Authorizing IAM Users to Manage Resources of an Account
Company B is a professional O&M company. It becomes a delegated party after being authorized by company A. Company B assigns permissions to one or more of its IAM users to manage company A's resources.
Requirements
- Company B wants to authorize its employees (IAM users) to manage the delegated resources of company A.
- If company A creates multiple agencies for company B, company B can allocate the agencies to different employees. This will allow each employee to only manage resources of specific agencies.
Solution
- Account B creates users on the IAM console, and grants the permissions (including Agent Operator) required for managing delegated resources to the users.
- Account B creates a custom policy with only the permissions required to manage the delegated resources of an agency. Then, account B attaches the policy to the group to which a user belongs, so that the user can only manage the resources of the agency.
Procedure
Account B performs the following procedure to authorize IAM users to manage resources of specific agencies. After authorization, the IAM users of account B can switch their roles to account A to manage account A's resources. To do this, account B needs to have obtained the account (HUAWEI ID), agency name, and agency ID of the delegating party.
- Create a user group and grant permissions to it.
- In the navigation pane, choose User Groups.
- On the User Groups page, click Create User Group.
- Enter the user group name, for example, Agency Management.
- Click OK.
The user group is displayed in the user group list.
- In the row containing the target user group, click Authorize.
- To authorize a user to manage only the resources of a specific agency, perform the following steps.
- To authorize a user to manage the resources of all agencies, go to the next step.
- On the Select Policy/Role page, click Create Policy in the upper right.
- Enter a policy name, for example, Agency 1 for Managing Company A.
- Select JSON for Policy View.
- In the Policy Content area, enter the following content:
{ "Version": "1.1", "Statement": [ { "Action": [ "iam:agencies:assume" ], "Resource": { "uri": [ "/iam/agencies/b36b1258b5dc41a4aa8255508xxx..." ] }, "Effect": "Allow" } ] }
Replace b36b1258b5dc41a4aa8255508xxx... with the agency ID obtained from a delegating party. Do not make any other changes.
- Click Next.
- Select the Agency 1 for Managing Company A agency created in the previous step or the Agent Operator role.
- The custom policy allows the user only to manage resources of a specific agency ID.
- The Agent Operator role allows the user to manage the resources of all agencies.
- Specify the authorization scope.
- Click OK.
- Create a user and add the user to the user group.
- In the navigation pane, choose Users.
- On the Users page, click Create User.
- On the Create User page, enter a username and email address.
- For Access Type, select Management console access.
- For Credential Type, select Set by user.
- Enable login protection, select a verification mode, and click Next.
- Select the user group Agency Management created in 2 and click Create.
- Switch the role.
- Log in to Huawei Cloud as the user created in 2. For more information, see Logging In as an IAM User.
- Click the username in the upper right corner, and choose Switch Role.
- Enter the account name of the delegating party. The agency created by the delegating party is displayed automatically.
If an agency other than the agencies created by the delegating party is displayed, a message is displayed indicating that you do not have access permissions. Select the correct agency in the Agency Name drop-down list box.
- Click OK to switch to the delegating account.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
