Creating an Agency (by a Delegating Party)

Prerequisites

Before creating an agency, complete the following operations:

• Understand the basic concepts of permissions.
• Determine the system-defined permissions to be assigned to the agency, and check whether the permissions have dependencies. For more details, see Assigning Dependency Roles.

Procedure

1. Log in to the IAM console.
2. On the IAM console, choose Agencies from the left navigation pane, and click Create Agency in the upper right corner.
   Figure 1 Creating an agency
   

3. Enter an agency name.
   Figure 2 Setting the agency name
   

4. Specify the agency type as Account, and enter the name of a delegated account.
   

   • Account: Share resources with another account or delegate an individual or team to manage your resources. The delegated account can only be an account, rather than an IAM user or a federated user.
   • Cloud service: Delegate a specific service to access other services. For more information, see Cloud Service Agency.

5. Set the validity period and enter a description for the agency.
6. Click Next.
7. Select the policies or roles to be attached to the agency, click Next, and select the authorization scope.
   

   • Assigning permissions to an agency is similar to assigning permissions to a user group. The two operations differ only in the number of available permissions. For details about how to assign permissions to a user group, see Assigning Permissions to a User Group.
   • You can assign the Security Administrator role to the agency, but we do not recommend you to do so. For account security purposes, only grant the required permissions to the agency based on the principle of least privilege (PoLP).

8. Click OK.
   

   After creating an agency, provide your account name, agency name, agency ID, and agency permissions to the delegated party. The delegated party can then switch the role to your account and manage specific resources based on the assigned permissions.