Using a Stack Set
Set up required permissions to create a stack set with service-managed permissions.
To create a stack set with self-managed permissions, create IAM roles in each account to establish a trust relationship between the administrator and target accounts.
- Determine which Huawei Cloud account is the administrator account.
Stack sets are created in this administrator account. A target account is an account into which you create stacks in a stack set.
- Determine how to configure permissions for the stack set.
The easiest (and most lenient) permissions setup is to allow all users within the administrator account to create and update the stack sets managed through that account. If you need finer-grained control, you can set up permissions to manage required resources through IAM agencies. For details, see Creating an Agency.
- Set up permissions for users of the administrator account to perform stack set operations in all target accounts.
In the administrator account, create an agency named Administrator_account (custom) that entrusts RFS. Add the iam:tokens:assume and Tenant Administrator permissions to the agency.
In the target account, create an agency named Target_Account (custom) that entrusts the administrator account, and grant the Tenant Administrator permission.
- Set up advanced permissions for stack set operations.
In the administrator account, create an agency named Administrator_account (custom) that entrusts RFS. Use fine-grained authorization to add iam:tokens:assume and required operation permissions to the agency.
In the target account, create an agency named Target_Account (custom) that entrusts the administrator account, and grant the target account the permissions to perform operations on resources.
- Set up permissions for users of the administrator account to perform stack set operations in all target accounts.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot