Help Center> Cloud Container Instance> User Guide> Permissions Management> Delegating a Federated User to Manage Resources
Updated on 2023-08-04 GMT+08:00
View PDF

Delegating a Federated User to Manage Resources

If you want to delegate a federated user of another account (account B) to manage resources in your account (account A), log in using account A, create an agency for account B, and grant namespace permissions to account B. Then, log in using account B and perform federated identity authentication for it. After the authentication is complete, account B assigns the agency permissions to the federated user so that the federated user can switch to the agency of account A. Log in to Huawei Cloud as the federated user and switch the role to manage resources in account A.

This section describes how to delegate federated users to manage resources. Figure 1 shows the operation process.

Figure 1 Process of delegating a federated user to manage resources

Procedure

To delegate account B to manage resources in account A as a federated user, perform the following steps:

  1. Create an agency (by the delegating party).

    Log in to the IAM console as the delegating party (account A). Create an agency, enter the account name of the delegated party (account B), and grant permissions of the CCI FullAccess policy to the delegated party. Users granted these permissions can create, delete, query, and update all CCI resources.

  2. Grant namespaced resource permissions to an agency account (by the delegating party).

    Log in to the CCI console as the delegating party (account A). On the Permissions Management page, grant permissions of resources in the namespace to the delegated party (account B). You can set permissions for different delegated accounts to operate Kubernetes resources under a specified namespace.

  3. Perform federated identity authentication (by the delegated party).

    Log in to the delegated party (account B) and perform federated identity authentication.

    Before delegating a federated user to manage resources, you need to perform federated identity authentication on the delegated party. The authentication process consists of two steps: Establish a trust relationship and create an identity provider, and then configure identity conversion rules.

    After an identity provider is created, a default identity conversion rule is also created. You need to click Edit Rule to update or delete the default rule and create one. If you add a new rule with the default rule not deleted, the default rule may be matched, and the new rule does not take effect.

  4. Assign permissions to a user (by the delegated party).

    If a user under the delegated party (account B) wants to manage account A's resources, the delegated party (account B) must assign agency permissions to the user. To enable a federated user to manage resources of the delegating party (account A), the delegated party (account B) needs to assign the permissions of the custom policy federation_agency to the user group (federation_group) to which the federated user belongs. federation_group is also the federated user group that is written into the identity conversion rules.

  5. Switch roles (by the delegated party).

    Account B and the federated user with agency permissions can switch their roles to the delegating party (account A) to manage its resources.

Parent topic: Permissions Management