diff options
| author | Zhineng Li <im@zhineng.li> | 2026-07-12 17:11:17 +0800 |
|---|---|---|
| committer | Zhineng Li <im@zhineng.li> | 2026-07-12 17:11:17 +0800 |
| commit | 1c7f908ce09f98fdcbf79ed2a8ae21be60eaa634 (patch) | |
| tree | 5f0857666365b7e40cdaa3733ebe1f3ba9e13c67 /data/zh_cn/sts | |
| parent | 7347bac4ab7e136157fc94777e6cf87ef9e08599 (diff) | |
| download | afterglow-metadata-full-1c7f908ce09f98fdcbf79ed2a8ae21be60eaa634.tar.gz afterglow-metadata-full-1c7f908ce09f98fdcbf79ed2a8ae21be60eaa634.zip | |
update APIs 20260712
Diffstat (limited to 'data/zh_cn/sts')
| -rw-r--r-- | data/zh_cn/sts/2015-04-01/api-docs.php | 1167 |
1 files changed, 432 insertions, 735 deletions
diff --git a/data/zh_cn/sts/2015-04-01/api-docs.php b/data/zh_cn/sts/2015-04-01/api-docs.php index b0e7efc..1b99579 100644 --- a/data/zh_cn/sts/2015-04-01/api-docs.php +++ b/data/zh_cn/sts/2015-04-01/api-docs.php @@ -1,28 +1,18 @@ <?php return [ 'version' => '1.0', - 'info' => [ - 'style' => 'RPC', - 'product' => 'Sts', - 'version' => '2015-04-01', - ], + 'info' => ['style' => 'RPC', 'product' => 'Sts', 'version' => '2015-04-01'], 'directories' => [ [ - 'id' => 120773, - 'title' => '角色扮演', + 'children' => ['AssumeRole', 'AssumeRoleWithSAML', 'AssumeRoleWithOIDC'], 'type' => 'directory', - 'children' => [ - 'AssumeRole', - 'AssumeRoleWithSAML', - 'AssumeRoleWithOIDC', - ], + 'title' => '角色扮演', + 'id' => 95516, ], [ - 'id' => 120777, - 'title' => '调用身份', + 'children' => ['GetCallerIdentity'], 'type' => 'directory', - 'children' => [ - 'GetCallerIdentity', - ], + 'title' => '调用身份', + 'id' => 95524, ], ], 'components' => [ @@ -31,117 +21,77 @@ 'apis' => [ 'AssumeRole' => [ 'summary' => '通过调用AssumeRole接口,获取一个扮演RAM角色的临时身份凭证(STS Token)。', - 'methods' => [ - 'post', - 'get', - ], - 'schemes' => [ - 'https', - ], + 'methods' => ['post', 'get'], + 'schemes' => ['https'], 'security' => [ [ 'AK' => [], ], ], 'operationType' => 'readAndWrite', - 'systemTags' => [ - 'operationType' => 'get', - 'riskType' => 'high', - 'chargeType' => 'free', - ], + 'systemTags' => ['operationType' => 'get', 'riskType' => 'high', 'chargeType' => 'free'], 'parameters' => [ [ 'name' => 'DurationSeconds', 'in' => 'query', - 'schema' => [ - 'description' => 'Token有效期。单位:秒。'."\n" - ."\n" - .'Token有效期最小值为900秒,最大值为要扮演角色的`MaxSessionDuration`时间。默认值为3600秒。'."\n" - ."\n" - .'您可以通过CreateRole或UpdateRole设置角色最大会话时间`MaxSessionDuration`。更多信息,请参见[CreateRole](~~28710~~)或[UpdateRole](~~28712~~)。', - 'type' => 'integer', - 'format' => 'int64', - 'required' => false, - 'example' => '3600', - ], + 'schema' => ['description' => 'Token有效期。单位:秒。'."\n" + ."\n" + .'Token有效期最小值为900秒,最大值为要扮演角色的`MaxSessionDuration`时间。默认值为3600秒。'."\n" + ."\n" + .'您可以通过CreateRole或UpdateRole设置角色最大会话时间`MaxSessionDuration`。更多信息,请参见[CreateRole](~~28710~~)或[UpdateRole](~~28712~~)。', 'type' => 'integer', 'format' => 'int64', 'required' => false, 'example' => '3600'], ], [ 'name' => 'Policy', 'in' => 'query', - 'schema' => [ - 'description' => '为STS Token额外添加的一个权限策略,进一步限制STS Token的权限。具体如下:'."\n" - ."\n" - .'- 如果指定该权限策略,则STS Token最终的权限策略取RAM角色权限策略与该权限策略的交集。'."\n" - .'- 如果不指定该权限策略,则STS Token最终的权限策略取RAM角色的权限策略。'."\n" - ."\n" - .'长度为1~2048个字符。'."\n" - ."\n" - .'关于权限策略元素和示例,请参见[权限策略基本元素](~~93738~~)和[权限策略示例库](~~210969~~)。', - 'type' => 'string', - 'required' => false, - 'example' => '{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}', - ], + 'schema' => ['description' => '为STS Token额外添加的一个权限策略,进一步限制STS Token的权限。具体如下:'."\n" + ."\n" + .'- 如果指定该权限策略,则STS Token最终的权限策略取RAM角色权限策略与该权限策略的交集。'."\n" + .'- 如果不指定该权限策略,则STS Token最终的权限策略取RAM角色的权限策略。'."\n" + ."\n" + .'长度为1~2048个字符。'."\n" + ."\n" + .'关于权限策略元素和示例,请参见[权限策略基本元素](~~93738~~)和[权限策略示例库](~~210969~~)。', 'type' => 'string', 'required' => false, 'example' => '{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}'], ], [ 'name' => 'RoleArn', 'in' => 'query', - 'schema' => [ - 'description' => '要扮演的RAM角色ARN。'."\n" - ."\n" - .'该角色是可信实体为阿里云账号类型的RAM角色。更多信息,请参见[创建可信实体为阿里云账号的RAM角色](~~93691~~)或[CreateRole](~~28710~~)。'."\n" - ."\n" - .'格式:`acs:ram::<account_id>:role/<role_name>` 。'."\n" - ."\n" - .'您可以通过RAM控制台或API查看角色ARN。具体如下:'."\n" - ."\n" - .'- RAM控制台:请参见[查看RAM角色的ARN](~~39744~~)。'."\n" - .'- API:请参见[ListRoles](~~28713~~)或[GetRole](~~28711~~)。', - 'type' => 'string', - 'required' => true, - 'example' => 'acs:ram::123456789012****:role/adminrole', - ], + 'schema' => ['description' => '要扮演的RAM角色ARN。'."\n" + ."\n" + .'该角色是可信实体为阿里云账号类型的RAM角色。更多信息,请参见[创建可信实体为阿里云账号的RAM角色](~~93691~~)或[CreateRole](~~28710~~)。'."\n" + ."\n" + .'格式:`acs:ram::<account_id>:role/<role_name>` 。'."\n" + ."\n" + .'您可以通过RAM控制台或API查看角色ARN。具体如下:'."\n" + ."\n" + .'- RAM控制台:请参见[查看RAM角色的ARN](~~39744~~)。'."\n" + .'- API:请参见[ListRoles](~~28713~~)或[GetRole](~~28711~~)。', 'type' => 'string', 'required' => true, 'example' => 'acs:ram::123456789012****:role/adminrole'], ], [ 'name' => 'RoleSessionName', 'in' => 'query', - 'schema' => [ - 'description' => '角色会话名称。'."\n" - ."\n" - .'该参数为用户自定义参数。通常设置为调用该API的用户身份,例如:用户名。在操作审计日志中,即使是同一个RAM角色执行的操作,也可以根据不同的`RoleSessionName`来区分实际操作者,以实现用户级别的访问审计。'."\n" - ."\n" - .'长度为2~64个字符,可包含英文字母、数字和特殊字符`.@-_`。', - 'type' => 'string', - 'required' => true, - 'example' => 'alice', - ], + 'schema' => ['description' => '角色会话名称。'."\n" + ."\n" + .'该参数为用户自定义参数。通常设置为调用该API的用户身份,例如:用户名。在操作审计日志中,即使是同一个RAM角色执行的操作,也可以根据不同的`RoleSessionName`来区分实际操作者,以实现用户级别的访问审计。'."\n" + ."\n" + .'长度为2~64个字符,可包含英文字母、数字和特殊字符`.@-_`。', 'type' => 'string', 'required' => true, 'example' => 'alice'], ], [ 'name' => 'ExternalId', 'in' => 'query', - 'schema' => [ - 'description' => '角色外部ID。'."\n" - ."\n" - .'该参数为外部提供的用于表示角色的参数信息,主要功能是防止混淆代理人问题。更多信息,请参见[使用ExternalId防止混淆代理人问题](~~2361741~~)。'."\n" - ."\n" - .'长度为2~1224个字符,可包含英文字母、数字和特殊字符`=,.@:/-_`。正则为:`[\\w+=,.@:\\/-]*`。', - 'type' => 'string', - 'required' => false, - 'example' => 'abcd1234', - ], + 'schema' => ['description' => '角色外部ID。'."\n" + ."\n" + .'该参数为外部提供的用于表示角色的参数信息,主要功能是防止混淆代理人问题。更多信息,请参见[使用ExternalId防止混淆代理人问题](~~2361741~~)。'."\n" + ."\n" + .'长度为2~1224个字符,可包含英文字母、数字和特殊字符`=,.@:/-_`。正则为:`[\\w+=,.@:\\/-]*`。', 'type' => 'string', 'required' => false, 'example' => 'abcd1234'], ], [ 'name' => 'SourceIdentity', 'in' => 'query', - 'schema' => [ - 'description' => '源身份信息。'."\n" - ."\n" - .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n" - ."\n" - .'SourceIdentity 长度为 2~64 个字符,可包含英文字母、数字、以及特殊字符:`=,.@-_`。正则为:`[\\w+=,.@-]*`。您不能使用以`acs:`、`aliyun:`、`alibabacloud:` 开头的值,这些前缀为阿里云内部使用。', - 'type' => 'string', - 'required' => false, - 'example' => 'Alice', - ], + 'schema' => ['description' => '源身份信息。'."\n" + ."\n" + .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n" + ."\n" + .'SourceIdentity 长度为 2~64 个字符,可包含英文字母、数字、以及特殊字符:`=,.@-_`。正则为:`[\\w+=,.@-]*`。您不能使用以`acs:`、`aliyun:`、`alibabacloud:` 开头的值,这些前缀为阿里云内部使用。', 'type' => 'string', 'required' => false, 'example' => 'Alice'], ], ], 'responses' => [ @@ -151,131 +101,57 @@ 'description' => '返回参数。', 'type' => 'object', 'properties' => [ - 'RequestId' => [ - 'description' => '请求ID。', - 'type' => 'string', - 'example' => '6894B13B-6D71-4EF5-88FA-F32781734A7F', - ], + 'RequestId' => ['description' => '请求ID。', 'type' => 'string', 'example' => '6894B13B-6D71-4EF5-88FA-F32781734A7F'], 'AssumedRoleUser' => [ 'description' => '角色扮演时的临时身份。', 'type' => 'object', 'properties' => [ - 'AssumedRoleId' => [ - 'description' => '临时身份的ID。', - 'type' => 'string', - 'example' => '34458433936495****:alice', - ], - 'Arn' => [ - 'description' => '临时身份的ARN。', - 'type' => 'string', - 'example' => 'acs:ram::123456789012****:role/adminrole/alice', - ], + 'AssumedRoleId' => ['description' => '临时身份的ID。', 'type' => 'string', 'example' => '34458433936495****:alice'], + 'Arn' => ['description' => '临时身份的ARN。', 'type' => 'string', 'example' => 'acs:ram::123456789012****:role/adminrole/alice'], ], ], 'Credentials' => [ 'description' => '访问凭证。'."\n", 'type' => 'object', 'properties' => [ - 'SecurityToken' => [ - 'description' => '安全令牌。'."\n" - .'> 安全令牌的长度不固定,我们强烈建议您不要对安全令牌的最大长度做任何限制。', - 'type' => 'string', - 'example' => '********', - ], - 'Expiration' => [ - 'description' => 'Token到期失效时间(UTC时间)。', - 'type' => 'string', - 'example' => '2015-04-09T11:52:19Z', - ], - 'AccessKeySecret' => [ - 'description' => '访问密钥。', - 'type' => 'string', - 'example' => 'wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****', - ], - 'AccessKeyId' => [ - 'description' => '访问密钥ID。', - 'type' => 'string', - 'example' => 'STS.L4aBSCSJVMuKg5U1****', - ], + 'SecurityToken' => ['description' => '安全令牌。'."\n" + .'> 安全令牌的长度不固定,我们强烈建议您不要对安全令牌的最大长度做任何限制。', 'type' => 'string', 'example' => '********'], + 'Expiration' => ['description' => 'Token到期失效时间(UTC时间)。', 'type' => 'string', 'example' => '2015-04-09T11:52:19Z'], + 'AccessKeySecret' => ['description' => '访问密钥。', 'type' => 'string', 'example' => 'wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****'], + 'AccessKeyId' => ['description' => '访问密钥ID。', 'type' => 'string', 'example' => 'STS.L4aBSCSJVMuKg5U1****'], ], ], - 'SourceIdentity' => [ - 'description' => '源身份信息。'."\n" - ."\n" - .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n" - ."\n" - .'如果没有设置源身份信息,则该字段不会返回。', - 'type' => 'string', - 'example' => 'Alice', - ], + 'SourceIdentity' => ['description' => '源身份信息。'."\n" + ."\n" + .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n" + ."\n" + .'如果没有设置源身份信息,则该字段不会返回。', 'type' => 'string', 'example' => 'Alice'], ], ], ], ], 'errorCodes' => [ 400 => [ - [ - 'errorCode' => 'InvalidParameter.DurationSeconds', - 'errorMessage' => 'The Min/Max value of DurationSeconds is 15min/1hr.', - ], - [ - 'errorCode' => 'InvalidParameter.ExternalId', - 'errorMessage' => 'The parameter ExternalId is wrongly formed.', - ], - [ - 'errorCode' => 'InvalidParameter.RoleArn', - 'errorMessage' => 'The parameter RoleArn is wrongly formed.', - ], - [ - 'errorCode' => 'InvalidParameter.RoleSessionName', - 'errorMessage' => 'The parameter RoleSessionName is wrongly formed.', - ], - [ - 'errorCode' => 'InvalidParameter.SerialNumber', - 'errorMessage' => 'The parameter SerialNumber is wrongly formed.', - ], - [ - 'errorCode' => 'InvalidParameter.TokenCode', - 'errorMessage' => 'The parameter TokenCode is wrongly formed.', - ], - [ - 'errorCode' => 'InvalidParameter.PolicyGrammar', - 'errorMessage' => 'The parameter Policy has not passed grammar check.', - ], - [ - 'errorCode' => 'InvalidParameter.PolicySize', - 'errorMessage' => 'The size of Policy must be smaller than 2048 bytes.', - ], - [ - 'errorCode' => 'InvalidParameter.ContentType', - 'errorMessage' => 'The ContentType request header must be either "application/json" or "application/x-www-form-urlencoded".', - ], + ['errorCode' => 'InvalidParameter.DurationSeconds', 'errorMessage' => 'The Min/Max value of DurationSeconds is 15min/1hr.', 'description' => 'DurationSeconds参数不合法,DurationSeconds最小值为15分钟,最大值为1小时'], + ['errorCode' => 'InvalidParameter.ExternalId', 'errorMessage' => 'The parameter ExternalId is wrongly formed.', 'description' => '参数ExternalId不合法'], + ['errorCode' => 'InvalidParameter.RoleArn', 'errorMessage' => 'The parameter RoleArn is wrongly formed.', 'description' => '参数RoleArn的格式错误'], + ['errorCode' => 'InvalidParameter.RoleSessionName', 'errorMessage' => 'The parameter RoleSessionName is wrongly formed.', 'description' => '参数RoleSessionName格式错误。'], + ['errorCode' => 'InvalidParameter.SerialNumber', 'errorMessage' => 'The parameter SerialNumber is wrongly formed.', 'description' => ''], + ['errorCode' => 'InvalidParameter.TokenCode', 'errorMessage' => 'The parameter TokenCode is wrongly formed.', 'description' => ''], + ['errorCode' => 'InvalidParameter.PolicyGrammar', 'errorMessage' => 'The parameter Policy has not passed grammar check.', 'description' => '参数Policy语法格式检查未通过。'], + ['errorCode' => 'InvalidParameter.PolicySize', 'errorMessage' => 'The size of Policy must be smaller than 2048 bytes.', 'description' => 'Policy参数不合法,Policy长度必须小于2048字节。'], + ['errorCode' => 'InvalidParameter.ContentType', 'errorMessage' => 'The ContentType request header must be either "application/json" or "application/x-www-form-urlencoded".', 'description' => ''], ], 403 => [ - [ - 'errorCode' => 'NoPermission', - 'errorMessage' => 'You are not authorized to do this action. You should be authorized by RAM.', - ], - [ - 'errorCode' => 'AuthenticationFail.ApiUsername', - 'errorMessage' => 'The specified api username is not legal.', - ], - [ - 'errorCode' => 'AuthenticationFail.ApiPassword', - 'errorMessage' => 'The specified api password is not legal.', - ], + ['errorCode' => 'NoPermission', 'errorMessage' => 'You are not authorized to do this action. You should be authorized by RAM.', 'description' => ''], + ['errorCode' => 'AuthenticationFail.ApiUsername', 'errorMessage' => 'The specified api username is not legal.', 'description' => ''], + ['errorCode' => 'AuthenticationFail.ApiPassword', 'errorMessage' => 'The specified api password is not legal.', 'description' => ''], ], [ - [ - 'errorCode' => 'EntityNotExist.Role', - 'errorMessage' => 'The specified Role not exists .', - ], + ['errorCode' => 'EntityNotExist.Role', 'errorMessage' => 'The specified Role not exists .', 'description' => ''], ], 500 => [ - [ - 'errorCode' => 'InternalError', - 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.', - ], + ['errorCode' => 'InternalError', 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.', 'description' => ''], ], ], 'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"6894B13B-6D71-4EF5-88FA-F32781734A7F\\",\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"34458433936495****:alice\\",\\n \\"Arn\\": \\"acs:ram::123456789012****:role/adminrole/alice\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"********\\",\\n \\"Expiration\\": \\"2015-04-09T11:52:19Z\\",\\n \\"AccessKeySecret\\": \\"wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****\\",\\n \\"AccessKeyId\\": \\"STS.L4aBSCSJVMuKg5U1****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<AssumeRoleResponse>\\n <Credentials>\\n <AccessKeyId>STS.L4aBSCSJVMuKg5U1****</AccessKeyId>\\n <AccessKeySecret>wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****</AccessKeySecret>\\n <Expiration>2015-04-09T11:52:19Z</Expiration>\\n <SecurityToken>********</SecurityToken>\\n </Credentials>\\n <AssumedRoleUser>\\n <Arn>acs:ram::123456789012****:role/adminrole/alice</Arn>\\n <AssumedRoleId>34458433936495****:alice</AssumedRoleId>\\n </AssumedRoleUser>\\n <RequestId>6894B13B-6D71-4EF5-88FA-F32781734A7F</RequestId>\\n</AssumeRoleResponse>","errorExample":""}]', @@ -304,110 +180,101 @@ .'STS Token自颁发后将在一段时间内有效,建议您设置合理的Token有效期,并在有效期内重复使用,以避免业务请求速率上升后,STS Token颁发的速率限制影响到业务。具体速率限制,请参见[STS服务调用次数是否有上限](~~39744~~)。您可以通过请求参数`DurationSeconds`设置Token有效期。'."\n" ."\n" .'在移动端上传或下载OSS文件等场景下,其访问量较大,即使重复使用STS Token也可能无法满足限流要求。为避免STS的限流成为OSS访问量的瓶颈,您可以尝试OSS的**在URL中包含签名**的方案。更多信息,请参见[在URL中包含签名](~~31952~~)和[服务端签名后直传](~~31926~~)。', - ], - 'AssumeRoleWithSAML' => [ - 'summary' => '进行SAML角色SSO时,通过调用AssumeRoleWithSAML接口,获取扮演RAM角色的临时身份凭证(STS Token)。', - 'methods' => [ - 'post', - 'get', + 'changeSet' => [], + 'flowControl' => [ + 'flowControlList' => [ + ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'AssumeRole'], + ], ], - 'schemes' => [ - 'https', + 'ramActions' => [ + [ + 'operationType' => 'get', + 'ramAction' => [ + 'action' => 'sts:AssumeRole', + 'authLevel' => 'resource', + 'actionConditions' => [ + ['conditionKey' => 'sts:SourceIdentity', 'validationType' => 'conditional'], + ], + 'resources' => [ + ['validationType' => 'always', 'product' => 'Sts', 'resourceType' => 'Role', 'arn' => 'acs:ram::{#accountId}:role/{#RoleName}'], + ], + ], + 'additionalActions' => [ + ['action' => 'sts:SetSourceIdentity', 'validationType' => 'conditional'], + ], + ], ], + ], + 'AssumeRoleWithOIDC' => [ + 'methods' => ['get', 'post'], + 'schemes' => ['https'], 'security' => [ [ - 'Anonymous' => [], + 'ARS_OIDC' => [], ], ], 'operationType' => 'readAndWrite', - 'systemTags' => [ - 'operationType' => 'get', - 'riskType' => 'high', - 'chargeType' => 'free', - ], + 'deprecated' => false, + 'systemTags' => ['operationType' => 'get', 'riskType' => 'high', 'chargeType' => 'free'], 'parameters' => [ [ - 'name' => 'SAMLProviderArn', + 'name' => 'OIDCProviderArn', 'in' => 'query', - 'schema' => [ - 'description' => 'RAM中创建的SAML身份提供商的ARN。'."\n" - ."\n" - .'格式:`acs:ram::<account_id>:saml-provider/<saml_provider_id>`。'."\n" - ."\n" - .'您可以通过RAM控制台或API查看身份提供商的ARN。具体如下:'."\n" - ."\n" - .'- RAM控制台:请参见[查看SAML身份提供商基本信息](~~116795~~)。'."\n" - .'- API:请参见[GetSAMLProvider](~~186833~~)或[ListSAMLProviders](~~186851~~)。', - 'type' => 'string', - 'required' => false, - 'docRequired' => true, - 'example' => 'acs:ram::123456789012****:saml-provider/company1', - ], + 'schema' => ['title' => 'OIDC Provider的ARN', 'description' => 'OIDC身份提供商的ARN。'."\n" + ."\n" + .'您可以通过RAM控制台或API查看OIDC身份提供商的ARN。具体如下:'."\n" + ."\n" + .'- RAM控制台:请参见[查看OIDC身份提供商信息](~~327123~~)。'."\n" + .'- API:请参见[GetOIDCProvider](~~327126~~)或[ListOIDCProviders](~~327127~~) 。', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'acs:ram::113511544585****:oidc-provider/TestOidcIdp'], ], [ 'name' => 'RoleArn', 'in' => 'query', - 'schema' => [ - 'description' => '要扮演的RAM角色的ARN。'."\n" - ."\n" - .'该角色是可信实体为SAML身份提供商的RAM角色。更多信息,请参见[创建可信实体为身份提供商的RAM角色](~~116805~~)或[CreateRole](~~28710~~)。'."\n" - ."\n" - .'格式:`acs:ram::<account_id>:role/<role_name>`。'."\n" - ."\n" - .'您可以通过RAM控制台或API查看角色ARN。具体如下:'."\n" - ."\n" - .'- RAM控制台:请参见[如何查看RAM角色的ARN?](~~39744~~)。'."\n" - .'- API:请参见[ListRoles](~~28713~~)或[GetRole](~~28711~~)。', - 'type' => 'string', - 'required' => false, - 'docRequired' => true, - 'example' => 'acs:ram::123456789012****:role/adminrole', - ], + 'schema' => ['title' => '需要扮演的角色的ARN', 'description' => '需要扮演的RAM角色ARN。'."\n" + ."\n" + .'您可以通过RAM控制台或API查看角色ARN。具体如下:'."\n" + ."\n" + .'- RAM控制台:请参见[如何查看RAM角色的ARN](~~39744~~)。'."\n" + .'- API:请参见[ListRoles](~~28713~~)或[GetRole](~~28711~~) 。', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'acs:ram::113511544585****:role/testoidc'], ], [ - 'name' => 'SAMLAssertion', + 'name' => 'OIDCToken', 'in' => 'query', - 'schema' => [ - 'description' => 'Base64编码后的SAML断言。'."\n" - ."\n" - .'长度为4~100000个字符。'."\n" - ."\n" - .'> 需要从IdP获取完整的SAML响应,不能是单独的SAML断言字段。', - 'type' => 'string', - 'required' => false, - 'docRequired' => true, - 'example' => 'base64_encoded_saml_assertion', - ], + 'schema' => ['title' => 'OIDC的ID Token,需输入原始Token,无需Base64解码', 'description' => '由外部IdP签发的OIDC令牌(OIDC Token)。'."\n" + ."\n" + .'长度:4~20000个字符。'."\n" + ."\n" + .'> 需要输入原始OIDC Token,无需Base64解码。', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'eyJraWQiOiJKQzl3eHpyaHFKMGd0****'], ], [ 'name' => 'Policy', 'in' => 'query', - 'schema' => [ - 'description' => '为STS Token额外添加的一个权限策略,进一步限制STS Token的权限。具体如下:'."\n" - ."\n" - .'- 如果指定该权限策略,则STS Token最终的权限取RAM角色权限策略与该权限策略的交集。'."\n" - .'- 如果不指定该权限策略,则STS Token最终的权限就是RAM角色的权限。'."\n" - ."\n" - .'长度为1~2048个字符。', - 'type' => 'string', - 'required' => false, - 'example' => 'url_encoded_policy', - ], + 'schema' => ['title' => '权限策略。 生成STS Token时可以指定一个额外的权限策略,以进一步限制STS Token的权限。若不指定则返回的Token拥有指定角色的所有权限。', 'description' => '为STS Token额外添加的一个权限策略,进一步限制STS Token的权限。具体如下:'."\n" + ."\n" + .'- 如果指定该权限策略,则STS Token最终的权限取RAM角色权限策略与该权限策略的交集。'."\n" + .'- 如果不指定该权限策略,则STS Token最终的权限就是RAM角色的权限。'."\n" + ."\n" + .'长度:1~2048个字符。', 'type' => 'string', 'required' => false, 'example' => '{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}'], ], [ 'name' => 'DurationSeconds', 'in' => 'query', - 'schema' => [ - 'description' => 'Token有效期。单位:秒。'."\n" - ."\n" - .'Token有效期最小值为900秒,最大值为`MaxSessionDuration`设置的时间,默认值为3600秒。'."\n" - ."\n" - .'您可以通过CreateRole或UpdateRole接口设置角色最大会话时间`MaxSessionDuration`。更多信息,请参见[CreateRole](~~28710~~)或[UpdateRole](~~28712~~)。', - 'type' => 'integer', - 'format' => 'int64', - 'required' => false, - 'example' => '3600', - ], + 'schema' => ['title' => 'Session过期时间,单位为秒。', 'description' => 'Token有效期。单位:秒。'."\n" + ."\n" + .'默认值:3600。最小值:900。最大值:`MaxSessionDuration`设置的时间。'."\n" + ."\n" + .'关于设置角色最大会话时间`MaxSessionDuration`的具体操作,请参见[CreateRole](~~28710~~)或[UpdateRole](~~28712~~)。', 'type' => 'integer', 'format' => 'int64', 'required' => false, 'example' => '3600'], + ], + [ + 'name' => 'RoleSessionName', + 'in' => 'query', + 'schema' => ['title' => '用户自定义参数。此参数用来区分不同的令牌,可用于用户级别的访问审计。', 'description' => '角色会话名称。'."\n" + ."\n" + .'该参数为用户自定义参数。通常设置为调用该API的用户身份,例如:用户名。在操作审计日志中,即使是同一个RAM角色执行的操作,也可以根据不同的RoleSessionName来区分实际操作者,以实现用户级别的访问审计。'."\n" + ."\n" + .'格式:包含英文字母、数字、半角句号(.)、at(@)、短划线(-)和下划线(_)。'."\n" + ."\n" + .'长度:2~64个字符。', 'type' => 'string', 'required' => true, 'docRequired' => true, 'example' => 'TestOidcAssumedRoleSession'], ], ], 'responses' => [ @@ -416,231 +283,135 @@ 'description' => '返回参数。', 'type' => 'object', 'properties' => [ - 'RequestId' => [ - 'description' => '请求ID。', - 'type' => 'string', - 'example' => '6894B13B-6D71-4EF5-88FA-F32781734A7F', - ], - 'SAMLAssertionInfo' => [ - 'description' => 'SAML断言中的部分信息。', + 'RequestId' => ['description' => '请求ID。', 'type' => 'string', 'example' => '3D57EAD2-8723-1F26-B69C-F8707D8B565D'], + 'OIDCTokenInfo' => [ + 'description' => '解析的OIDC Token信息。', 'type' => 'object', 'properties' => [ - 'SubjectType' => [ - 'description' => 'SAML断言中`NameID`的格式。当前缀为`urn:oasis:names:tc:SAML:2.0:nameid-format:`时,前缀会被移除。例如:`persistent/transient`。', - 'type' => 'string', - 'example' => 'persistent', - ], - 'Subject' => [ - 'description' => 'SAML断言中`Subject - NameID`字段的值。', - 'type' => 'string', - 'example' => 'alice@example.com', - ], - 'Issuer' => [ - 'description' => 'SAML断言中`Issuer`字段的值。', - 'type' => 'string', - 'example' => 'http://example.com/adfs/services/trust', - ], - 'Recipient' => [ - 'description' => 'SAML断言中`Subject - SubjectConfirmation - SubjectConfirmationData`字段中`Recipient`属性的值。', - 'type' => 'string', - 'example' => 'https://signin.aliyun.com/saml-role/SSO', - ], + 'Subject' => ['description' => 'OIDC主体。'."\n" + ."\n" + .'对应OIDC Token中的`sub`字段值。'."\n", 'type' => 'string', 'example' => 'KryrkIdjylZb7agUgCEf****'], + 'Issuer' => ['description' => 'OIDC颁发者URL。'."\n" + ."\n" + .'对应OIDC Token中的`iss`字段值。', 'type' => 'string', 'example' => 'https://dev-xxxxxx.okta.com'], + 'ClientIds' => ['description' => 'OIDC受众。多个之间用半角逗号(,)分隔。'."\n" + ."\n" + .'对应OIDC Token中的`aud`字段值。', 'type' => 'string', 'example' => '496271242565057****'], + 'ExpirationTime' => ['description' => 'OIDC Token的过期时间。', 'type' => 'string', 'example' => '2021-10-20T04:27:09Z'], + 'IssuanceTime' => ['description' => 'OIDC Token的签发时间。', 'type' => 'string', 'example' => '2021-10-20T03:27:09Z'], + 'VerificationInfo' => ['description' => 'OIDC Token的检验信息。更多信息,请参见[管理OIDC身份提供商](~~327123~~)。', 'type' => 'string', 'example' => 'Success'], ], ], 'AssumedRoleUser' => [ 'description' => '角色扮演临时身份。', 'type' => 'object', 'properties' => [ - 'AssumedRoleId' => [ - 'description' => '临时身份的ID。', - 'type' => 'string', - 'example' => '34458433936495****:alice', - ], - 'Arn' => [ - 'description' => '临时身份的ARN。', - 'type' => 'string', - 'example' => 'acs:sts::123456789012****:assumed-role/AdminRole/alice', - ], + 'AssumedRoleId' => ['description' => '临时身份的ID。', 'type' => 'string', 'example' => '33157794895460****'], + 'Arn' => ['description' => '临时身份的ARN。', 'type' => 'string', 'example' => 'acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession'], ], ], 'Credentials' => [ - 'description' => '访问凭证。', + 'description' => '临时访问凭证(STS Token)。', 'type' => 'object', 'properties' => [ - 'SecurityToken' => [ - 'description' => '安全令牌。'."\n" - .'> 安全令牌的长度不固定,我们强烈建议您不要对安全令牌的最大长度做任何限制。', - 'type' => 'string', - 'example' => '********', - ], - 'Expiration' => [ - 'description' => 'Token到期失效时间(UTC时间)。', - 'type' => 'string', - 'example' => '2015-04-09T11:52:19Z', - ], - 'AccessKeySecret' => [ - 'description' => '访问密钥。', - 'type' => 'string', - 'example' => 'wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****', - ], - 'AccessKeyId' => [ - 'description' => '访问密钥ID。', - 'type' => 'string', - 'example' => 'STS.L4aBSCSJVMuKg5U1****', - ], + 'SecurityToken' => ['description' => '安全令牌。'."\n" + .'> 安全令牌的长度不固定,我们强烈建议您不要对安全令牌的最大长度做任何限制。', 'type' => 'string', 'example' => 'CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****'], + 'Expiration' => ['description' => 'Token到期失效时间(UTC时间)。', 'type' => 'string', 'example' => '2021-10-20T04:27:09Z'], + 'AccessKeySecret' => ['description' => '访问密钥。', 'type' => 'string', 'example' => 'CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****'], + 'AccessKeyId' => ['description' => '访问密钥ID。', 'type' => 'string', 'example' => 'STS.NUgYrLnoC37mZZCNnAbez****'], ], ], - 'SourceIdentity' => [ - 'description' => '源身份信息。'."\n" - ."\n" - .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n" - ."\n" - .'如果没有设置源身份信息,则该字段不会返回。', - 'type' => 'string', - 'example' => 'Alice', - ], + 'SourceIdentity' => ['description' => '源身份信息。'."\n" + ."\n" + .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n" + ."\n" + .'如果没有设置源身份信息,则该字段不会返回。', 'type' => 'string', 'example' => 'Alice'], ], ], ], ], - 'errorCodes' => [ - 500 => [ - [ - 'errorCode' => 'InternalError', - 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.', - ], - ], - ], - 'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"6894B13B-6D71-4EF5-88FA-F32781734A7F\\",\\n \\"SAMLAssertionInfo\\": {\\n \\"SubjectType\\": \\"persistent\\",\\n \\"Subject\\": \\"alice@example.com\\",\\n \\"Issuer\\": \\"http://example.com/adfs/services/trust\\",\\n \\"Recipient\\": \\"https://signin.aliyun.com/saml-role/SSO\\"\\n },\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"34458433936495****:alice\\",\\n \\"Arn\\": \\"acs:sts::123456789012****:assumed-role/AdminRole/alice\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"********\\",\\n \\"Expiration\\": \\"2015-04-09T11:52:19Z\\",\\n \\"AccessKeySecret\\": \\"wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****\\",\\n \\"AccessKeyId\\": \\"STS.L4aBSCSJVMuKg5U1****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<AssumeRoleWithSAMLResponse>\\n <Credentials>\\n <AccessKeyId>STS.L4aBSCSJVMuKg5U1****</AccessKeyId>\\n <AccessKeySecret>wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****</AccessKeySecret>\\n <Expiration>2015-04-09T11:52:19Z</Expiration>\\n <SecurityToken>********</SecurityToken>\\n </Credentials>\\n <AssumedRoleUser>\\n <arn>acs:sts::1234567890123456:assumed-role/AdminRole/alice</arn>\\n <AssumedRoleId>34458433936495****:alice</AssumedRoleId>\\n </AssumedRoleUser>\\n <SAMLAssertionInfo>\\n <SubjectType>persistent</SubjectType>\\n <Subject>alice@example.com</Subject>\\n <Recipient>https://signin.aliyun.com/saml-role/SSO</Recipient>\\n <Issuer>http://example.com/adfs/services/trust</Issuer>\\n </SAMLAssertionInfo>\\n <RequestId>6894B13B-6D71-4EF5-88FA-F32781734A7F</RequestId>\\n</AssumeRoleWithSAMLResponse>","errorExample":""}]', - 'title' => 'SAML角色SSO时获取扮演角色的临时身份凭证', + 'title' => 'OIDC角色SSO时获取扮演角色的临时身份凭证', + 'summary' => '进行OIDC角色SSO时,通过调用AssumeRoleWithOIDC接口,获取扮演RAM角色的临时身份凭证(STS Token)。', 'description' => '### 前提条件'."\n" ."\n" - .'- 确保已从外部身份提供商(IdP)获取到SAML响应。'."\n" - .'- 确保已在RAM中创建了SAML身份提供商。具体操作,请参见[创建SAML身份提供商](~~116083~~)或[CreateSAMLProvider](~~186846~~) 。'."\n" - .'- 确保已在RAM中创建了可信实体为SAML身份提供商的RAM角色。具体操作,请参见[创建可信实体为身份提供商的RAM角色](~~116805~~)或[CreateRole](~~28710~~) 。', - 'requestParamsDescription' => '> 由于AssumeRoleWithSAML接口使用SAML断言进行身份认证,可以匿名访问,因此不需要提供公共请求参数中的`Signature`、`SignatureMethod`、`SignatureVersion`和`AccessKeyId`参数。关于公共请求参数的详情,请参见[公共请求参数](~~315526~~)。', - ], - 'AssumeRoleWithOIDC' => [ - 'summary' => '进行OIDC角色SSO时,通过调用AssumeRoleWithOIDC接口,获取扮演RAM角色的临时身份凭证(STS Token)。', - 'methods' => [ - 'get', - 'post', - ], - 'schemes' => [ - 'https', + .'- 确保已从外部身份提供商(IdP)获取到OIDC令牌(OIDC Token)。'."\n" + .'- 确保已在RAM中创建了OIDC身份提供商。具体操作,请参见[创建OIDC身份提供商](~~327123~~)或[CreateOIDCProvider](~~327135~~) 。'."\n" + .'- 确保已在RAM中创建了可信实体为OIDC身份提供商的RAM角色。具体操作,请参见[创建可信实体为身份提供商的RAM角色](~~116805~~)或[CreateRole](~~28710~~) 。', + 'requestParamsDescription' => '> 由于AssumeRoleWithOIDC接口使用OIDC Token进行身份认证,可以匿名访问,因此不需要提供公共请求参数中的`Signature`、`SignatureMethod`、`SignatureVersion`和`AccessKeyId`参数。关于公共请求参数的详情,请参见[公共请求参数](~~315526~~)。', + 'changeSet' => [], + 'flowControl' => [ + 'flowControlList' => [ + ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'AssumeRoleWithOIDC'], + ], ], + 'ramActions' => [], + 'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"3D57EAD2-8723-1F26-B69C-F8707D8B565D\\",\\n \\"OIDCTokenInfo\\": {\\n \\"Subject\\": \\"KryrkIdjylZb7agUgCEf****\\",\\n \\"Issuer\\": \\"https://dev-xxxxxx.okta.com\\",\\n \\"ClientIds\\": \\"496271242565057****\\",\\n \\"ExpirationTime\\": \\"2021-10-20T04:27:09Z\\",\\n \\"IssuanceTime\\": \\"2021-10-20T03:27:09Z\\",\\n \\"VerificationInfo\\": \\"Success\\"\\n },\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"33157794895460****\\",\\n \\"Arn\\": \\"acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****\\",\\n \\"Expiration\\": \\"2021-10-20T04:27:09Z\\",\\n \\"AccessKeySecret\\": \\"CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****\\",\\n \\"AccessKeyId\\": \\"STS.NUgYrLnoC37mZZCNnAbez****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<?xml version=\\"1.0\\" encoding=\\"UTF-8\\" ?>\\n<AssumeRoleWithOIDCResponse>\\n\\t<RequestId>3D57EAD2-8723-1F26-B69C-F8707D8B565D</RequestId>\\n\\t<OIDCTokenInfo>\\n\\t\\t<Subject>KryrkIdjylZb7agUgCEf****</Subject>\\n\\t\\t<Issuer>https://dev-xxxxxx.okta.com</Issuer>\\n\\t\\t<ClientIds>496271242565057****</ClientIds>\\n\\t</OIDCTokenInfo>\\n\\t<AssumedRoleUser>\\n\\t\\t<AssumedRoleId>33157794895460****</AssumedRoleId>\\n\\t\\t<Arn>acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession</Arn>\\n\\t</AssumedRoleUser>\\n\\t<Credentials>\\n\\t\\t<SecurityToken>CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****</SecurityToken>\\n\\t\\t<Expiration>2021-10-20T04:27:09Z</Expiration>\\n\\t\\t<AccessKeySecret>CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****</AccessKeySecret>\\n\\t\\t<AccessKeyId>STS.NUgYrLnoC37mZZCNnAbez****</AccessKeyId>\\n\\t</Credentials>\\n</AssumeRoleWithOIDCResponse>\\t\\n","errorExample":""}]', + ], + 'AssumeRoleWithSAML' => [ + 'summary' => '进行SAML角色SSO时,通过调用AssumeRoleWithSAML接口,获取扮演RAM角色的临时身份凭证(STS Token)。', + 'methods' => ['post', 'get'], + 'schemes' => ['https'], 'security' => [ [ - 'ARS_OIDC' => [], + 'Anonymous' => [], ], ], 'operationType' => 'readAndWrite', - 'deprecated' => false, - 'systemTags' => [ - 'operationType' => 'get', - 'riskType' => 'high', - 'chargeType' => 'free', - ], + 'systemTags' => ['operationType' => 'get', 'riskType' => 'high', 'chargeType' => 'free'], 'parameters' => [ [ - 'name' => 'OIDCProviderArn', + 'name' => 'SAMLProviderArn', 'in' => 'query', - 'schema' => [ - 'title' => 'OIDC Provider的ARN', - 'description' => 'OIDC身份提供商的ARN。'."\n" - ."\n" - .'您可以通过RAM控制台或API查看OIDC身份提供商的ARN。具体如下:'."\n" - ."\n" - .'- RAM控制台:请参见[查看OIDC身份提供商信息](~~327123~~)。'."\n" - .'- API:请参见[GetOIDCProvider](~~327126~~)或[ListOIDCProviders](~~327127~~) 。', - 'type' => 'string', - 'required' => false, - 'docRequired' => true, - 'example' => 'acs:ram::113511544585****:oidc-provider/TestOidcIdp', - ], + 'schema' => ['description' => 'RAM中创建的SAML身份提供商的ARN。'."\n" + ."\n" + .'格式:`acs:ram::<account_id>:saml-provider/<saml_provider_id>`。'."\n" + ."\n" + .'您可以通过RAM控制台或API查看身份提供商的ARN。具体如下:'."\n" + ."\n" + .'- RAM控制台:请参见[查看SAML身份提供商基本信息](~~116795~~)。'."\n" + .'- API:请参见[GetSAMLProvider](~~186833~~)或[ListSAMLProviders](~~186851~~)。', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'acs:ram::123456789012****:saml-provider/company1'], ], [ 'name' => 'RoleArn', 'in' => 'query', - 'schema' => [ - 'title' => '需要扮演的角色的ARN', - 'description' => '需要扮演的RAM角色ARN。'."\n" - ."\n" - .'您可以通过RAM控制台或API查看角色ARN。具体如下:'."\n" - ."\n" - .'- RAM控制台:请参见[如何查看RAM角色的ARN](~~39744~~)。'."\n" - .'- API:请参见[ListRoles](~~28713~~)或[GetRole](~~28711~~) 。', - 'type' => 'string', - 'required' => false, - 'docRequired' => true, - 'example' => 'acs:ram::113511544585****:role/testoidc', - ], + 'schema' => ['description' => '要扮演的RAM角色的ARN。'."\n" + ."\n" + .'该角色是可信实体为SAML身份提供商的RAM角色。更多信息,请参见[创建可信实体为身份提供商的RAM角色](~~116805~~)或[CreateRole](~~28710~~)。'."\n" + ."\n" + .'格式:`acs:ram::<account_id>:role/<role_name>`。'."\n" + ."\n" + .'您可以通过RAM控制台或API查看角色ARN。具体如下:'."\n" + ."\n" + .'- RAM控制台:请参见[如何查看RAM角色的ARN?](~~39744~~)。'."\n" + .'- API:请参见[ListRoles](~~28713~~)或[GetRole](~~28711~~)。', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'acs:ram::123456789012****:role/adminrole'], ], [ - 'name' => 'OIDCToken', + 'name' => 'SAMLAssertion', 'in' => 'query', - 'schema' => [ - 'title' => 'OIDC的ID Token,需输入原始Token,无需Base64解码', - 'description' => '由外部IdP签发的OIDC令牌(OIDC Token)。'."\n" - ."\n" - .'长度:4~20000个字符。'."\n" - ."\n" - .'> 需要输入原始OIDC Token,无需Base64解码。', - 'type' => 'string', - 'required' => false, - 'docRequired' => true, - 'example' => 'eyJraWQiOiJKQzl3eHpyaHFKMGd0****', - ], + 'schema' => ['description' => 'Base64编码后的SAML断言。'."\n" + ."\n" + .'长度为4~100000个字符。'."\n" + ."\n" + .'> 需要从IdP获取完整的SAML响应,不能是单独的SAML断言字段。', 'type' => 'string', 'required' => false, 'docRequired' => true, 'example' => 'base64_encoded_saml_assertion'], ], [ 'name' => 'Policy', 'in' => 'query', - 'schema' => [ - 'title' => '权限策略。 生成STS Token时可以指定一个额外的权限策略,以进一步限制STS Token的权限。若不指定则返回的Token拥有指定角色的所有权限。', - 'description' => '为STS Token额外添加的一个权限策略,进一步限制STS Token的权限。具体如下:'."\n" - ."\n" - .'- 如果指定该权限策略,则STS Token最终的权限取RAM角色权限策略与该权限策略的交集。'."\n" - .'- 如果不指定该权限策略,则STS Token最终的权限就是RAM角色的权限。'."\n" - ."\n" - .'长度:1~2048个字符。', - 'type' => 'string', - 'required' => false, - 'example' => '{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}', - ], + 'schema' => ['description' => '为STS Token额外添加的一个权限策略,进一步限制STS Token的权限。具体如下:'."\n" + ."\n" + .'- 如果指定该权限策略,则STS Token最终的权限取RAM角色权限策略与该权限策略的交集。'."\n" + .'- 如果不指定该权限策略,则STS Token最终的权限就是RAM角色的权限。'."\n" + ."\n" + .'长度为1~2048个字符。', 'type' => 'string', 'required' => false, 'example' => 'url_encoded_policy'], ], [ 'name' => 'DurationSeconds', 'in' => 'query', - 'schema' => [ - 'title' => 'Session过期时间,单位为秒。', - 'description' => 'Token有效期。单位:秒。'."\n" - ."\n" - .'默认值:3600。最小值:900。最大值:`MaxSessionDuration`设置的时间。'."\n" - ."\n" - .'关于设置角色最大会话时间`MaxSessionDuration`的具体操作,请参见[CreateRole](~~28710~~)或[UpdateRole](~~28712~~)。', - 'type' => 'integer', - 'format' => 'int64', - 'required' => false, - 'example' => '3600', - ], - ], - [ - 'name' => 'RoleSessionName', - 'in' => 'query', - 'schema' => [ - 'title' => '用户自定义参数。此参数用来区分不同的令牌,可用于用户级别的访问审计。', - 'description' => '角色会话名称。'."\n" - ."\n" - .'该参数为用户自定义参数。通常设置为调用该API的用户身份,例如:用户名。在操作审计日志中,即使是同一个RAM角色执行的操作,也可以根据不同的RoleSessionName来区分实际操作者,以实现用户级别的访问审计。'."\n" - ."\n" - .'格式:包含英文字母、数字、半角句号(.)、at(@)、短划线(-)和下划线(_)。'."\n" - ."\n" - .'长度:2~64个字符。', - 'type' => 'string', - 'required' => true, - 'docRequired' => true, - 'example' => 'TestOidcAssumedRoleSession', - ], + 'schema' => ['description' => 'Token有效期。单位:秒。'."\n" + ."\n" + .'Token有效期最小值为900秒,最大值为`MaxSessionDuration`设置的时间,默认值为3600秒。'."\n" + ."\n" + .'您可以通过CreateRole或UpdateRole接口设置角色最大会话时间`MaxSessionDuration`。更多信息,请参见[CreateRole](~~28710~~)或[UpdateRole](~~28712~~)。', 'type' => 'integer', 'format' => 'int64', 'required' => false, 'example' => '3600'], ], ], 'responses' => [ @@ -649,138 +420,75 @@ 'description' => '返回参数。', 'type' => 'object', 'properties' => [ - 'RequestId' => [ - 'description' => '请求ID。', - 'type' => 'string', - 'example' => '3D57EAD2-8723-1F26-B69C-F8707D8B565D', - ], - 'OIDCTokenInfo' => [ - 'description' => '解析的OIDC Token信息。', + 'RequestId' => ['description' => '请求ID。', 'type' => 'string', 'example' => '6894B13B-6D71-4EF5-88FA-F32781734A7F'], + 'SAMLAssertionInfo' => [ + 'description' => 'SAML断言中的部分信息。', 'type' => 'object', 'properties' => [ - 'Subject' => [ - 'description' => 'OIDC主体。'."\n" - ."\n" - .'对应OIDC Token中的`sub`字段值。'."\n", - 'type' => 'string', - 'example' => 'KryrkIdjylZb7agUgCEf****', - ], - 'Issuer' => [ - 'description' => 'OIDC颁发者URL。'."\n" - ."\n" - .'对应OIDC Token中的`iss`字段值。', - 'type' => 'string', - 'example' => 'https://dev-xxxxxx.okta.com', - ], - 'ClientIds' => [ - 'description' => 'OIDC受众。多个之间用半角逗号(,)分隔。'."\n" - ."\n" - .'对应OIDC Token中的`aud`字段值。', - 'type' => 'string', - 'example' => '496271242565057****', - ], - 'ExpirationTime' => [ - 'description' => 'OIDC Token的过期时间。', - 'type' => 'string', - 'example' => '2021-10-20T04:27:09Z', - ], - 'IssuanceTime' => [ - 'description' => 'OIDC Token的签发时间。', - 'type' => 'string', - 'example' => '2021-10-20T03:27:09Z', - ], - 'VerificationInfo' => [ - 'description' => 'OIDC Token的检验信息。更多信息,请参见[管理OIDC身份提供商](~~327123~~)。', - 'type' => 'string', - 'example' => 'Success', - ], + 'SubjectType' => ['description' => 'SAML断言中`NameID`的格式。当前缀为`urn:oasis:names:tc:SAML:2.0:nameid-format:`时,前缀会被移除。例如:`persistent/transient`。', 'type' => 'string', 'example' => 'persistent'], + 'Subject' => ['description' => 'SAML断言中`Subject - NameID`字段的值。', 'type' => 'string', 'example' => 'alice@example.com'], + 'Issuer' => ['description' => 'SAML断言中`Issuer`字段的值。', 'type' => 'string', 'example' => 'http://example.com/adfs/services/trust'], + 'Recipient' => ['description' => 'SAML断言中`Subject - SubjectConfirmation - SubjectConfirmationData`字段中`Recipient`属性的值。', 'type' => 'string', 'example' => 'https://signin.aliyun.com/saml-role/SSO'], ], ], 'AssumedRoleUser' => [ 'description' => '角色扮演临时身份。', 'type' => 'object', 'properties' => [ - 'AssumedRoleId' => [ - 'description' => '临时身份的ID。', - 'type' => 'string', - 'example' => '33157794895460****', - ], - 'Arn' => [ - 'description' => '临时身份的ARN。', - 'type' => 'string', - 'example' => 'acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession', - ], + 'AssumedRoleId' => ['description' => '临时身份的ID。', 'type' => 'string', 'example' => '34458433936495****:alice'], + 'Arn' => ['description' => '临时身份的ARN。', 'type' => 'string', 'example' => 'acs:sts::123456789012****:assumed-role/AdminRole/alice'], ], ], 'Credentials' => [ - 'description' => '临时访问凭证(STS Token)。', + 'description' => '访问凭证。', 'type' => 'object', 'properties' => [ - 'SecurityToken' => [ - 'description' => '安全令牌。'."\n" - .'> 安全令牌的长度不固定,我们强烈建议您不要对安全令牌的最大长度做任何限制。', - 'type' => 'string', - 'example' => 'CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****', - ], - 'Expiration' => [ - 'description' => 'Token到期失效时间(UTC时间)。', - 'type' => 'string', - 'example' => '2021-10-20T04:27:09Z', - ], - 'AccessKeySecret' => [ - 'description' => '访问密钥。', - 'type' => 'string', - 'example' => 'CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****', - ], - 'AccessKeyId' => [ - 'description' => '访问密钥ID。', - 'type' => 'string', - 'example' => 'STS.NUgYrLnoC37mZZCNnAbez****', - ], + 'SecurityToken' => ['description' => '安全令牌。'."\n" + .'> 安全令牌的长度不固定,我们强烈建议您不要对安全令牌的最大长度做任何限制。', 'type' => 'string', 'example' => '********'], + 'Expiration' => ['description' => 'Token到期失效时间(UTC时间)。', 'type' => 'string', 'example' => '2015-04-09T11:52:19Z'], + 'AccessKeySecret' => ['description' => '访问密钥。', 'type' => 'string', 'example' => 'wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****'], + 'AccessKeyId' => ['description' => '访问密钥ID。', 'type' => 'string', 'example' => 'STS.L4aBSCSJVMuKg5U1****'], ], ], - 'SourceIdentity' => [ - 'description' => '源身份信息。'."\n" - ."\n" - .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n" - ."\n" - .'如果没有设置源身份信息,则该字段不会返回。', - 'type' => 'string', - 'example' => 'Alice', - ], + 'SourceIdentity' => ['description' => '源身份信息。'."\n" + ."\n" + .'在扮演角色时,可以指定扮演者的源身份(SourceIdentity)作为会话的初始身份标识。 该源身份的值在持续扮演角色的链式会话中将一直存在,中途不可更改,可确保操作的可追溯性和安全性。'."\n" + ."\n" + .'如果没有设置源身份信息,则该字段不会返回。', 'type' => 'string', 'example' => 'Alice'], ], ], ], ], - 'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"3D57EAD2-8723-1F26-B69C-F8707D8B565D\\",\\n \\"OIDCTokenInfo\\": {\\n \\"Subject\\": \\"KryrkIdjylZb7agUgCEf****\\",\\n \\"Issuer\\": \\"https://dev-xxxxxx.okta.com\\",\\n \\"ClientIds\\": \\"496271242565057****\\",\\n \\"ExpirationTime\\": \\"2021-10-20T04:27:09Z\\",\\n \\"IssuanceTime\\": \\"2021-10-20T03:27:09Z\\",\\n \\"VerificationInfo\\": \\"Success\\"\\n },\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"33157794895460****\\",\\n \\"Arn\\": \\"acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****\\",\\n \\"Expiration\\": \\"2021-10-20T04:27:09Z\\",\\n \\"AccessKeySecret\\": \\"CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****\\",\\n \\"AccessKeyId\\": \\"STS.NUgYrLnoC37mZZCNnAbez****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<?xml version=\\"1.0\\" encoding=\\"UTF-8\\" ?>\\n<AssumeRoleWithOIDCResponse>\\n\\t<RequestId>3D57EAD2-8723-1F26-B69C-F8707D8B565D</RequestId>\\n\\t<OIDCTokenInfo>\\n\\t\\t<Subject>KryrkIdjylZb7agUgCEf****</Subject>\\n\\t\\t<Issuer>https://dev-xxxxxx.okta.com</Issuer>\\n\\t\\t<ClientIds>496271242565057****</ClientIds>\\n\\t</OIDCTokenInfo>\\n\\t<AssumedRoleUser>\\n\\t\\t<AssumedRoleId>33157794895460****</AssumedRoleId>\\n\\t\\t<Arn>acs:ram::113511544585****:role/testoidc/TestOidcAssumedRoleSession</Arn>\\n\\t</AssumedRoleUser>\\n\\t<Credentials>\\n\\t\\t<SecurityToken>CAIShwJ1q6Ft5B2yfSjIr5bSEsj4g7BihPWGWHz****</SecurityToken>\\n\\t\\t<Expiration>2021-10-20T04:27:09Z</Expiration>\\n\\t\\t<AccessKeySecret>CVwjCkNzTMupZ8NbTCxCBRq3K16jtcWFTJAyBEv2****</AccessKeySecret>\\n\\t\\t<AccessKeyId>STS.NUgYrLnoC37mZZCNnAbez****</AccessKeyId>\\n\\t</Credentials>\\n</AssumeRoleWithOIDCResponse>\\t\\n","errorExample":""}]', - 'title' => 'OIDC角色SSO时获取扮演角色的临时身份凭证', + 'errorCodes' => [ + 500 => [ + ['errorCode' => 'InternalError', 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.', 'description' => ''], + ], + ], + 'title' => 'SAML角色SSO时获取扮演角色的临时身份凭证', 'description' => '### 前提条件'."\n" ."\n" - .'- 确保已从外部身份提供商(IdP)获取到OIDC令牌(OIDC Token)。'."\n" - .'- 确保已在RAM中创建了OIDC身份提供商。具体操作,请参见[创建OIDC身份提供商](~~327123~~)或[CreateOIDCProvider](~~327135~~) 。'."\n" - .'- 确保已在RAM中创建了可信实体为OIDC身份提供商的RAM角色。具体操作,请参见[创建可信实体为身份提供商的RAM角色](~~116805~~)或[CreateRole](~~28710~~) 。', - 'requestParamsDescription' => '> 由于AssumeRoleWithOIDC接口使用OIDC Token进行身份认证,可以匿名访问,因此不需要提供公共请求参数中的`Signature`、`SignatureMethod`、`SignatureVersion`和`AccessKeyId`参数。关于公共请求参数的详情,请参见[公共请求参数](~~315526~~)。', + .'- 确保已从外部身份提供商(IdP)获取到SAML响应。'."\n" + .'- 确保已在RAM中创建了SAML身份提供商。具体操作,请参见[创建SAML身份提供商](~~116083~~)或[CreateSAMLProvider](~~186846~~) 。'."\n" + .'- 确保已在RAM中创建了可信实体为SAML身份提供商的RAM角色。具体操作,请参见[创建可信实体为身份提供商的RAM角色](~~116805~~)或[CreateRole](~~28710~~) 。', + 'requestParamsDescription' => '> 由于AssumeRoleWithSAML接口使用SAML断言进行身份认证,可以匿名访问,因此不需要提供公共请求参数中的`Signature`、`SignatureMethod`、`SignatureVersion`和`AccessKeyId`参数。关于公共请求参数的详情,请参见[公共请求参数](~~315526~~)。', + 'changeSet' => [], + 'flowControl' => [ + 'flowControlList' => [], + ], + 'ramActions' => [], + 'responseDemo' => '[{"type":"json","example":"{\\n \\"RequestId\\": \\"6894B13B-6D71-4EF5-88FA-F32781734A7F\\",\\n \\"SAMLAssertionInfo\\": {\\n \\"SubjectType\\": \\"persistent\\",\\n \\"Subject\\": \\"alice@example.com\\",\\n \\"Issuer\\": \\"http://example.com/adfs/services/trust\\",\\n \\"Recipient\\": \\"https://signin.aliyun.com/saml-role/SSO\\"\\n },\\n \\"AssumedRoleUser\\": {\\n \\"AssumedRoleId\\": \\"34458433936495****:alice\\",\\n \\"Arn\\": \\"acs:sts::123456789012****:assumed-role/AdminRole/alice\\"\\n },\\n \\"Credentials\\": {\\n \\"SecurityToken\\": \\"********\\",\\n \\"Expiration\\": \\"2015-04-09T11:52:19Z\\",\\n \\"AccessKeySecret\\": \\"wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****\\",\\n \\"AccessKeyId\\": \\"STS.L4aBSCSJVMuKg5U1****\\"\\n },\\n \\"SourceIdentity\\": \\"Alice\\"\\n}","errorExample":""},{"type":"xml","example":"<AssumeRoleWithSAMLResponse>\\n <Credentials>\\n <AccessKeyId>STS.L4aBSCSJVMuKg5U1****</AccessKeyId>\\n <AccessKeySecret>wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****</AccessKeySecret>\\n <Expiration>2015-04-09T11:52:19Z</Expiration>\\n <SecurityToken>********</SecurityToken>\\n </Credentials>\\n <AssumedRoleUser>\\n <arn>acs:sts::1234567890123456:assumed-role/AdminRole/alice</arn>\\n <AssumedRoleId>34458433936495****:alice</AssumedRoleId>\\n </AssumedRoleUser>\\n <SAMLAssertionInfo>\\n <SubjectType>persistent</SubjectType>\\n <Subject>alice@example.com</Subject>\\n <Recipient>https://signin.aliyun.com/saml-role/SSO</Recipient>\\n <Issuer>http://example.com/adfs/services/trust</Issuer>\\n </SAMLAssertionInfo>\\n <RequestId>6894B13B-6D71-4EF5-88FA-F32781734A7F</RequestId>\\n</AssumeRoleWithSAMLResponse>","errorExample":""}]', ], 'GetCallerIdentity' => [ 'summary' => '调用GetCallerIdentity获取当前调用者的身份信息。', - 'methods' => [ - 'post', - 'get', - ], - 'schemes' => [ - 'https', - ], + 'methods' => ['post', 'get'], + 'schemes' => ['https'], 'security' => [ [ 'AK' => [], ], ], 'operationType' => 'read', - 'systemTags' => [ - 'operationType' => 'get', - 'riskType' => 'none', - 'chargeType' => 'free', - ], + 'systemTags' => ['operationType' => 'get', 'riskType' => 'none', 'chargeType' => 'free'], 'parameters' => [], 'responses' => [ 200 => [ @@ -788,196 +496,185 @@ 'description' => '返回参数。', 'type' => 'object', 'properties' => [ - 'IdentityType' => [ - 'description' => '身份类型。取值:'."\n" - ."\n" - .'- Account:阿里云账号(主账号)。'."\n" - .'- RAMUser:RAM用户。'."\n" - .'- AssumedRoleUser:RAM角色。', - 'type' => 'string', - 'example' => 'RAMUser', - ], - 'AccountId' => [ - 'description' => '当前调用者所属阿里云账号ID。', - 'type' => 'string', - 'example' => '196813200012****', - ], - 'RequestId' => [ - 'description' => '请求ID。', - 'type' => 'string', - 'example' => '3C87BF47-3724-5443-ADC1-5AEAD9A03EB1', - ], - 'PrincipalId' => [ - 'description' => '身份标识。', - 'type' => 'string', - 'example' => '28877424437521****', - ], - 'UserId' => [ - 'description' => '用户ID。具体如下:'."\n" - ."\n" - .'- 如果当前调用者是阿里云账号,则返回阿里云账号ID。'."\n" - .'- 如果当前调用者是RAM用户,则返回RAM用户ID。'."\n" - ."\n" - .'> 仅限当前调用者是阿里云账号或RAM用户时返回该参数。', - 'type' => 'string', - 'example' => '216959339000****', - ], - 'Arn' => [ - 'description' => '当前调用者的ARN。', - 'type' => 'string', - 'example' => 'acs:ram::196813200012****:user/admin', - ], - 'RoleId' => [ - 'description' => 'RAM角色ID。'."\n" - ."\n" - .'> 仅限当前调用者是RAM角色时返回该参数。', - 'type' => 'string', - 'example' => '33537620082992****', - ], + 'IdentityType' => ['description' => '身份类型。取值:'."\n" + ."\n" + .'- Account:阿里云账号(主账号)。'."\n" + .'- RAMUser:RAM用户。'."\n" + .'- AssumedRoleUser:RAM角色。', 'type' => 'string', 'example' => 'RAMUser'], + 'AccountId' => ['description' => '当前调用者所属阿里云账号ID。', 'type' => 'string', 'example' => '196813200012****'], + 'RequestId' => ['description' => '请求ID。', 'type' => 'string', 'example' => '3C87BF47-3724-5443-ADC1-5AEAD9A03EB1'], + 'PrincipalId' => ['description' => '身份标识。', 'type' => 'string', 'example' => '28877424437521****'], + 'UserId' => ['description' => '用户ID。具体如下:'."\n" + ."\n" + .'- 如果当前调用者是阿里云账号,则返回阿里云账号ID。'."\n" + .'- 如果当前调用者是RAM用户,则返回RAM用户ID。'."\n" + ."\n" + .'> 仅限当前调用者是阿里云账号或RAM用户时返回该参数。', 'type' => 'string', 'example' => '216959339000****'], + 'Arn' => ['description' => '当前调用者的ARN。', 'type' => 'string', 'example' => 'acs:ram::196813200012****:user/admin'], + 'RoleId' => ['description' => 'RAM角色ID。'."\n" + ."\n" + .'> 仅限当前调用者是RAM角色时返回该参数。', 'type' => 'string', 'example' => '33537620082992****'], ], ], ], ], 'errorCodes' => [ 500 => [ - [ - 'errorCode' => 'InternalError', - 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.', - ], + ['errorCode' => 'InternalError', 'errorMessage' => 'STS Server Internal Error happened, please send the RequestId to us.', 'description' => ''], ], ], - 'responseDemo' => '[{"type":"json","example":"{\\n \\"IdentityType\\": \\"RAMUser\\",\\n \\"AccountId\\": \\"196813200012****\\",\\n \\"RequestId\\": \\"3C87BF47-3724-5443-ADC1-5AEAD9A03EB1\\",\\n \\"PrincipalId\\": \\"28877424437521****\\",\\n \\"UserId\\": \\"216959339000****\\",\\n \\"Arn\\": \\"acs:ram::196813200012****:user/admin\\",\\n \\"RoleId\\": \\"33537620082992****\\"\\n}","errorExample":""},{"type":"xml","example":"","errorExample":""}]', 'title' => '获取当前调用者的身份信息', + 'changeSet' => [], + 'flowControl' => [ + 'flowControlList' => [ + ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'GetCallerIdentity'], + ], + ], + 'ramActions' => [], + 'responseDemo' => '[{"type":"json","example":"{\\n \\"IdentityType\\": \\"RAMUser\\",\\n \\"AccountId\\": \\"196813200012****\\",\\n \\"RequestId\\": \\"3C87BF47-3724-5443-ADC1-5AEAD9A03EB1\\",\\n \\"PrincipalId\\": \\"28877424437521****\\",\\n \\"UserId\\": \\"216959339000****\\",\\n \\"Arn\\": \\"acs:ram::196813200012****:user/admin\\",\\n \\"RoleId\\": \\"33537620082992****\\"\\n}","errorExample":""},{"type":"xml","example":"","errorExample":""}]', ], ], 'endpoints' => [ - [ - 'regionId' => 'cn-qingdao', - 'endpoint' => 'sts.cn-qingdao.aliyuncs.com', - ], - [ - 'regionId' => 'cn-beijing', - 'endpoint' => 'sts.cn-beijing.aliyuncs.com', - ], - [ - 'regionId' => 'cn-zhangjiakou', - 'endpoint' => 'sts.cn-zhangjiakou.aliyuncs.com', - ], - [ - 'regionId' => 'cn-huhehaote', - 'endpoint' => 'sts.cn-huhehaote.aliyuncs.com', - ], - [ - 'regionId' => 'cn-wulanchabu', - 'endpoint' => 'sts.cn-wulanchabu.aliyuncs.com', - ], - [ - 'regionId' => 'cn-hangzhou', - 'endpoint' => 'sts.cn-hangzhou.aliyuncs.com', - ], - [ - 'regionId' => 'cn-shanghai', - 'endpoint' => 'sts.cn-shanghai.aliyuncs.com', - ], - [ - 'regionId' => 'cn-nanjing', - 'endpoint' => 'sts.cn-nanjing.aliyuncs.com', - ], - [ - 'regionId' => 'cn-fuzhou', - 'endpoint' => 'sts.cn-fuzhou.aliyuncs.com', - ], - [ - 'regionId' => 'cn-shenzhen', - 'endpoint' => 'sts.cn-shenzhen.aliyuncs.com', - ], - [ - 'regionId' => 'cn-chengdu', - 'endpoint' => 'sts.cn-chengdu.aliyuncs.com', - ], - [ - 'regionId' => 'cn-hongkong', - 'endpoint' => 'sts.cn-hongkong.aliyuncs.com', - ], - [ - 'regionId' => 'ap-northeast-1', - 'endpoint' => 'sts.ap-northeast-1.aliyuncs.com', - ], - [ - 'regionId' => 'ap-northeast-2', - 'endpoint' => 'sts.ap-northeast-2.aliyuncs.com', - ], - [ - 'regionId' => 'ap-southeast-1', - 'endpoint' => 'sts.ap-southeast-1.aliyuncs.com', - ], - [ - 'regionId' => 'ap-southeast-3', - 'endpoint' => 'sts.ap-southeast-3.aliyuncs.com', - ], - [ - 'regionId' => 'ap-southeast-5', - 'endpoint' => 'sts.ap-southeast-5.aliyuncs.com', - ], - [ - 'regionId' => 'us-east-1', - 'endpoint' => 'sts.us-east-1.aliyuncs.com', - ], - [ - 'regionId' => 'us-west-1', - 'endpoint' => 'sts.us-west-1.aliyuncs.com', - ], - [ - 'regionId' => 'eu-west-1', - 'endpoint' => 'sts.eu-west-1.aliyuncs.com', - ], - [ - 'regionId' => 'eu-central-1', - 'endpoint' => 'sts.eu-central-1.aliyuncs.com', - ], - [ - 'regionId' => 'me-east-1', - 'endpoint' => 'sts.me-east-1.aliyuncs.com', - ], - [ - 'regionId' => 'cn-hangzhou-finance', - 'endpoint' => 'sts.aliyuncs.com', - ], - [ - 'regionId' => 'cn-shanghai-finance-1', - 'endpoint' => 'sts.cn-shanghai-finance-1.aliyuncs.com', - ], - [ - 'regionId' => 'cn-shenzhen-finance-1', - 'endpoint' => 'sts.aliyuncs.com', - ], - [ - 'regionId' => 'ap-southeast-7', - 'endpoint' => 'sts.ap-southeast-7.aliyuncs.com', - ], - [ - 'regionId' => 'cn-beijing-finance-1', - 'endpoint' => 'sts.cn-beijing-finance-1.aliyuncs.com', - ], - [ - 'regionId' => 'me-central-1', - 'endpoint' => 'sts.me-central-1.aliyuncs.com', - ], - [ - 'regionId' => 'cn-heyuan', - 'endpoint' => 'sts.cn-heyuan.aliyuncs.com', + ['regionId' => 'cn-beijing', 'regionName' => '华北2(北京)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-beijing.aliyuncs.com', 'endpoint' => 'sts.cn-beijing.aliyuncs.com', 'vpc' => 'sts-vpc.cn-beijing.aliyuncs.com'], + ['regionId' => 'cn-heyuan', 'regionName' => '华南2(河源)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-heyuan.aliyuncs.com', 'endpoint' => 'sts.cn-heyuan.aliyuncs.com', 'vpc' => 'sts-vpc.cn-heyuan.aliyuncs.com'], + ['regionId' => 'cn-zhangjiakou', 'regionName' => '华北3(张家口)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-zhangjiakou.aliyuncs.com', 'endpoint' => 'sts.cn-zhangjiakou.aliyuncs.com', 'vpc' => 'sts-vpc.cn-zhangjiakou.aliyuncs.com'], + ['regionId' => 'ap-northeast-2', 'regionName' => '韩国(首尔)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.ap-northeast-2.aliyuncs.com', 'endpoint' => 'sts.ap-northeast-2.aliyuncs.com', 'vpc' => 'sts-vpc.ap-northeast-2.aliyuncs.com'], + ['regionId' => 'ap-northeast-1', 'regionName' => '日本(东京)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.ap-northeast-1.aliyuncs.com', 'endpoint' => 'sts.ap-northeast-1.aliyuncs.com', 'vpc' => 'sts-vpc.ap-northeast-1.aliyuncs.com'], + ['regionId' => 'ap-southeast-1', 'regionName' => '新加坡', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.ap-southeast-1.aliyuncs.com', 'endpoint' => 'sts.ap-southeast-1.aliyuncs.com', 'vpc' => 'sts-vpc.ap-southeast-1.aliyuncs.com'], + ['regionId' => 'ap-southeast-3', 'regionName' => '马来西亚(吉隆坡)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.ap-southeast-3.aliyuncs.com', 'endpoint' => 'sts.ap-southeast-3.aliyuncs.com', 'vpc' => 'sts-vpc.ap-southeast-3.aliyuncs.com'], + ['regionId' => 'ap-southeast-5', 'regionName' => '印度尼西亚(雅加达)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.ap-southeast-5.aliyuncs.com', 'endpoint' => 'sts.ap-southeast-5.aliyuncs.com', 'vpc' => 'sts-vpc.ap-southeast-5.aliyuncs.com'], + ['regionId' => 'ap-southeast-7', 'regionName' => '泰国(曼谷)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.ap-southeast-7.aliyuncs.com', 'endpoint' => 'sts.ap-southeast-7.aliyuncs.com', 'vpc' => 'sts-vpc.ap-southeast-7.aliyuncs.com'], + ['regionId' => 'cn-wulanchabu', 'regionName' => '华北6(乌兰察布)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-wulanchabu.aliyuncs.com', 'endpoint' => 'sts.cn-wulanchabu.aliyuncs.com', 'vpc' => 'sts-vpc.cn-wulanchabu.aliyuncs.com'], + ['regionId' => 'cn-qingdao', 'regionName' => '华北1(青岛)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-qingdao.aliyuncs.com', 'endpoint' => 'sts.cn-qingdao.aliyuncs.com', 'vpc' => 'sts-vpc.cn-qingdao.aliyuncs.com'], + ['regionId' => 'cn-wuhan-lr', 'regionName' => '华中1(武汉-本地地域)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-wuhan-lr.aliyuncs.com', 'endpoint' => 'sts.cn-wuhan-lr.aliyuncs.com', 'vpc' => 'sts-vpc.cn-wuhan-lr.aliyuncs.com'], + ['regionId' => 'cn-shanghai', 'regionName' => '华东2(上海)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-shanghai.aliyuncs.com', 'endpoint' => 'sts.cn-shanghai.aliyuncs.com', 'vpc' => 'sts-vpc.cn-shanghai.aliyuncs.com'], + ['regionId' => 'cn-hongkong', 'regionName' => '中国香港', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-hongkong.aliyuncs.com', 'endpoint' => 'sts.cn-hongkong.aliyuncs.com', 'vpc' => 'sts-vpc.cn-hongkong.aliyuncs.com'], + ['regionId' => 'cn-shenzhen', 'regionName' => '华南1(深圳)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-shenzhen.aliyuncs.com', 'endpoint' => 'sts.cn-shenzhen.aliyuncs.com', 'vpc' => 'sts-vpc.cn-shenzhen.aliyuncs.com'], + ['regionId' => 'cn-nanjing', 'regionName' => '华东5(南京-本地地域)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-nanjing.aliyuncs.com', 'endpoint' => 'sts.cn-nanjing.aliyuncs.com', 'vpc' => 'sts-vpc.cn-nanjing.aliyuncs.com'], + ['regionId' => 'cn-fuzhou', 'regionName' => '华东6(福州-本地地域)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-fuzhou.aliyuncs.com', 'endpoint' => 'sts.cn-fuzhou.aliyuncs.com', 'vpc' => 'sts-vpc.cn-fuzhou.aliyuncs.com'], + ['regionId' => 'cn-chengdu', 'regionName' => '西南1(成都)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-chengdu.aliyuncs.com', 'endpoint' => 'sts.cn-chengdu.aliyuncs.com', 'vpc' => 'sts-vpc.cn-chengdu.aliyuncs.com'], + ['regionId' => 'cn-guangzhou', 'regionName' => '华南3(广州)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-guangzhou.aliyuncs.com', 'endpoint' => 'sts.cn-guangzhou.aliyuncs.com', 'vpc' => 'sts-vpc.cn-guangzhou.aliyuncs.com'], + ['regionId' => 'cn-huhehaote', 'regionName' => '华北5(呼和浩特)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-huhehaote.aliyuncs.com', 'endpoint' => 'sts.cn-huhehaote.aliyuncs.com', 'vpc' => 'sts-vpc.cn-huhehaote.aliyuncs.com'], + ['regionId' => 'cn-hangzhou', 'regionName' => '华东1(杭州)', 'areaId' => 'asiaPacific', 'areaName' => '亚太', 'public' => 'sts.cn-hangzhou.aliyuncs.com', 'endpoint' => 'sts.cn-hangzhou.aliyuncs.com', 'vpc' => 'sts-vpc.cn-hangzhou.aliyuncs.com'], + ['regionId' => 'eu-west-1', 'regionName' => '英国(伦敦)', 'areaId' => 'europeAmerica', 'areaName' => '欧洲与美洲', 'public' => 'sts.eu-west-1.aliyuncs.com', 'endpoint' => 'sts.eu-west-1.aliyuncs.com', 'vpc' => 'sts-vpc.eu-west-1.aliyuncs.com'], + ['regionId' => 'eu-central-1', 'regionName' => '德国(法兰克福)', 'areaId' => 'europeAmerica', 'areaName' => '欧洲与美洲', 'public' => 'sts.eu-central-1.aliyuncs.com', 'endpoint' => 'sts.eu-central-1.aliyuncs.com', 'vpc' => 'sts-vpc.eu-central-1.aliyuncs.com'], + ['regionId' => 'us-east-1', 'regionName' => '美国(弗吉尼亚)', 'areaId' => 'europeAmerica', 'areaName' => '欧洲与美洲', 'public' => 'sts.us-east-1.aliyuncs.com', 'endpoint' => 'sts.us-east-1.aliyuncs.com', 'vpc' => 'sts-vpc.us-east-1.aliyuncs.com'], + ['regionId' => 'us-west-1', 'regionName' => '美国(硅谷)', 'areaId' => 'europeAmerica', 'areaName' => '欧洲与美洲', 'public' => 'sts.us-west-1.aliyuncs.com', 'endpoint' => 'sts.us-west-1.aliyuncs.com', 'vpc' => 'sts-vpc.us-west-1.aliyuncs.com'], + ['regionId' => 'na-south-1', 'regionName' => '墨西哥', 'areaId' => 'europeAmerica', 'areaName' => '欧洲与美洲', 'public' => 'sts.na-south-1.aliyuncs.com', 'endpoint' => 'sts.na-south-1.aliyuncs.com', 'vpc' => 'sts-vpc.na-south-1.aliyuncs.com'], + ['regionId' => 'me-east-1', 'regionName' => '阿联酋(迪拜)', 'areaId' => 'middleEast', 'areaName' => '中东', 'public' => 'sts.me-east-1.aliyuncs.com', 'endpoint' => 'sts.me-east-1.aliyuncs.com', 'vpc' => 'sts-vpc.me-east-1.aliyuncs.com'], + ['regionId' => 'me-central-1', 'regionName' => '沙特(利雅得)', 'areaId' => 'middleEast', 'areaName' => '中东', 'public' => 'sts.me-central-1.aliyuncs.com', 'endpoint' => 'sts.me-central-1.aliyuncs.com', 'vpc' => 'sts-vpc.me-central-1.aliyuncs.com'], + ['regionId' => 'cn-shenzhen-finance-1', 'regionName' => '华南1 金融云', 'areaId' => 'industryCloud', 'areaName' => '行业云', 'public' => 'sts.aliyuncs.com', 'endpoint' => 'sts.aliyuncs.com', 'vpc' => 'sts-vpc.cn-shenzhen-finance-1.aliyuncs.com'], + ['regionId' => 'cn-beijing-finance-1', 'regionName' => '华北2 金融云(邀测)', 'areaId' => 'industryCloud', 'areaName' => '行业云', 'public' => 'sts.cn-beijing-finance-1.aliyuncs.com', 'endpoint' => 'sts.cn-beijing-finance-1.aliyuncs.com', 'vpc' => 'sts-vpc.cn-beijing-finance-1.aliyuncs.com'], + ['regionId' => 'cn-shanghai-finance-1', 'regionName' => '华东2 金融云', 'areaId' => 'industryCloud', 'areaName' => '行业云', 'public' => 'sts.cn-shanghai-finance-1.aliyuncs.com', 'endpoint' => 'sts.cn-shanghai-finance-1.aliyuncs.com', 'vpc' => 'sts-vpc.cn-shanghai-finance-1.aliyuncs.com'], + ['regionId' => 'cn-hangzhou-finance', 'regionName' => '华东1 金融云', 'areaId' => 'industryCloud', 'areaName' => '行业云', 'public' => 'sts.aliyuncs.com', 'endpoint' => 'sts.aliyuncs.com', 'vpc' => ''], + ], + 'errorCodes' => [ + ['code' => 'AuthenticationFail.OIDCToken.AudienceNotMatch', 'message' => 'Invalid audience.', 'http_code' => 401, 'description' => 'Token中的audience不匹配'], + ['code' => 'AuthenticationFail.OIDCToken.Expired', 'message' => 'This JsonWebToken is expired.', 'http_code' => 401, 'description' => 'OIDC令牌过期'], + ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'The Jwt content is invalid that cannot be recognized.', 'http_code' => 401, 'description' => 'Jwt内容无效且无法识别。'], + ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'The algorithm HS256 that be specified in Jwt header is unknown.', 'http_code' => 401, 'description' => 'Jwt报头中指定的HS256算法未知。'], + ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'Cannot decode base64 encoded response(format invalided).', 'http_code' => 401, 'description' => '格式错误,无法解码base64编码的返回结果。'], + ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'The number of Jwt field should be divided into 3 parts with \'.\' .', 'http_code' => 401, 'description' => 'Jwt 需要能够被‘.’字符划分为3部分。'], + ['code' => 'AuthenticationFail.OIDCToken.Invalid', 'message' => 'The OIDCToken can not empty.', 'http_code' => 401, 'description' => 'OIDCToken字段不能为空值。'], + ['code' => 'AuthenticationFail.OIDCToken.InvalidSignature', 'message' => 'OIDC token validate failed: invalid signature.', 'http_code' => 401, 'description' => 'ODIC令牌的验证签名失败'], + ['code' => 'AuthenticationFail.OIDCToken.IssuerConfigurationBroken', 'message' => 'Cannot find the specific key from the discovery, kid is %s.', 'http_code' => 401, 'description' => 'OIDC Token里指定来验证签名的公钥的kid在idp的jwks uri里没有提供,kid为 %s'], + ['code' => 'AuthenticationFail.OIDCToken.IssuerNotMatch', 'message' => 'The issuer in the OIDC Token doesn\'t match the OIDC Provider registered.', 'http_code' => 401, 'description' => 'OIDC令牌中的issuer字段与注册的OIDC提供商不匹配。'], + ['code' => 'AuthenticationFail.OIDCToken.PublicKeyFingerprintMismatch', 'message' => 'The https fingerprint of this discovery is invalid.', 'http_code' => 401, 'description' => '验证指纹无效,其不在对应OIDC身份提供商的指纹列表中'], + ['code' => 'AuthenticationFail.SAMLAssertion.Expired', 'message' => 'Response IssueInstant is either too old or with date in the future, value:%s.', 'http_code' => 401, 'description' => 'SAML断言过期'], + ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'Bearer SubjectConfirmation invalidated by not before which is forbidden.', 'http_code' => 401, 'description' => 'SAML Assertion的SubjectConfirmation不能包含NotBefore属性。'], + ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'Can\'t find the intended audience in at least one AudienceRestriction.', 'http_code' => 401, 'description' => 'SAML Assertion的Conditions元素中找不到一个符合预期的AudienceRestriction。'], + ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'The rolearn and samlprovider pair can not be found in the Role Attibute of the SAMLAssertion.', 'http_code' => 401, 'description' => 'SAML Assertion中没有RoleArn和SamlProvider信息,需要在AttributeStatement中以Attribute形式存在,格式为:roleArn,providerArn'], + ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'Cannot decode base64 encoded response(format invalided).', 'http_code' => 401, 'description' => 'SAML Assertion的格式不正确,不是标准Base64字符串。'], + ['code' => 'AuthenticationFail.SAMLAssertion.Invalid', 'message' => 'The assertion schema validation failed.', 'http_code' => 401, 'description' => 'SAML Assertion的Schema校验失败,Assertion元素必须存在“ID”(唯一标识)和“IssueInstant”(签发时刻)'], + ['code' => 'EntityNotExist.Role', 'message' => 'The role not exists: %s.', 'http_code' => 404, 'description' => '扮演的角色不存在'], + ['code' => 'EntityNotExist.SAMLProvider', 'message' => 'Can not find SAML provider by ARN:%s.', 'http_code' => 404, 'description' => '无法通过ARM找到对应的SAML provider。'], + ['code' => 'EntityNotExist.SAMLProvider', 'message' => 'Parameter SAMLProviderArn is not valid.', 'http_code' => 404, 'description' => 'SAML身份提供商的Arn无效。'], + ['code' => 'EntityNotExist.User', 'message' => 'account not exists.', 'http_code' => 404, 'description' => '账号不存在'], + ['code' => 'EntityNotExist.User', 'message' => 'The identity account is not exists.', 'http_code' => 404, 'description' => '请求的身份信息不存在'], + ['code' => 'InvalidParameter', 'message' => 'Invalid role arn format:%s.', 'http_code' => 400, 'description' => '角色arn格式不合法'], + ['code' => 'InvalidParameter.AssumeRoleFor', 'message' => 'The parameter AssumeRoleFor is wrongly formed.', 'http_code' => 400, 'description' => '参数AssumeRoleFor不合法'], + ['code' => 'InvalidParameter.DurationSeconds', 'message' => 'The Min/Max value of DurationSeconds is 15min/1hr.', 'http_code' => 400, 'description' => 'DurationSeconds参数不合法,DurationSeconds最小值为15分钟,最大值为1小时'], + ['code' => 'InvalidParameter.DurationSeconds', 'message' => 'The Min/Max value of DurationSeconds is %s.', 'http_code' => 400, 'description' => 'DurationSeconds参数不合法。'], + ['code' => 'InvalidParameter.DurationSeconds', 'message' => 'The Min/Max value of DurationSeconds is 15min/12hr.', 'http_code' => 400, 'description' => 'DurationSeconds参数不合法,DurationSeconds最小值为15分钟,最大值为12小时'."\n"], + ['code' => 'InvalidParameter.ExternalId', 'message' => 'The parameter ExternalId is wrongly formed.', 'http_code' => 400, 'description' => '参数ExternalId不合法'], + ['code' => 'InvalidParameter.Policy.StarCount', 'message' => 'The count of star in policy document\'s value field is limited to %s.', 'http_code' => 400, 'description' => 'Policy中*数量超出最大限制。'], + ['code' => 'InvalidParameter.Policy.StarCount', 'message' => 'The count of star in policy document\'s value field is illegal.', 'http_code' => 400, 'description' => 'Policy中*数量超出最大限制。'."\n"], + ['code' => 'InvalidParameter.PolicyGrammar', 'message' => 'The parameter Policy has not passed grammar check.', 'http_code' => 400, 'description' => '参数Policy语法格式检查未通过。'], + ['code' => 'InvalidParameter.PolicyGrammar', 'message' => 'Invalid Policy.', 'http_code' => 400, 'description' => '无效的参数Policy。'], + ['code' => 'InvalidParameter.PolicySize', 'message' => 'The size of Policy must be smaller than 2048 bytes.', 'http_code' => 400, 'description' => 'Policy参数不合法,Policy长度必须小于2048字节。'], + ['code' => 'InvalidParameter.RoleArn', 'message' => 'The RoleArn can not empty.', 'http_code' => 400, 'description' => '参数RoleArn不能为空值。'], + ['code' => 'InvalidParameter.RoleArn', 'message' => 'The parameter RoleArn is wrongly formed.', 'http_code' => 400, 'description' => '参数RoleArn的格式错误'], + ['code' => 'InvalidParameter.RoleSessionName', 'message' => 'The parameter RoleSessionName is wrongly formed.', 'http_code' => 400, 'description' => '参数RoleSessionName格式错误。'], + ['code' => 'InvalidParameter.RoleSessionName', 'message' => 'The RoleSessionName can not empty.', 'http_code' => 400, 'description' => '参数RoleSessionName不可为空值。'], + ['code' => 'InvalidParameter.UserSessionName', 'message' => 'The parameter UserSessionName is invalid.', 'http_code' => 400, 'description' => '参数UserSessionName不合法'."\n"], + ['code' => 'InvalidVersion', 'message' => 'Specified parameter Version is not valid.', 'http_code' => 400, 'description' => '调用STS版本号错误'], + ['code' => 'ISVAuthenticationFail.SignatureNotMatch', 'message' => 'The IspSignature does not match.', 'http_code' => 401, 'description' => 'IspSignature签名不匹配。'], + ['code' => 'MissingAccessKeyId', 'message' => 'AccessKeyId is mandatory for this action.', 'http_code' => 400, 'description' => '该操作必须具有AccessKeyId。'], + ['code' => 'MissingParameter.OIDCProviderArn', 'message' => 'Parameter OIDCProviderArn is required.', 'http_code' => 400, 'description' => '缺少必要参数OIDCProviderArn。'], + ['code' => 'MissingParameter.RoleSessionName', 'message' => 'Parameter RoleSessionName is required.', 'http_code' => 400, 'description' => '缺少必要参数RoleSessionName。'], + ['code' => 'NoPermission', 'message' => 'Roles may not be assumed by root accounts.', 'http_code' => 403, 'description' => '主账号无角色扮演权限'], + ['code' => 'NoPermission', 'message' => 'You are not authorized to do this action.', 'http_code' => 403, 'description' => '您无权执行此操作。'], + ['code' => 'NotSupported', 'message' => 'The identity type is not supported for this action.', 'http_code' => 403, 'description' => '该身份类型不支持执行此操作。'], + ['code' => 'InvalidParameter.Conditions', 'message' => 'The value of Conditions is invalid.', 'http_code' => 400, 'description' => 'Conditions参数不合法'], + ], + 'changeSet' => [], + 'flowControl' => [ + 'flowControlList' => [ + ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'GetCallerIdentity'], + ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'AssumeRole'], + ['threshold' => '100', 'countWindow' => 1, 'regionId' => '*', 'api' => 'AssumeRoleWithOIDC'], + ['threshold' => '-1', 'countWindow' => 1, 'regionId' => '*'], ], - [ - 'regionId' => 'cn-guangzhou', - 'endpoint' => 'sts.cn-guangzhou.aliyuncs.com', + ], + 'ram' => [ + 'productCode' => 'Sts', + 'productName' => '访问控制', + 'ramCodes' => ['sts'], + 'ramLevel' => '资源级', + 'ramConditions' => [ + [ + 'name' => 'acs:Service', + 'schema' => ['type' => 'String', 'description' => '角色可以被传递给云服务的标识,此限制条件仅适用于 PassRole 操作。取值示例:actiontrail.aliyuncs.com'], + ], + [ + 'name' => 'ram:ServiceNames', + 'schema' => ['type' => 'Array<String>', 'description' => '服务角色可信的云服务标识,多值,取值示例:[\\\\\\\\\\\\\\\\\\\\\\\\"ecs.aliyun.com\\\\\\\\\\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\\\\\\\\\\"rds.aliyuncs.com\\\\\\\\\\\\\\\\\\\\\\\\"]'], + ], + [ + 'name' => 'sts:SourceIdentity', + 'schema' => ['type' => 'String', 'description' => '扮演角色时设置的源身份信息'], + ], + [ + 'name' => 'ram:TrustedPrincipalTypes', + 'schema' => [ + 'type' => 'Array<String>', + 'description' => '角色可信实体的类型,多值。', + 'enums' => ['RAM', 'Service', 'Federated-SAMLProvider', 'Federated-OIDCProvider'], + ], + ], ], - [ - 'regionId' => 'cn-wuhan-lr', - 'endpoint' => 'sts.cn-wuhan-lr.aliyuncs.com', + 'ramActions' => [ + [ + 'apiName' => 'AssumeRole', + 'description' => '获取扮演角色的临时身份凭证', + 'operationType' => 'get', + 'additionalActions' => [ + ['action' => 'sts:SetSourceIdentity', 'validationType' => 'conditional'], + ], + 'ramAction' => [ + 'action' => 'sts:AssumeRole', + 'authLevel' => 'resource', + 'actionConditions' => [ + ['conditionKey' => 'sts:SourceIdentity', 'validationType' => 'conditional'], + ], + 'resources' => [ + ['validationType' => 'always', 'product' => 'Sts', 'resourceType' => 'Role', 'arn' => 'acs:ram::{#accountId}:role/{#RoleName}'], + ], + ], + ], ], - [ - 'regionId' => 'na-south-1', - 'endpoint' => 'sts.na-south-1.aliyuncs.com', + 'resourceTypes' => [ + ['validationType' => 'always', 'resourceType' => 'Role', 'arn' => 'acs:ram::{#accountId}:role/{#RoleName}'], ], ], ]; |
