Delegating Resource Access to Another Account
The agency function enables you to delegate another account to perform O&M on your resources, within the scope of the permissions you assign to the agency.
You can delegate resource access only to an account, not directly to an IAM user. The delegated account can then grant access to the IAM users under it.
The following procedure delegates access to resources in one account to another account. Account A is the delegating party and account B is the delegated party.
- Account A creates an agency in IAM to delegate resource access to account B. Attach to the agency only the permissions the delegated O&M task requires: they bound everything account B can do on account A's resources.
Figure 1 (Account A) Creating an agency
- (Optional) Account B assigns permissions to an IAM user to manage specific resources for account A.
Figure 2 (Account B) Authorizing an IAM user to manage delegated resources
  - Create a user group, and grant it the permissions required to manage account A's delegated resources.
  - Create a user and add the user to the user group.
- Account B or the authorized IAM user manages account A's resources.
Figure 3 (Account B) Switching the role
  - Log in as account B (or as the authorized IAM user) and switch the role to account A.
  - Switch to the region where account A's resources are located and manage the resources in that region.
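To make the permission boundary of this procedure concrete, the following Python model is an added example; it is not code from this page or from Huawei Cloud, and it does not call the IAM API. It models the two-hop chain above: account A's agency trusts account B and carries the policies A attached; account B grants its own IAM users the right to switch to the agency; a request then succeeds only if the user may switch role, the agency's policies allow the action in that region, and account B also granted the user that action (the intersection of both). Deny takes precedence over Allow and anything unmatched is an implicit Deny. The account names, user names, policy shape, the `SWITCH_ROLE_ACTION` string and the intersection rule are assumptions made for this example; check the IAM documentation for the exact evaluation rule.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Hypothetical permission string that lets an IAM user of the delegated
# account switch to an agency; not Huawei Cloud's real action name.
SWITCH_ROLE_ACTION = "iam:agencies:switchRole"


@dataclass
class Policy:
    effect: str                      # "Allow" or "Deny"
    actions: list[str]               # glob patterns, e.g. "ecs:cloudServers:*"
    regions: list[str] = field(default_factory=lambda: ["*"])


@dataclass
class Agency:
    name: str
    owner: str                       # delegating party (account A)
    trusted: str                     # delegated party (account B)
    policies: list[Policy]           # permissions account A attached to the agency


@dataclass
class Account:
    name: str
    groups: dict[str, list[Policy]]  # user group -> policies granted by this account
    users: dict[str, list[str]]      # IAM user -> user groups


def _matches(policy: Policy, action: str, region: Optional[str]) -> bool:
    if not any(fnmatchcase(action, pat) for pat in policy.actions):
        return False
    return region is None or any(fnmatchcase(region, pat) for pat in policy.regions)


def evaluate(policies: list[Policy], action: str, region: Optional[str] = None) -> str:
    """Deny beats Allow; no matching statement is an implicit Deny."""
    allowed = False
    for policy in policies:
        if _matches(policy, action, region):
            if policy.effect == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def user_policies(account: Account, user: str) -> list[Policy]:
    return [p for group in account.users.get(user, []) for p in account.groups.get(group, [])]


def delegated_access(account: Account, user: str, agency: Agency,
                     action: str, region: str) -> tuple[bool, str]:
    """Decide whether IAM user `user` of `account` may perform `action` on the
    delegating account's resources in `region` through `agency`, and say why."""
    if account.name != agency.trusted:
        return False, f"{account.name} is not the account the agency trusts"
    own = user_policies(account, user)
    if evaluate(own, SWITCH_ROLE_ACTION) != "Allow":
        return False, f"{user} was not granted the right to switch role"
    if evaluate(agency.policies, action, region) != "Allow":
        return False, f"agency {agency.name} does not allow {action} in {region}"
    if evaluate(own, action, region) != "Allow":
        return False, f"{account.name} did not grant {user} {action}"
    return True, "allowed"


def build_example() -> tuple[Agency, Account]:
    """Constructed sample data: account A delegates ECS O&M in one region to account B."""
    agency = Agency(
        name="ops-for-b", owner="account-a", trusted="account-b",
        policies=[
            Policy("Allow", ["ecs:cloudServers:*"], ["cn-north-4"]),
            Policy("Deny", ["ecs:cloudServers:delete*"]),   # never via the agency
        ],
    )
    account_b = Account(
        name="account-b",
        groups={
            "delegated-ops": [Policy("Allow", [SWITCH_ROLE_ACTION]),
                              Policy("Allow", ["ecs:cloudServers:list", "ecs:cloudServers:reboot*"])],
            "viewers": [Policy("Allow", ["ecs:cloudServers:list"])],  # cannot switch role
        },
        users={"alice": ["delegated-ops"], "bob": ["viewers"]},
    )
    return agency, account_b


if __name__ == "__main__":
    agency, account_b = build_example()
    for user, action, region in [("alice", "ecs:cloudServers:list", "cn-north-4"),
                                 ("alice", "ecs:cloudServers:start", "cn-north-4"),
                                 ("alice", "ecs:cloudServers:delete", "cn-north-4"),
                                 ("alice", "ecs:cloudServers:list", "cn-south-1"),
                                 ("bob", "ecs:cloudServers:list", "cn-north-4")]:
        print(user, action, region, delegated_access(account_b, user, agency, action, region))
```

Running the script shows the four ways a delegated request fails: the user was never allowed to switch role (bob), the agency does not cover the action (delete, explicit Deny) or the region (cn-south-1), or account B allowed the switch but not the action (start). Keeping the agency's policies narrow is what protects account A; account B's user-group policies only decide which of its users may use the delegation and how much of it.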