Help Center> Identity and Access Management> Best Practices> Cross-Account Access Delegation and Resource Management

Cross-Account Access Delegation and Resource Management

Company A and company B have registered HUAWEI CLOUD account A and account B, respectively. If account A wants to authorize account B to manage its resources, account A can create an agency in IAM to establish a trust relationship between the two accounts.

Requirements

Account A has purchased different types of resources on HUAWEI CLOUD. Account A wants to authorize account B to manage its VPC resources in the CN East-Shanghai2 region.
Account B can authorize one or more employees (IAM users) of company B to manage account A's resources.
Account A can modify or cancel the authorization provided to account B at any time.

Solution

Account A creates an agency on the IAM console to authorize account B to manage its resources.
Account B assigns permissions to its IAM users to manage account A's resources specified in the agency.
Account A can modify or delete the agency at any time. Deleting the agency will automatically cancel the permissions assigned to account B and its IAM users for managing account A's resources.

Figure 1 Cross-account authorization model
Click to enlarge

Delegating an Account to Manage Resources

Account A performs the following procedure to delegate account B to manage its VPC resources in the CN East-Shanghai2 region.

Log in to HUAWEI CLOUD using account A. On the IAM console, choose Agencies in the navigation pane.
Click Create Agency, and enter an agency name, for example, VPC Resources O&M.
Select the Account agency type, and enter the account name of company B, for example, B-Company.
Set Validity Period to Unlimited.
Click Assign Permissions, search for and select the VPC FullAccess policy, and then select CN East-Shanghai2.
Click OK.

The agency is displayed in the agency list.

Account A can delete the created agency at any time to cancel the assigned permissions.

Managing Resources of an Account

After the agency is created, account B can switch roles to account A to manage account A's resources. To do this, account B needs to have obtained account A's account name and the agency name.

Log in to the HUAWEI CLOUD management console using account B.
Click the username in the upper right corner, and choose Switch Role.
Enter the account name of account A. The agency created by account A is displayed automatically.
Click OK to switch to account A.

Last Article: Assigning System Permissions for Common Cloud Services

Next Article: Authorizing IAM Users to Manage Resources of an Account

Did this article solve your problem?

Thank you for your score！Your feedback would help us improve the website.

Products

Compute

Application

Dedicated Cloud

Storage

Management & Deployment

Migration

Network

Enterprise Intelligence

Video

Database

Edge Cloud Services

DevCloud

Security

Cloud Communications

Internet of Things

Solutions

Industry-Specific Solutions

General-Purpose Solutions

Security

DevOps

Enterprise Intelligence

Essential Platform

Big Data

Visual Cognition

Speech and Semantics

Support

Help Center

Customer Services

Developers

Console

语言 - Language

中国站 - 简体中文

中国站 - English

International - 简体中文

International - English