Accessing OBS Using Temporary Access Keys of an IAM Agency

The IAM agency is a function of Identity and Access Management (IAM). In scenarios such as CDN private bucket retrieval and cross-region replication, IAM agencies are required to grant other accounts or cloud services the permissions to access and to securely and efficiently manage OBS resources.

An agency is required for using cross-region replication or bucket logging of OBS.

• When creating a cross-region replication rule, you need to select or create an agency with OBS access permissions, so that you can perform replication operations. For details, see Creating an Agency for Cross-Region Replication.
• When using bucket logging to record logs, you need to select or create an agency with OBS access permissions, so that OBS can store bucket logs. For details, see Creating an Agency for Uploading Logs.

To access OBS through an agency, you need to call the IAM API to obtain temporary access keys and security tokens of an agency and use them to access OBS. The delegated accounts need to manually call APIs to obtain credentials, while the delegated cloud service systems automatically obtain credentials.

For details about IAM agencies, see Identity and Access Management User Guide.