Help Center/ Identity and Access Management/ User Guide/ Agencies/ Account Delegation/ Creating an Agency (by a Delegating Party)
Updated on 2024-11-18 GMT+08:00

Creating an Agency (by a Delegating Party)

By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources. You do not need to share your security credentials (the password or access keys) with the delegated party. Instead, the delegated party can log in with its own account credentials and then switches the role to your account and manage your resources.

Prerequisites

Before creating an agency, complete the following operations:

Procedure

  1. Log in to the IAM console.
  2. On the IAM console, choose Agencies from the left navigation pane, and click Create Agency in the upper right corner.

    Figure 1 Creating an agency

  3. Enter an agency name.

    Figure 2 Setting the agency name

  4. Specify the agency type as Account, and enter the name of a delegated account.

    • Account: Share resources with another account or delegate an individual or team to manage your resources. The delegated account can only be an account, rather than an IAM user or a federated user.
    • Cloud service: Delegate a specific service to access other services. For more information, see Cloud Service Agency.

  5. Set the validity period and enter a description for the agency.
  6. Click Done.

    If you do not need to authorize the agency, click Cancel to return to the agency list and view the created agency. In this case, the created agency does not have any permissions.

  7. In the displayed dialog box, click Authorize.
  8. Select the policies or roles to be attached to the agency, click Next, and select the authorization scope.

    • Assigning permissions to an agency is similar to assigning permissions to a user group. The two operations differ only in the number of available permissions. For details about how to assign permissions to a user group, see Assigning Permissions to a User Group.
    • You can assign the Security Administrator role to the agency, but we do not recommend you to do so. For account security purposes, only grant the required permissions to the agency based on the principle of least privilege (PoLP).

  9. Click OK.

    After creating an agency, provide your account name, agency name, agency ID, and agency permissions to the delegated party. The delegated party can then switch the role to your account and manage specific resources based on the assigned permissions.