Updated on 2025-11-07 GMT+08:00

Accessing Resource Across Accounts

You can grant cloud services permissions to access resources across accounts. You can attach resource policies to resources or use IAM agencies (including agencies and trust agencies) to authorize cross-account access to resources.

Either of the following methods can be used:

  • You can attach resource policies directly to cloud services that support them. Unlike IAM identity policies, resource policies require you to specify who can access the resources.
  • IAM agencies allow you to grant cross-account resource access regardless of whether the cloud services involved support resource policies.

Using Agencies

Most Huawei Cloud services do not support resource policies. You can use IAM agencies to grant an account access to cloud service resources in other accounts. In IAM, agencies are classified into two types: agencies and trust agencies. For an agency, you specify the trusted users or cloud services as agency parameters. A trust agency has trust policies that specify which users and cloud services are allowed to assume it. You can configure trust relationships with both agencies and trust agencies to allow other accounts or cloud services to access resources in your account. To restrict the specific operations that other accounts or cloud services can perform on your resources, you need to configure identity policies for the IAM agency.

The following is an example:

  1. An IAM user under an account creates a trust agency and attaches a trust policy and an identity policy to it. The trust policy specifies the trusted principals, and the identity policy specifies the operations that whoever assumes the trust agency may perform.
    • The following trust policy allows any IAM principal under tenant Li Si's account that has permission to assume trust agencies to assume this trust agency. In a trust policy, Principal indicates the entrusted entities; for details, see the JSON element reference for Principal.
      {
      	"Version": "5.0",
      	"Statement": [{
      		"Principal": {
      			"IAM": [
      				"{Account Id Of LiSi}"
      			]
      		},
      		"Effect": "Allow",
      		"Action": [
      			"sts:agencies:assume"
      		]
      	}]
      }
    • The following identity policy allows the trusted principals to download the specified resource (obs:::object:{bucket_name}/{object_name}) of the delegated account:
      {
      	"Version": "5.0",
      	"Statement": [{
      		"Effect": "Allow",
      		"Action": [
      			"obs:object:getObject"
      		],
      		"Resource": [
      			"obs:::object:{bucket_name}/{object_name}"
      		]
      	}]
      }
  2. The IAM principal with the sts:agencies:assume permission calls POST /v5/agencies/assume to obtain temporary security credentials for the trust agency, and then uses those temporary security credentials to call OBS APIs and download the specified OBS object.
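To see how the two policies combine, the following added example (not from the Huawei Cloud documentation or its IAM engine) models the two-gate check in Python: the trust policy decides who may assume the trust agency, and the identity policy bounds what the temporary credentials may then do. The account ID, bucket and object names are constructed placeholders, and the wildcard and Deny-overrides-Allow handling is a simplified model of policy evaluation.

```python
import fnmatch
import json

# Constructed sample policies modelled on the two shown above; the account ID is a placeholder.
TRUST_POLICY = json.loads("""{"Version": "5.0", "Statement": [{
  "Principal": {"IAM": ["ACCOUNT_ID_OF_LISI_PLACEHOLDER"]},
  "Effect": "Allow", "Action": ["sts:agencies:assume"]}]}""")

IDENTITY_POLICY = json.loads("""{"Version": "5.0", "Statement": [
  {"Effect": "Allow", "Action": ["obs:object:getObject"],
   "Resource": ["obs:::object:shared-bucket/reports/*"]},
  {"Effect": "Deny", "Action": ["obs:object:getObject"],
   "Resource": ["obs:::object:shared-bucket/reports/secret-*"]}]}""")


def _match(patterns, value):
    # IAM-style wildcard matching ('*' and '?'); simplified model, not Huawei Cloud's engine.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(statements, **request):
    """Explicit Deny wins over Allow; no matching statement means implicit deny."""
    allowed = False
    for st in statements:
        if "Principal" in st and request.get("principal") not in st["Principal"].get("IAM", []):
            continue
        if not _match(st.get("Action", []), request["action"]):
            continue
        if "Resource" in st and not _match(st["Resource"], request.get("resource", "")):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(principal_account):
    """Gate 1: the trust policy decides who may call sts:agencies:assume on the trust agency."""
    return evaluate(TRUST_POLICY["Statement"], principal=principal_account, action="sts:agencies:assume")


def allowed_with_agency(action, resource):
    """Gate 2: the identity policy bounds what the temporary credentials may do."""
    return evaluate(IDENTITY_POLICY["Statement"], action=action, resource=resource)


def cross_account_access(principal_account, action, resource):
    """Both gates must pass for a cross-account request to succeed."""
    return can_assume(principal_account) and allowed_with_agency(action, resource)
```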

Using Resource Policies

When a principal uses a resource policy to access resources in another account, it continues to operate in its own account and keeps its existing permissions, including permissions to assume agencies. It can therefore access resources in both accounts. This is useful for cross-account tasks such as copying data to, or retrieving data from, resources in another account.

Currently, only OBS and IAM support resource policies, which are bucket policies and trust policies, respectively. For more information about bucket policies, see Bucket Policies. For more information about trust policies, see Using Agencies.

Using RAM

The Resource Access Manager (RAM) service enables you to securely share resources across accounts. If you have multiple Huawei Cloud accounts, you can create a resource and share it with other accounts using RAM. RAM allows resource owners to centrally manage resource sharing. Resource owners can share specified resources with specified principals (including organizations, OUs, and accounts), and can update or delete resource shares at any time. Resource users can accept or reject sharing invitations, view information about the shared resources they are using, and leave a share when they no longer need the shared resources. For more information about RAM, see RAM Service Overview. For the list of resources that support sharing, see Sharable Cloud Services and Resource Types.