Help Center/ Identity and Access Management/ Best Practices/ Cross-Account Access Delegation and Resource Management
Updated on 2023-06-20 GMT+08:00
View PDF

Cross-Account Access Delegation and Resource Management

Company A and company B have created account A and account B, respectively. If account A wants to authorize account B to manage its resources, account A can create an agency in IAM to establish a trust relationship between the two accounts.

Requirements

  • Account A has purchased different types of resources on HUAWEI CLOUD. Account A wants to authorize account B to manage its VPC resources in the EU-Dublin region.
  • Account B can authorize one or more employees (IAM users) of company B to manage account A's resources.
  • Account A can modify or cancel the authorization provided to account B at any time.

Solution

  • Account A creates an agency on the IAM console to authorize account B to manage its resources.
  • Account B assigns permissions to its IAM users to manage account A's resources specified in the agency.
  • Account A can modify or delete the agency at any time. Deleting the agency will automatically cancel the permissions assigned to account B and its IAM users for managing account A's resources.
Figure 1 Cross-account authorization model

Delegating an Account to Manage Resources

Account A performs the following procedure to delegate account B to manage its VPC resources in the EU-Dublin region.

  1. Log in to HUAWEI CLOUD using account A. On the IAM console, choose Agencies in the navigation pane.
  2. Click Create Agency, and enter an agency name, for example, VPC Resources O&M.
  3. Select the Account agency type, and enter the account name of company B, for example, B-Company.
  4. Set Validity Period to Unlimited.

  5. Click Next.
  6. Select VPC FullAccess and click Next.
  7. Specify the authorization scope as Region-specific projects, and select EU-Dublin.
  8. Click OK.

    The agency is displayed in the agency list.

    Account A can modify the permissions or validity period of the agency or delete the agency based on service requirements.

Managing Resources of an Account

After the agency is created, account B can switch roles to account A to manage account A's resources. To do this, account B needs to have obtained account A's account name and the agency name.

  1. Log in to the HUAWEI CLOUD management console using account B.
  2. Click the username in the upper right corner, and choose Switch Role.

  3. Enter the account name of account A. The agency created by account A is displayed automatically.

  4. Click OK to switch to account A.