Delegating Permissions Across Accounts with Trust Agencies
Company A and company B have created account A and account B, respectively. If account A wants to authorize account B to manage its resources, account A can create a trust agency in IAM to establish a trust relationship between the two accounts.
Requirements
- Account A has purchased multiple types of resources on Huawei Cloud and wants to authorize account B to manage its VPC resources.
- Account B wants to authorize one or more employees (IAM users) of company B to manage account A's resources.
- Account A can modify or cancel the authorization provided to account B at any time.
Solutions
To address these requirements, the following solutions are provided:
- Account A creates a trust agency on the IAM console to authorize account B to manage its resources.
- Account B assigns permissions to its IAM users to manage account A's resources specified in the trust agency.
- If the cooperation between the two companies changes, account A can modify or delete the trust agency anytime. Then permissions of account B and its IAM users for managing account A's resources are changed or cancelled automatically.
Delegating Permissions to Another Account (by the Delegating Party)
The following example describes how account A delegates account B to manage VPC resources.
- Log in to Huawei Cloud using account A. On the IAM console, choose Agencies in the navigation pane.
- On the Agencies page, click Create Trust Agency. On the displayed page, set Agency Name, for example, VPC_Resource_Delegation.
- Set Agency Type to Account and enter the ID of account B in Delegated Account ID.
- Specify Maximum Session Duration.
Figure 2 Creating a trust agency
- Choose whether to select External ID. The external ID of the delegated party must be unique. It can be any identifier (for example, an invoice number) known only to you and the delegated party. Do not use easily guessed information such as the name or phone number of the delegated party. If you select External ID, the ID you enter is added to the trust policy as a condition that is checked when the agency is assumed, to ensure that the delegated party is performing the intended operation. Note: After an external ID is configured, you cannot switch to the trust agency on the IAM console, because the console does not pass the external ID during the switch. In this case, the delegated party can call the AssumeAgency API and pass the external ID to assume the target trust agency.
- Determine whether to enable MFA.
  After MFA is enabled, the delegated party must enter the verification code sent to the MFA device on the login page for secondary authentication before switching to the trust agency on the console.
- Edit the trust agency after it is created. The trust policy is displayed in the Trust Policy area.
- Enter the description and click OK.
- In the displayed dialog box, click Authorize.
- Select VPCFullAccessPolicy and click OK.
The trust agency is created and displayed in the agency list.
If the cooperation between the two companies changes, account A can locate the target agency in the agency list and click Modify in the Operation column to modify the delegated account and permissions of the agency.
Assuming the Agency to Switch the Role (By the Delegated Party)
After the agency is created, account B (the delegated party) can assume the agency on the IAM console to switch to account A and manage account A's resources. To do this, account B must have obtained the account name of account A and the name of the trust agency.
- Log in to the Huawei Cloud management console using account B.
- Hover over the username in the upper right corner and choose Switch Role. You can select a role switch record or choose to switch to another role.
Figure 3 Switching the role
- On the displayed page, enter the account name and agency name of the delegating party. You can also click the role switch history to switch the role.
After entering the account name of the delegating party, only the common agencies delegated to you are listed. Trust agencies are not listed. You need to manually enter the trust agency name.
Figure 4 Entering the trust agency name
- Click OK. Account B is switched to account A and can manage the VPC resources of account A.
Assigning Permissions to IAM Users (by the Delegated Party)
Account B assigns the trust agency's permissions to an IAM user for fine-grained authorization. The IAM users of account B can then switch to account A and manage the resources authorized by the delegating party.
Account B must have obtained the account name of the delegating company and the agency name.
- Create a user group.
  - In the navigation pane, choose User Groups.
  - On the User Groups page, click Create User Group.
  - Enter the user group name, for example, Agency Management.
  - Click OK.
- Create custom identity policies.
  - On the Identity Policies page, click Create Identity Policy.
  - On the displayed page, enter AssumeAgencies for Policy Name.
  - Select JSON for Policy View.
  - In the Policy Content area, enter the following content to allow the user to assume only the trust agency with the specified ID:
    {
      "Version": "5.0",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:agencies:assume"
          ],
          "Resource": [
            "iam::<account-a-id>:agency:VPC_Resource_Delegation"
          ]
        }
      ]
    }
    Replace <account-a-id> with the account ID of the delegating party, which you need to obtain from the delegating party. Copy the rest of the policy without modification.
- Assign permissions to the user group.
  - Go to the user group list. The newly created user group is displayed in the list.
  - Locate this group and click Authorize in the Operation column.
  - Select the custom identity policy you created, click Next, and then click OK. The authorization is complete.
  Figure 5 Authorizing a user group
- Create a user and add it to the user group.
  - In the navigation pane, choose Users.
  - On the Users page, click Create User.
  - On the displayed page, enter the username and description.
  - Toggle on Management Console Access and select Create an IAM User.
  - Set Password Setting to Custom, enter a password, select Require password reset at first login, and click Next.
  - On the Set Permissions page, select the user group Agency Management created in step 1 and click Create User.
- Switch the role.
  - Log in to Huawei Cloud as the IAM user created in step 4. For details about how to log in, see Logging In as an IAM User.
  - On the console, hover over the username in the upper right corner and click Switch Role. You can select a role from the switch record or click Switch to Another Role.
  Figure 6 Switching the role
  - On the displayed page, enter the account name of the delegating party and the agency name.
  - Click OK to switch to the delegating account. Then, the IAM user of account B can manage resources in account A.
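The AssumeAgencies policy in the "Create custom identity policies" step is easy to get wrong in two ways that widen access: leaving the <account-a-id> placeholder in place, or scoping the Resource to a wildcard so the user can assume any agency. The following linter is an added example, not part of the Huawei Cloud documentation or any Huawei tool; it assumes the agency URN shape shown on the page (iam::<account-id>:agency:<agency-name>), and the account ID in the sample is a constructed value, not a real one.

```python
import json
import re

# Constructed sample: the page's AssumeAgencies policy with the placeholder
# replaced by a made-up account ID (not a real Huawei Cloud account ID).
SAMPLE_ACCOUNT = "0123456789abcdef0123456789abcdef"
SAMPLE_POLICY = json.dumps({
    "Version": "5.0",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sts:agencies:assume"],
        "Resource": [f"iam::{SAMPLE_ACCOUNT}:agency:VPC_Resource_Delegation"],
    }],
})

ASSUME_ACTION = "sts:agencies:assume"
# Agency URN shape assumed from the page's example: iam::<account-id>:agency:<name>
AGENCY_URN = re.compile(r"^iam::([^:]+):agency:([^:]+)$")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_assume_policy(policy_json, expected_account=None):
    """Return findings for an agency-assume identity policy (empty list means OK)."""
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "5.0":
        findings.append("policy Version must be 5.0")
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        # Only statements granting the assume action (or a wildcard covering it) matter.
        if not any(a == ASSUME_ACTION or a.endswith("*") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource")):
            if "*" in res:
                findings.append(f"statement {i}: wildcard resource {res!r} allows assuming any agency")
                continue
            match = AGENCY_URN.match(res)
            if not match:
                findings.append(f"statement {i}: {res!r} is not an agency URN")
                continue
            account, _agency = match.groups()
            if account.startswith("<") or account.endswith(">"):
                findings.append(f"statement {i}: placeholder {account!r} was not replaced")
            elif expected_account and account != expected_account:
                findings.append(f"statement {i}: account {account!r} is not the delegating account")
    return findings
```

Run it over the policy text before pasting it into the console; pass the delegating party's account ID as expected_account to catch a copy from another engagement.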