Granting IAM Users Permissions to Pass an Agency to a Cloud Service
For some cloud services, you must configure an agency to allow the cloud service to assume the agency and perform operations on your behalf. This is called passing an agency to the cloud service.
In this section, "agency" refers to both agencies and trust agencies. Both can be passed to cloud services, but which type a given cloud service accepts depends on that service's implementation. For example, ECS supports only agencies.
For most cloud services, you pass an agency only once, during the configuration phase, rather than specifying an agency each time you switch agencies. For example, suppose your application runs on an ECS instance on Huawei Cloud and needs temporary security credentials with specific permissions to access cloud resources. After deploying the application, you pass an IAM agency to the ECS service, and that agency provides temporary credentials to the application. You attach the required identity policy to the agency, which grants the permissions your application needs to access cloud resources. Your application can then use the agency credentials to access Huawei Cloud whenever required.
If an IAM principal (an IAM user or agency) under your account needs to pass an agency to a cloud service, the principal must hold the required permission, which means you control who can pass agencies. To allow an IAM principal to pass an agency to a cloud service, grant the iam:agencies:pass permission to that principal.
Additionally, ensure that the permissions of the agency being passed do not exceed the permissions of the IAM principal passing it. For example, suppose a user has no permission to operate on any OBS bucket but can pass an IAM agency that has full bucket permissions to a cloud service. After the user passes the agency, the cloud service can operate on any bucket on the user's behalf, so the user has effectively obtained permissions that were never granted to them directly.
Generally, when an IAM principal calls a cloud service API, the principal passes the agency URN as a request parameter, and the cloud service checks whether the principal has the iam:agencies:pass permission. To restrict an IAM principal to passing only specific agencies, use the "Resource" element in the IAM policy to list the agency URNs the principal may pass.
Example Identity Policy
The following example grants an IAM user permissions to pass an agency to an application running on an ECS:
1. Create a custom identity policy that grants only the minimum permissions the ECS service needs when it assumes the agency. This policy will be attached to the agency.
    {
      "Version": "5.0",
      "Statement": [{
        "Effect": "Allow",
        "Action": [ "A list of the permissions the agency is allowed to use" ],
        "Resource": [ "A list of the resources the agency is allowed to use" ]
      }]
    }
2. Create an agency to be assumed by the ECS service, and attach the identity policy created in step 1 to it.
3. Create an identity policy that allows obtaining and passing the agency to the ECS service, and attach it to the IAM user. In the following example, the "Resource" element specifies the agency URN; replace it with the URN of the agency created in step 2.
    {
      "Version": "5.0",
      "Statement": [{
        "Effect": "Allow",
        "Action": [ "iam:agencies:get*", "iam:agencies:list*", "iam:agencies:pass" ],
        "Resource": [ "iam::{account_id}:agency:{agency_name}" ]
      }]
    }
With these configurations, the IAM user can pass the agency to the ECS service. Applications running on the ECS obtain the agency's temporary security credentials through the metadata API, and those credentials carry only the permissions configured in step 1.
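The following is an added example, not Huawei Cloud's own code, that models the two checks described above: whether a principal's identity policy allows iam:agencies:pass for a given agency URN (the value of scoping the "Resource" element), and whether an agency would grant the passing principal permissions it does not hold itself. The policy layout follows the page's JSON examples; the account ID, agency names, bucket action names and the Deny-overrides-Allow evaluation order are assumptions made for the example.

```python
"""Added example: evaluate an iam:agencies:pass check and audit for agencies
whose permissions exceed those of the principal passing them.
Not Huawei Cloud code; wildcard ('*') matching and Deny-over-Allow are assumptions."""
import fnmatch
from typing import Dict, List

ACCOUNT_ID = "0123456789ab"  # constructed sample account ID


def agency_urn(account_id: str, agency_name: str) -> str:
    """Build the agency URN in the form the page uses in the Resource element."""
    return f"iam::{account_id}:agency:{agency_name}"


def _matches(patterns: List[str], value: str) -> bool:
    """True if any policy pattern (with '*' wildcards) matches the value."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Deny by default; a matching Deny statement beats any matching Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if _matches(stmt.get("Action", []), action) and _matches(stmt.get("Resource", []), resource):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def can_pass(principal_policy: Dict, account_id: str, agency_name: str) -> bool:
    """The check a cloud service performs before accepting a passed agency."""
    return is_allowed(principal_policy, "iam:agencies:pass", agency_urn(account_id, agency_name))


def escalation_gap(principal_policy: Dict, agency_policy: Dict,
                   probe_actions: List[str], resource: str) -> List[str]:
    """Actions the agency may perform on `resource` that the passing principal may not.
    A non-empty result is the over-privileged-agency situation the page warns about."""
    return [a for a in probe_actions
            if is_allowed(agency_policy, a, resource)
            and not is_allowed(principal_policy, a, resource)]


# Step 3 policy from the page, scoped to a single agency.
SCOPED_USER_POLICY = {
    "Version": "5.0",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:agencies:get*", "iam:agencies:list*", "iam:agencies:pass"],
        "Resource": [agency_urn(ACCOUNT_ID, "app-agency")],
    }],
}

# The same policy with Resource "*": the user may pass any agency in the account.
UNSCOPED_USER_POLICY = {
    "Version": "5.0",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:agencies:pass"],
        "Resource": ["*"],
    }],
}

# Constructed agency policy with broad OBS bucket access (action names are illustrative).
BUCKET_AGENCY_POLICY = {
    "Version": "5.0",
    "Statement": [{"Effect": "Allow", "Action": ["obs:bucket:*"], "Resource": ["*"]}],
}

# Illustrative actions to probe; the user policy above grants none of them.
PROBE_ACTIONS = ["obs:bucket:ListBucket", "obs:bucket:DeleteBucket", "ecs:servers:list"]


def main() -> None:
    print("scoped user passes app-agency:   ", can_pass(SCOPED_USER_POLICY, ACCOUNT_ID, "app-agency"))
    print("scoped user passes admin-agency: ", can_pass(SCOPED_USER_POLICY, ACCOUNT_ID, "admin-agency"))
    print("unscoped user passes admin-agency:", can_pass(UNSCOPED_USER_POLICY, ACCOUNT_ID, "admin-agency"))
    print("agency actions the user lacks:   ",
          escalation_gap(SCOPED_USER_POLICY, BUCKET_AGENCY_POLICY, PROBE_ACTIONS, "bucket:payroll"))


if __name__ == "__main__":
    main()
```

The escalation_gap result is what to review before granting iam:agencies:pass: every action it lists is one the principal gains indirectly by passing the agency, which is exactly the case the page says to avoid.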
CTS Logs of Passing IAM Agencies to Cloud Services
Passing an agency is a permission rather than a standalone API request, so CTS does not generate separate audit logs for agency passing. To identify which agency was passed to which cloud service, check the API calls recorded in the CTS logs of every cloud service that accepts agencies. For example, if you specify an IAM agency ID or agency URN in the request parameters when creating an ECS, the audit log entry for the CreateServers operation will contain the record of the agency being passed.
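Since there is no dedicated "pass agency" event, the practical approach is to scan service audit records for request parameters that carry an agency. The following added example (not Huawei Cloud code) does that over constructed CTS-style records: the CreateServers operation name is from the page, but the record field names (service_type, trace_name, request, user) and the parameter keys inside the request body are assumptions about the log layout; adjust them to match real CTS exports.

```python
"""Added example: find audit records whose request parameters reference an agency.
Records are constructed; field names are assumptions about the CTS layout."""
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Matches the URN shape the page shows: iam::{account_id}:agency:{agency_name}
AGENCY_URN = re.compile(r"^iam::[0-9a-f]+:agency:[\w-]+$")

# Constructed sample records (not real CTS output).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"service_type": "ECS", "trace_name": "CreateServers", "user": {"name": "alice"},
     "request": json.dumps({"server": {
         "name": "web-1",
         "metadata": {"agency_name": "app-agency"},
         "agency_urn": "iam::0123456789ab:agency:app-agency"}})},
    {"service_type": "ECS", "trace_name": "DeleteServers", "user": {"name": "alice"},
     "request": json.dumps({"servers": [{"id": "srv-1"}]})},
    {"service_type": "ECS", "trace_name": "CreateServers", "user": {"name": "bob"},
     "request": "not json"},  # malformed body: must not crash the scan
]


def _walk(obj: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (json_path, value) for every scalar in a nested JSON object."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _walk(val, f"{path}[{i}]")
    else:
        yield path, obj


def agency_references(record: Dict[str, Any]) -> List[Tuple[str, Any]]:
    """Return (json_path, value) pairs in the request body that reference an agency.
    Heuristic: a key containing 'agency', or a string value shaped like an agency URN."""
    try:
        body = json.loads(record.get("request") or "{}")
    except json.JSONDecodeError:
        return []
    hits = []
    for path, value in _walk(body):
        key = path.rsplit(".", 1)[-1].lower()
        if "agency" in key or (isinstance(value, str) and AGENCY_URN.match(value)):
            hits.append((path, value))
    return hits


def find_agency_passes(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One row per agency reference: who passed which agency to which service call."""
    rows = []
    for rec in records:
        for path, value in agency_references(rec):
            rows.append({
                "service": rec.get("service_type"),
                "operation": rec.get("trace_name"),
                "user": rec.get("user", {}).get("name"),
                "path": path,
                "agency": value,
            })
    return rows


def main() -> None:
    for row in find_agency_passes(SAMPLE_RECORDS):
        print(f"{row['user']} passed {row['agency']} via {row['service']}.{row['operation']} ({row['path']})")


if __name__ == "__main__":
    main()
```

Run this over the CTS exports of every service that accepts agencies, not only ECS, since each service records the pass in its own operation's request parameters.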