Creating a Trust Agency

Function

This API is used to create a trust agency.

Trust agencies can only have identity policies attached, and are only compatible with cloud services that support identity policies. For details, see "Cloud Services for Using Identity Policies and Trust Agencies" in the Identity and Access Management User Guide.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the following required identity policy-based permissions. For details about the required permissions, see Permissions Policies and Supported Actions.

Action	Access Level	Resource Type (*: required)	Condition Key	Alias	Dependencies
iam:agencies:createV5	Write	agency *	-	-	-

URI

POST /v5/agencies

Request Parameters

**Table 1** Request body parameters
Parameter	Mandatory	Type	Description
agency_name	Yes	String	Trust agency name. The value can contain 1 to 64 characters. Only letters, digits, hyphens (-), and the following special characters are allowed: _+=,.@
path	No	String	Resource path, which is an empty string by default. It consists of multiple character strings. Each character string must end with a slash (/) and can only contain letters, digits, and the following special characters: .,+@=_-, for example, foo/bar/.
trust_policy	Yes	String	JSON format of the policy document of a trust agency's trust policy. Characters =, <, >, (, ), and \| are special characters in the grammar and are not included in trust policies. The question mark (?) following an element indicates that the element is optional, for example, sid_block?. The vertical bar (\|) separates options, and the parentheses enclose the options, for example, ("Allow" \| "Deny"). When an element allows more than one value, use commas (,), and ellipsis (...), for example, [ <policy_statement>, <policy_statement>, ... ]. The following listing describes the trust policy language grammar: policy = { <version_block>, <statement_block> } <version_block> = "Version" : ("5.0") <statement_block> = "Statement" : [ <policy_statement>, <policy_statement>, ... ] <policy_statement> = { <sid_block?>, <principal_block>, <effect_block>, <action_block>, <resource_block?>, <condition_block?> } <sid_block> = "Sid" : <sid_string> <principal_block> = ("Principal" \| "NotPrincipal") : <principal_map> <principal_map> = { <principal_map_entry>, <principal_map_entry>, ... } <principal_map_entry> = ("IAM" \| "Service") : [ <principal_id_string>, ... \| <service_principal_string>, ... ] <effect_block> = "Effect" : ("Allow" \| "Deny") <action_block> = ("Action" \| "NotAction") : [ <action_string>, <action_string>, ... ] <resource_block> = ("Resource" \| "NotResource") : [ <resource_string>, <resource_string>, ... ] <condition_block> = "Condition" : { <condition_map> } <condition_map> = { <condition_type_string> : { <condition_key_string> : <condition_value_list> }, <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ... } <condition_value_list> = ( <condition_value> \| [ <condition_value>, <condition_value>, ... ] ) <condition_value> = "string"
max_session_duration	No	Integer	Maximum session duration of a trust agency. The value ranges from 3,600 to 43,200. The default value is 3,600 seconds.
description	No	String	Description of the trust agency. The value is a string that can contain up to 1,000 characters. By default, the value is an empty string. Maximum: 1000

Response Parameters

Status code: 201

**Table 2** Response body parameters
Parameter	Type	Description
agency	TrustAgency object	Trust agency.

**Table 3** TrustAgency
Parameter	Type	Description
urn	String	Uniform resource name.
trust_policy	String	JSON format of the policy document of a trust agency's trust policy. Characters =, <, >, (, ), and \| are special characters in the grammar and are not included in trust policies. The question mark (?) following an element indicates that the element is optional, for example, sid_block?. The vertical bar (\|) separates options, and the parentheses enclose the options, for example, ("Allow" \| "Deny"). When an element allows more than one value, use commas (,), and ellipsis (...), for example, [ <policy_statement>, <policy_statement>, ... ]. The following listing describes the trust policy language grammar: policy = { <version_block>, <statement_block> } <version_block> = "Version" : ("5.0") <statement_block> = "Statement" : [ <policy_statement>, <policy_statement>, ... ] <policy_statement> = { <sid_block?>, <principal_block>, <effect_block>, <action_block>, <resource_block?>, <condition_block?> } <sid_block> = "Sid" : <sid_string> <principal_block> = ("Principal" \| "NotPrincipal") : <principal_map> <principal_map> = { <principal_map_entry>, <principal_map_entry>, ... } <principal_map_entry> = ("IAM" \| "Service") : [ <principal_id_string>, ... \| <service_principal_string>, ... ] <effect_block> = "Effect" : ("Allow" \| "Deny") <action_block> = ("Action" \| "NotAction") : [ <action_string>, <action_string>, ... ] <resource_block> = ("Resource" \| "NotResource") : [ <resource_string>, <resource_string>, ... ] <condition_block> = "Condition" : { <condition_map> } <condition_map> = { <condition_type_string> : { <condition_key_string> : <condition_value_list> }, <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ... } <condition_value_list> = ( <condition_value> \| [ <condition_value>, <condition_value>, ... ] ) <condition_value> = "string"
created_at	String	Time when a trust agency is created.
description	String	Description of a trust agency.
max_session_duration	Integer	Maximum session duration of a trust agency. The value ranges from 3,600 to 43,200. The default value is 3,600 seconds.
path	String	Resource path, which is an empty string by default. It consists of multiple character strings. Each character string must end with a slash (/) and can only contain letters, digits, and the following special characters: .,+@=_-, for example, foo/bar/.
agency_id	String	Trust agency ID. The value must contain 1 to 64 characters. Only letters, digits, and hyphens (-) are allowed.
agency_name	String	Trust agency name. The value can contain 1 to 64 characters. Only letters, digits, hyphens (-), and the following special characters are allowed: _+=,.@
trust_domain_id	String	Delegated account ID, which is only in agencies but not in trust agencies.
trust_domain_name	String	Delegated account name, which is only in agencies but not in trust agencies.

Status code: 400

**Table 4** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.

Status code: 403

**Table 5** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
request_id	String	Request ID.
encoded_authorization_message	String	Encrypted authentication failure information, which can be decrypted using the STS5 decryption API.

Status code: 409

**Table 6** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
request_id	String	Request ID.

Example Requests

Creating a trust agency name

POST https://{endpoint}/v5/agencies

{
  "agency_name" : "name",
  "path" : "",
  "trust_policy" : "{\"Version\":\"5.0\",\"Statement\":[{\"Action\":[\"sts:agencies:assume\",\"sts::tagSession\",\"sts::setSourceIdentity\"],\"Effect\":\"Allow\",\"Principal\":{\"IAM\":[\"xxx\"]}}]}",
  "max_session_duration" : 3600,
  "description" : "description"
}

Example Responses

Status code: 201

Successful

{
  "agency" : {
    "urn" : "iam::accountid:agency:name",
    "trust_policy" : "{\"Version\":\"5.0\",\"Statement\":[{\"Action\":[\"sts:agencies:assume\",\"sts::tagSession\",\"sts::setSourceIdentity\"],\"Effect\":\"Allow\",\"Principal\":{\"IAM\":[\"xxx\"]}}]}",
    "created_at" : "2023-09-21T01:17:19.590Z",
    "description" : "description",
    "max_session_duration" : 3600,
    "path" : "",
    "agency_id" : "string",
    "agency_name" : "name",
    "trust_domain_id" : null,
    "trust_domain_name" : null
  }
}