Help Center/ Identity and Access Management/ User Guide/ Agencies/ Account Delegation/ Delegating Resource Access to Another Account
Updated on 2024-07-11 GMT+08:00

Delegating Resource Access to Another Account

The agency function enables you to delegate another account to implement O&M on your resources based on assigned permissions.

You can delegate resource access only to accounts. The accounts can then delegate access to IAM users under them.

The following is the procedure for delegating resource access to another account. Account A is the delegating party and account B is the delegated party.

  1. Account A creates an agency in IAM to delegate resource access to account B.

    Figure 1 (Account A) Creating an agency

  2. (Optional) Account B assigns permissions to an IAM user to manage specific resources for account A.

    1. Create a user group, and grant it permissions required to manage account A's resources.
    2. Create a user and add the user to the user group.
    Figure 2 (Account B) Authorizing an IAM user to manage delegated resources

  3. Account B or the authorized user manages account A's resources.

    1. Use account B to log in and switch the role to account A.
    2. Switch to region A and manage account A's resources in this region.
    Figure 3 (Account B) Switching the role