This topic provides answers to some frequently asked questions about Resource Access Management (RAM) roles and Security Token Service (STS) tokens.
Why is the error message "You are not authorized to do this action. You should be authorized by RAM." reported when using STS?
When you call the AssumeRole operation to obtain an STS token, the following error message may be returned:
Error message: You are not authorized to do this action. You should be authorized by RAM.
You can refer to the following information to troubleshoot the error:
You are using an Alibaba Cloud account to call the operation.
The AssumeRole operation cannot be called by an Alibaba Cloud account. You must use a RAM user or a RAM role to call this operation.
The RAM user or RAM role that initiates the call lacks the required permission policy to assume roles through STS.
You need to attach the system policy (AliyunSTSAssumeRoleAccess) or a custom policy to the RAM user or RAM role that initiates the call. For an example of a custom policy, see Policy example.
The trust policy of the RAM role that you want to assume does not include the RAM user or RAM role that is initiating the call.
You need to modify the trust policy of the RAM role that you want to assume to allow the RAM user or RAM role to assume this RAM role. For more information, see Edit the trust policy of a RAM role.
Who is allowed to call the AssumeRole operation?
The AssumeRole operation is used to obtain an STS token to assume a RAM role. Only RAM users or RAM roles can call this operation. Alibaba Cloud accounts cannot call this operation.
What are the types of RAM roles? What entities can assume these roles?
Based on different trusted entities in RAM, the following three types of RAM roles are supported:
RAM role whose trusted entity is an Alibaba Cloud account: RAM users within an Alibaba Cloud account can assume this type of RAM role. The RAM users can belong to the Alibaba Cloud account that owns the role or to a different Alibaba Cloud account. This type of RAM role is used for cross-account access and temporary authorization.
RAM role whose trusted entity is an Alibaba Cloud service: Alibaba Cloud services can assume this type of RAM role. RAM roles that a trusted Alibaba Cloud service can assume are classified into two types: normal service role and service-linked role. For more information about service-linked roles, see service-linked roles. This type of RAM role is used to authorize access across Alibaba Cloud services.
RAM role whose trusted entity is an identity provider (IdP): Users of a trusted IdP can assume this type of RAM role. This type of RAM role is used to implement role-based single sign-on (SSO) between Alibaba Cloud and a trusted IdP.
How do I restrict specific RAM users to assume specific RAM roles?
Modify the RAM role trust policy.
In the trust policy of the RAM role, use Principal to specify the RAM users that are allowed to assume this role. In the policy, <account-id> specifies the Alibaba Cloud account ID, and <user-name> specifies the RAM user name. For more information, see Edit the trust policy of a RAM role.
Trust policy example:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<account-id>:user/<user-name>"
        ]
      }
    }
  ],
  "Version": "1"
}
Grant the RAM user permissions to assume roles.
Grant the RAM user the system policy (AliyunSTSAssumeRoleAccess) or a custom policy. A custom policy can further narrow the scope of roles that can be assumed.
In the custom policy, use Resource to specify the ARN of the RAM role that can be assumed. In the policy, <account-id> specifies the Alibaba Cloud account ID, and <role-name> specifies the RAM role name. For more information, see Create a custom policy and Grant permissions to a RAM user.
Policy example:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "acs:ram:*:<account-id>:role/<role-name>"
    }
  ],
  "Version": "1"
}
How do I view the ARN of a RAM role?
Log on to the RAM console.
In the left-side navigation pane, choose .
Click the name of the target RAM role.
In the Basic Information section, view the RAM role ARN.
Is the number of STS API requests limited?
The AssumeRole operation can be called up to 100 times per second. This limit is shared by an Alibaba Cloud account and all RAM users and RAM roles within the account.
If the number of API requests exceeds the upper limit, one of the following error messages is returned:
Error messages:
Error code        Error message                                    HTTP status code
Throttling.Api    Request was denied due to api flow control.      302
Throttling.User   Request was denied due to user flow control.     302
Throttling        Request was denied due to flow control.          302
If one of the preceding error messages is returned, you need to reduce the number of concurrent API calls. If your business scenario requires a higher concurrent call rate, you can submit a ticket to request a quota increase.
What are the permissions of an STS token?
The permissions of an STS token are the intersection of the permissions of the specified RAM role and the permissions specified in the Policy parameter when you call the AssumeRole operation.
If you do not specify the Policy parameter when you call the AssumeRole operation, the returned STS token will have all the permissions of the specified RAM role.
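The following is an added example, not code from the Alibaba Cloud documentation. It simulates offline the two checks from the AssumeRole troubleshooting list and the trust-policy question above (the caller's own permission policy must allow sts:AssumeRole on the role ARN, and the role's trust policy must name the caller), and the intersection rule for the permissions of the resulting STS token. Only Effect, Action, Resource and Principal matching with "*" wildcards is modelled; real RAM evaluation also handles Condition blocks and other policy types. The account ID, user, role and bucket names are constructed placeholders.

```python
# Added example (not from the Alibaba Cloud documentation): offline simulation of
# the AssumeRole authorization checks and of the "intersection" rule for STS tokens.
import fnmatch

ACCOUNT_ID = "123456789012"                                          # constructed
USER_ARN = f"acs:ram::{ACCOUNT_ID}:user/alice"                       # constructed
ROLE_ARN = f"acs:ram::{ACCOUNT_ID}:role/oss-reader"                  # constructed
OBJECT_ARN = f"acs:oss:cn-hangzhou:{ACCOUNT_ID}:report-bucket/q1.csv"  # constructed

# Trust policy of the role, in the shape the FAQ shows (Principal.RAM lists callers).
TRUST_POLICY = {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                "Principal": {"RAM": [USER_ARN]}}], "Version": "1"}
# Custom policy attached to the RAM user: it may assume only this one role.
CALLER_POLICY = {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                 "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/oss-reader"}], "Version": "1"}
# Permission policy attached to the role, and a narrower one passed as the
# AssumeRole Policy parameter (constructed; DeleteObject is not in the role policy).
ROLE_POLICY = {"Statement": [{"Action": ["oss:GetObject", "oss:PutObject"], "Effect": "Allow",
               "Resource": f"acs:oss:*:{ACCOUNT_ID}:report-bucket/*"}], "Version": "1"}
SESSION_POLICY = {"Statement": [{"Action": ["oss:GetObject", "oss:DeleteObject"], "Effect": "Allow",
                  "Resource": f"acs:oss:*:{ACCOUNT_ID}:report-bucket/*"}], "Version": "1"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # "*" in a policy matches any run of characters, including an empty one, so the
    # region-less role ARN "acs:ram::<id>:role/x" matches "acs:ram:*:<id>:role/x".
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def policy_allows(policy, action, resource):
    """True if the permission policy allows `action` on `resource`.
    An explicit Deny overrides any Allow; no matching statement means no access."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_policy_permits(trust_policy, caller_arn):
    """True if the role's trust policy names `caller_arn` under Principal.RAM."""
    return any(stmt["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"])
               and caller_arn in _as_list(stmt.get("Principal", {}).get("RAM", []))
               for stmt in trust_policy["Statement"])


def assume_role_check(caller_arn, caller_policy, role_arn, trust_policy):
    """Return (ok, reason). Both the caller's policy and the role's trust policy must agree,
    which are the two policy-related causes of the 'You are not authorized' error."""
    if not policy_allows(caller_policy, "sts:AssumeRole", role_arn):
        return False, "caller lacks sts:AssumeRole on the role ARN (attach AliyunSTSAssumeRoleAccess or a custom policy)"
    if not trust_policy_permits(trust_policy, caller_arn):
        return False, "role trust policy does not list the caller (edit the trust policy)"
    return True, "ok"


def token_allows(role_policy, session_policy, action, resource):
    """Permissions of the STS token: the intersection of the role's policy and the
    AssumeRole Policy parameter. Without a Policy parameter the token gets the role's
    full permissions; a session policy can only narrow them, never widen them."""
    if not policy_allows(role_policy, action, resource):
        return False
    return session_policy is None or policy_allows(session_policy, action, resource)


if __name__ == "__main__":
    print(assume_role_check(USER_ARN, CALLER_POLICY, ROLE_ARN, TRUST_POLICY))
    for act in ("oss:GetObject", "oss:PutObject", "oss:DeleteObject"):
        print(act, "with session policy:", token_allows(ROLE_POLICY, SESSION_POLICY, act, OBJECT_ARN),
              "without:", token_allows(ROLE_POLICY, None, act, OBJECT_ARN))
```

With the constructed policies, the token can only read objects when the session policy is supplied: PutObject is cut by the session policy, and DeleteObject stays denied because the role policy never granted it, even though the session policy lists it.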
What is the validity period of an STS token?
The validity period of an STS token ranges from 900 seconds to the maximum session duration that you specify. The default validity period is 3,600 seconds.
You can use the DurationSeconds parameter of the AssumeRole operation to specify the validity period of an STS token.
You can use the RAM console or call the API to configure the maximum session duration of a RAM role. For more information, see Specify the maximum session duration for a RAM role.
If I obtained multiple STS tokens at different points in time, are the old and new tokens valid at the same time?
All STS tokens are valid before they expire, regardless of whether new STS tokens have been created.
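The following is an added example, not code from the Alibaba Cloud documentation, covering the throttling, validity-period and multiple-token questions above. It wraps AssumeRole in a client that validates DurationSeconds against the 900-second floor and the role's maximum session duration, caches each STS token for its validity period so that one AssumeRole call serves many requests (which keeps the account well under the shared limit of 100 calls per second), and retries with backoff only on the Throttling.* error codes. The real API is not called: `assume_role` is an injected callable, `FakeSts` is a constructed stand-in that throttles its first calls, and the role ARN and account ID are constructed.

```python
# Added example (not from the Alibaba Cloud documentation): a caching, throttling-aware
# AssumeRole wrapper exercised against a constructed fake STS backend.
import random
import time

MIN_DURATION = 900          # DurationSeconds lower bound (from the FAQ)
DEFAULT_DURATION = 3600     # default validity period (from the FAQ)
THROTTLING_CODES = {"Throttling", "Throttling.Api", "Throttling.User"}


class StsError(Exception):
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def validate_duration(duration_seconds, max_session_duration):
    """Reject values STS would refuse: below 900 s or above the role's maximum session duration."""
    if not MIN_DURATION <= duration_seconds <= max_session_duration:
        raise ValueError(f"DurationSeconds must be between {MIN_DURATION} and {max_session_duration}")
    return duration_seconds


class CachedAssumeRole:
    def __init__(self, assume_role, max_session_duration, refresh_margin=300,
                 max_attempts=5, sleep=time.sleep, now=time.time):
        self._assume_role = assume_role          # callable(role_arn, duration_seconds) -> (token, expires_at)
        self._max_session_duration = max_session_duration
        self._refresh_margin = refresh_margin    # refresh this many seconds before expiry
        self._max_attempts = max_attempts
        self._sleep, self._now = sleep, now      # injectable so the example runs offline
        self._cache = {}                         # role_arn -> (token, expires_at)

    def get_token(self, role_arn, duration_seconds=DEFAULT_DURATION):
        validate_duration(duration_seconds, self._max_session_duration)
        cached = self._cache.get(role_arn)
        if cached and cached[1] - self._now() > self._refresh_margin:
            return cached[0]                     # still valid: no AssumeRole call at all
        for attempt in range(self._max_attempts):
            try:
                token, expires_at = self._assume_role(role_arn, duration_seconds)
            except StsError as err:
                if err.code not in THROTTLING_CODES or attempt == self._max_attempts - 1:
                    raise                        # not flow control, or out of retries
                # Exponential backoff with jitter so many workers do not retry in lockstep.
                self._sleep(min(8.0, 0.25 * 2 ** attempt) * (0.5 + random.random()))
                continue
            # Replacing the cache entry does not revoke the earlier token: per the FAQ,
            # every issued token stays valid until its own expiration.
            self._cache[role_arn] = (token, expires_at)
            return token


class FakeSts:
    """Constructed stand-in for the STS AssumeRole API (not the real SDK client)."""
    def __init__(self, throttle_first, now):
        self.throttle_first, self.calls, self._now = throttle_first, 0, now

    def __call__(self, role_arn, duration_seconds):
        self.calls += 1
        if self.calls <= self.throttle_first:
            raise StsError("Throttling.User", "Request was denied due to user flow control.")
        return f"STS.token-{self.calls}", self._now() + duration_seconds


def demo():
    """Two throttled attempts, then a token; a cache hit; then a refresh close to expiry."""
    clock = [1_000_000.0]                                   # controllable fake clock
    sts = FakeSts(throttle_first=2, now=lambda: clock[0])
    client = CachedAssumeRole(sts, max_session_duration=3600,
                              sleep=lambda _s: None, now=lambda: clock[0])
    role_arn = "acs:ram::123456789012:role/oss-reader"      # constructed ARN
    first = client.get_token(role_arn)
    second = client.get_token(role_arn)                     # served from cache, no API call
    clock[0] += 3400                                        # 200 s left, under the 300 s margin
    third = client.get_token(role_arn)
    return first, second, third, sts.calls


if __name__ == "__main__":
    print(demo())
```

In the demo the backend throttles twice, so the first token is issued on the third call, the second request is a cache hit, and the refresh near expiry is the fourth and last AssumeRole call. A non-throttling error (for example the authorization error discussed at the top of this page) is raised immediately, because retrying cannot fix a policy problem.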
What do I do if STS tokens are disclosed?
If STS tokens obtained by a RAM user that assumed a RAM role are disclosed, perform the following steps to disable the STS tokens:
Log on to the RAM console.
Detach all policies from the RAM role.
For more information, see Revoke permissions from a RAM role.
Delete the RAM role.
For more information, see Delete a RAM role.
After the RAM role is deleted, all STS tokens that were obtained by assuming this RAM role and have not expired will immediately become invalid.
If you still need to use this RAM role, you can create a new role with the same name and attach the same policies to continue your tasks with the newly created RAM role.
What is the maximum length for an STS token?
Alibaba Cloud STS does not impose limits on the length of STS tokens. We strongly recommend that you do not assume or enforce a maximum length for STS tokens in your applications.