tencent cloud

Security Token Service

DocumentationSecurity Token ServiceAPI DocumentationSTS APIsAssumeRoleWithSAML

AssumeRoleWithSAML

PDF
Focus Mode
Font Size
Last updated: 2026-04-24 15:38:32

1. API Description

Domain name for API request: sts.intl.tencentcloudapi.com.

This API is used to request temporary access credentials for a role based on a SAML assertion.

Note: When called with signature method v3, header X-TC-Token could be ignored, and Authorization should be SKIP.

A maximum of 200 requests can be initiated per second for this API.

Note: when called with signature method v3, header X-TC-Token could be ignored, and Authorization should be SKIP.

We recommend you to use API Explorer
Try it
API Explorer provides a range of capabilities, including online call, signature authentication, SDK code generation, and API quick search. It enables you to view the request, response, and auto-generated examples.

2. Input Parameters

The following request parameter list only provides API request parameters and some common parameters. For the complete common parameter list, see Common Request Parameters.

Parameter Name Required Type Description
Action Yes String Common Params. The value used for this API: AssumeRoleWithSAML.
Version Yes String Common Params. The value used for this API: 2018-08-13.
Region Yes String Common Params. For more information, please see the list of regions supported by the product.
SAMLAssertion Yes String Base64-encoded SAML assertion
PrincipalArn Yes String Principal access description name
RoleArn Yes String Role access description name
RoleSessionName Yes String Session name
DurationSeconds No Integer Specifies the validity period of the temporary access credentials in seconds. Default value: 7,200s. Maximum value: 43,200s.

3. Output Parameters

Parameter Name Type Description
Credentials Credentials An object consists of the Token, TmpSecretId, and TmpSecretId
ExpiredTime Integer Indicates the expiration time of the temporary access credentials. A Unix timestamp will be returned which is accurate to the second.
Expiration String Indicates the expiration time of the temporary access credentials in UTC time in ISO 8601 format.
RequestId String The unique request ID, generated by the server, will be returned for every request (if the request fails to reach the server for other reasons, the request will not obtain a RequestId). RequestId is required for locating a problem.

4. Example

Example1 Applying for Temporary Credentials for a Role via a SAML Assertion

This example shows you how to apply for temporary credentials for a role via a SAML assertion.

Input Example

POST / HTTP/1.1
Host: sts.intl.tencentcloudapi.com
Content-Type: application/json
X-TC-Action: AssumeRoleWithSAML
<Common request parameters>

{
    "RoleArn": "qcs::cam::uin/798950673:roleName/OneLogin-Role",
    "PrincipalArn": "qcs::cam::uin/798950673:saml-provider/OneLogin",
    "SAMLAssertion": "c2FtbCBhc3NlcnRpb24=",
    "RoleSessionName": "test"
}

Output Example

{
    "Response": {
        "Credentials": {
            "Token": "1siMD***",
            "TmpSecretId": "AKID***",
            "TmpSecretKey": "q95K***"
        },
        "ExpiredTime": 1543914376,
        "Expiration": "2018-12-04T09:06:16Z",
        "RequestId": "4daec797-9cd2-4f09-9e7a-7d4c43b2a74c"
    }
}

5. Developer Resources

SDK

TencentCloud API 3.0 integrates SDKs that support various programming languages to make it easier for you to call APIs.

Command Line Interface

6. Error Code

The following only lists the error codes related to the API business logic. For other error codes, see Common Error Codes.

Error Code Description
InternalError.DbError Database error.
InternalError.EncryptError Encryption failed.
InternalError.GetAppIdError Failed to get the appid.
InternalError.GetRoleError Failed to get the role.
InternalError.GetSeedTokenError Failed to obtain the token.
InternalError.IllegalRole Invalid role.
InternalError.PbSerializeError pb packaging failed.
InternalError.SystemError Internal system error, such as network error.
InternalError.UnknownError Unknown error.
InvalidParameter.AccountNotAvaliable The account does not exist or is unavailable.
InvalidParameter.ExtendStrategyOverSize The extension policy is too large.
InvalidParameter.GrantOtherResource Unauthorized access to the resource.
InvalidParameter.OverLimit Frequency limit exceeded.
InvalidParameter.OverTimeError The expiration time exceeds the threshold.
InvalidParameter.ParamError Invalid parameter.
InvalidParameter.PolicyTooLong The policy is too long.
InvalidParameter.ResouceError Six-segment resource description error.
InvalidParameter.StrategyFormatError Policy syntax error.
InvalidParameter.StrategyInvalid Invalid policy.
InvalidParameter.TempCodeNotAvaliable Invalid temporary code.
RequestLimitExceeded Too many and frequent requests.
ResourceNotFound.RoleNotFound The role corresponding to the account does not exist.
UnauthorizedOperation Unauthorized operation.
Previous Topic: AssumeRoleWithWebIdentityNext Topic: AssumeRole

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback