Delegating Resource Access to Another Account
The agency function lets you delegate operations and maintenance (O&M) of your resources to another account, based on the permissions you assign.
You can delegate resource access only to accounts. The accounts can then delegate access to IAM users under them.
The following is the procedure for delegating resource access to another account. Account A is the delegating party and account B is the delegated party.
- Account A creates an agency in IAM to delegate resource access to account B.

  Figure 1 (Account A) Creating an agency

- (Optional) Account B assigns permissions to an IAM user to manage specific resources for account A.
  - Create a user group, and grant it permissions required to manage account A's resources.
  - Create a user and add the user to the user group.

  Figure 2 (Account B) Authorizing an IAM user to manage delegated resources

- Account B or the authorized user manages account A's resources.
  - Use account B to log in and switch the role to account A.
  - Switch to region A and manage account A's resources in this region.

  Figure 3 (Account B) Switching the role
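
The delegation chain in the procedure above can be reviewed as data. The following is an added example, not Huawei Cloud code or API objects: it lists every principal that can switch to a delegating account's agency, which is what account A needs to enumerate when reviewing who has access through an agency. The record shapes, account names, user names and permission strings are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed record shapes for illustration; not Huawei Cloud API objects.
@dataclass(frozen=True)
class Agency:                 # created by the delegating account (account A)
    delegating: str           # account that owns the resources
    delegated: str            # account that receives access (accounts only)
    permissions: frozenset    # permissions assigned to the agency

@dataclass(frozen=True)
class GroupGrant:             # created by the delegated account (account B)
    account: str              # account that owns the user group
    group: str
    manages: str              # delegating account the group may manage

def who_can_switch(agencies, grants, memberships):
    """Map (principal, delegating account) -> permissions gained by switching role.

    memberships maps (account, user) -> set of group names.
    """
    reach = {}
    for ag in agencies:
        # The delegated account itself can switch without any extra grant.
        reach[(ag.delegated, ag.delegating)] = ag.permissions
        for (acct, user), groups in memberships.items():
            if acct != ag.delegated:
                continue      # an agency names one account; other accounts' users get nothing
            if any(g.account == acct and g.manages == ag.delegating and g.group in groups
                   for g in grants):
                reach[(f"{acct}/{user}", ag.delegating)] = ag.permissions
    return reach

# Constructed sample data (names and permission strings are made up).
AGENCIES = [Agency("account-A", "account-B", frozenset({"servers:read", "servers:restart"}))]
GRANTS = [GroupGrant("account-B", "ops-for-A", "account-A")]
MEMBERSHIPS = {
    ("account-B", "alice"): {"ops-for-A"},    # authorized by account B
    ("account-B", "bob"): {"developers"},     # same account, no grant
    ("account-C", "carol"): {"ops-for-A"},    # group name matches, wrong account
}
REACH = who_can_switch(AGENCIES, GRANTS, MEMBERSHIPS)

if __name__ == "__main__":
    for (principal, target), perms in sorted(REACH.items()):
        print(f"{principal} -> {target}: {sorted(perms)}")
```

Every entry in the result is a principal that account A has effectively trusted, including users that only account B chose to authorize.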