Updated on 2025-06-19 GMT+08:00

Delegating Permissions Across Accounts with Agencies

Company A and company B have created account A and account B, respectively. If account A wants to authorize account B to manage its resources, account A can create an agency in IAM to establish a trust relationship between the two accounts.

Requirements

  • Account A has purchased different types of resources on Huawei Cloud. Account A wants to authorize account B to manage its VPC resources in the CN-Hong Kong region.
  • Account B can authorize one or more employees (IAM users) of company B to manage account A's resources.
  • Account A can modify or cancel the authorization provided to account B at any time.

Solution

  • Account A creates an agency on the IAM console to authorize account B to manage its resources.
  • Account B assigns permissions to its IAM users to manage account A's resources specified in the agency.
  • Account A can modify or delete the agency at any time. Deleting the agency will automatically cancel the permissions assigned to account B and its IAM users for managing account A's resources.
Figure 1 Cross-account authorization model

Delegating Permissions to Another Account (by a Delegating Party)

Account A performs the following procedure to delegate account B to manage its VPC resources in the CN-Hong Kong region.

  1. Log in to Huawei Cloud using account A. On the IAM console, choose Agencies in the navigation pane.
  2. Click Create Agency, and enter an agency name, for example, VPC Resources O&M.
  3. Select the Account agency type, and enter the delegated account name, for example, B-Company.
  4. Set Validity Period to Unlimited.

    Figure 2 Creating an agency

  5. Click OK.
  6. In the displayed dialog box, click Authorize.
  7. Select VPC FullAccess and click Next.
  8. Specify the permission scope as Region-specific projects and select CN-Hong Kong.
  9. Click OK.

    The agency is displayed in the agency list.

    Account A can modify the delegated account, permissions, or validity period of the agency as service requirements change.

Switching the Role (By a Delegated Party)

After the agency is created, account B can switch roles to account A to manage account A's resources. To do this, account B needs to have obtained account A's account name and the agency name.

  1. Log in to the Huawei Cloud management console using account B.
  2. Click the username in the upper right corner, and choose Switch Role.

    Figure 3 Switching roles

  3. Enter the account name of the delegating party. The agency created by the delegating party is displayed automatically.

    Figure 4 Switching roles

  4. Click OK. Account B switches to account A to manage the VPC resources in the CN-Hong Kong region under account A.

Assigning Agency Permissions (by a Delegated Party)

Account B assigns agency permissions to an IAM user for fine-grained authorization. After the agency permissions are assigned, IAM users in account B can switch to account A to manage the resources authorized by the delegating party.

To do this, account B needs to have obtained the account name, agency name, and agency ID of the delegating party.

  1. Create a user group and assign permissions to it.

    1. In the navigation pane, choose User Groups.
    2. On the User Groups page, click Create User Group.
    3. Enter the user group name, for example, Agency Management.
    4. Click OK.

      The user group is displayed in the user group list.

    5. In the row containing the target user group, click Authorize in the Operation column.
      • To authorize a user to manage only a specific agency, perform the following substeps.
      • To authorize a user to manage all agencies, skip the substeps and go to the next step.
      1. In the Select Policy/Role step, click Create Policy in the upper right.
      2. Enter a policy name, for example, Agency 1 for Managing Company A.
      3. Select JSON for Policy View.
      4. In the Policy Content area, enter the following content:
        {
            "Version": "1.1",
            "Statement": [
                {
                    "Action": [
                        "iam:agencies:assume"
                    ],
                    "Resource": {
                        "uri": [
                            "/iam/agencies/b36b1258b5dc41a4aa8255508xxx..."
                        ]
                    },
                    "Effect": "Allow"
                }
            ]
        }

        Replace b36b1258b5dc41a4aa8255508xxx... with the agency ID obtained from the delegating party. Do not make any other changes.

      5. Click Next.
    6. Select the custom policy Agency 1 for Managing Company A created in the previous step, or the Agent Operator role.
      • The custom policy only allows the user to assume the agency with the specific agency ID.
      • The Agent Operator role allows the user to manage the resources of all agencies.
    7. Specify the authorization scope.
    8. Click OK.

  2. Create a user and add the user to the user group.

    1. In the navigation pane, choose Users.
    2. On the Users page, click Create User.
    3. On the Create User page, enter a username and email address.
    4. For Access Type, select Management console access.
    5. For Credential Type, select Set by user.
    6. Enable login protection, select a verification mode, and click Next.
    7. Select the user group Agency Management created in step 1 and click Create.

  3. Switch the role.

    1. Log in to Huawei Cloud as the IAM user created in step 2. For more information, see Logging In as an IAM User.
    2. Click the username in the upper right corner and choose Switch Role.
      Figure 5 Switching roles
    3. Enter the account name of the delegating party. The agency created by the delegating party is displayed automatically.

      If an agency that was not created by the delegating party is displayed, a message indicates that you do not have access permissions. In this case, delete the agency name and select the correct agency from the Agency Name drop-down list box.

    4. Click OK to switch to the delegating account. The IAM user then can manage resources of account A based on the assigned agency permissions.
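The custom policy entered in the Policy Content step above is the only place where account B can narrow an IAM user to a single agency instead of all of them. The following added Python example (not part of the Huawei Cloud documentation) builds that policy for a given agency ID and audits an existing policy for anything broader than "assume exactly one agency"; the agency ID value and the 32-character hexadecimal ID format are constructed assumptions, so substitute the real agency ID obtained from the delegating party.

```python
import json
import re

# Constructed placeholder; the real agency ID comes from the delegating party (account A).
EXAMPLE_AGENCY_ID = "0123456789abcdef0123456789abcdef"
# Assumption: agency IDs are 32 lowercase hex characters; adjust if your IDs differ.
AGENCY_ID_RE = re.compile(r"[0-9a-f]{32}")
ASSUME_ACTION = "iam:agencies:assume"


def build_assume_agency_policy(agency_id: str) -> dict:
    """Return the page's custom policy, scoped to exactly one agency ID."""
    if not AGENCY_ID_RE.fullmatch(agency_id):
        raise ValueError(f"agency ID does not look valid: {agency_id!r}")
    return {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [ASSUME_ACTION],
                "Resource": {"uri": [f"/iam/agencies/{agency_id}"]},
                "Effect": "Allow",
            }
        ],
    }


def audit_assume_policy(policy: dict, expected_agency_id: str) -> list:
    """Return findings that make the policy broader than assuming one specific agency."""
    findings = []
    if policy.get("Version") != "1.1":
        findings.append("Version is not 1.1")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect is not Allow")
        extra = [a for a in stmt.get("Action", []) if a != ASSUME_ACTION]
        if extra:
            findings.append(f"statement {i}: extra actions {extra}")
        uris = stmt.get("Resource", {}).get("uri", [])
        if not uris:
            findings.append(f"statement {i}: no Resource uri, so not scoped to one agency")
        for uri in uris:
            if "*" in uri or uri.rstrip("/") == "/iam/agencies":
                findings.append(f"statement {i}: uri {uri!r} covers all agencies")
            elif uri != f"/iam/agencies/{expected_agency_id}":
                findings.append(f"statement {i}: uri {uri!r} is not the expected agency")
    return findings


if __name__ == "__main__":
    policy = build_assume_agency_policy(EXAMPLE_AGENCY_ID)
    print(json.dumps(policy, indent=4))
    print("findings:", audit_assume_policy(policy, EXAMPLE_AGENCY_ID))
```

Running the audit against a policy whose uri list contains a wildcard, or whose Action list includes anything beyond iam:agencies:assume, reports each widening as a separate finding, which is what distinguishes this policy from the all-agencies Agent Operator role.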