summaryrefslogtreecommitdiff
path: root/data/zh_cn/sts/2015-04-01
diff options
context:
space:
mode:
authorZhineng Li <im@zhineng.li>2026-07-12 17:11:17 +0800
committerZhineng Li <im@zhineng.li>2026-07-12 17:11:17 +0800
commit1c7f908ce09f98fdcbf79ed2a8ae21be60eaa634 (patch)
tree5f0857666365b7e40cdaa3733ebe1f3ba9e13c67 /data/zh_cn/sts/2015-04-01
parent7347bac4ab7e136157fc94777e6cf87ef9e08599 (diff)
downloadafterglow-metadata-full-1c7f908ce09f98fdcbf79ed2a8ae21be60eaa634.tar.gz
afterglow-metadata-full-1c7f908ce09f98fdcbf79ed2a8ae21be60eaa634.zip
update APIs 20260712
Diffstat (limited to 'data/zh_cn/sts/2015-04-01')
-rw-r--r--data/zh_cn/sts/2015-04-01/api-docs.php1167
1 files changed, 432 insertions, 735 deletions
diff --git a/data/zh_cn/sts/2015-04-01/api-docs.php b/data/zh_cn/sts/2015-04-01/api-docs.php
index b0e7efc..1b99579 100644
--- a/data/zh_cn/sts/2015-04-01/api-docs.php
+++ b/data/zh_cn/sts/2015-04-01/api-docs.php
@@ -1,28 +1,18 @@
<?php return [
'version' => '1.0',
- 'info' => [
- 'style' => 'RPC',
- 'product' => 'Sts',
- 'version' => '2015-04-01',
- ],
+ 'info' => ['style' => 'RPC', 'product' => 'Sts', 'version' => '2015-04-01'],
'directories' => [
[
- 'id' => 120773,
- 'title' => '角色扮演',
+ 'children' => ['AssumeRole', 'AssumeRoleWithSAML', 'AssumeRoleWithOIDC'],
'type' => 'directory',
- 'children' => [
- 'AssumeRole',
- 'AssumeRoleWithSAML',
- 'AssumeRoleWithOIDC',
- ],
+ 'title' => '角色扮演',
+ 'id' => 95516,
],
[
- 'id' => 120777,
- 'title' => '调用身份',
+ 'children' => ['GetCallerIdentity'],
'type' => 'directory',
- 'children' => [
- 'GetCallerIdentity',
- ],
+ 'title' => '调用身份',
+ 'id' => 95524,
],
],
'components' => [
@@ -31,117 +21,77 @@
'apis' => [
'AssumeRole' => [
'summary' => '通过调用AssumeRole接口,获取一个扮演RAM角色的临时身份凭证(STS Token)。',
- 'methods' => [
- 'post',
- 'get',
- ],
- 'schemes' => [
- 'https',
- ],
+ 'methods' => ['post', 'get'],
+ 'schemes' => ['https'],
'security' => [
[
'AK' => [],
],
],
'operationType' => 'readAndWrite',
- 'systemTags' => [
- 'operationType' => 'get',
- 'riskType' => 'high',
- 'chargeType' => 'free',
- ],
+ 'systemTags' => ['operationType' => 'get', 'riskType' => 'high', 'chargeType' => 'free'],
'parameters' => [
[
'name' => 'DurationSeconds',
'in' => 'query',
- 'schema' => [
- 'description' => 'Token有效期。单位:秒。'."\n"
- ."\n"
- .'Token有效期最小值为900秒,最大值为要扮演角色的`MaxSessionDuration`时间。默认值为3600秒。'."\n"
- ."\n"
- .'您可以通过CreateRole或UpdateRole设置角色最大会话时间`MaxSessionDuration`。更多信息,请参见[CreateRole](~~28710~~)或[UpdateRole](~~28712~~)。',
- 'type' => 'integer',
- 'format' => 'int64',
- 'required' => false,
- 'example' => '3600',
- ],
+ 'schema' => ['description' => 'Token有效期。单位:秒。'."\n"
+ ."\n"
+ .'Token有效期最小值为900秒,最大值为要扮演角色的`MaxSessionDuration`时间。默认值为3600秒。'."\n"
+ ."\n"
+ .'您可以通过CreateRole或UpdateRole设置角色最大会话时间`MaxSessionDuration`。更多信息,请参见[CreateRole](~~28710~~)或[UpdateRole](~~28712~~)。', 'type' => 'integer', 'format' => 'int64', 'required' => false, 'example' => '3600'],
],
[
'name' => 'Policy',
'in' => 'query',
- 'schema' => [
- 'description' => '为STS Token额外添加的一个权限策略,进一步限制STS Token的权限。具体如下:'."\n"
- ."\n"
- .'- 如果指定该权限策略,则STS Token最终的权限策略取RAM角色权限策略与该权限策略的交集。'."\n"
- .'- 如果不指定该权限策略,则STS Token最终的权限策略取RAM角色的权限策略。'."\n"
- ."\n"
- .'长度为1~2048个字符。'."\n"
- ."\n"
- .'关于权限策略元素和示例,请参见[权限策略基本元素](~~93738~~)和[权限策略示例库](~~210969~~)。',
- 'type' => 'string',
- 'required' => false,
- 'example' => '{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}',
- ],
+ 'schema' => ['description' => '为STS Token额外添加的一个权限策略,进一步限制STS Token的权限。具体如下:'."\n"
+ ."\n"
+ .'- 如果指定该权限策略,则STS Token最终的权限策略取RAM角色权限策略与该权限策略的交集。'."\n"
+ .'- 如果不指定该权限策略,则STS Token最终的权限策略取RAM角色的权限策略。'."\n"
+ ."\n"
+ .'长度为1~2048个字符。'."\n"
+ ."\n"
+ .'关于权限策略元素和示例,请参见[权限策略基本元素](~~93738~~)和[权限策略示例库](~~210969~~)。', 'type' => 'string', 'required' => false, 'example' => '{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}'],
],
[
'name' => 'RoleArn',
'in' => 'query',
- 'schema' => [
- 'description' => '要扮演的RAM角色ARN。'."\n"
- ."\n"
- .'该角色是可信实体为阿里云账号类型的RAM角色。更多信息,请参见[创建可信实体为阿里云账号的RAM角色](~~93691~~)或[CreateRole](~~28710~~)。'."\n"
- ."\n"
- .'格式:`acs:ram::<account_id>:role/<role_name>` 。'."\n"
- ."\n"
- .'您可以通过RAM控制台或API查看角色ARN。具体如下:'."\n"
- ."\n"
- .'- RAM控制台:请参见[查看RAM角色的ARN](~~39744~~)。'."\n"
- .'- API:请参见[ListRoles](~~28713~~)或[GetRole](~~28711~~)。',
- 'type' => 'string',
- 'required' => true,
- 'example' => 'acs:ram::123456789012****:role/adminrole',
- ],
+ 'schema' => ['description' => '要扮演的RAM角色ARN。'."\n"
+ ."\n"
+ .'该角色是可信实体为阿里云账号类型的RAM角色。更多信息,请参见[创建可信实体为阿里云账号的RAM角色](~~93691~~)或[CreateRole](~~28710~~)。'."\n"
+ ."\n"
+ .'格式:`acs:ram::<account_id>:role/<role_name>` 。'."\n"
+ ."\n"
+ .'您可以通过RAM控制台或API查看角色ARN。具体如下:'."\n"
+ ."\n"
+ .'- RAM控制台:请参见[查看RAM角色的ARN](~~39744~~)。'."\n"
+ .'- API:请参见[ListRoles](~~28713~~)或[GetRole](~~28711~~)。', 'type' => 'string', 'required' => true, 'example' => 'acs:ram::123456789012****:role/adminrole'],
],
[
'name' => 'RoleSessionName',
'in' => 'query',
- 'schema' => [
- 'description' => '角色会话名称。'."\n"
- ."\n"
- .'该参数为用户自定义参数。通常设置为调用该API的用户身份,例如:用户名。在操作审计日志中,即使是同一个RAM角色执行的操作,也可以根据不同的`RoleSessionName`来区分实际操作者,以实现用户级别的访问审计。'."\n"
- ."\n"
- .'长度为2~64个字符,可包含英文字母、数字和特殊字符`.@-_`。',
- 'type' => 'string',
- 'required' => true,
- 'example' => 'alice',
- ],
+ 'schema' => ['description' => '角色会话名称。'."\n"
+ ."\n"
+ .'该参数为用户自定义参数。通常设置为调用该API的用户身份,例如:用户名。在操作审计日志中,即使是同一个RAM角色执行的操作,也可以根据不同的`RoleSessionName`来区分实际操作者,以实现用户级别的访问审计。'."\n"
+ ."\n"
+ .'长度为2~64个字符,可包含英文字母、数字和特殊字符`.@-_`。', 'type' => 'string', 'required' => true, 'example' => 'alice'],
],
[
'name' => 'ExternalId',
'in' => 'query',
- 'schema' => [
- 'description' => '角色外部ID。'."\n"
- ."\n"
- .'该参数为外部提供的用于表示角色的参数信息,主要功能是防止混淆代理人问题。更多信息,请参见[使用ExternalId防止混淆代理人问题](~~2361741~~)。'."\n"
- ."\n"
- .'长度为2~1224个字符,可包含英文字母、数字和特殊字符`=,.@:/-_`。正则为:`[\\w+=,.@:\\/-]*`。',
- 'type' => 'string',
- 'required' => false,
- 'example' => 'abcd1234',
- ],
+ 'schema' => ['description' => '角色外部ID。'."\n"
+ ."\n"
+ .'该参数为外部提供的用于表示角色的参数信息,主要功能是防止混淆代理人问题。更多信息,请参见[使用ExternalId防止混淆代理人问题](~~2361741~~)。'."\n"
+ ."\n"
+ .'长度为2~1224个字符,可包含英文字母、数字和特殊字符`=,.@:/-_`。正则为:`[\\w+=,.@:\\/-]*`。', 'type' => 'string', 'required' => false, 'example' => 'abcd1234'],
],
[
'name' => 'SourceIdentity',
'in' => 'query',
- 'schema' => [
- 'description' => '源身份信息。'."\n"
- ."\n"
- .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n"
- ."\n"
- .'SourceIdentity 长度为 2~64 个字符,可包含英文字母、数字、以及特殊字符:`=,.@-_`。正则为:`[\\w+=,.@-]*`。您不能使用以`acs:`、`aliyun:`、`alibabacloud:` 开头的值,这些前缀为阿里云内部使用。',
- 'type' => 'string',
- 'required' => false,
- 'example' => 'Alice',
- ],
+ 'schema' => ['description' => '源身份信息。'."\n"
+ ."\n"
+ .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n"
+ ."\n"
+ .'SourceIdentity 长度为 2~64 个字符,可包含英文字母、数字、以及特殊字符:`=,.@-_`。正则为:`[\\w+=,.@-]*`。您不能使用以`acs:`、`aliyun:`、`alibabacloud:` 开头的值,这些前缀为阿里云内部使用。', 'type' => 'string', 'required' => false, 'example' => 'Alice'],
],
],
'responses' => [
@@ -151,131 +101,57 @@
'description' => '返回参数。',
'type' => 'object',
'properties' => [
- 'RequestId' => [
- 'description' => '请求ID。',
- 'type' => 'string',
- 'example' => '6894B13B-6D71-4EF5-88FA-F32781734A7F',
- ],
+ 'RequestId' => ['description' => '请求ID。', 'type' => 'string', 'example' => '6894B13B-6D71-4EF5-88FA-F32781734A7F'],
'AssumedRoleUser' => [
'description' => '角色扮演时的临时身份。',
'type' => 'object',
'properties' => [
- 'AssumedRoleId' => [
- 'description' => '临时身份的ID。',
- 'type' => 'string',
- 'example' => '34458433936495****:alice',
- ],
- 'Arn' => [
- 'description' => '临时身份的ARN。',
- 'type' => 'string',
- 'example' => 'acs:ram::123456789012****:role/adminrole/alice',
- ],
+ 'AssumedRoleId' => ['description' => '临时身份的ID。', 'type' => 'string', 'example' => '34458433936495****:alice'],
+ 'Arn' => ['description' => '临时身份的ARN。', 'type' => 'string', 'example' => 'acs:ram::123456789012****:role/adminrole/alice'],
],
],
'Credentials' => [
'description' => '访问凭证。'."\n",
'type' => 'object',
'properties' => [
- 'SecurityToken' => [
- 'description' => '安全令牌。'."\n"
- .'> 安全令牌的长度不固定,我们强烈建议您不要对安全令牌的最大长度做任何限制。',
- 'type' => 'string',
- 'example' => '********',
- ],
- 'Expiration' => [
- 'description' => 'Token到期失效时间(UTC时间)。',
- 'type' => 'string',
- 'example' => '2015-04-09T11:52:19Z',
- ],
- 'AccessKeySecret' => [
- 'description' => '访问密钥。',
- 'type' => 'string',
- 'example' => 'wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****',
- ],
- 'AccessKeyId' => [
- 'description' => '访问密钥ID。',
- 'type' => 'string',
- 'example' => 'STS.L4aBSCSJVMuKg5U1****',
- ],
+ 'SecurityToken' => ['description' => '安全令牌。'."\n"
+ .'> 安全令牌的长度不固定,我们强烈建议您不要对安全令牌的最大长度做任何限制。', 'type' => 'string', 'example' => '********'],
+ 'Expiration' => ['description' => 'Token到期失效时间(UTC时间)。', 'type' => 'string', 'example' => '2015-04-09T11:52:19Z'],
+ 'AccessKeySecret' => ['description' => '访问密钥。', 'type' => 'string', 'example' => 'wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****'],
+ 'AccessKeyId' => ['description' => '访问密钥ID。', 'type' => 'string', 'example' => 'STS.L4aBSCSJVMuKg5U1****'],
],
],
- 'SourceIdentity' => [
- 'description' => '源身份信息。'."\n"
- ."\n"
- .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n"
- ."\n"
- .'如果没有设置源身份信息,则该字段不会返回。',
- 'type' => 'string',
- 'example' => 'Alice',
- ],
+ 'SourceIdentity' => ['description' => '源身份信息。'."\n"
+ ."\n"
+ .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n"
+ ."\n"
+ .'如果没有设置源身份信息,则该字段不会返回。', 'type' => 'string', 'example' => 'Alice'],
],
],
],
],
'errorCodes' => [
400 => [
- [
- 'errorCode' => 'InvalidParameter.DurationSeconds',
- 'errorMessage' => 'The Min/Max value of DurationSeconds is 15min/1hr.',
- ],
- [
- 'errorCode' => 'InvalidParameter.ExternalId',
- 'errorMessage' => 'The parameter ExternalId is wrongly formed.',
- ],
- [
- 'errorCode' => 'InvalidParameter.RoleArn',
- 'errorMessage' => 'The parameter RoleArn is wrongly formed.',
- ],
- [
- 'errorCode' => 'InvalidParameter.RoleSessionName',
- 'errorMessage' => 'The parameter RoleSessionName is wrongly formed.',
- ],
- [
- 'errorCode' => 'InvalidParameter.SerialNumber',
- 'errorMessage' => 'The parameter SerialNumber is wrongly formed.',
- ],
- [
- 'errorCode' => 'InvalidParameter.TokenCode',
- 'errorMessage' => 'The parameter TokenCode is wrongly formed.',
- ],
- [
- 'errorCode' => 'InvalidParameter.PolicyGrammar',
- 'errorMessage' => 'The parameter Policy has not passed grammar check.',
- ],
- [
- 'errorCode' => 'InvalidParameter.PolicySize',
- 'errorMessage' => 'The size of Policy must be smaller than 2048 bytes.',
- ],
- [
- 'errorCode' => 'InvalidParameter.ContentType',
- 'errorMessage' => 'The ContentType request header must be either "application/json" or "application/x-www-form-urlencoded".',
- ],
+ ['errorCode' => 'InvalidParameter.DurationSeconds', 'errorMessage' => 'The Min/Max value of DurationSeconds is 15min/1hr.', 'description' => 'DurationSeconds参数不合法,DurationSeconds最小值为15分钟,最大值为1小时'],
+ ['errorCode' => 'InvalidParameter.ExternalId', 'errorMessage' => 'The parameter ExternalId is wrongly formed.', 'description' => '参数ExternalId不合法'],
+ ['errorCode' => 'InvalidParameter.RoleArn', 'errorMessage' => 'The parameter RoleArn is wrongly formed.', 'description' => '参数RoleArn的格式错误'],
+ ['errorCode' => 'InvalidParameter.RoleSessionName', 'errorMessage' => 'The parameter RoleSessionName is wrongly formed.', 'description' => '参数RoleSessionName格式错误。'],
+ ['errorCode' => 'InvalidParameter.SerialNumber', 'errorMessage' => 'The parameter SerialNumber is wrongly formed.', 'description' => ''],
+ ['errorCode' => 'InvalidParameter.TokenCode', 'errorMessage' => 'The parameter TokenCode is wrongly formed.', 'description' => ''],
+ ['errorCode' => 'InvalidParameter.PolicyGrammar', 'errorMessage' => 'The parameter Policy has not passed grammar check.', 'description' => '参数Policy语法格式检查未通过。'],
+ ['errorCode' => 'InvalidParameter.PolicySize', 'errorMessage' => 'The size of Policy must be smaller than 2048 bytes.', 'description' => 'Policy参数不合法,Policy长度必须小于2048字节。'],
+ ['errorCode' => 'InvalidParameter.ContentType', 'errorMessage' => 'The ContentType request header must be either "application/json" or "application/x-www-form-urlencoded".', 'description' => ''],
],
403 => [
- [
- 'errorCode' => 'NoPermission',
- 'errorMessage' => 'You are not authorized to do this action. You should be authorized by RAM.',
- ],
- [
- 'errorCode' => 'AuthenticationFail.ApiUsername',
- 'errorMessage' => 'The specified api username is not legal.',
- ],
- [
- 'errorCode' => 'AuthenticationFail.ApiPassword',
- 'errorMessage' => 'The specified api password is not legal.',
- ],
+ ['errorCode' => 'NoPermission', 'errorMessage' => 'You are not authorized to do this action. You should be authorized by RAM.', 'description' => ''],
+ ['errorCode' => 'AuthenticationFail.ApiUsername', 'errorMessage' => 'The specified api username is not legal.', 'description' => ''],
+ ['errorCode' => 'AuthenticationFail.ApiPassword', 'errorMessage' => 'The specified api password is not legal.', 'description' => ''],
],
[
- [
- 'errorCode' => 'EntityNotExist.Role',
- 'errorMessage' => 'The specified Role not exists .',
- ],
+ ['errorCode' => 'EntityNotExist.Role', 'errorMessage' => 'The specified Role not exists .', 'description' => ''],
],
500 => [
- [
- 'errorCode' => 'InternalError',
- 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.',
- ],
+ ['errorCode' => 'InternalError', 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.', 'description' => ''],
],
],
'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"6894B13B-6D71-4EF5-88FA-F32781734A7F\\",\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"34458433936495****:alice\\",\\n \\"Arn\\": \\"acs:ram::123456789012****:role/adminrole/alice\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"********\\",\\n \\"Expiration\\": \\"2015-04-09T11:52:19Z\\",\\n \\"AccessKeySecret\\": \\"wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****\\",\\n \\"AccessKeyId\\": \\"STS.L4aBSCSJVMuKg5U1****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<AssumeRoleResponse>\\n <Credentials>\\n <AccessKeyId>STS.L4aBSCSJVMuKg5U1****</AccessKeyId>\\n <AccessKeySecret>wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****</AccessKeySecret>\\n <Expiration>2015-04-09T11:52:19Z</Expiration>\\n <SecurityToken>********</SecurityToken>\\n </Credentials>\\n <AssumedRoleUser>\\n <Arn>acs:ram::123456789012****:role/adminrole/alice</Arn>\\n <AssumedRoleId>34458433936495****:alice</AssumedRoleId>\\n </AssumedRoleUser>\\n <RequestId>6894B13B-6D71-4EF5-88FA-F32781734A7F</RequestId>\\n</AssumeRoleResponse>","errorExample":""}]',
@@ -304,110 +180,101 @@
.'STS Token自颁发后将在一段时间内有效,建议您设置合理的Token有效期,并在有效期内重复使用,以避免业务请求速率上升后,STS Token颁发的速率限制影响到业务。具体速率限制,请参见[STS服务调用次数是否有上限](~~39744~~)。您可以通过请求参数`DurationSeconds`设置Token有效期。'."\n"
."\n"
.'在移动端上传或下载OSS文件等场景下,其访问量较大,即使重复使用STS Token也可能无法满足限流要求。为避免STS的限流成为OSS访问量的瓶颈,您可以尝试OSS的**在URL中包含签名**的方案。更多信息,请参见[在URL中包含签名](~~31952~~)和[服务端签名后直传](~~31926~~)。',
- ],
- 'AssumeRoleWithSAML' => [
- 'summary' => '进行SAML角色SSO时,通过调用AssumeRoleWithSAML接口,获取扮演RAM角色的临时身份凭证(STS Token)。',
- 'methods' => [
- 'post',
- 'get',
+ 'changeSet' => [],
+ 'flowControl' => [
+ 'flowControlList' => [
+ ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'AssumeRole'],
+ ],
],
- 'schemes' => [
- 'https',
+ 'ramActions' => [
+ [
+ 'operationType' => 'get',
+ 'ramAction' => [
+ 'action' => 'sts:AssumeRole',
+ 'authLevel' => 'resource',
+ 'actionConditions' => [
+ ['conditionKey' => 'sts:SourceIdentity', 'validationType' => 'conditional'],
+ ],
+ 'resources' => [
+ ['validationType' => 'always', 'product' => 'Sts', 'resourceType' => 'Role', 'arn' => 'acs:ram::{#accountId}:role/{#RoleName}'],
+ ],
+ ],
+ 'additionalActions' => [
+ ['action' => 'sts:SetSourceIdentity', 'validationType' => 'conditional'],
+ ],
+ ],
],
+ ],
+ 'AssumeRoleWithOIDC' => [
+ 'methods' => ['get', 'post'],
+ 'schemes' => ['https'],
'security' => [
[
- 'Anonymous' => [],
+ 'ARS_OIDC' => [],
],
],
'operationType' => 'readAndWrite',
- 'systemTags' => [
- 'operationType' => 'get',
- 'riskType' => 'high',
- 'chargeType' => 'free',
- ],
+ 'deprecated' => false,
+ 'systemTags' => ['operationType' => 'get', 'riskType' => 'high', 'chargeType' => 'free'],
'parameters' => [
[
- 'name' => 'SAMLProviderArn',
+ 'name' => 'OIDCProviderArn',
'in' => 'query',
- 'schema' => [
- 'description' => 'RAM中创建的SAML身份提供商的ARN。'."\n"
- ."\n"
- .'格式:`acs:ram::<account_id>:saml-provider/<saml_provider_id>`。'."\n"
- ."\n"
- .'您可以通过RAM控制台或API查看身份提供商的ARN。具体如下:'."\n"
- ."\n"
- .'- RAM控制台:请参见[查看SAML身份提供商基本信息](~~116795~~)。'."\n"
- .'- API:请参见[GetSAMLProvider](~~186833~~)或[ListSAMLProviders](~~186851~~)。',
- 'type' => 'string',
- 'required' => false,
- 'docRequired' => true,
- 'example' => 'acs:ram::123456789012****:saml-provider/company1',
- ],
+ 'schema' => ['title' => 'OIDC Provider的ARN', 'description' => 'OIDC身份提供商的ARN。'."\n"
+ ."\n"
+ .'您可以通过RAM控制台或API查看OIDC身份提供商的ARN。具体如下:'."\n"
+ ."\n"
+ .'- RAM控制台:请参见[查看OIDC身份提供商信息](~~327123~~)。'."\n"
+ .'- API:请参见[GetOIDCProvider](~~327126~~)或[ListOIDCProviders](~~327127~~) 。', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'acs:ram::113511544585****:oidc-provider/TestOidcIdp'],
],
[
'name' => 'RoleArn',
'in' => 'query',
- 'schema' => [
- 'description' => '要扮演的RAM角色的ARN。'."\n"
- ."\n"
- .'该角色是可信实体为SAML身份提供商的RAM角色。更多信息,请参见[创建可信实体为身份提供商的RAM角色](~~116805~~)或[CreateRole](~~28710~~)。'."\n"
- ."\n"
- .'格式:`acs:ram::<account_id>:role/<role_name>`。'."\n"
- ."\n"
- .'您可以通过RAM控制台或API查看角色ARN。具体如下:'."\n"
- ."\n"
- .'- RAM控制台:请参见[如何查看RAM角色的ARN?](~~39744~~)。'."\n"
- .'- API:请参见[ListRoles](~~28713~~)或[GetRole](~~28711~~)。',
- 'type' => 'string',
- 'required' => false,
- 'docRequired' => true,
- 'example' => 'acs:ram::123456789012****:role/adminrole',
- ],
+ 'schema' => ['title' => '需要扮演的角色的ARN', 'description' => '需要扮演的RAM角色ARN。'."\n"
+ ."\n"
+ .'您可以通过RAM控制台或API查看角色ARN。具体如下:'."\n"
+ ."\n"
+ .'- RAM控制台:请参见[如何查看RAM角色的ARN](~~39744~~)。'."\n"
+ .'- API:请参见[ListRoles](~~28713~~)或[GetRole](~~28711~~) 。', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'acs:ram::113511544585****:role/testoidc'],
],
[
- 'name' => 'SAMLAssertion',
+ 'name' => 'OIDCToken',
'in' => 'query',
- 'schema' => [
- 'description' => 'Base64编码后的SAML断言。'."\n"
- ."\n"
- .'长度为4~100000个字符。'."\n"
- ."\n"
- .'> 需要从IdP获取完整的SAML响应,不能是单独的SAML断言字段。',
- 'type' => 'string',
- 'required' => false,
- 'docRequired' => true,
- 'example' => 'base64_encoded_saml_assertion',
- ],
+ 'schema' => ['title' => 'OIDC的ID Token,需输入原始Token,无需Base64解码', 'description' => '由外部IdP签发的OIDC令牌(OIDC Token)。'."\n"
+ ."\n"
+ .'长度:4~20000个字符。'."\n"
+ ."\n"
+ .'> 需要输入原始OIDC Token,无需Base64解码。', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'eyJraWQiOiJKQzl3eHpyaHFKMGd0****'],
],
[
'name' => 'Policy',
'in' => 'query',
- 'schema' => [
- 'description' => '为STS Token额外添加的一个权限策略,进一步限制STS Token的权限。具体如下:'."\n"
- ."\n"
- .'- 如果指定该权限策略,则STS Token最终的权限取RAM角色权限策略与该权限策略的交集。'."\n"
- .'- 如果不指定该权限策略,则STS Token最终的权限就是RAM角色的权限。'."\n"
- ."\n"
- .'长度为1~2048个字符。',
- 'type' => 'string',
- 'required' => false,
- 'example' => 'url_encoded_policy',
- ],
+ 'schema' => ['title' => '权限策略。 生成STS Token时可以指定一个额外的权限策略,以进一步限制STS Token的权限。若不指定则返回的Token拥有指定角色的所有权限。', 'description' => '为STS Token额外添加的一个权限策略,进一步限制STS Token的权限。具体如下:'."\n"
+ ."\n"
+ .'- 如果指定该权限策略,则STS Token最终的权限取RAM角色权限策略与该权限策略的交集。'."\n"
+ .'- 如果不指定该权限策略,则STS Token最终的权限就是RAM角色的权限。'."\n"
+ ."\n"
+ .'长度:1~2048个字符。', 'type' => 'string', 'required' => false, 'example' => '{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}'],
],
[
'name' => 'DurationSeconds',
'in' => 'query',
- 'schema' => [
- 'description' => 'Token有效期。单位:秒。'."\n"
- ."\n"
- .'Token有效期最小值为900秒,最大值为`MaxSessionDuration`设置的时间,默认值为3600秒。'."\n"
- ."\n"
- .'您可以通过CreateRole或UpdateRole接口设置角色最大会话时间`MaxSessionDuration`。更多信息,请参见[CreateRole](~~28710~~)或[UpdateRole](~~28712~~)。',
- 'type' => 'integer',
- 'format' => 'int64',
- 'required' => false,
- 'example' => '3600',
- ],
+ 'schema' => ['title' => 'Session过期时间,单位为秒。', 'description' => 'Token有效期。单位:秒。'."\n"
+ ."\n"
+ .'默认值:3600。最小值:900。最大值:`MaxSessionDuration`设置的时间。'."\n"
+ ."\n"
+ .'关于设置角色最大会话时间`MaxSessionDuration`的具体操作,请参见[CreateRole](~~28710~~)或[UpdateRole](~~28712~~)。', 'type' => 'integer', 'format' => 'int64', 'required' => false, 'example' => '3600'],
+ ],
+ [
+ 'name' => 'RoleSessionName',
+ 'in' => 'query',
+ 'schema' => ['title' => '用户自定义参数。此参数用来区分不同的令牌,可用于用户级别的访问审计。', 'description' => '角色会话名称。'."\n"
+ ."\n"
+ .'该参数为用户自定义参数。通常设置为调用该API的用户身份,例如:用户名。在操作审计日志中,即使是同一个RAM角色执行的操作,也可以根据不同的RoleSessionName来区分实际操作者,以实现用户级别的访问审计。'."\n"
+ ."\n"
+ .'格式:包含英文字母、数字、半角句号(.)、at(@)、短划线(-)和下划线(_)。'."\n"
+ ."\n"
+ .'长度:2~64个字符。', 'type' => 'string', 'required' => true, 'docRequired' => true, 'example' => 'TestOidcAssumedRoleSession'],
],
],
'responses' => [
@@ -416,231 +283,135 @@
'description' => '返回参数。',
'type' => 'object',
'properties' => [
- 'RequestId' => [
- 'description' => '请求ID。',
- 'type' => 'string',
- 'example' => '6894B13B-6D71-4EF5-88FA-F32781734A7F',
- ],
- 'SAMLAssertionInfo' => [
- 'description' => 'SAML断言中的部分信息。',
+ 'RequestId' => ['description' => '请求ID。', 'type' => 'string', 'example' => '3D57EAD2-8723-1F26-B69C-F8707D8B565D'],
+ 'OIDCTokenInfo' => [
+ 'description' => '解析的OIDC Token信息。',
'type' => 'object',
'properties' => [
- 'SubjectType' => [
- 'description' => 'SAML断言中`NameID`的格式。当前缀为`urn:oasis:names:tc:SAML:2.0:nameid-format:`时,前缀会被移除。例如:`persistent/transient`。',
- 'type' => 'string',
- 'example' => 'persistent',
- ],
- 'Subject' => [
- 'description' => 'SAML断言中`Subject - NameID`字段的值。',
- 'type' => 'string',
- 'example' => 'alice@example.com',
- ],
- 'Issuer' => [
- 'description' => 'SAML断言中`Issuer`字段的值。',
- 'type' => 'string',
- 'example' => 'http://example.com/adfs/services/trust',
- ],
- 'Recipient' => [
- 'description' => 'SAML断言中`Subject - SubjectConfirmation - SubjectConfirmationData`字段中`Recipient`属性的值。',
- 'type' => 'string',
- 'example' => 'https://signin.aliyun.com/saml-role/SSO',
- ],
+ 'Subject' => ['description' => 'OIDC主体。'."\n"
+ ."\n"
+ .'对应OIDC Token中的`sub`字段值。'."\n", 'type' => 'string', 'example' => 'KryrkIdjylZb7agUgCEf****'],
+ 'Issuer' => ['description' => 'OIDC颁发者URL。'."\n"
+ ."\n"
+ .'对应OIDC Token中的`iss`字段值。', 'type' => 'string', 'example' => 'https://dev-xxxxxx.okta.com'],
+ 'ClientIds' => ['description' => 'OIDC受众。多个之间用半角逗号(,)分隔。'."\n"
+ ."\n"
+ .'对应OIDC Token中的`aud`字段值。', 'type' => 'string', 'example' => '496271242565057****'],
+ 'ExpirationTime' => ['description' => 'OIDC Token的过期时间。', 'type' => 'string', 'example' => '2021-10-20T04:27:09Z'],
+ 'IssuanceTime' => ['description' => 'OIDC Token的签发时间。', 'type' => 'string', 'example' => '2021-10-20T03:27:09Z'],
+ 'VerificationInfo' => ['description' => 'OIDC Token的检验信息。更多信息,请参见[管理OIDC身份提供商](~~327123~~)。', 'type' => 'string', 'example' => 'Success'],
],
],
'AssumedRoleUser' => [
'description' => '角色扮演临时身份。',
'type' => 'object',
'properties' => [
- 'AssumedRoleId' => [
- 'description' => '临时身份的ID。',
- 'type' => 'string',
- 'example' => '34458433936495****:alice',
- ],
- 'Arn' => [
- 'description' => '临时身份的ARN。',
- 'type' => 'string',
- 'example' => 'acs:sts::123456789012****:assumed-role/AdminRole/alice',
- ],
+ 'AssumedRoleId' => ['description' => '临时身份的ID。', 'type' => 'string', 'example' => '33157794895460****'],
+ 'Arn' => ['description' => '临时身份的ARN。', 'type' => 'string', 'example' => 'acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession'],
],
],
'Credentials' => [
- 'description' => '访问凭证。',
+ 'description' => '临时访问凭证(STS Token)。',
'type' => 'object',
'properties' => [
- 'SecurityToken' => [
- 'description' => '安全令牌。'."\n"
- .'> 安全令牌的长度不固定,我们强烈建议您不要对安全令牌的最大长度做任何限制。',
- 'type' => 'string',
- 'example' => '********',
- ],
- 'Expiration' => [
- 'description' => 'Token到期失效时间(UTC时间)。',
- 'type' => 'string',
- 'example' => '2015-04-09T11:52:19Z',
- ],
- 'AccessKeySecret' => [
- 'description' => '访问密钥。',
- 'type' => 'string',
- 'example' => 'wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****',
- ],
- 'AccessKeyId' => [
- 'description' => '访问密钥ID。',
- 'type' => 'string',
- 'example' => 'STS.L4aBSCSJVMuKg5U1****',
- ],
+ 'SecurityToken' => ['description' => '安全令牌。'."\n"
+ .'> 安全令牌的长度不固定,我们强烈建议您不要对安全令牌的最大长度做任何限制。', 'type' => 'string', 'example' => 'CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****'],
+ 'Expiration' => ['description' => 'Token到期失效时间(UTC时间)。', 'type' => 'string', 'example' => '2021-10-20T04:27:09Z'],
+ 'AccessKeySecret' => ['description' => '访问密钥。', 'type' => 'string', 'example' => 'CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****'],
+ 'AccessKeyId' => ['description' => '访问密钥ID。', 'type' => 'string', 'example' => 'STS.NUgYrLnoC37mZZCNnAbez****'],
],
],
- 'SourceIdentity' => [
- 'description' => '源身份信息。'."\n"
- ."\n"
- .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n"
- ."\n"
- .'如果没有设置源身份信息,则该字段不会返回。',
- 'type' => 'string',
- 'example' => 'Alice',
- ],
+ 'SourceIdentity' => ['description' => '源身份信息。'."\n"
+ ."\n"
+ .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n"
+ ."\n"
+ .'如果没有设置源身份信息,则该字段不会返回。', 'type' => 'string', 'example' => 'Alice'],
],
],
],
],
- 'errorCodes' => [
- 500 => [
- [
- 'errorCode' => 'InternalError',
- 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.',
- ],
- ],
- ],
- 'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"6894B13B-6D71-4EF5-88FA-F32781734A7F\\",\\n \\"SAMLAssertionInfo\\": {\\n \\"SubjectType\\": \\"persistent\\",\\n \\"Subject\\": \\"alice@example.com\\",\\n \\"Issuer\\": \\"http://example.com/adfs/services/trust\\",\\n \\"Recipient\\": \\"https://signin.aliyun.com/saml-role/SSO\\"\\n },\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"34458433936495****:alice\\",\\n \\"Arn\\": \\"acs:sts::123456789012****:assumed-role/AdminRole/alice\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"********\\",\\n \\"Expiration\\": \\"2015-04-09T11:52:19Z\\",\\n \\"AccessKeySecret\\": \\"wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****\\",\\n \\"AccessKeyId\\": \\"STS.L4aBSCSJVMuKg5U1****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<AssumeRoleWithSAMLResponse>\\n <Credentials>\\n <AccessKeyId>STS.L4aBSCSJVMuKg5U1****</AccessKeyId>\\n <AccessKeySecret>wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****</AccessKeySecret>\\n <Expiration>2015-04-09T11:52:19Z</Expiration>\\n <SecurityToken>********</SecurityToken>\\n </Credentials>\\n <AssumedRoleUser>\\n <arn>acs:sts::1234567890123456:assumed-role/AdminRole/alice</arn>\\n <AssumedRoleId>34458433936495****:alice</AssumedRoleId>\\n </AssumedRoleUser>\\n <SAMLAssertionInfo>\\n <SubjectType>persistent</SubjectType>\\n <Subject>alice@example.com</Subject>\\n <Recipient>https://signin.aliyun.com/saml-role/SSO</Recipient>\\n <Issuer>http://example.com/adfs/services/trust</Issuer>\\n </SAMLAssertionInfo>\\n <RequestId>6894B13B-6D71-4EF5-88FA-F32781734A7F</RequestId>\\n</AssumeRoleWithSAMLResponse>","errorExample":""}]',
- 'title' => 'SAML角色SSO时获取扮演角色的临时身份凭证',
+ 'title' => 'OIDC角色SSO时获取扮演角色的临时身份凭证',
+ 'summary' => '进行OIDC角色SSO时,通过调用AssumeRoleWithOIDC接口,获取扮演RAM角色的临时身份凭证(STS Token)。',
'description' => '### 前提条件'."\n"
."\n"
- .'- 确保已从外部身份提供商(IdP)获取到SAML响应。'."\n"
- .'- 确保已在RAM中创建了SAML身份提供商。具体操作,请参见[创建SAML身份提供商](~~116083~~)或[CreateSAMLProvider](~~186846~~) 。'."\n"
- .'- 确保已在RAM中创建了可信实体为SAML身份提供商的RAM角色。具体操作,请参见[创建可信实体为身份提供商的RAM角色](~~116805~~)或[CreateRole](~~28710~~) 。',
- 'requestParamsDescription' => '> 由于AssumeRoleWithSAML接口使用SAML断言进行身份认证,可以匿名访问,因此不需要提供公共请求参数中的`Signature`、`SignatureMethod`、`SignatureVersion`和`AccessKeyId`参数。关于公共请求参数的详情,请参见[公共请求参数](~~315526~~)。',
- ],
- 'AssumeRoleWithOIDC' => [
- 'summary' => '进行OIDC角色SSO时,通过调用AssumeRoleWithOIDC接口,获取扮演RAM角色的临时身份凭证(STS Token)。',
- 'methods' => [
- 'get',
- 'post',
- ],
- 'schemes' => [
- 'https',
+ .'- 确保已从外部身份提供商(IdP)获取到OIDC令牌(OIDC Token)。'."\n"
+ .'- 确保已在RAM中创建了OIDC身份提供商。具体操作,请参见[创建OIDC身份提供商](~~327123~~)或[CreateOIDCProvider](~~327135~~) 。'."\n"
+ .'- 确保已在RAM中创建了可信实体为OIDC身份提供商的RAM角色。具体操作,请参见[创建可信实体为身份提供商的RAM角色](~~116805~~)或[CreateRole](~~28710~~) 。',
+ 'requestParamsDescription' => '> 由于AssumeRoleWithOIDC接口使用OIDC Token进行身份认证,可以匿名访问,因此不需要提供公共请求参数中的`Signature`、`SignatureMethod`、`SignatureVersion`和`AccessKeyId`参数。关于公共请求参数的详情,请参见[公共请求参数](~~315526~~)。',
+ 'changeSet' => [],
+ 'flowControl' => [
+ 'flowControlList' => [
+ ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'AssumeRoleWithOIDC'],
+ ],
],
+ 'ramActions' => [],
+ 'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"3D57EAD2-8723-1F26-B69C-F8707D8B565D\\",\\n \\"OIDCTokenInfo\\": {\\n \\"Subject\\": \\"KryrkIdjylZb7agUgCEf****\\",\\n \\"Issuer\\": \\"https://dev-xxxxxx.okta.com\\",\\n \\"ClientIds\\": \\"496271242565057****\\",\\n \\"ExpirationTime\\": \\"2021-10-20T04:27:09Z\\",\\n \\"IssuanceTime\\": \\"2021-10-20T03:27:09Z\\",\\n \\"VerificationInfo\\": \\"Success\\"\\n },\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"33157794895460****\\",\\n \\"Arn\\": \\"acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****\\",\\n \\"Expiration\\": \\"2021-10-20T04:27:09Z\\",\\n \\"AccessKeySecret\\": \\"CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****\\",\\n \\"AccessKeyId\\": \\"STS.NUgYrLnoC37mZZCNnAbez****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<?xml version=\\"1.0\\" encoding=\\"UTF-8\\" ?>\\n<AssumeRoleWithOIDCResponse>\\n\\t<RequestId>3D57EAD2-8723-1F26-B69C-F8707D8B565D</RequestId>\\n\\t<OIDCTokenInfo>\\n\\t\\t<Subject>KryrkIdjylZb7agUgCEf****</Subject>\\n\\t\\t<Issuer>https://dev-xxxxxx.okta.com</Issuer>\\n\\t\\t<ClientIds>496271242565057****</ClientIds>\\n\\t</OIDCTokenInfo>\\n\\t<AssumedRoleUser>\\n\\t\\t<AssumedRoleId>33157794895460****</AssumedRoleId>\\n\\t\\t<Arn>acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession</Arn>\\n\\t</AssumedRoleUser>\\n\\t<Credentials>\\n\\t\\t<SecurityToken>CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****</SecurityToken>\\n\\t\\t<Expiration>2021-10-20T04:27:09Z</Expiration>\\n\\t\\t<AccessKeySecret>CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****</AccessKeySecret>\\n\\t\\t<AccessKeyId>STS.NUgYrLnoC37mZZCNnAbez****</AccessKeyId>\\n\\t</Credentials>\\n</AssumeRoleWithOIDCResponse>\\t\\n","errorExample":""}]',
+ ],
+ 'AssumeRoleWithSAML' => [
+ 'summary' => '进行SAML角色SSO时,通过调用AssumeRoleWithSAML接口,获取扮演RAM角色的临时身份凭证(STS Token)。',
+ 'methods' => ['post', 'get'],
+ 'schemes' => ['https'],
'security' => [
[
- 'ARS_OIDC' => [],
+ 'Anonymous' => [],
],
],
'operationType' => 'readAndWrite',
- 'deprecated' => false,
- 'systemTags' => [
- 'operationType' => 'get',
- 'riskType' => 'high',
- 'chargeType' => 'free',
- ],
+ 'systemTags' => ['operationType' => 'get', 'riskType' => 'high', 'chargeType' => 'free'],
'parameters' => [
[
- 'name' => 'OIDCProviderArn',
+ 'name' => 'SAMLProviderArn',
'in' => 'query',
- 'schema' => [
- 'title' => 'OIDC Provider的ARN',
- 'description' => 'OIDC身份提供商的ARN。'."\n"
- ."\n"
- .'您可以通过RAM控制台或API查看OIDC身份提供商的ARN。具体如下:'."\n"
- ."\n"
- .'- RAM控制台:请参见[查看OIDC身份提供商信息](~~327123~~)。'."\n"
- .'- API:请参见[GetOIDCProvider](~~327126~~)或[ListOIDCProviders](~~327127~~) 。',
- 'type' => 'string',
- 'required' => false,
- 'docRequired' => true,
- 'example' => 'acs:ram::113511544585****:oidc-provider/TestOidcIdp',
- ],
+ 'schema' => ['description' => 'RAM中创建的SAML身份提供商的ARN。'."\n"
+ ."\n"
+ .'格式:`acs:ram::<account_id>:saml-provider/<saml_provider_id>`。'."\n"
+ ."\n"
+ .'您可以通过RAM控制台或API查看身份提供商的ARN。具体如下:'."\n"
+ ."\n"
+ .'- RAM控制台:请参见[查看SAML身份提供商基本信息](~~116795~~)。'."\n"
+ .'- API:请参见[GetSAMLProvider](~~186833~~)或[ListSAMLProviders](~~186851~~)。', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'acs:ram::123456789012****:saml-provider/company1'],
],
[
'name' => 'RoleArn',
'in' => 'query',
- 'schema' => [
- 'title' => '需要扮演的角色的ARN',
- 'description' => '需要扮演的RAM角色ARN。'."\n"
- ."\n"
- .'您可以通过RAM控制台或API查看角色ARN。具体如下:'."\n"
- ."\n"
- .'- RAM控制台:请参见[如何查看RAM角色的ARN](~~39744~~)。'."\n"
- .'- API:请参见[ListRoles](~~28713~~)或[GetRole](~~28711~~) 。',
- 'type' => 'string',
- 'required' => false,
- 'docRequired' => true,
- 'example' => 'acs:ram::113511544585****:role/testoidc',
- ],
+ 'schema' => ['description' => '要扮演的RAM角色的ARN。'."\n"
+ ."\n"
+ .'该角色是可信实体为SAML身份提供商的RAM角色。更多信息,请参见[创建可信实体为身份提供商的RAM角色](~~116805~~)或[CreateRole](~~28710~~)。'."\n"
+ ."\n"
+ .'格式:`acs:ram::<account_id>:role/<role_name>`。'."\n"
+ ."\n"
+ .'您可以通过RAM控制台或API查看角色ARN。具体如下:'."\n"
+ ."\n"
+ .'- RAM控制台:请参见[如何查看RAM角色的ARN?](~~39744~~)。'."\n"
+ .'- API:请参见[ListRoles](~~28713~~)或[GetRole](~~28711~~)。', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'acs:ram::123456789012****:role/adminrole'],
],
[
- 'name' => 'OIDCToken',
+ 'name' => 'SAMLAssertion',
'in' => 'query',
- 'schema' => [
- 'title' => 'OIDC的ID Token,需输入原始Token,无需Base64解码',
- 'description' => '由外部IdP签发的OIDC令牌(OIDC Token)。'."\n"
- ."\n"
- .'长度:4~20000个字符。'."\n"
- ."\n"
- .'> 需要输入原始OIDC Token,无需Base64解码。',
- 'type' => 'string',
- 'required' => false,
- 'docRequired' => true,
- 'example' => 'eyJraWQiOiJKQzl3eHpyaHFKMGd0****',
- ],
+ 'schema' => ['description' => 'Base64编码后的SAML断言。'."\n"
+ ."\n"
+ .'长度为4~100000个字符。'."\n"
+ ."\n"
+ .'> 需要从IdP获取完整的SAML响应,不能是单独的SAML断言字段。', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'base64_encoded_saml_assertion'],
],
[
'name' => 'Policy',
'in' => 'query',
- 'schema' => [
- 'title' => '权限策略。 生成STS Token时可以指定一个额外的权限策略,以进一步限制STS Token的权限。若不指定则返回的Token拥有指定角色的所有权限。',
- 'description' => '为STS Token额外添加的一个权限策略,进一步限制STS Token的权限。具体如下:'."\n"
- ."\n"
- .'- 如果指定该权限策略,则STS Token最终的权限取RAM角色权限策略与该权限策略的交集。'."\n"
- .'- 如果不指定该权限策略,则STS Token最终的权限就是RAM角色的权限。'."\n"
- ."\n"
- .'长度:1~2048个字符。',
- 'type' => 'string',
- 'required' => false,
- 'example' => '{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}',
- ],
+ 'schema' => ['description' => '为STS Token额外添加的一个权限策略,进一步限制STS Token的权限。具体如下:'."\n"
+ ."\n"
+ .'- 如果指定该权限策略,则STS Token最终的权限取RAM角色权限策略与该权限策略的交集。'."\n"
+ .'- 如果不指定该权限策略,则STS Token最终的权限就是RAM角色的权限。'."\n"
+ ."\n"
+ .'长度为1~2048个字符。', 'type' => 'string', 'required' => false, 'example' => 'url_encoded_policy'],
],
[
'name' => 'DurationSeconds',
'in' => 'query',
- 'schema' => [
- 'title' => 'Session过期时间,单位为秒。',
- 'description' => 'Token有效期。单位:秒。'."\n"
- ."\n"
- .'默认值:3600。最小值:900。最大值:`MaxSessionDuration`设置的时间。'."\n"
- ."\n"
- .'关于设置角色最大会话时间`MaxSessionDuration`的具体操作,请参见[CreateRole](~~28710~~)或[UpdateRole](~~28712~~)。',
- 'type' => 'integer',
- 'format' => 'int64',
- 'required' => false,
- 'example' => '3600',
- ],
- ],
- [
- 'name' => 'RoleSessionName',
- 'in' => 'query',
- 'schema' => [
- 'title' => '用户自定义参数。此参数用来区分不同的令牌,可用于用户级别的访问审计。',
- 'description' => '角色会话名称。'."\n"
- ."\n"
- .'该参数为用户自定义参数。通常设置为调用该API的用户身份,例如:用户名。在操作审计日志中,即使是同一个RAM角色执行的操作,也可以根据不同的RoleSessionName来区分实际操作者,以实现用户级别的访问审计。'."\n"
- ."\n"
- .'格式:包含英文字母、数字、半角句号(.)、at(@)、短划线(-)和下划线(_)。'."\n"
- ."\n"
- .'长度:2~64个字符。',
- 'type' => 'string',
- 'required' => true,
- 'docRequired' => true,
- 'example' => 'TestOidcAssumedRoleSession',
- ],
+ 'schema' => ['description' => 'Token有效期。单位:秒。'."\n"
+ ."\n"
+ .'Token有效期最小值为900秒,最大值为`MaxSessionDuration`设置的时间,默认值为3600秒。'."\n"
+ ."\n"
+ .'您可以通过CreateRole或UpdateRole接口设置角色最大会话时间`MaxSessionDuration`。更多信息,请参见[CreateRole](~~28710~~)或[UpdateRole](~~28712~~)。', 'type' => 'integer', 'format' => 'int64', 'required' => false, 'example' => '3600'],
],
],
'responses' => [
@@ -649,138 +420,75 @@
'description' => '返回参数。',
'type' => 'object',
'properties' => [
- 'RequestId' => [
- 'description' => '请求ID。',
- 'type' => 'string',
- 'example' => '3D57EAD2-8723-1F26-B69C-F8707D8B565D',
- ],
- 'OIDCTokenInfo' => [
- 'description' => '解析的OIDC Token信息。',
+ 'RequestId' => ['description' => '请求ID。', 'type' => 'string', 'example' => '6894B13B-6D71-4EF5-88FA-F32781734A7F'],
+ 'SAMLAssertionInfo' => [
+ 'description' => 'SAML断言中的部分信息。',
'type' => 'object',
'properties' => [
- 'Subject' => [
- 'description' => 'OIDC主体。'."\n"
- ."\n"
- .'对应OIDC Token中的`sub`字段值。'."\n",
- 'type' => 'string',
- 'example' => 'KryrkIdjylZb7agUgCEf****',
- ],
- 'Issuer' => [
- 'description' => 'OIDC颁发者URL。'."\n"
- ."\n"
- .'对应OIDC Token中的`iss`字段值。',
- 'type' => 'string',
- 'example' => 'https://dev-xxxxxx.okta.com',
- ],
- 'ClientIds' => [
- 'description' => 'OIDC受众。多个之间用半角逗号(,)分隔。'."\n"
- ."\n"
- .'对应OIDC Token中的`aud`字段值。',
- 'type' => 'string',
- 'example' => '496271242565057****',
- ],
- 'ExpirationTime' => [
- 'description' => 'OIDC Token的过期时间。',
- 'type' => 'string',
- 'example' => '2021-10-20T04:27:09Z',
- ],
- 'IssuanceTime' => [
- 'description' => 'OIDC Token的签发时间。',
- 'type' => 'string',
- 'example' => '2021-10-20T03:27:09Z',
- ],
- 'VerificationInfo' => [
- 'description' => 'OIDC Token的检验信息。更多信息,请参见[管理OIDC身份提供商](~~327123~~)。',
- 'type' => 'string',
- 'example' => 'Success',
- ],
+ 'SubjectType' => ['description' => 'SAML断言中`NameID`的格式。当前缀为`urn:oasis:names:tc:SAML:2.0:nameid-format:`时,前缀会被移除。例如:`persistent/transient`。', 'type' => 'string', 'example' => 'persistent'],
+ 'Subject' => ['description' => 'SAML断言中`Subject - NameID`字段的值。', 'type' => 'string', 'example' => 'alice@example.com'],
+ 'Issuer' => ['description' => 'SAML断言中`Issuer`字段的值。', 'type' => 'string', 'example' => 'http://example.com/adfs/services/trust'],
+ 'Recipient' => ['description' => 'SAML断言中`Subject - SubjectConfirmation - SubjectConfirmationData`字段中`Recipient`属性的值。', 'type' => 'string', 'example' => 'https://signin.aliyun.com/saml-role/SSO'],
],
],
'AssumedRoleUser' => [
'description' => '角色扮演临时身份。',
'type' => 'object',
'properties' => [
- 'AssumedRoleId' => [
- 'description' => '临时身份的ID。',
- 'type' => 'string',
- 'example' => '33157794895460****',
- ],
- 'Arn' => [
- 'description' => '临时身份的ARN。',
- 'type' => 'string',
- 'example' => 'acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession',
- ],
+ 'AssumedRoleId' => ['description' => '临时身份的ID。', 'type' => 'string', 'example' => '34458433936495****:alice'],
+ 'Arn' => ['description' => '临时身份的ARN。', 'type' => 'string', 'example' => 'acs:sts::123456789012****:assumed-role/AdminRole/alice'],
],
],
'Credentials' => [
- 'description' => '临时访问凭证(STS Token)。',
+ 'description' => '访问凭证。',
'type' => 'object',
'properties' => [
- 'SecurityToken' => [
- 'description' => '安全令牌。'."\n"
- .'> 安全令牌的长度不固定,我们强烈建议您不要对安全令牌的最大长度做任何限制。',
- 'type' => 'string',
- 'example' => 'CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****',
- ],
- 'Expiration' => [
- 'description' => 'Token到期失效时间(UTC时间)。',
- 'type' => 'string',
- 'example' => '2021-10-20T04:27:09Z',
- ],
- 'AccessKeySecret' => [
- 'description' => '访问密钥。',
- 'type' => 'string',
- 'example' => 'CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****',
- ],
- 'AccessKeyId' => [
- 'description' => '访问密钥ID。',
- 'type' => 'string',
- 'example' => 'STS.NUgYrLnoC37mZZCNnAbez****',
- ],
+ 'SecurityToken' => ['description' => '安全令牌。'."\n"
+ .'> 安全令牌的长度不固定,我们强烈建议您不要对安全令牌的最大长度做任何限制。', 'type' => 'string', 'example' => '********'],
+ 'Expiration' => ['description' => 'Token到期失效时间(UTC时间)。', 'type' => 'string', 'example' => '2015-04-09T11:52:19Z'],
+ 'AccessKeySecret' => ['description' => '访问密钥。', 'type' => 'string', 'example' => 'wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****'],
+ 'AccessKeyId' => ['description' => '访问密钥ID。', 'type' => 'string', 'example' => 'STS.L4aBSCSJVMuKg5U1****'],
],
],
- 'SourceIdentity' => [
- 'description' => '源身份信息。'."\n"
- ."\n"
- .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n"
- ."\n"
- .'如果没有设置源身份信息,则该字段不会返回。',
- 'type' => 'string',
- 'example' => 'Alice',
- ],
+ 'SourceIdentity' => ['description' => '源身份信息。'."\n"
+ ."\n"
+ .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n"
+ ."\n"
+ .'如果没有设置源身份信息,则该字段不会返回。', 'type' => 'string', 'example' => 'Alice'],
],
],
],
],
- 'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"3D57EAD2-8723-1F26-B69C-F8707D8B565D\\",\\n \\"OIDCTokenInfo\\": {\\n \\"Subject\\": \\"KryrkIdjylZb7agUgCEf****\\",\\n \\"Issuer\\": \\"https://dev-xxxxxx.okta.com\\",\\n \\"ClientIds\\": \\"496271242565057****\\",\\n \\"ExpirationTime\\": \\"2021-10-20T04:27:09Z\\",\\n \\"IssuanceTime\\": \\"2021-10-20T03:27:09Z\\",\\n \\"VerificationInfo\\": \\"Success\\"\\n },\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"33157794895460****\\",\\n \\"Arn\\": \\"acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****\\",\\n \\"Expiration\\": \\"2021-10-20T04:27:09Z\\",\\n \\"AccessKeySecret\\": \\"CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****\\",\\n \\"AccessKeyId\\": \\"STS.NUgYrLnoC37mZZCNnAbez****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<?xml version=\\"1.0\\" encoding=\\"UTF-8\\" ?>\\n<AssumeRoleWithOIDCResponse>\\n\\t<RequestId>3D57EAD2-8723-1F26-B69C-F8707D8B565D</RequestId>\\n\\t<OIDCTokenInfo>\\n\\t\\t<Subject>KryrkIdjylZb7agUgCEf****</Subject>\\n\\t\\t<Issuer>https://dev-xxxxxx.okta.com</Issuer>\\n\\t\\t<ClientIds>496271242565057****</ClientIds>\\n\\t</OIDCTokenInfo>\\n\\t<AssumedRoleUser>\\n\\t\\t<AssumedRoleId>33157794895460****</AssumedRoleId>\\n\\t\\t<Arn>acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession</Arn>\\n\\t</AssumedRoleUser>\\n\\t<Credentials>\\n\\t\\t<SecurityToken>CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****</SecurityToken>\\n\\t\\t<Expiration>2021-10-20T04:27:09Z</Expiration>\\n\\t\\t<AccessKeySecret>CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****</AccessKeySecret>\\n\\t\\t<AccessKeyId>STS.NUgYrLnoC37mZZCNnAbez****</AccessKeyId>\\n\\t</Credentials>\\n</AssumeRoleWithOIDCResponse>\\t\\n","errorExample":""}]',
- 'title' => 'OIDC角色SSO时获取扮演角色的临时身份凭证',
+ 'errorCodes' => [
+ 500 => [
+ ['errorCode' => 'InternalError', 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.', 'description' => ''],
+ ],
+ ],
+ 'title' => 'SAML角色SSO时获取扮演角色的临时身份凭证',
'description' => '### 前提条件'."\n"
."\n"
- .'- 确保已从外部身份提供商(IdP)获取到OIDC令牌(OIDC Token)。'."\n"
- .'- 确保已在RAM中创建了OIDC身份提供商。具体操作,请参见[创建OIDC身份提供商](~~327123~~)或[CreateOIDCProvider](~~327135~~) 。'."\n"
- .'- 确保已在RAM中创建了可信实体为OIDC身份提供商的RAM角色。具体操作,请参见[创建可信实体为身份提供商的RAM角色](~~116805~~)或[CreateRole](~~28710~~) 。',
- 'requestParamsDescription' => '> 由于AssumeRoleWithOIDC接口使用OIDC Token进行身份认证,可以匿名访问,因此不需要提供公共请求参数中的`Signature`、`SignatureMethod`、`SignatureVersion`和`AccessKeyId`参数。关于公共请求参数的详情,请参见[公共请求参数](~~315526~~)。',
+ .'- 确保已从外部身份提供商(IdP)获取到SAML响应。'."\n"
+ .'- 确保已在RAM中创建了SAML身份提供商。具体操作,请参见[创建SAML身份提供商](~~116083~~)或[CreateSAMLProvider](~~186846~~) 。'."\n"
+ .'- 确保已在RAM中创建了可信实体为SAML身份提供商的RAM角色。具体操作,请参见[创建可信实体为身份提供商的RAM角色](~~116805~~)或[CreateRole](~~28710~~) 。',
+ 'requestParamsDescription' => '> 由于AssumeRoleWithSAML接口使用SAML断言进行身份认证,可以匿名访问,因此不需要提供公共请求参数中的`Signature`、`SignatureMethod`、`SignatureVersion`和`AccessKeyId`参数。关于公共请求参数的详情,请参见[公共请求参数](~~315526~~)。',
+ 'changeSet' => [],
+ 'flowControl' => [
+ 'flowControlList' => [],
+ ],
+ 'ramActions' => [],
+ 'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"6894B13B-6D71-4EF5-88FA-F32781734A7F\\",\\n \\"SAMLAssertionInfo\\": {\\n \\"SubjectType\\": \\"persistent\\",\\n \\"Subject\\": \\"alice@example.com\\",\\n \\"Issuer\\": \\"http://example.com/adfs/services/trust\\",\\n \\"Recipient\\": \\"https://signin.aliyun.com/saml-role/SSO\\"\\n },\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"34458433936495****:alice\\",\\n \\"Arn\\": \\"acs:sts::123456789012****:assumed-role/AdminRole/alice\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"********\\",\\n \\"Expiration\\": \\"2015-04-09T11:52:19Z\\",\\n \\"AccessKeySecret\\": \\"wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****\\",\\n \\"AccessKeyId\\": \\"STS.L4aBSCSJVMuKg5U1****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<AssumeRoleWithSAMLResponse>\\n <Credentials>\\n <AccessKeyId>STS.L4aBSCSJVMuKg5U1****</AccessKeyId>\\n <AccessKeySecret>wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****</AccessKeySecret>\\n <Expiration>2015-04-09T11:52:19Z</Expiration>\\n <SecurityToken>********</SecurityToken>\\n </Credentials>\\n <AssumedRoleUser>\\n <arn>acs:sts::1234567890123456:assumed-role/AdminRole/alice</arn>\\n <AssumedRoleId>34458433936495****:alice</AssumedRoleId>\\n </AssumedRoleUser>\\n <SAMLAssertionInfo>\\n <SubjectType>persistent</SubjectType>\\n <Subject>alice@example.com</Subject>\\n <Recipient>https://signin.aliyun.com/saml-role/SSO</Recipient>\\n <Issuer>http://example.com/adfs/services/trust</Issuer>\\n </SAMLAssertionInfo>\\n <RequestId>6894B13B-6D71-4EF5-88FA-F32781734A7F</RequestId>\\n</AssumeRoleWithSAMLResponse>","errorExample":""}]',
],
'GetCallerIdentity' => [
'summary' => '调用GetCallerIdentity获取当前调用者的身份信息。',
- 'methods' => [
- 'post',
- 'get',
- ],
- 'schemes' => [
- 'https',
- ],
+ 'methods' => ['post', 'get'],
+ 'schemes' => ['https'],
'security' => [
[
'AK' => [],
],
],
'operationType' => 'read',
- 'systemTags' => [
- 'operationType' => 'get',
- 'riskType' => 'none',
- 'chargeType' => 'free',
- ],
+ 'systemTags' => ['operationType' => 'get', 'riskType' => 'none', 'chargeType' => 'free'],
'parameters' => [],
'responses' => [
200 => [
@@ -788,196 +496,185 @@
'description' => '返回参数。',
'type' => 'object',
'properties' => [
- 'IdentityType' => [
- 'description' => '身份类型。取值:'."\n"
- ."\n"
- .'- Account:阿里云账号(主账号)。'."\n"
- .'- RAMUser:RAM用户。'."\n"
- .'- AssumedRoleUser:RAM角色。',
- 'type' => 'string',
- 'example' => 'RAMUser',
- ],
- 'AccountId' => [
- 'description' => '当前调用者所属阿里云账号ID。',
- 'type' => 'string',
- 'example' => '196813200012****',
- ],
- 'RequestId' => [
- 'description' => '请求ID。',
- 'type' => 'string',
- 'example' => '3C87BF47-3724-5443-ADC1-5AEAD9A03EB1',
- ],
- 'PrincipalId' => [
- 'description' => '身份标识。',
- 'type' => 'string',
- 'example' => '28877424437521****',
- ],
- 'UserId' => [
- 'description' => '用户ID。具体如下:'."\n"
- ."\n"
- .'- 如果当前调用者是阿里云账号,则返回阿里云账号ID。'."\n"
- .'- 如果当前调用者是RAM用户,则返回RAM用户ID。'."\n"
- ."\n"
- .'> 仅限当前调用者是阿里云账号或RAM用户时返回该参数。',
- 'type' => 'string',
- 'example' => '216959339000****',
- ],
- 'Arn' => [
- 'description' => '当前调用者的ARN。',
- 'type' => 'string',
- 'example' => 'acs:ram::196813200012****:user/admin',
- ],
- 'RoleId' => [
- 'description' => 'RAM角色ID。'."\n"
- ."\n"
- .'> 仅限当前调用者是RAM角色时返回该参数。',
- 'type' => 'string',
- 'example' => '33537620082992****',
- ],
+ 'IdentityType' => ['description' => '身份类型。取值:'."\n"
+ ."\n"
+ .'- Account:阿里云账号(主账号)。'."\n"
+ .'- RAMUser:RAM用户。'."\n"
+ .'- AssumedRoleUser:RAM角色。', 'type' => 'string', 'example' => 'RAMUser'],
+ 'AccountId' => ['description' => '当前调用者所属阿里云账号ID。', 'type' => 'string', 'example' => '196813200012****'],
+ 'RequestId' => ['description' => '请求ID。', 'type' => 'string', 'example' => '3C87BF47-3724-5443-ADC1-5AEAD9A03EB1'],
+ 'PrincipalId' => ['description' => '身份标识。', 'type' => 'string', 'example' => '28877424437521****'],
+ 'UserId' => ['description' => '用户ID。具体如下:'."\n"
+ ."\n"
+ .'- 如果当前调用者是阿里云账号,则返回阿里云账号ID。'."\n"
+ .'- 如果当前调用者是RAM用户,则返回RAM用户ID。'."\n"
+ ."\n"
+ .'> 仅限当前调用者是阿里云账号或RAM用户时返回该参数。', 'type' => 'string', 'example' => '216959339000****'],
+ 'Arn' => ['description' => '当前调用者的ARN。', 'type' => 'string', 'example' => 'acs:ram::196813200012****:user/admin'],
+ 'RoleId' => ['description' => 'RAM角色ID。'."\n"
+ ."\n"
+ .'> 仅限当前调用者是RAM角色时返回该参数。', 'type' => 'string', 'example' => '33537620082992****'],
],
],
],
],
'errorCodes' => [
500 => [
- [
- 'errorCode' => 'InternalError',
- 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.',
- ],
+ ['errorCode' => 'InternalError', 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.', 'description' => ''],
],
],
- 'responseDemo' => '[{"type":"json","example":"{\\n \\"IdentityType\\": \\"RAMUser\\",\\n \\"AccountId\\": \\"196813200012****\\",\\n \\"RequestId\\": \\"3C87BF47-3724-5443-ADC1-5AEAD9A03EB1\\",\\n \\"PrincipalId\\": \\"28877424437521****\\",\\n \\"UserId\\": \\"216959339000****\\",\\n \\"Arn\\": \\"acs:ram::196813200012****:user/admin\\",\\n \\"RoleId\\": \\"33537620082992****\\"\\n}","errorExample":""},{"type":"xml","example":"","errorExample":""}]',
'title' => '获取当前调用者的身份信息',
+ 'changeSet' => [],
+ 'flowControl' => [
+ 'flowControlList' => [
+ ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'GetCallerIdentity'],
+ ],
+ ],
+ 'ramActions' => [],
+ 'responseDemo' => '[{"type":"json","example":"{\\n \\"IdentityType\\": \\"RAMUser\\",\\n \\"AccountId\\": \\"196813200012****\\",\\n \\"RequestId\\": \\"3C87BF47-3724-5443-ADC1-5AEAD9A03EB1\\",\\n \\"PrincipalId\\": \\"28877424437521****\\",\\n \\"UserId\\": \\"216959339000****\\",\\n \\"Arn\\": \\"acs:ram::196813200012****:user/admin\\",\\n \\"RoleId\\": \\"33537620082992****\\"\\n}","errorExample":""},{"type":"xml","example":"","errorExample":""}]',
],
],
'endpoints' => [
- [
- 'regionId' => 'cn-qingdao',
- 'endpoint' => 'sts.cn-qingdao.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-beijing',
- 'endpoint' => 'sts.cn-beijing.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-zhangjiakou',
- 'endpoint' => 'sts.cn-zhangjiakou.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-huhehaote',
- 'endpoint' => 'sts.cn-huhehaote.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-wulanchabu',
- 'endpoint' => 'sts.cn-wulanchabu.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-hangzhou',
- 'endpoint' => 'sts.cn-hangzhou.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-shanghai',
- 'endpoint' => 'sts.cn-shanghai.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-nanjing',
- 'endpoint' => 'sts.cn-nanjing.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-fuzhou',
- 'endpoint' => 'sts.cn-fuzhou.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-shenzhen',
- 'endpoint' => 'sts.cn-shenzhen.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-chengdu',
- 'endpoint' => 'sts.cn-chengdu.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-hongkong',
- 'endpoint' => 'sts.cn-hongkong.aliyuncs.com',
- ],
- [
- 'regionId' => 'ap-northeast-1',
- 'endpoint' => 'sts.ap-northeast-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'ap-northeast-2',
- 'endpoint' => 'sts.ap-northeast-2.aliyuncs.com',
- ],
- [
- 'regionId' => 'ap-southeast-1',
- 'endpoint' => 'sts.ap-southeast-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'ap-southeast-3',
- 'endpoint' => 'sts.ap-southeast-3.aliyuncs.com',
- ],
- [
- 'regionId' => 'ap-southeast-5',
- 'endpoint' => 'sts.ap-southeast-5.aliyuncs.com',
- ],
- [
- 'regionId' => 'us-east-1',
- 'endpoint' => 'sts.us-east-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'us-west-1',
- 'endpoint' => 'sts.us-west-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'eu-west-1',
- 'endpoint' => 'sts.eu-west-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'eu-central-1',
- 'endpoint' => 'sts.eu-central-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'me-east-1',
- 'endpoint' => 'sts.me-east-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-hangzhou-finance',
- 'endpoint' => 'sts.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-shanghai-finance-1',
- 'endpoint' => 'sts.cn-shanghai-finance-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-shenzhen-finance-1',
- 'endpoint' => 'sts.aliyuncs.com',
- ],
- [
- 'regionId' => 'ap-southeast-7',
- 'endpoint' => 'sts.ap-southeast-7.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-beijing-finance-1',
- 'endpoint' => 'sts.cn-beijing-finance-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'me-central-1',
- 'endpoint' => 'sts.me-central-1.aliyuncs.com',
- ],
- [
- 'regionId' => 'cn-heyuan',
- 'endpoint' => 'sts.cn-heyuan.aliyuncs.com',
+ ['regionId' => 'cn-beijing', 'regionName' => '华北2(北京)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-beijing.aliyuncs.com', 'endpoint' => 'sts.cn-beijing.aliyuncs.com', 'vpc' => 'sts-vpc.cn-beijing.aliyuncs.com'],
+ ['regionId' => 'cn-heyuan', 'regionName' => '华南2(河源)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-heyuan.aliyuncs.com', 'endpoint' => 'sts.cn-heyuan.aliyuncs.com', 'vpc' => 'sts-vpc.cn-heyuan.aliyuncs.com'],
+ ['regionId' => 'cn-zhangjiakou', 'regionName' => '华北3(张家口)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-zhangjiakou.aliyuncs.com', 'endpoint' => 'sts.cn-zhangjiakou.aliyuncs.com', 'vpc' => 'sts-vpc.cn-zhangjiakou.aliyuncs.com'],
+ ['regionId' => 'ap-northeast-2', 'regionName' => '韩国(首尔)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.ap-northeast-2.aliyuncs.com', 'endpoint' => 'sts.ap-northeast-2.aliyuncs.com', 'vpc' => 'sts-vpc.ap-northeast-2.aliyuncs.com'],
+ ['regionId' => 'ap-northeast-1', 'regionName' => '日本(东京)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.ap-northeast-1.aliyuncs.com', 'endpoint' => 'sts.ap-northeast-1.aliyuncs.com', 'vpc' => 'sts-vpc.ap-northeast-1.aliyuncs.com'],
+ ['regionId' => 'ap-southeast-1', 'regionName' => '新加坡', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.ap-southeast-1.aliyuncs.com', 'endpoint' => 'sts.ap-southeast-1.aliyuncs.com', 'vpc' => 'sts-vpc.ap-southeast-1.aliyuncs.com'],
+ ['regionId' => 'ap-southeast-3', 'regionName' => '马来西亚(吉隆坡)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.ap-southeast-3.aliyuncs.com', 'endpoint' => 'sts.ap-southeast-3.aliyuncs.com', 'vpc' => 'sts-vpc.ap-southeast-3.aliyuncs.com'],
+ ['regionId' => 'ap-southeast-5', 'regionName' => '印度尼西亚(雅加达)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.ap-southeast-5.aliyuncs.com', 'endpoint' => 'sts.ap-southeast-5.aliyuncs.com', 'vpc' => 'sts-vpc.ap-southeast-5.aliyuncs.com'],
+ ['regionId' => 'ap-southeast-7', 'regionName' => '泰国(曼谷)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.ap-southeast-7.aliyuncs.com', 'endpoint' => 'sts.ap-southeast-7.aliyuncs.com', 'vpc' => 'sts-vpc.ap-southeast-7.aliyuncs.com'],
+ ['regionId' => 'cn-wulanchabu', 'regionName' => '华北6(乌兰察布)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-wulanchabu.aliyuncs.com', 'endpoint' => 'sts.cn-wulanchabu.aliyuncs.com', 'vpc' => 'sts-vpc.cn-wulanchabu.aliyuncs.com'],
+ ['regionId' => 'cn-qingdao', 'regionName' => '华北1(青岛)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-qingdao.aliyuncs.com', 'endpoint' => 'sts.cn-qingdao.aliyuncs.com', 'vpc' => 'sts-vpc.cn-qingdao.aliyuncs.com'],
+ ['regionId' => 'cn-wuhan-lr', 'regionName' => '华中1(武汉-本地地域)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-wuhan-lr.aliyuncs.com', 'endpoint' => 'sts.cn-wuhan-lr.aliyuncs.com', 'vpc' => 'sts-vpc.cn-wuhan-lr.aliyuncs.com'],
+ ['regionId' => 'cn-shanghai', 'regionName' => '华东2(上海)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-shanghai.aliyuncs.com', 'endpoint' => 'sts.cn-shanghai.aliyuncs.com', 'vpc' => 'sts-vpc.cn-shanghai.aliyuncs.com'],
+ ['regionId' => 'cn-hongkong', 'regionName' => '中国香港', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-hongkong.aliyuncs.com', 'endpoint' => 'sts.cn-hongkong.aliyuncs.com', 'vpc' => 'sts-vpc.cn-hongkong.aliyuncs.com'],
+ ['regionId' => 'cn-shenzhen', 'regionName' => '华南1(深圳)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-shenzhen.aliyuncs.com', 'endpoint' => 'sts.cn-shenzhen.aliyuncs.com', 'vpc' => 'sts-vpc.cn-shenzhen.aliyuncs.com'],
+ ['regionId' => 'cn-nanjing', 'regionName' => '华东5(南京-本地地域)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-nanjing.aliyuncs.com', 'endpoint' => 'sts.cn-nanjing.aliyuncs.com', 'vpc' => 'sts-vpc.cn-nanjing.aliyuncs.com'],
+ ['regionId' => 'cn-fuzhou', 'regionName' => '华东6(福州-本地地域)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-fuzhou.aliyuncs.com', 'endpoint' => 'sts.cn-fuzhou.aliyuncs.com', 'vpc' => 'sts-vpc.cn-fuzhou.aliyuncs.com'],
+ ['regionId' => 'cn-chengdu', 'regionName' => '西南1(成都)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-chengdu.aliyuncs.com', 'endpoint' => 'sts.cn-chengdu.aliyuncs.com', 'vpc' => 'sts-vpc.cn-chengdu.aliyuncs.com'],
+ ['regionId' => 'cn-guangzhou', 'regionName' => '华南3(广州)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-guangzhou.aliyuncs.com', 'endpoint' => 'sts.cn-guangzhou.aliyuncs.com', 'vpc' => 'sts-vpc.cn-guangzhou.aliyuncs.com'],
+ ['regionId' => 'cn-huhehaote', 'regionName' => '华北5(呼和浩特)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-huhehaote.aliyuncs.com', 'endpoint' => 'sts.cn-huhehaote.aliyuncs.com', 'vpc' => 'sts-vpc.cn-huhehaote.aliyuncs.com'],
+ ['regionId' => 'cn-hangzhou', 'regionName' => '华东1(杭州)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-hangzhou.aliyuncs.com', 'endpoint' => 'sts.cn-hangzhou.aliyuncs.com', 'vpc' => 'sts-vpc.cn-hangzhou.aliyuncs.com'],
+ ['regionId' => 'eu-west-1', 'regionName' => '英国(伦敦)', 'areaId' => 'europeAmerica', 'areaName' => '欧洲与美洲', 'public' => 'sts.eu-west-1.aliyuncs.com', 'endpoint' => 'sts.eu-west-1.aliyuncs.com', 'vpc' => 'sts-vpc.eu-west-1.aliyuncs.com'],
+ ['regionId' => 'eu-central-1', 'regionName' => '德国(法兰克福)', 'areaId' => 'europeAmerica', 'areaName' => '欧洲与美洲', 'public' => 'sts.eu-central-1.aliyuncs.com', 'endpoint' => 'sts.eu-central-1.aliyuncs.com', 'vpc' => 'sts-vpc.eu-central-1.aliyuncs.com'],
+ ['regionId' => 'us-east-1', 'regionName' => '美国(弗吉尼亚)', 'areaId' => 'europeAmerica', 'areaName' => '欧洲与美洲', 'public' => 'sts.us-east-1.aliyuncs.com', 'endpoint' => 'sts.us-east-1.aliyuncs.com', 'vpc' => 'sts-vpc.us-east-1.aliyuncs.com'],
+ ['regionId' => 'us-west-1', 'regionName' => '美国(硅谷)', 'areaId' => 'europeAmerica', 'areaName' => '欧洲与美洲', 'public' => 'sts.us-west-1.aliyuncs.com', 'endpoint' => 'sts.us-west-1.aliyuncs.com', 'vpc' => 'sts-vpc.us-west-1.aliyuncs.com'],
+ ['regionId' => 'na-south-1', 'regionName' => '墨西哥', 'areaId' => 'europeAmerica', 'areaName' => '欧洲与美洲', 'public' => 'sts.na-south-1.aliyuncs.com', 'endpoint' => 'sts.na-south-1.aliyuncs.com', 'vpc' => 'sts-vpc.na-south-1.aliyuncs.com'],
+ ['regionId' => 'me-east-1', 'regionName' => '阿联酋(迪拜)', 'areaId' => 'middleEast', 'areaName' => '中东', 'public' => 'sts.me-east-1.aliyuncs.com', 'endpoint' => 'sts.me-east-1.aliyuncs.com', 'vpc' => 'sts-vpc.me-east-1.aliyuncs.com'],
+ ['regionId' => 'me-central-1', 'regionName' => '沙特(利雅得)', 'areaId' => 'middleEast', 'areaName' => '中东', 'public' => 'sts.me-central-1.aliyuncs.com', 'endpoint' => 'sts.me-central-1.aliyuncs.com', 'vpc' => 'sts-vpc.me-central-1.aliyuncs.com'],
+ ['regionId' => 'cn-shenzhen-finance-1', 'regionName' => '华南1 金融云', 'areaId' => 'industryCloud', 'areaName' => '行业云', 'public' => 'sts.aliyuncs.com', 'endpoint' => 'sts.aliyuncs.com', 'vpc' => 'sts-vpc.cn-shenzhen-finance-1.aliyuncs.com'],
+ ['regionId' => 'cn-beijing-finance-1', 'regionName' => '华北2 金融云(邀测)', 'areaId' => 'industryCloud', 'areaName' => '行业云', 'public' => 'sts.cn-beijing-finance-1.aliyuncs.com', 'endpoint' => 'sts.cn-beijing-finance-1.aliyuncs.com', 'vpc' => 'sts-vpc.cn-beijing-finance-1.aliyuncs.com'],
+ ['regionId' => 'cn-shanghai-finance-1', 'regionName' => '华东2 金融云', 'areaId' => 'industryCloud', 'areaName' => '行业云', 'public' => 'sts.cn-shanghai-finance-1.aliyuncs.com', 'endpoint' => 'sts.cn-shanghai-finance-1.aliyuncs.com', 'vpc' => 'sts-vpc.cn-shanghai-finance-1.aliyuncs.com'],
+ ['regionId' => 'cn-hangzhou-finance', 'regionName' => '华东1 金融云', 'areaId' => 'industryCloud', 'areaName' => '行业云', 'public' => 'sts.aliyuncs.com', 'endpoint' => 'sts.aliyuncs.com', 'vpc' => ''],
+ ],
+ 'errorCodes' => [
+ ['code' => 'AuthenticationFail.OIDCToken.AudienceNotMatch', 'message' => 'Invalid audience.', 'http_code' => 401, 'description' => 'Token中的audience不匹配'],
+ ['code' => 'AuthenticationFail.OIDCToken.Expired', 'message' => 'This JsonWebToken is expired.', 'http_code' => 401, 'description' => 'OIDC令牌过期'],
+ ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'The Jwt content is invalid that cannot be recognized.', 'http_code' => 401, 'description' => 'Jwt内容无效且无法识别。'],
+ ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'The algorithm HS256 that be specified in Jwt header is unknown.', 'http_code' => 401, 'description' => 'Jwt报头中指定的HS256算法未知。'],
+ ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'Cannot decode base64 encoded response(format invalided).', 'http_code' => 401, 'description' => '格式错误,无法解码base64编码的返回结果。'],
+ ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'The number of Jwt field should be divided into 3 parts with \'.\' .', 'http_code' => 401, 'description' => 'Jwt 需要能够被‘.’字符划分为3部分。'],
+ ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'The OIDCToken can not empty.', 'http_code' => 401, 'description' => 'OIDCToken字段不能为空值。'],
+ ['code' => 'AuthenticationFail.OIDCToken.InvalidSignature', 'message' => 'OIDC token validate failed: invalid signature.', 'http_code' => 401, 'description' => 'ODIC令牌的验证签名失败'],
+ ['code' => 'AuthenticationFail.OIDCToken.IssuerConfigurationBroken', 'message' => 'Cannot find the specific key from the discovery, kid is %s.', 'http_code' => 401, 'description' => 'OIDC Token里指定来验证签名的公钥的kid在idp的jwks uri里没有提供,kid为 %s'],
+ ['code' => 'AuthenticationFail.OIDCToken.IssuerNotMatch', 'message' => 'The issuer in the OIDC Token doesn\'t match the OIDC Provider registered.', 'http_code' => 401, 'description' => 'OIDC令牌中的issuer字段与注册的OIDC提供商不匹配。'],
+ ['code' => 'AuthenticationFail.OIDCToken.PublicKeyFingerprintMismatch', 'message' => 'The https fingerprint of this discovery is invalid.', 'http_code' => 401, 'description' => '验证指纹无效,其不在对应OIDC身份提供商的指纹列表中'],
+ ['code' => 'AuthenticationFail.SAMLAssertion.Expired', 'message' => 'Response IssueInstant is either too old or with date in the future, value:%s.', 'http_code' => 401, 'description' => 'SAML断言过期'],
+ ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'Bearer SubjectConfirmation invalidated by not before which is forbidden.', 'http_code' => 401, 'description' => 'SAML Assertion的SubjectConfirmation不能包含NotBefore属性。'],
+ ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'Can\'t find the intended audience in at least one AudienceRestriction.', 'http_code' => 401, 'description' => 'SAML Assertion的Conditions元素中找不到一个符合预期的AudienceRestriction。'],
+ ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'The rolearn and samlprovider pair can not be found in the Role Attibute of the SAMLAssertion.', 'http_code' => 401, 'description' => 'SAML Assertion中没有RoleArn和SamlProvider信息,需要在AttributeStatement中以Attribute形式存在,格式为:roleArn,providerArn'],
+ ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'Cannot decode base64 encoded response(format invalided).', 'http_code' => 401, 'description' => 'SAML Assertion的格式不正确,不是标准Base64字符串。'],
+ ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'The assertion schema validation failed.', 'http_code' => 401, 'description' => 'SAML Assertion的Schema校验失败,Assertion元素必须存在“ID”(唯一标识)和“IssueInstant”(签发时刻)'],
+ ['code' => 'EntityNotExist.Role', 'message' => 'The role not exists: %s.', 'http_code' => 404, 'description' => '扮演的角色不存在'],
+ ['code' => 'EntityNotExist.SAMLProvider', 'message' => 'Can not find SAML provider by ARN:%s.', 'http_code' => 404, 'description' => '无法通过ARM找到对应的SAML provider。'],
+ ['code' => 'EntityNotExist.SAMLProvider', 'message' => 'Parameter SAMLProviderArn is not valid.', 'http_code' => 404, 'description' => 'SAML身份提供商的Arn无效。'],
+ ['code' => 'EntityNotExist.User', 'message' => 'account not exists.', 'http_code' => 404, 'description' => '账号不存在'],
+ ['code' => 'EntityNotExist.User', 'message' => 'The identity account is not exists.', 'http_code' => 404, 'description' => '请求的身份信息不存在'],
+ ['code' => 'InvalidParameter', 'message' => 'Invalid role arn format:%s.', 'http_code' => 400, 'description' => '角色arn格式不合法'],
+ ['code' => 'InvalidParameter.AssumeRoleFor', 'message' => 'The parameter AssumeRoleFor is wrongly formed.', 'http_code' => 400, 'description' => '参数AssumeRoleFor不合法'],
+ ['code' => 'InvalidParameter.DurationSeconds', 'message' => 'The Min/Max value of DurationSeconds is 15min/1hr.', 'http_code' => 400, 'description' => 'DurationSeconds参数不合法,DurationSeconds最小值为15分钟,最大值为1小时'],
+ ['code' => 'InvalidParameter.DurationSeconds', 'message' => 'The Min/Max value of DurationSeconds is %s.', 'http_code' => 400, 'description' => 'DurationSeconds参数不合法。'],
+ ['code' => 'InvalidParameter.DurationSeconds', 'message' => 'The Min/Max value of DurationSeconds is 15min/12hr.', 'http_code' => 400, 'description' => 'DurationSeconds参数不合法,DurationSeconds最小值为15分钟,最大值为12小时'."\n"],
+ ['code' => 'InvalidParameter.ExternalId', 'message' => 'The parameter ExternalId is wrongly formed.', 'http_code' => 400, 'description' => '参数ExternalId不合法'],
+ ['code' => 'InvalidParameter.Policy.StarCount', 'message' => 'The count of star in policy document\'s value field is limited to %s.', 'http_code' => 400, 'description' => 'Policy中*数量超出最大限制。'],
+ ['code' => 'InvalidParameter.Policy.StarCount', 'message' => 'The count of star in policy document\'s value field is illegal.', 'http_code' => 400, 'description' => 'Policy中*数量超出最大限制。'."\n"],
+ ['code' => 'InvalidParameter.PolicyGrammar', 'message' => 'The parameter Policy has not passed grammar check.', 'http_code' => 400, 'description' => '参数Policy语法格式检查未通过。'],
+ ['code' => 'InvalidParameter.PolicyGrammar', 'message' => 'Invalid Policy.', 'http_code' => 400, 'description' => '无效的参数Policy。'],
+ ['code' => 'InvalidParameter.PolicySize', 'message' => 'The size of Policy must be smaller than 2048 bytes.', 'http_code' => 400, 'description' => 'Policy参数不合法,Policy长度必须小于2048字节。'],
+ ['code' => 'InvalidParameter.RoleArn', 'message' => 'The RoleArn can not empty.', 'http_code' => 400, 'description' => '参数RoleArn不能为空值。'],
+ ['code' => 'InvalidParameter.RoleArn', 'message' => 'The parameter RoleArn is wrongly formed.', 'http_code' => 400, 'description' => '参数RoleArn的格式错误'],
+ ['code' => 'InvalidParameter.RoleSessionName', 'message' => 'The parameter RoleSessionName is wrongly formed.', 'http_code' => 400, 'description' => '参数RoleSessionName格式错误。'],
+ ['code' => 'InvalidParameter.RoleSessionName', 'message' => 'The RoleSessionName can not empty.', 'http_code' => 400, 'description' => '参数RoleSessionName不可为空值。'],
+ ['code' => 'InvalidParameter.UserSessionName', 'message' => 'The parameter UserSessionName is invalid.', 'http_code' => 400, 'description' => '参数UserSessionName不合法'."\n"],
+ ['code' => 'InvalidVersion', 'message' => 'Specified parameter Version is not valid.', 'http_code' => 400, 'description' => '调用STS版本号错误'],
+ ['code' => 'ISVAuthenticationFail.SignatureNotMatch', 'message' => 'The IspSignature does not match.', 'http_code' => 401, 'description' => 'IspSignature签名不匹配。'],
+ ['code' => 'MissingAccessKeyId', 'message' => 'AccessKeyId is mandatory for this action.', 'http_code' => 400, 'description' => '该操作必须具有AccessKeyId。'],
+ ['code' => 'MissingParameter.OIDCProviderArn', 'message' => 'Parameter OIDCProviderArn is required.', 'http_code' => 400, 'description' => '缺少必要参数OIDCProviderArn。'],
+ ['code' => 'MissingParameter.RoleSessionName', 'message' => 'Parameter RoleSessionName is required.', 'http_code' => 400, 'description' => '缺少必要参数RoleSessionName。'],
+ ['code' => 'NoPermission', 'message' => 'Roles may not be assumed by root accounts.', 'http_code' => 403, 'description' => '主账号无角色扮演权限'],
+ ['code' => 'NoPermission', 'message' => 'You are not authorized to do this action.', 'http_code' => 403, 'description' => '您无权执行此操作。'],
+ ['code' => 'NotSupported', 'message' => 'The identity type is not supported for this action.', 'http_code' => 403, 'description' => '该身份类型不支持执行此操作。'],
+ ['code' => 'InvalidParameter.Conditions', 'message' => 'The value of Conditions is invalid.', 'http_code' => 400, 'description' => 'Conditions参数不合法'],
+ ],
+ 'changeSet' => [],
+ 'flowControl' => [
+ 'flowControlList' => [
+ ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'GetCallerIdentity'],
+ ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'AssumeRole'],
+ ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'AssumeRoleWithOIDC'],
+ ['threshold' => '-1', 'countWindow' => 1, 'regionId' => '*'],
],
- [
- 'regionId' => 'cn-guangzhou',
- 'endpoint' => 'sts.cn-guangzhou.aliyuncs.com',
+ ],
+ 'ram' => [
+ 'productCode' => 'Sts',
+ 'productName' => '访问控制',
+ 'ramCodes' => ['sts'],
+ 'ramLevel' => '资源级',
+ 'ramConditions' => [
+ [
+ 'name' => 'acs:Service',
+ 'schema' => ['type' => 'String', 'description' => '角色可以被传递给云服务的标识,此限制条件仅适用于 PassRole 操作。取值示例:actiontrail.aliyuncs.com'],
+ ],
+ [
+ 'name' => 'ram:ServiceNames',
+ 'schema' => ['type' => 'Array<String>', 'description' => '服务角色可信的云服务标识,多值,取值示例:[\\\\\\\\\\\\\\\\\\\\\\\\&quot;ecs.aliyun.com\\\\\\\\\\\\\\\\\\\\\\\\&quot;,\\\\\\\\\\\\\\\\\\\\\\\\&quot;rds.aliyuncs.com\\\\\\\\\\\\\\\\\\\\\\\\&quot;]'],
+ ],
+ [
+ 'name' => 'sts:SourceIdentity',
+ 'schema' => ['type' => 'String', 'description' => '扮演角色时设置的源身份信息'],
+ ],
+ [
+ 'name' => 'ram:TrustedPrincipalTypes',
+ 'schema' => [
+ 'type' => 'Array<String>',
+ 'description' => '角色可信实体的类型,多值。',
+ 'enums' => ['RAM', 'Service', 'Federated-SAMLProvider', 'Federated-OIDCProvider'],
+ ],
+ ],
],
- [
- 'regionId' => 'cn-wuhan-lr',
- 'endpoint' => 'sts.cn-wuhan-lr.aliyuncs.com',
+ 'ramActions' => [
+ [
+ 'apiName' => 'AssumeRole',
+ 'description' => '获取扮演角色的临时身份凭证',
+ 'operationType' => 'get',
+ 'additionalActions' => [
+ ['action' => 'sts:SetSourceIdentity', 'validationType' => 'conditional'],
+ ],
+ 'ramAction' => [
+ 'action' => 'sts:AssumeRole',
+ 'authLevel' => 'resource',
+ 'actionConditions' => [
+ ['conditionKey' => 'sts:SourceIdentity', 'validationType' => 'conditional'],
+ ],
+ 'resources' => [
+ ['validationType' => 'always', 'product' => 'Sts', 'resourceType' => 'Role', 'arn' => 'acs:ram::{#accountId}:role/{#RoleName}'],
+ ],
+ ],
+ ],
],
- [
- 'regionId' => 'na-south-1',
- 'endpoint' => 'sts.na-south-1.aliyuncs.com',
+ 'resourceTypes' => [
+ ['validationType' => 'always', 'resourceType' => 'Role', 'arn' => 'acs:ram::{#accountId}:role/{#RoleName}'],
],
],
];