Updated on 2024-12-25 GMT+08:00

(Optional) Assigning Permissions to an IAM User (by a Delegated Party)

When a trust relationship is established between your account and another account, you become a delegated party. By default, only your account and the members of the admin group can manage resources for the delegating party. To authorize IAM users to manage these resources, assign permissions to the users.

You can authorize an IAM user to manage resources for all delegating parties, or authorize the user to manage resources for a specific delegating party.

Prerequisites

  • A trust relationship has been established between your account and another account.
  • You have obtained the name of the delegating account and the name and ID of the created agency.

Procedure

  1. Create a user group and grant permissions to it.

    1. On the User Groups page, click Create User Group.
    2. Enter a user group name.
    3. Click OK.
    4. In the row containing the user group, click Authorize.
    5. Create a custom policy.

      This step creates a policy containing only the permission required to manage resources for one specific agency. If you want to authorize an IAM user to manage resources for all agencies, skip this step and go to 1.f, where you select the Agent Operator role instead.

      1. On the Select Policy/Role page, click Create Policy in the upper right corner of the permission list.
      2. Enter a policy name.
      3. Select JSON for Policy View.
      4. In the Policy Content area, enter the following content:
        {
                "Version": "1.1",
                "Statement": [
                        {
                                "Action": [
                                        "iam:agencies:assume"
                                ],
                                "Resource": {
                                        "uri": [
                                                "/iam/agencies/b36b1258b5dc41a4aa8255508xxx..."
                                        ]
                                },
                                "Effect": "Allow"
                        }
                ]
        }
        • Replace b36b1258b5dc41a4aa8255508xxx... with the agency ID obtained from a delegating party. Do not make any other changes.
        • For more information about permissions, see Permissions Management.
      5. Click Next.
    6. Select the policy created in the previous step or the Agent Operator role and click Next.
      • Custom policy: Allows a user to manage resources only for an agency identified by a specific ID.
      • Agent Operator role: Allows a user to manage resources for all agencies.
    7. Specify the authorization scope.
    8. Click OK.

  2. Create an IAM user and add the user to the user group.

    1. On the Users page, click Create User.
    2. On the Create User page, enter a username.
    3. Select Management console access for Access Type and then select Set by user for Credential Type.
    4. Enable login protection and click Next.
    5. Select the user group created in step 1 and click Create.

      After the authorization is complete, the IAM user can switch to the account of the delegating party and manage specific resources under the account.
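The custom policy in step 1.e is meant to be the least-privilege option: one Allow statement, the single action iam:agencies:assume, and a Resource URI naming exactly one agency. The following Python script is an added example and is not part of this page or of the IAM console; it builds that policy from an agency ID and lints a policy so that a leftover placeholder, a wildcard, an extra action or a missing Resource is reported before the policy is pasted into the console. The agency-ID pattern (32 lowercase hex characters) is an assumption drawn from the truncated sample on the page, not a documented rule.

```python
"""Build and lint the agency-assume policy shown in step 1.e.

Added example, not code from the IAM documentation. It follows the JSON
layout on the page and assumes that anything beyond the single
iam:agencies:assume / /iam/agencies/<id> pair widens the grant.
"""
import json
import re

AGENCY_URI_PREFIX = "/iam/agencies/"
ASSUME_ACTION = "iam:agencies:assume"

# Assumption: agency IDs are 32 lowercase hex characters. The page only shows
# a truncated sample ("b36b1258b5dc41a4aa8255508xxx..."), so this is a local
# convention used to catch placeholders and wildcards, not an official spec.
AGENCY_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def build_agency_assume_policy(agency_id: str) -> dict:
    """Return the step 1.e policy with the placeholder replaced by agency_id."""
    if not AGENCY_ID_RE.match(agency_id):
        raise ValueError(f"agency ID does not look like a 32-hex-char ID: {agency_id!r}")
    return {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [ASSUME_ACTION],
                "Resource": {"uri": [AGENCY_URI_PREFIX + agency_id]},
                "Effect": "Allow",
            }
        ],
    }


def lint_agency_assume_policy(policy: dict) -> list:
    """Return a list of findings where the policy is broader than one agency.

    An empty list means: Version 1.1, exactly one Allow statement, only the
    iam:agencies:assume action, and every resource URI names one concrete agency.
    """
    findings = []
    if policy.get("Version") != "1.1":
        findings.append("Version should be 1.1 as in the console sample")
    statements = policy.get("Statement", [])
    if len(statements) != 1:
        findings.append(f"expected exactly 1 statement, found {len(statements)}")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            findings.append(f"unexpected Effect {stmt.get('Effect')!r}")
        for action in stmt.get("Action", []):
            if action != ASSUME_ACTION:
                findings.append(f"action {action!r} is outside the agency-assume scope")
        resource = stmt.get("Resource")
        if not isinstance(resource, dict) or not resource.get("uri"):
            # Without a Resource.uri the statement is not limited to one agency;
            # that is what the Agent Operator role is for, so flag it here.
            findings.append("no Resource.uri: statement is not limited to a specific agency")
            continue
        for uri in resource["uri"]:
            if not uri.startswith(AGENCY_URI_PREFIX):
                findings.append(f"uri {uri!r} is not an /iam/agencies/ resource")
                continue
            agency_id = uri[len(AGENCY_URI_PREFIX):]
            if "*" in agency_id or not AGENCY_ID_RE.match(agency_id):
                findings.append(
                    f"uri {uri!r} does not name one concrete agency (placeholder or wildcard left in)"
                )
    return findings


if __name__ == "__main__":
    # Constructed agency ID for demonstration only.
    policy = build_agency_assume_policy("0123456789abcdef0123456789abcdef")
    print(json.dumps(policy, indent=2))
    print("findings:", lint_agency_assume_policy(policy))

    # The console sample pasted verbatim, placeholder still in place.
    unedited = build_agency_assume_policy("0123456789abcdef0123456789abcdef")
    unedited["Statement"][0]["Resource"]["uri"] = [
        "/iam/agencies/b36b1258b5dc41a4aa8255508xxx..."
    ]
    print("findings:", lint_agency_assume_policy(unedited))
```

Run the script with no arguments to see the generated policy and the findings for the unedited console sample; in a review pipeline, a non-empty findings list is the signal to stop and fix the policy before clicking Next in step 1.e.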

Related Operations

The delegated account or the authorized IAM users can switch their roles to the delegating account to view and use its resources.