Updated on 2023-07-14 GMT+08:00

IAM Agency

By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources. You do not need to share your security credentials (the password and access keys) with the delegated party. Instead, the delegated party logs in with its own account credentials, switches the role to your account, and then manages your resources.

With RFS, you can create a stack to bind an agency to a provider, and update the binding relationship by updating the stack.

RFS uses an agency only in resource operation requests, such as creating a stack (triggering deployment), creating an execution plan, deploying a stack, and deleting a stack. The agency applies only to resource operations performed by the bound provider. If the permissions provided by the agency are insufficient, resource operations may fail.

Procedure

  1. Log in to the IAM console.
  2. On the IAM console, choose Agencies from the navigation pane on the left, and click Create Agency in the upper right corner.
    Figure 1 Creating an agency
  3. Enter an agency name.
    Set Cloud Service to RFS.
    Figure 2 Creating an agency

    The agency name is user-defined.

    If op_svc_iac has been used for registration, you are advised to change it to RFS.

  4. Click Next. The Authorize Agency page is displayed. You can grant permissions to the agency on this page.
    Figure 3 Agency authorization
  5. Filter specific permissions and grant them to the agency.
    Figure 4 Selecting policies

    You decide which permissions to grant to an agency. Huawei Cloud best practices advise against automatically creating agencies with the Tenant Administrator permission for users. Instead, the best practice is to grant management permissions (including read and write operations) on the resources that may be used in a stack.

  6. Set the authorization scope. You can select All resources or Region-specific projects.
    Figure 5 Authorization scope
  7. Click OK. The agency is created.
    Figure 6
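
The following Python check is an added example, not part of the original Huawei Cloud documentation. It compares the policies granted to an agency with the resource types declared in a stack template, reporting missing grants (which can make resource operations fail) and broad or unused grants. It assumes a Terraform-style HCL template; the prefix-to-policy mapping and the sample template are constructed for illustration.

```python
import re

# Assumption: which system policy covers which resource-type prefix.
# Replace with the policies your own account uses.
POLICY_FOR_PREFIX = {
    "huaweicloud_vpc": "VPC FullAccess",
    "huaweicloud_compute": "ECS FullAccess",
    "huaweicloud_obs": "OBS Administrator",
}
# Policies the page advises against granting to an agency by default.
BROAD_POLICIES = {"Tenant Administrator"}

RESOURCE_RE = re.compile(r'^\s*resource\s+"([a-z0-9_]+)"\s+"[^"]+"', re.MULTILINE)

# Constructed sample template (not from the original page).
SAMPLE_TEMPLATE = '''
resource "huaweicloud_vpc" "demo" {
  name = "demo"
  cidr = "192.168.0.0/16"
}
resource "huaweicloud_obs_bucket" "logs" {
  bucket = "demo-logs"
}
'''

def required_policies(template):
    """Return (policies needed by the template, resource types with no mapping)."""
    needed, unmapped = set(), set()
    for rtype in RESOURCE_RE.findall(template):
        prefixes = [p for p in POLICY_FOR_PREFIX if rtype.startswith(p)]
        if prefixes:
            needed.add(POLICY_FOR_PREFIX[max(prefixes, key=len)])
        else:
            unmapped.add(rtype)
    return needed, unmapped

def review_agency(template, granted):
    """Compare the agency's granted policies with what the stack needs."""
    needed, unmapped = required_policies(template)
    granted = set(granted)
    broad = granted & BROAD_POLICIES
    return {
        "broad": sorted(broad),                                # over-privileged grants
        "missing": [] if broad else sorted(needed - granted),  # deployment may fail
        "excess": sorted(granted - needed - broad),            # unused by this stack
        "unmapped": sorted(unmapped),                          # needs manual review
    }
```

Resource types listed under `unmapped` have no entry in the assumed mapping and need a manual decision before the agency is authorized.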