Updated on 2022-08-18 GMT+08:00

(Optional) Assigning Permissions to an IAM User (by a Delegated Party)

When a trust relationship is established between your account and another account, you become a delegated party. By default, only your account and the members of the admin group can manage resources for the delegating party. To authorize IAM users to manage these resources, assign permissions to the users.

You can authorize an IAM user to manage resources for all delegating parties, or authorize the user to manage resources for a specific delegating party.

Prerequisites

  • A trust relationship has been established between your account and another account.
  • You have obtained the name of the delegating account and the name and ID of the created agency.

Procedure

  1. Create a custom policy.

    This step creates a policy that contains only the permission needed to manage resources for one specific agency. If you want to authorize an IAM user to manage resources for all agencies, skip this step and go to 2.

    1. On the Permissions page, click Create Custom Policy.
    2. Enter a policy name.
    3. Select Global services for Scope.
    4. Select JSON for Policy View.
    5. In the Policy Content area, enter the following content:
      {
          "Version": "1.1",
          "Statement": [
              {
                  "Action": [
                      "iam:agencies:assume"
                  ],
                  "Resource": {
                      "uri": [
                          "/iam/agencies/b36b1258b5dc41a4aa8255508xxx..."
                      ]
                  },
                  "Effect": "Allow"
              }
          ]
      }
      • Replace b36b1258b5dc41a4aa8255508xxx... with the agency ID obtained from the delegating party. Do not make any other changes.
      • For more information about permissions, see Permissions.
    6. Click OK.

  2. Create a user group and grant permissions to it.

    1. On the User Groups page, click Create User Group.
    2. Enter a user group name.
    3. Click OK.
    4. In the row containing the user group, click Manage Permissions.
    5. On the Permissions tab page, click Assign Permissions above the policy or project list.
    6. Specify the scope. If you select Region-specific projects, select one or more projects in the drop-down list.
    7. Select the policy created in 1 or the Agent Operator role.
      • Custom policy: Allows a user to manage resources only for a specific agency.
      • Agent Operator role: Allows a user to manage resources for all agencies.
    8. Click OK.

  3. Create an IAM user and add the user to the user group.

    1. On the Users page, click Create User.
    2. On the Create User page, enter a username.
    3. For the access type, select Management console access and Set by user.
    4. Enable login protection and click Next.
    5. Select the user group created in 2 and click Create.

      After the authorization is complete, the IAM user can switch to the account of the delegating party and manage specific resources under the account.
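As an added example (not part of the Huawei Cloud documentation above), the following Python helper builds the step 1 custom policy for a given agency ID and, for policy review, reports which agency IDs a policy actually lets a user assume, returning None when the assume permission is not limited to concrete agency URIs. The sample agency ID is constructed, and the alphanumeric ID format check and the treatment of wildcards as unrestricted are my assumptions.

```python
import fnmatch
import re

# Constructed placeholder; use the agency ID obtained from the delegating party.
EXAMPLE_AGENCY_ID = "0123456789abcdef0123456789abcdef"
# Assumption: an agency ID is one opaque alphanumeric token (no "*", no "/").
AGENCY_URI = re.compile(r"^/iam/agencies/([A-Za-z0-9]+)$")


def build_assume_policy(agency_id: str) -> dict:
    """Return the custom policy from step 1, scoped to exactly one agency."""
    if not re.fullmatch(r"[A-Za-z0-9]+", agency_id):
        raise ValueError("expected an opaque agency ID, not a name or wildcard")
    return {
        "Version": "1.1",
        "Statement": [{
            "Action": ["iam:agencies:assume"],
            "Resource": {"uri": [f"/iam/agencies/{agency_id}"]},
            "Effect": "Allow",
        }],
    }


def assumable_agencies(policy: dict):
    """Set of agency IDs the policy lets a user assume, or None when an Allow
    statement grants iam:agencies:assume (directly or via an action wildcard)
    without restricting it to concrete agency URIs."""
    ids = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if not any(fnmatch.fnmatch("iam:agencies:assume", a) for a in actions):
            continue
        resource = stmt.get("Resource")
        uris = resource.get("uri") if isinstance(resource, dict) else None
        if not uris:
            return None  # no resource restriction at all
        for uri in uris:
            match = AGENCY_URI.match(uri)
            if match is None:
                return None  # wildcard or unexpected URI form: unrestricted
            ids.add(match.group(1))
    return ids


if __name__ == "__main__":
    policy = build_assume_policy(EXAMPLE_AGENCY_ID)
    print(assumable_agencies(policy))  # {'0123456789abcdef0123456789abcdef'}
```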

Related Operations

The delegated account or the authorized IAM users can switch their roles to the delegating account to view and use its resources.