Granting Permission to Obtain Temporary Security Credentials
Description
You can use STS to obtain temporary security credentials for accessing your Huawei Cloud resources and provide them to trusted users. Temporary security credentials issued by STS remain valid until they expire and cannot be revoked early. However, because the permissions attached to temporary security credentials are evaluated every time a request is made with them, you can effectively disable credentials that have already been issued by changing the access permissions of the agency or trust agency they were obtained through.
By default, IAM users do not have permission to assume agencies or trust agencies to obtain temporary security credentials. You must grant this permission to IAM users through identity policies. Although you can grant permissions directly to users, we strongly recommend granting them to user groups, which makes permissions management much easier: if a user no longer needs the permissions, simply remove the user from the user group; if other users need them, add those users to the group.
To grant an IAM user group the permissions needed to assume agencies or trust agencies and obtain temporary security credentials, attach a policy containing the following permissions to the user group (users in the admin group have these permissions by default):
- sts:agencies:assume permissions
- (Optional) sts::tagSession permissions, needed to set the session tag parameter when assuming the trust agency.
- (Optional) sts::setSourceIdentity permissions, needed to set the source identity parameter when assuming the trust agency.
Example of Granting Permission to Obtain Temporary Security Credentials Through a Trust Agency
The following custom policy, attached to user group testGroup, grants permission to call the AssumeAgency API against trust agency testAgency in account 123123123123, so the users in testGroup can assume testAgency.
    {
      "Version": "5.0",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "sts:agencies:assume",
          "sts::tagSession",
          "sts::setSourceIdentity"
        ],
        "Resource": [
          "iam::123123123123:agency:testAgency"
        ]
      }]
    }
Example of Granting Permission to Obtain Temporary Security Credentials Through a Trust Agency in Cross-Account Scenarios
A company (company A) plans to delegate management of its Huawei Cloud resources to another company (company B). Company A has Huawei Cloud account 123123123123 and company B has Huawei Cloud account 456456456456.
- Company A creates a trust agency testAgency in Huawei Cloud account 123123123123 and attaches the following trust policy to the agency. Company A then uses identity policies to define which Huawei Cloud resources company B is allowed to manage and attaches those policies to testAgency.
    {
      "Version": "5.0",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "sts:agencies:assume",
          "sts::tagSession",
          "sts::setSourceIdentity"
        ],
        "Principal": {
          "IAM": [
            "456456456456"
          ]
        }
      }]
    }
- Company B creates the following identity policy and attaches it to user group testGroup. In this way, users in testGroup can manage Huawei Cloud resources of company A by assuming the trust agency testAgency.
    {
      "Version": "5.0",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "sts:agencies:assume",
          "sts::tagSession",
          "sts::setSourceIdentity"
        ],
        "Resource": [
          "iam::123123123123:agency:testAgency"
        ]
      }]
    }
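The cross-account assumption above succeeds only when both sides agree: the caller's identity policy must name the agency as a resource, and the agency's trust policy must name the caller's account as a principal. The following added example (illustrative evaluation logic, not Huawei Cloud's IAM engine) encodes that two-sided check over the two policies from this scenario and shows how a request from an account the trust policy does not list, or for an agency the identity policy does not list, is rejected.

```python
import json

# Constructed copies of the two policies from the cross-account scenario.
# Trust policy on testAgency in company A's account 123123123123.
TRUST_POLICY_A = json.loads("""{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["sts:agencies:assume", "sts::tagSession", "sts::setSourceIdentity"],
    "Principal": {"IAM": ["456456456456"]}
  }]
}""")

# Identity policy attached to user group testGroup in company B's account 456456456456.
IDENTITY_POLICY_B = json.loads("""{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["sts:agencies:assume", "sts::tagSession", "sts::setSourceIdentity"],
    "Resource": ["iam::123123123123:agency:testAgency"]
  }]
}""")

AGENCY_URN = "iam::123123123123:agency:testAgency"


def _statement_allows(policy, action, field, value):
    """True if some Allow statement lists `action` and `value` under `field`.
    `field` is "Resource" for identity policies and "Principal" (IAM account
    list) for trust policies. Only explicit Allow statements are considered."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or action not in stmt.get("Action", []):
            continue
        listed = stmt.get(field, [])
        if field == "Principal":
            listed = listed.get("IAM", [])
        if value in listed:
            return True
    return False


def can_assume(identity_policy, trust_policy, caller_account, agency_urn,
               action="sts:agencies:assume"):
    """Both checks must pass: the caller's identity policy grants `action` on the
    agency, and the agency's trust policy grants `action` to the caller's account."""
    return (_statement_allows(identity_policy, action, "Resource", agency_urn)
            and _statement_allows(trust_policy, action, "Principal", caller_account))


if __name__ == "__main__":
    print(can_assume(IDENTITY_POLICY_B, TRUST_POLICY_A, "456456456456", AGENCY_URN))
    print(can_assume(IDENTITY_POLICY_B, TRUST_POLICY_A, "789789789789", AGENCY_URN))
```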