initial identity of the session. The value of the source identity persists throughout chained role-assuming sessions and cannot be changed. This ensures the traceability and security of operations.'."\n"
+ ."\n"
+ .'This parameter is not returned if you do not set a source identity.', 'type' => 'string', 'example' => 'Alice', 'title' => ''],
],
+ 'title' => '',
+ 'example' => '',
],
],
],
- 'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"3D57EAD2-8723-1F26-B69C-F8707D8B565D\\",\\n \\"OIDCTokenInfo\\": {\\n \\"Subject\\": \\"KryrkIdjylZb7agUgCEf****\\",\\n \\"Issuer\\": \\"https://dev-xxxxxx.okta.com\\",\\n \\"ClientIds\\": \\"496271242565057****\\",\\n \\"ExpirationTime\\": \\"2021-10-20T04:27:09Z\\",\\n \\"IssuanceTime\\": \\"2021-10-20T03:27:09Z\\",\\n \\"VerificationInfo\\": \\"Success\\"\\n },\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"33157794895460****\\",\\n \\"Arn\\": \\"acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****\\",\\n \\"Expiration\\": \\"2021-10-20T04:27:09Z\\",\\n \\"AccessKeySecret\\": \\"CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****\\",\\n \\"AccessKeyId\\": \\"STS.NUgYrLnoC37mZZCNnAbez****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<?xml version=\\"1.0\\" encoding=\\"UTF-8\\" ?>\\n<AssumeRoleWithOIDCResponse>\\n\\t<RequestId>3D57EAD2-8723-1F26-B69C-F8707D8B565D</RequestId>\\n\\t<OIDCTokenInfo>\\n\\t\\t<Subject>KryrkIdjylZb7agUgCEf****</Subject>\\n\\t\\t<Issuer>https://dev-xxxxxx.okta.com</Issuer>\\n\\t\\t<ClientIds>496271242565057****</ClientIds>\\n\\t</OIDCTokenInfo>\\n\\t<AssumedRoleUser>\\n\\t\\t<AssumedRoleId>33157794895460****</AssumedRoleId>\\n\\t\\t<Arn>acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession</Arn>\\n\\t</AssumedRoleUser>\\n\\t<Credentials>\\n\\t\\t<SecurityToken>CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****</SecurityToken>\\n\\t\\t<Expiration>2021-10-20T04:27:09Z</Expiration>\\n\\t\\t<AccessKeySecret>CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****</AccessKeySecret>\\n\\t\\t<AccessKeyId>STS.NUgYrLnoC37mZZCNnAbez****</AccessKeyId>\\n\\t</Credentials>\\n</AssumeRoleWithOIDCResponse>\\t\\n","errorExample":""}]',
- 'title' => 'AssumeRoleWithOIDC',
+ 'errorCodes' => [
+ 500 => [
+ ['errorCode' => 'InternalError', 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.', 'description' => ''],
+ ],
+ ],
+ 'title' => 'AssumeRoleWithSAML',
'description' => '### Prerequisites'."\n"
."\n"
- .'* An OIDC token is obtained from an external identity provider (IdP).'."\n"
- .'* An OIDC IdP is created in the RAM console. For more information, see [Create an OIDC IdP](~~327123~~) or [CreateOIDCProvider](~~327135~~).'."\n"
- .'* A RAM role whose trusted entity is an OIDC IdP is created in the RAM console. For more information, see [Create a RAM role for a trusted IdP](~~116805~~) or [CreateRole](~~28710~~).'."\n",
- 'requestParamsDescription' => '> Anonymous users can call the AssumeRoleWithOIDC operation because authentication for this operation is performed based on OIDC tokens. Therefore, you do not need to specify the following common request parameters: `Signature`, `SignatureMethod`, `SignatureVersion`, and `AccessKeyId`. For more information about common request parameters, see [Common request parameters](~~315526~~).'."\n",
+ .'- Obtain a SAML response from an external identity provider (IdP).'."\n"
+ ."\n"
+ .'- Create a SAML identity provider in Resource Access Management (RAM). For more information, see [Create a SAML identity provider](~~116083~~) or [CreateSAMLProvider](~~186846~~).'."\n"
+ ."\n"
+ .'- Create a RAM role for a SAML identity provider. For more information, see [Create a RAM role for an identity provider](~~116805~~) or [CreateRole](~~28710~~).',
+ 'requestParamsDescription' => '> Because the AssumeRoleWithSAML operation uses a SAML assertion for identity authentication and allows anonymous access, you do not need to specify the common request parameters `Signature`, `SignatureMethod`, `SignatureVersion`, or `AccessKeyId`. For more information about common request parameters, see [Common request parameters](~~315526~~).',
+ 'changeSet' => [],
+ 'flowControl' => [
+ 'flowControlList' => [],
+ ],
+ 'ramActions' => [],
+ 'responseDemo' => '[{"errorExample":"","example":"{\\n \\"RequestId\\": \\"6894B13B-6D71-4EF5-88FA-F32781734A7F\\",\\n \\"SAMLAssertionInfo\\": {\\n \\"SubjectType\\": \\"persistent\\",\\n \\"Subject\\": \\"alice@example.com\\",\\n \\"Issuer\\": \\"http://example.com/adfs/services/trust\\",\\n \\"Recipient\\": \\"https://signin.aliyun.com/saml-role/SSO\\"\\n },\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"34458433936495****:alice\\",\\n \\"Arn\\": \\"acs:sts::123456789012****:assumed-role/AdminRole/alice\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"********\\",\\n \\"Expiration\\": \\"2015-04-09T11:52:19Z\\",\\n \\"AccessKeySecret\\": \\"wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****\\",\\n \\"AccessKeyId\\": \\"STS.L4aBSCSJVMuKg5U1****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","type":"json"}]',
],
'GetCallerIdentity' => [
- 'summary' => 'The ID of the Alibaba Cloud account to which the current requester belongs.',
- 'methods' => [
- 'post',
- 'get',
- ],
- 'schemes' => [
- 'https',
- ],
+ 'methods' => ['post', 'get'],
+ 'schemes' => ['https'],
'security' => [
[
'AK' => [],
],
],
- 'operationType' => 'read',
- 'systemTags' => [
- 'operationType' => 'get',
- 'riskType' => 'none',
- 'chargeType' => 'free',
- ],
+ 'systemTags' => ['operationType' => 'get', 'riskType' => 'none', 'chargeType' => 'free'],
'parameters' => [],
'responses' => [
200 => [
'schema' => [
- 'description' => 'Queries the identity of the current requester.',
+ 'description' => 'The response parameters.',
'type' => 'object',
'properties' => [
- 'IdentityType' => [
- 'description' => '',
- 'type' => 'string',
- 'example' => 'RAMUser',
- ],
- 'AccountId' => [
- 'description' => '',
- 'type' => 'string',
- 'example' => '196813200012****',
- ],
- 'RequestId' => [
- 'description' => '',
- 'type' => 'string',
- 'example' => '3C87BF47-3724-5443-ADC1-5AEAD9A03EB1',
- ],
- 'PrincipalId' => [
- 'description' => '',
- 'type' => 'string',
- 'example' => '28877424437521****',
- ],
- 'UserId' => [
- 'description' => '',
- 'type' => 'string',
- 'example' => '216959339000****',
- ],
- 'Arn' => [
- 'description' => '',
- 'type' => 'string',
- 'example' => 'acs:ram::196813200012****:user/admin',
- ],
- 'RoleId' => [
- 'description' => '',
- 'type' => 'string',
- 'example' => '33537620082992****',
- ],
+ 'IdentityType' => ['description' => 'The type of the identity. Valid values:'."\n"
+ ."\n"
+ .'- Account: an Alibaba Cloud account.'."\n"
+ .'- RAMUser: a RAM user.'."\n"
+ .'- AssumedRoleUser: a RAM role.', 'type' => 'string', 'title' => '', 'example' => 'RAMUser'],
+ 'AccountId' => ['description' => 'The ID of the Alibaba Cloud account to which the current caller belongs.', 'type' => 'string', 'title' => '', 'example' => '196813200012****'],
+ 'RequestId' => ['description' => 'The request ID.', 'type' => 'string', 'title' => '', 'example' => '3C87BF47-3724-5443-ADC1-5AEAD9A03EB1'],
+ 'PrincipalId' => ['description' => 'The ID of the principal.', 'type' => 'string', 'title' => '', 'example' => '28877424437521****'],
+ 'UserId' => ['description' => 'The user ID. Details are as follows:'."\n"
+ ."\n"
+ .'- If the caller is an Alibaba Cloud account, the ID of the Alibaba Cloud account is returned.'."\n"
+ .'- If the caller is a RAM user, the ID of the RAM user is returned.'."\n"
+ ."\n"
+ .'> This parameter is returned only when the caller is an Alibaba Cloud account or a RAM user.', 'type' => 'string', 'title' => '', 'example' => '216959339000****'],
+ 'Arn' => ['description' => 'The Alibaba Cloud Resource Name (ARN) of the current caller.', 'type' => 'string', 'title' => '', 'example' => 'acs:ram::196813200012****:user/admin'],
+ 'RoleId' => ['description' => 'The ID of the RAM role.'."\n"
+ ."\n"
+ .'> This parameter is returned only when the caller is a RAM role.', 'type' => 'string', 'title' => '', 'example' => '33537620082992****'],
],
+ 'title' => '',
],
],
],
'errorCodes' => [
500 => [
- [
- 'errorCode' => 'InternalError',
- 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.',
- ],
+ ['errorCode' => 'InternalError', 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.', 'description' => ''],
],
],
- 'responseDemo' => '[{"type":"json","example":"{\\n \\"IdentityType\\": \\"RAMUser\\",\\n \\"AccountId\\": \\"196813200012****\\",\\n \\"RequestId\\": \\"3C87BF47-3724-5443-ADC1-5AEAD9A03EB1\\",\\n \\"PrincipalId\\": \\"28877424437521****\\",\\n \\"UserId\\": \\"216959339000****\\",\\n \\"Arn\\": \\"acs:ram::196813200012****:user/admin\\",\\n \\"RoleId\\": \\"33537620082992****\\"\\n}","errorExample":""},{"type":"xml","example":"","errorExample":""}]',
+ 'responseDemo' => '[{"errorExample":"","example":"{\\n \\"IdentityType\\": \\"RAMUser\\",\\n \\"AccountId\\": \\"196813200012****\\",\\n \\"RequestId\\": \\"3C87BF47-3724-5443-ADC1-5AEAD9A03EB1\\",\\n \\"PrincipalId\\": \\"28877424437521****\\",\\n \\"UserId\\": \\"216959339000****\\",\\n \\"Arn\\": \\"acs:ram::196813200012****:user/admin\\",\\n \\"RoleId\\": \\"33537620082992****\\"\\n}","type":"json"}]',
'title' => 'GetCallerIdentity',
+ 'summary' => 'A call to the GetCallerIdentity operation returns information about the identity of the current caller.',
+ 'changeSet' => [],
+ 'flowControl' => [
+ 'flowControlList' => [
+ ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'GetCallerIdentity'],
+ ],
+ ],
+ 'ramActions' => [],
+ 'operationType' => 'read',
],
],
'endpoints' => [
- [
- 'regionId' => 'cn-qingdao',
- 'endpoint' => 'sts.cn-qingdao.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-beijing',
- 'endpoint' => 'sts.cn-beijing.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-zhangjiakou',
- 'endpoint' => 'sts.cn-zhangjiakou.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-huhehaote',
- 'endpoint' => 'sts.cn-huhehaote.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-wulanchabu',
- 'endpoint' => 'sts.cn-wulanchabu.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-hangzhou',
- 'endpoint' => 'sts.cn-hangzhou.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-shanghai',
- 'endpoint' => 'sts.cn-shanghai.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-nanjing',
- 'endpoint' => 'sts.cn-nanjing.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-fuzhou',
- 'endpoint' => 'sts.cn-fuzhou.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-shenzhen',
- 'endpoint' => 'sts.cn-shenzhen.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-chengdu',
- 'endpoint' => 'sts.cn-chengdu.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-hongkong',
- 'endpoint' => 'sts.cn-hongkong.aliyuncs.com',
- ],
- [
- 'regionId' => 'ap-northeast-1',
- 'endpoint' => 'sts.ap-northeast-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'ap-northeast-2',
- 'endpoint' => 'sts.ap-northeast-2.aliyuncs.com',
- ],
- [
- 'regionId' => 'ap-southeast-1',
- 'endpoint' => 'sts.ap-southeast-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'ap-southeast-3',
- 'endpoint' => 'sts.ap-southeast-3.aliyuncs.com',
- ],
- [
- 'regionId' => 'ap-southeast-5',
- 'endpoint' => 'sts.ap-southeast-5.aliyuncs.com',
- ],
- [
- 'regionId' => 'us-east-1',
- 'endpoint' => 'sts.us-east-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'us-west-1',
- 'endpoint' => 'sts.us-west-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'eu-west-1',
- 'endpoint' => 'sts.eu-west-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'eu-central-1',
- 'endpoint' => 'sts.eu-central-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'me-east-1',
- 'endpoint' => 'sts.me-east-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-hangzhou-finance',
- 'endpoint' => 'sts.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-shanghai-finance-1',
- 'endpoint' => 'sts.cn-shanghai-finance-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-shenzhen-finance-1',
- 'endpoint' => 'sts.aliyuncs.com',
- ],
- [
- 'regionId' => 'ap-southeast-7',
- 'endpoint' => 'sts.ap-southeast-7.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-beijing-finance-1',
- 'endpoint' => 'sts.cn-beijing-finance-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'me-central-1',
- 'endpoint' => 'sts.me-central-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-heyuan',
- 'endpoint' => 'sts.cn-heyuan.aliyuncs.com',
+ ['regionId' => 'cn-beijing', 'regionName' => 'China (Beijing)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-beijing.aliyuncs.com', 'endpoint' => 'sts.cn-beijing.aliyuncs.com', 'vpc' => 'sts-vpc.cn-beijing.aliyuncs.com'],
+ ['regionId' => 'cn-heyuan', 'regionName' => 'China (Heyuan)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-heyuan.aliyuncs.com', 'endpoint' => 'sts.cn-heyuan.aliyuncs.com', 'vpc' => 'sts-vpc.cn-heyuan.aliyuncs.com'],
+ ['regionId' => 'cn-zhangjiakou', 'regionName' => 'China (Zhangjiakou)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-zhangjiakou.aliyuncs.com', 'endpoint' => 'sts.cn-zhangjiakou.aliyuncs.com', 'vpc' => 'sts-vpc.cn-zhangjiakou.aliyuncs.com'],
+ ['regionId' => 'ap-northeast-2', 'regionName' => 'South Korea (Seoul)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.ap-northeast-2.aliyuncs.com', 'endpoint' => 'sts.ap-northeast-2.aliyuncs.com', 'vpc' => 'sts-vpc.ap-northeast-2.aliyuncs.com'],
+ ['regionId' => 'ap-northeast-1', 'regionName' => 'Japan (Tokyo)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.ap-northeast-1.aliyuncs.com', 'endpoint' => 'sts.ap-northeast-1.aliyuncs.com', 'vpc' => 'sts-vpc.ap-northeast-1.aliyuncs.com'],
+ ['regionId' => 'ap-southeast-1', 'regionName' => 'Singapore', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.ap-southeast-1.aliyuncs.com', 'endpoint' => 'sts.ap-southeast-1.aliyuncs.com', 'vpc' => 'sts-vpc.ap-southeast-1.aliyuncs.com'],
+ ['regionId' => 'ap-southeast-3', 'regionName' => 'Malaysia (Kuala Lumpur)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.ap-southeast-3.aliyuncs.com', 'endpoint' => 'sts.ap-southeast-3.aliyuncs.com', 'vpc' => 'sts-vpc.ap-southeast-3.aliyuncs.com'],
+ ['regionId' => 'ap-southeast-5', 'regionName' => 'Indonesia (Jakarta)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.ap-southeast-5.aliyuncs.com', 'endpoint' => 'sts.ap-southeast-5.aliyuncs.com', 'vpc' => 'sts-vpc.ap-southeast-5.aliyuncs.com'],
+ ['regionId' => 'ap-southeast-7', 'regionName' => 'Thailand (Bangkok)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.ap-southeast-7.aliyuncs.com', 'endpoint' => 'sts.ap-southeast-7.aliyuncs.com', 'vpc' => 'sts-vpc.ap-southeast-7.aliyuncs.com'],
+ ['regionId' => 'cn-wulanchabu', 'regionName' => 'China (Ulanqab)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-wulanchabu.aliyuncs.com', 'endpoint' => 'sts.cn-wulanchabu.aliyuncs.com', 'vpc' => 'sts-vpc.cn-wulanchabu.aliyuncs.com'],
+ ['regionId' => 'cn-qingdao', 'regionName' => 'China (Qingdao)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-qingdao.aliyuncs.com', 'endpoint' => 'sts.cn-qingdao.aliyuncs.com', 'vpc' => 'sts-vpc.cn-qingdao.aliyuncs.com'],
+ ['regionId' => 'cn-wuhan-lr', 'regionName' => 'China (Wuhan - Local Region)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-wuhan-lr.aliyuncs.com', 'endpoint' => 'sts.cn-wuhan-lr.aliyuncs.com', 'vpc' => 'sts-vpc.cn-wuhan-lr.aliyuncs.com'],
+ ['regionId' => 'cn-shanghai', 'regionName' => 'China (Shanghai)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-shanghai.aliyuncs.com', 'endpoint' => 'sts.cn-shanghai.aliyuncs.com', 'vpc' => 'sts-vpc.cn-shanghai.aliyuncs.com'],
+ ['regionId' => 'cn-hongkong', 'regionName' => 'China (Hong Kong)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-hongkong.aliyuncs.com', 'endpoint' => 'sts.cn-hongkong.aliyuncs.com', 'vpc' => 'sts-vpc.cn-hongkong.aliyuncs.com'],
+ ['regionId' => 'cn-shenzhen', 'regionName' => 'China (Shenzhen)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-shenzhen.aliyuncs.com', 'endpoint' => 'sts.cn-shenzhen.aliyuncs.com', 'vpc' => 'sts-vpc.cn-shenzhen.aliyuncs.com'],
+ ['regionId' => 'cn-nanjing', 'regionName' => 'China (Nanjing - Local Region)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-nanjing.aliyuncs.com', 'endpoint' => 'sts.cn-nanjing.aliyuncs.com', 'vpc' => 'sts-vpc.cn-nanjing.aliyuncs.com'],
+ ['regionId' => 'cn-fuzhou', 'regionName' => 'China (Fuzhou - Local Region)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-fuzhou.aliyuncs.com', 'endpoint' => 'sts.cn-fuzhou.aliyuncs.com', 'vpc' => 'sts-vpc.cn-fuzhou.aliyuncs.com'],
+ ['regionId' => 'cn-chengdu', 'regionName' => 'China (Chengdu)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-chengdu.aliyuncs.com', 'endpoint' => 'sts.cn-chengdu.aliyuncs.com', 'vpc' => 'sts-vpc.cn-chengdu.aliyuncs.com'],
+ ['regionId' => 'cn-guangzhou', 'regionName' => 'China (Guangzhou)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-guangzhou.aliyuncs.com', 'endpoint' => 'sts.cn-guangzhou.aliyuncs.com', 'vpc' => 'sts-vpc.cn-guangzhou.aliyuncs.com'],
+ ['regionId' => 'cn-huhehaote', 'regionName' => 'China (Hohhot)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-huhehaote.aliyuncs.com', 'endpoint' => 'sts.cn-huhehaote.aliyuncs.com', 'vpc' => 'sts-vpc.cn-huhehaote.aliyuncs.com'],
+ ['regionId' => 'cn-hangzhou', 'regionName' => 'China (Hangzhou)', 'areaId' => 'asiaPacific', 'areaName' => 'Asia Pacific', 'public' => 'sts.cn-hangzhou.aliyuncs.com', 'endpoint' => 'sts.cn-hangzhou.aliyuncs.com', 'vpc' => 'sts-vpc.cn-hangzhou.aliyuncs.com'],
+ ['regionId' => 'eu-west-1', 'regionName' => 'UK (London)', 'areaId' => 'europeAmerica', 'areaName' => 'Europe & Americas', 'public' => 'sts.eu-west-1.aliyuncs.com', 'endpoint' => 'sts.eu-west-1.aliyuncs.com', 'vpc' => 'sts-vpc.eu-west-1.aliyuncs.com'],
+ ['regionId' => 'eu-central-1', 'regionName' => 'Germany (Frankfurt)', 'areaId' => 'europeAmerica', 'areaName' => 'Europe & Americas', 'public' => 'sts.eu-central-1.aliyuncs.com', 'endpoint' => 'sts.eu-central-1.aliyuncs.com', 'vpc' => 'sts-vpc.eu-central-1.aliyuncs.com'],
+ ['regionId' => 'us-east-1', 'regionName' => 'US (Virginia)', 'areaId' => 'europeAmerica', 'areaName' => 'Europe & Americas', 'public' => 'sts.us-east-1.aliyuncs.com', 'endpoint' => 'sts.us-east-1.aliyuncs.com', 'vpc' => 'sts-vpc.us-east-1.aliyuncs.com'],
+ ['regionId' => 'us-west-1', 'regionName' => 'US (Silicon Valley)', 'areaId' => 'europeAmerica', 'areaName' => 'Europe & Americas', 'public' => 'sts.us-west-1.aliyuncs.com', 'endpoint' => 'sts.us-west-1.aliyuncs.com', 'vpc' => 'sts-vpc.us-west-1.aliyuncs.com'],
+ ['regionId' => 'na-south-1', 'regionName' => 'Mexico', 'areaId' => 'europeAmerica', 'areaName' => 'Europe & Americas', 'public' => 'sts.na-south-1.aliyuncs.com', 'endpoint' => 'sts.na-south-1.aliyuncs.com', 'vpc' => 'sts-vpc.na-south-1.aliyuncs.com'],
+ ['regionId' => 'me-east-1', 'regionName' => 'UAE (Dubai)', 'areaId' => 'middleEast', 'areaName' => 'Middle East', 'public' => 'sts.me-east-1.aliyuncs.com', 'endpoint' => 'sts.me-east-1.aliyuncs.com', 'vpc' => 'sts-vpc.me-east-1.aliyuncs.com'],
+ ['regionId' => 'me-central-1', 'regionName' => 'Saudi Arabia (Riyadh)', 'areaId' => 'middleEast', 'areaName' => 'Middle East', 'public' => 'sts.me-central-1.aliyuncs.com', 'endpoint' => 'sts.me-central-1.aliyuncs.com', 'vpc' => 'sts-vpc.me-central-1.aliyuncs.com'],
+ ['regionId' => 'cn-shenzhen-finance-1', 'regionName' => 'China South 1 Finance', 'areaId' => 'industryCloud', 'areaName' => 'Industry Cloud', 'public' => 'sts.aliyuncs.com', 'endpoint' => 'sts.aliyuncs.com', 'vpc' => 'sts-vpc.cn-shenzhen-finance-1.aliyuncs.com'],
+ ['regionId' => 'cn-beijing-finance-1', 'regionName' => 'China North 2 Finance (Preview)', 'areaId' => 'industryCloud', 'areaName' => 'Industry Cloud', 'public' => 'sts.cn-beijing-finance-1.aliyuncs.com', 'endpoint' => 'sts.cn-beijing-finance-1.aliyuncs.com', 'vpc' => 'sts-vpc.cn-beijing-finance-1.aliyuncs.com'],
+ ['regionId' => 'cn-shanghai-finance-1', 'regionName' => 'China East 2 Finance', 'areaId' => 'industryCloud', 'areaName' => 'Industry Cloud', 'public' => 'sts.cn-shanghai-finance-1.aliyuncs.com', 'endpoint' => 'sts.cn-shanghai-finance-1.aliyuncs.com', 'vpc' => 'sts-vpc.cn-shanghai-finance-1.aliyuncs.com'],
+ ['regionId' => 'cn-hangzhou-finance', 'regionName' => 'China East 1 Finance', 'areaId' => 'industryCloud', 'areaName' => 'Industry Cloud', 'public' => 'sts.aliyuncs.com', 'endpoint' => 'sts.aliyuncs.com', 'vpc' => ''],
+ ],
+ 'errorCodes' => [
+ ['code' => 'AuthenticationFail.OIDCToken.AudienceNotMatch', 'message' => 'Invalid audience.', 'http_code' => 401, 'description' => 'audience mismatch in Token'],
+ ['code' => 'AuthenticationFail.OIDCToken.Expired', 'message' => 'This JsonWebToken is expired.', 'http_code' => 401, 'description' => ''],
+ ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'The Jwt content is invalid that cannot be recognized.', 'http_code' => 401, 'description' => 'Jwt content is invalid and not recognized'],
+ ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'The algorithm HS256 that be specified in Jwt header is unknown.', 'http_code' => 401, 'description' => 'The HS256 algorithm specified in the Jwt header is unknown.'],
+ ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'Cannot decode base64 encoded response(format invalided).', 'http_code' => 401, 'description' => 'The format is incorrect and the base64 encoded return result cannot be decoded.'],
+ ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'The number of Jwt field should be divided into 3 parts with \'.\' .', 'http_code' => 401, 'description' => 'Jwt needs to be able to be divided into 3 parts by the \'.\' character.'],
+ ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'The OIDCToken can not empty.', 'http_code' => 401, 'description' => 'OIDCToken field cannot be null.'],
+ ['code' => 'AuthenticationFail.OIDCToken.InvalidSignature', 'message' => 'OIDC token validate failed: invalid signature.', 'http_code' => 401, 'description' => 'Verification signature of ODIC token shi bai'],
+ ['code' => 'AuthenticationFail.OIDCToken.IssuerConfigurationBroken', 'message' => 'Cannot find the specific key from the discovery, kid is %s.', 'http_code' => 401, 'description' => 'The kid of the public key specified in OIDC Token to verify the signature is not provided in jwks uri of idp, and the kid is% s'],
+ ['code' => 'AuthenticationFail.OIDCToken.IssuerNotMatch', 'message' => 'The issuer in the OIDC Token doesn\'t match the OIDC Provider registered.', 'http_code' => 401, 'description' => 'The issuer field in the OIDC token does not match the registered OIDC provider.'],
+ ['code' => 'AuthenticationFail.OIDCToken.PublicKeyFingerprintMismatch', 'message' => 'The https fingerprint of this discovery is invalid.', 'http_code' => 401, 'description' => 'Verify that the fingerprint is not in the list of fingerprints for the corresponding OIDC identity provider'],
+ ['code' => 'AuthenticationFail.SAMLAssertion.Expired', 'message' => 'Response IssueInstant is either too old or with date in the future, value:%s.', 'http_code' => 401, 'description' => 'SAML Assertion Expired'],
+ ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'Bearer SubjectConfirmation invalidated by not before which is forbidden.', 'http_code' => 401, 'description' => 'SAML Assertion SubjectConfirmation cannot contain NotBefore attributes.'],
+ ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'Can\'t find the intended audience in at least one AudienceRestriction.', 'http_code' => 401, 'description' => ''],
+ ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'The rolearn and samlprovider pair can not be found in the Role Attibute of the SAMLAssertion.', 'http_code' => 401, 'description' => 'There is no RoleArn and SamlProvider information in the SAML Assertion. It needs to exist in Attribute form in the AttributeStatement. The format is roleArn,providerArn'],
+ ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'Cannot decode base64 encoded response(format invalided).', 'http_code' => 401, 'description' => 'The SAML Assertion is malformed and is not a standard Base64 string.'],
+ ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'The assertion schema validation failed.', 'http_code' => 401, 'description' => ''],
+ ['code' => 'EntityNotExist.Role', 'message' => 'The role not exists: %s.', 'http_code' => 404, 'description' => 'Role played by bu cun'],
+ ['code' => 'EntityNotExist.SAMLProvider', 'message' => 'Can not find SAML provider by ARN:%s.', 'http_code' => 404, 'description' => 'Cannot find the corresponding through ARM'],
+ ['code' => 'EntityNotExist.SAMLProvider', 'message' => 'Parameter SAMLProviderArn is not valid.', 'http_code' => 404, 'description' => 'Invalid Arn for SAML identity provider.'],
+ ['code' => 'EntityNotExist.User', 'message' => 'account not exists.', 'http_code' => 404, 'description' => 'Account does not exist'],
+ ['code' => 'EntityNotExist.User', 'message' => 'The identity account is not exists.', 'http_code' => 404, 'description' => 'The identity account is not exists.'],
+ ['code' => 'InvalidParameter', 'message' => 'Invalid role arn format:%s.', 'http_code' => 400, 'description' => 'The role arn format is incorrect.'],
+ ['code' => 'InvalidParameter.AssumeRoleFor', 'message' => 'The parameter AssumeRoleFor is wrongly formed.', 'http_code' => 400, 'description' => 'Parameter AssumeRoleFor format is illegal'],
+ ['code' => 'InvalidParameter.DurationSeconds', 'message' => 'The Min/Max value of DurationSeconds is 15min/1hr.', 'http_code' => 400, 'description' => 'DurationSeconds parameter is illegal, DurationSeconds minimum value is 15 minutes, maximum value is 1 hour'],
+ ['code' => 'InvalidParameter.DurationSeconds', 'message' => 'The Min/Max value of DurationSeconds is %s.', 'http_code' => 400, 'description' => 'DurationSeconds parameter is illegal.'],
+ ['code' => 'InvalidParameter.DurationSeconds', 'message' => 'The Min/Max value of DurationSeconds is 15min/12hr.', 'http_code' => 400, 'description' => 'DurationSeconds parameter is illegal, DurationSeconds minimum value is 15 minutes, maximum value is 12 hour'."\n"],
+ ['code' => 'InvalidParameter.ExternalId', 'message' => 'The parameter ExternalId is wrongly formed.', 'http_code' => 400, 'description' => 'Parameters'],
+ ['code' => 'InvalidParameter.Policy.StarCount', 'message' => 'The count of star in policy document\'s value field is limited to %s.', 'http_code' => 400, 'description' => 'The number of * in the policy exceeds the maximum limit.'],
+ ['code' => 'InvalidParameter.Policy.StarCount', 'message' => 'The count of star in policy document\'s value field is illegal.', 'http_code' => 400, 'description' => 'The number of * in the policy exceeds the maximum limit.'."\n"],
+ ['code' => 'InvalidParameter.PolicyGrammar', 'message' => 'The parameter Policy has not passed grammar check.', 'http_code' => 400, 'description' => 'Parameter Policy syntax format check failed'],
+ ['code' => 'InvalidParameter.PolicyGrammar', 'message' => 'Invalid Policy.', 'http_code' => 400, 'description' => 'Invalid parameter Policy.'],
+ ['code' => 'InvalidParameter.PolicySize', 'message' => 'The size of Policy must be smaller than 2048 bytes.', 'http_code' => 400, 'description' => 'The policy parameter is invalid. The policy length must be less than 2048 bytes.'],
+ ['code' => 'InvalidParameter.RoleArn', 'message' => 'The RoleArn can not empty.', 'http_code' => 400, 'description' => 'Parameter RoleArn cannot be wei kong zhi'],
+ ['code' => 'InvalidParameter.RoleArn', 'message' => 'The parameter RoleArn is wrongly formed.', 'http_code' => 400, 'description' => 'Parameters'],
+ ['code' => 'InvalidParameter.RoleSessionName', 'message' => 'The parameter RoleSessionName is wrongly formed.', 'http_code' => 400, 'description' => ''],
+ ['code' => 'InvalidParameter.RoleSessionName', 'message' => 'The RoleSessionName can not empty.', 'http_code' => 400, 'description' => 'The parameter RoleSessionName cannot be null.'],
+ ['code' => 'InvalidParameter.UserSessionName', 'message' => 'The parameter UserSessionName is invalid.', 'http_code' => 400, 'description' => 'Invalid parameter UserSessionName'."\n"],
+ ['code' => 'InvalidVersion', 'message' => 'Specified parameter Version is not valid.', 'http_code' => 400, 'description' => 'Incorrect STS version number'],
+ ['code' => 'ISVAuthenticationFail.SignatureNotMatch', 'message' => 'The IspSignature does not match.', 'http_code' => 401, 'description' => 'IspSignature signatures do not match.'],
+ ['code' => 'MissingAccessKeyId', 'message' => 'AccessKeyId is mandatory for this action.', 'http_code' => 400, 'description' => 'The operation must have a AccessKeyId.'],
+ ['code' => 'MissingParameter.OIDCProviderArn', 'message' => 'Parameter OIDCProviderArn is required.', 'http_code' => 400, 'description' => 'Missing required parameter OIDCProviderArn'],
+ ['code' => 'MissingParameter.RoleSessionName', 'message' => 'Parameter RoleSessionName is required.', 'http_code' => 400, 'description' => 'Missing required parameter RoleSessionName.'],
+ ['code' => 'NoPermission', 'message' => 'Roles may not be assumed by root accounts.', 'http_code' => 403, 'description' => 'Roles may not be assumed by root accounts.'],
+ ['code' => 'NoPermission', 'message' => 'You are not authorized to do this action.', 'http_code' => 403, 'description' => 'You are not authorized to do this action.'],
+ ['code' => 'NotSupported', 'message' => 'The identity type is not supported for this action.', 'http_code' => 403, 'description' => 'This operation is not supported for the identity type.'],
+ ['code' => 'InvalidParameter.Conditions', 'message' => 'The value of Conditions is invalid.', 'http_code' => 400, 'description' => 'Conditions parameter is illegal'],
+ ],
+ 'changeSet' => [],
+ 'flowControl' => [
+ 'flowControlList' => [
+ ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'GetCallerIdentity'],
+ ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'AssumeRole'],
+ ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'AssumeRoleWithOIDC'],
+ ['threshold' => '-1', 'countWindow' => 1, 'regionId' => '*'],
],
- [
- 'regionId' => 'cn-guangzhou',
- 'endpoint' => 'sts.cn-guangzhou.aliyuncs.com',
+ ],
+ 'ram' => [
+ 'productCode' => 'Sts',
+ 'productName' => 'Resource Access Management',
+ 'ramCodes' => ['sts'],
+ 'ramLevel' => 'RESOURCE',
+ 'ramConditions' => [
+ [
+ 'name' => 'acs:Service',
+ 'schema' => ['type' => 'String', 'description' => 'The identifier of the cloud service to which the role can be passed. This condition key is only applicable to the PassRole action. Example value: actiontrail.aliyuncs.com.'],
+ ],
+ [
+ 'name' => 'ram:ServiceNames',
+ 'schema' => ['type' => 'Array<String>', 'description' => 'The identifiers of the cloud services that the service role can trust. This is a multi-valued field. Example value: [\\\\\\&quot;ecs.aliyun.com\\\\\\&quot;, \\\\\\&quot;rds.aliyuncs.com\\\\\\&quot;]'],
+ ],
+ [
+ 'name' => 'sts:SourceIdentity',
+ 'schema' => ['type' => 'String', 'description' => 'The source identity information set when assuming the role.'],
+ ],
+ [
+ 'name' => 'ram:TrustedPrincipalTypes',
+ 'schema' => [
+ 'type' => 'Array<String>',
+ 'description' => 'The types of trusted principals for the role. This is a multi-valued field.',
+ 'enums' => ['RAM', 'Service', 'Federated-SAMLProvider', 'Federated-OIDCProvider'],
+ ],
+ ],
],
- [
- 'regionId' => 'cn-wuhan-lr',
- 'endpoint' => 'sts.cn-wuhan-lr.aliyuncs.com',
+ 'ramActions' => [
+ [
+ 'apiName' => 'AssumeRole',
+ 'description' => '',
+ 'operationType' => 'get',
+ 'additionalActions' => [
+ ['action' => 'sts:SetSourceIdentity', 'validationType' => 'conditional'],
+ ],
+ 'ramAction' => [
+ 'action' => 'sts:AssumeRole',
+ 'authLevel' => 'resource',
+ 'actionConditions' => [
+ ['conditionKey' => 'sts:SourceIdentity', 'validationType' => 'conditional'],
+ ],
+ 'resources' => [
+ ['validationType' => 'always', 'product' => 'Sts', 'resourceType' => 'Role', 'arn' => 'acs:ram::{#accountId}:role/{#RoleName}'],
+ ],
+ ],
+ ],
],
- [
- 'regionId' => 'na-south-1',
- 'endpoint' => 'sts.na-south-1.aliyuncs.com',
+ 'resourceTypes' => [
+ ['validationType' => 'always', 'resourceType' => 'Role', 'arn' => 'acs:ram::{#accountId}:role/{#RoleName}'],
],
],
];