(Optional) Managing Trust Agency Permissions to an IAM User (by a Delegated Party)
After a trust agency relationship is established between your account and another account, your account becomes the delegated party. By default, only administrators (the root user and members of the admin group) can manage trust agency resources. You can authorize IAM users to manage trust agency resources on your behalf.
If you have created multiple trust agencies, you can grant an IAM user permission to manage all or only specific trust agency resources. This means the IAM user can switch roles to all or only specific delegating accounts.
Prerequisites
- A trust agency relationship has been established between another account and your account.
- You have obtained the name of the delegating account and the trust agency URN.
Procedure
- Create a custom identity policy.
This step creates a policy containing the permissions required to manage the resources of a specific trust agency. If you want to grant IAM users permissions to manage all trust agencies without fine-grained authorization, omit the Resource element from the custom identity policy.
- On the Identity Policies page, click Create Identity Policy.
- Enter a policy name.
- Select JSON for Policy View.
- In the Policy Content area, enter the content below.
The custom identity policy only allows users to manage resources for trust agencies with the specified URN of a specified account.
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:agencies:assume"
      ],
      "Resource": [
        "iam::<account-id>:agency:<agency-name>"
      ]
    }
  ]
}
- Replace "iam::<account-id>:agency:<agency-name>" with the actual URN of the desired trust agency. You obtain this URN from the delegating party.
- For more information, see Identity Policy–based Authorization.
- Click OK.
- Create a user or user group, and authorize the user or user group.
- On the User Groups page, click Create User Group, or on the Users page, click Create User.
- Configure parameters for the user group or user.
- In the row containing the user group or user, click Authorize in the Operation column.
- Select the custom identity policy created in the previous step and click Next.
- Click OK. If the identity policy is attached to a user group instead of a user, you need to add the user to the user group. For details about all operations, see Creating an IAM User, Assigning Permissions to an IAM User, Creating a User Group and Assigning Permissions, and Adding Users to or Removing Users from a User Group.
- Switch the role to the delegating account as the IAM user and manage trust agency resources under that account.
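The following is an added example, not code from the original page or from Huawei Cloud: it builds the version 5.0 identity policy from step 1 for a given agency URN (or, with no Resource element, for all agencies) and includes a simplified checker for reviewing which agencies a policy lets a user assume. The account ID and agency name are constructed placeholders, and the checker's matching rules (omitted Resource matches everything, wildcard matching, Deny overriding Allow) are an assumption for illustration, not the real IAM evaluator.

```python
import fnmatch
import json

# Constructed placeholder values; use the real account ID and agency name
# obtained from the delegating party.
ACCOUNT_ID = "0123456789abcdef"
AGENCY_NAME = "ops-agency"

ASSUME_ACTION = "sts:agencies:assume"


def agency_urn(account_id, agency_name):
    """Build the trust agency URN in the form shown on the page."""
    return f"iam::{account_id}:agency:{agency_name}"


def build_assume_policy(urns=None):
    """Return a version 5.0 identity policy allowing sts:agencies:assume.

    With urns=None the Resource element is omitted, which the page describes
    as granting the permission for all trust agencies (no fine-grained scope).
    """
    statement = {"Effect": "Allow", "Action": [ASSUME_ACTION]}
    if urns:
        statement["Resource"] = list(urns)
    return {"Version": "5.0", "Statement": [statement]}


def policy_json(policy):
    """Serialize the policy as the JSON pasted into the Policy Content area."""
    return json.dumps(policy, indent=2)


def allowed_agencies(policy, candidate_urns):
    """Simplified review check (an assumption, not IAM's real evaluator):
    which of the candidate agency URNs does this policy let a user assume?
    A statement without a Resource element matches every agency, Resource
    entries are matched with fnmatch wildcards, and Deny overrides Allow."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if not any(fnmatch.fnmatch(ASSUME_ACTION, a) for a in stmt.get("Action", [])):
            continue
        resources = stmt.get("Resource")
        for urn in candidate_urns:
            if resources is not None and not any(fnmatch.fnmatch(urn, r) for r in resources):
                continue
            (allowed if stmt.get("Effect") == "Allow" else denied).add(urn)
    return sorted(allowed - denied)
```

Run allowed_agencies over a policy before attaching it to confirm it scopes the user to exactly the delegating accounts you intend.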
Follow-Up Operations
The delegated account or the authorized IAM users can switch their roles to the delegating account to view and use its resources.