Creating an Agency (by a Delegating Party)
By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources. You do not need to share your security credentials (the password and access keys) with the delegated party. Instead, the delegated party can log in with its own account credentials and then switches the role to your account and manage your resources.
Before creating an agency, complete the following operations:
- Log in to the IAM console.
- On the IAM console, choose Agencies from the navigation pane, and click +Create Agency in the upper right corner.Figure 1 Creating an agency
- Enter an agency name.Figure 2 Setting the agency name
- Specify the agency type as Account, and enter the name of an account.
- Account: Share resources with another account or delegate an individual or team to manage your resources. You can specify the delegated account only as another account, and you cannot specify it as a federated user or IAM user.
- Cloud service: Delegate a specific service to access other services. For more information, see Cloud Service Delegation.
- Set the validity period and enter a description for the agency.
- Click Next.
- Select the permissions to be assigned to the agency, click Next, and specify the authorization scope.
- Assigning permissions to an agency is similar to assigning permissions to a user group. The two operations differ only in the number of available permissions. For details about how to assign permissions to a user group, see Assigning Permissions to a User Group.
- Agencies cannot be assigned the Security Administrator role. For account security, grant only the permissions required to agencies according to your business requirements.
- Click OK.
After creating an agency, provide your account name, agency name, agency ID, and agency permissions to the delegated party. The delegated party can then switch the role to your account and manage specific resources.
- Modifying an agencyFigure 3 Modifying an agency
- Deleting an agencyFigure 4 Deleting an agency
After you delete an agency, all permissions granted to the delegated account will be cancelled.