Creating a Service-linked Agency
Function
This API is used to create a service-linked agency.
Authorization Information
Each account has all the permissions required to call all APIs, but IAM users must be assigned the following required identity policy-based permissions. For details about the required permissions, see Permissions Policies and Supported Actions.
|
Action |
Access Level |
Resource Type (*: required) |
Condition Key |
Alias |
Dependencies |
|---|---|---|---|---|---|
|
iam:agencies:createServiceLinkedAgencyV5 |
Write |
agency * |
- |
- |
- |
|
- |
iam:ServicePrincipal |
URI
PUT /v5/service-linked-agencies
Request Parameters
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
service_principal |
Yes |
String |
Service principal, which starts with service. and is followed by a string of 1 to 56 characters containing only letters, digits, and hyphens (-). |
|
description |
No |
String |
Description of a service-linked agency. The value cannot contain the following special characters: @#%&<>\$^* Maximum: 1000 |
Response Parameters
Status code: 201
|
Parameter |
Type |
Description |
|---|---|---|
|
agency |
Agency object |
Agency or trust agency. |
|
Parameter |
Type |
Description |
|---|---|---|
|
urn |
String |
Uniform resource name. |
|
trust_policy |
String |
JSON format of the policy document of a trust agency's trust policy. Characters =, <, >, (, ), and | are special characters in the grammar and are not included in trust policies. The question mark (?) following an element indicates that the element is optional, for example, sid_block?. The vertical bar (|) separates options, and the parentheses enclose the options, for example, ("Allow" | "Deny"). When an element allows more than one value, use commas (,), and ellipsis (...), for example, [ <policy_statement>, <policy_statement>, ... ]. The following listing describes the trust policy language grammar: policy = {
<version_block>,
<statement_block>
}
<version_block> = "Version" : ("5.0")
<statement_block> = "Statement" : [ <policy_statement>, <policy_statement>, ... ]
<policy_statement> = {
<sid_block?>,
<principal_block>,
<effect_block>,
<action_block>,
<resource_block?>,
<condition_block?>
}
<sid_block> = "Sid" : <sid_string>
<principal_block> = ("Principal" | "NotPrincipal") : <principal_map>
<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }
<principal_map_entry> = ("IAM" | "Service") : [ <principal_id_string>, ... | <service_principal_string>, ... ]
<effect_block> = "Effect" : ("Allow" | "Deny")
<action_block> = ("Action" | "NotAction") : [ <action_string>, <action_string>, ... ]
<resource_block> = ("Resource" | "NotResource") : [ <resource_string>, <resource_string>, ... ]
<condition_block> = "Condition" : { <condition_map> }
<condition_map> = {
<condition_type_string> : { <condition_key_string> : <condition_value_list> },
<condition_type_string> : { <condition_key_string> : <condition_value_list> },
...
}
<condition_value_list> = ( <condition_value> | [ <condition_value>, <condition_value>, ... ] )
<condition_value> = "string" |
|
created_at |
String |
Time when an agency or trust agency was created. |
|
description |
String |
Description of an agency or trust agency. |
|
max_session_duration |
Integer |
Maximum session duration of an agency or trust agency. The default value is 3,600 seconds. The value ranges from 3,600 to 43,200. |
|
path |
String |
Resource path, which is an empty string by default. It consists of multiple character strings. Each character string must end with a slash (/) and can only contain letters, digits, and the following special characters: .,+@=_-, for example, foo/bar/. |
|
agency_id |
String |
Agency or trust agency ID. The value contains 1 to 64 characters, including only letters, digits, and hyphens (-). |
|
agency_name |
String |
Agency or trust agency name. The value contains 1 to 64 characters, including only letters, digits, and the following special characters: _+=,.@- |
|
trust_domain_id |
String |
Delegated account ID, which is only in agencies but not in trust agencies. |
|
trust_domain_name |
String |
Delegated account name, which is only in agencies but not in trust agencies. |
Status code: 403
|
Parameter |
Type |
Description |
|---|---|---|
|
error_code |
String |
Error code. |
|
error_msg |
String |
Error message. |
|
request_id |
String |
Request ID. |
|
encoded_authorization_message |
String |
Encrypted authentication failure information, which can be decrypted using the STS5 decryption API. |
Status code: 404
|
Parameter |
Type |
Description |
|---|---|---|
|
error_code |
String |
Error code. |
|
error_msg |
String |
Error message. |
|
request_id |
String |
Request ID. |
Status code: 409
|
Parameter |
Type |
Description |
|---|---|---|
|
error_code |
String |
Error code. |
|
error_msg |
String |
Error message. |
|
request_id |
String |
Request ID. |
Example Requests
Creating a service-linked agency whose service principal is service.xxx
PUT https://{endpoint}/v5/service-linked-agencies
{
"service_principal" : "service.xxx",
"description" : "description"
}
Example Responses
Status code: 201
Successful
{
"agency" : {
"urn" : "iam::accountid:agency:service-linked-agency/service.xxx/name",
"trust_policy" : "{\"Version\":\"5.0\",\"Statement\":[{\"Action\":[\"sts:agencies:assume\",\"sts::tagSession\",\"sts::setSourceIdentity\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"service.xxx\"]}}]}",
"created_at" : "2023-09-11T10:13:25.414Z",
"description" : "description",
"max_session_duration" : 3600,
"path" : "service-linked-agency/service.xxx/",
"agency_id" : "id",
"agency_name" : "name",
"trust_domain_id" : null,
"trust_domain_name" : null
}
}
Status Codes
|
Status Code |
Description |
|---|---|
|
201 |
Successful |
|
403 |
Forbidden |
|
404 |
Not found |
|
409 |
Conflict |
Error Codes
See Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
