Creating an Agency (by a Delegating Party)

By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources. You do not need to share your security credentials (the password or access keys) with the delegated party. Instead, the delegated party can log in with its own account credentials and then switches the role to your account and manage your resources.

Prerequisites

Before creating an agency, complete the following operations:

Procedure

  1. Log in to the IAM console.

  2. On the IAM console, choose Agencies from the left navigation pane, and click Create Agency in the upper right corner.

    **Figure 1** Creating an agency

    Figure 1 Creating an agency

  3. Enter an agency name.

    **Figure 2** Setting the agency name

    Figure 2 Setting the agency name

  4. Specify the agency type as Account, and enter the name of a delegated account.

    Note

    • Account: Share resources with another account or delegate an individual or team to manage your resources. The delegated account can only be an account, rather than an IAM user or a federated user.

    • Cloud service: Delegate a specific service to access other services. For more information, see Cloud Service Agency.

  5. Set the validity period and enter a description for the agency.

  6. Click Next.

  7. Select the policies or roles to be attached to the agency, click Next, and select the authorization scope.

    Note

    • Assigning permissions to an agency is similar to assigning permissions to a user group. The two operations differ only in the number of available permissions. For details about how to assign permissions to a user group, see Assigning Permissions to an IAM User.

    • Agencies cannot be assigned the Security Administrator role. For account security purposes, only grant the required permissions to the agency based on the principle of least privilege (PoLP).

  8. Click OK.

    Note

    After creating an agency, provide your domain name, agency name, agency ID, and agency permissions to the delegated party. The delegated party can then switch the role to your account and manage specific resources based on the assigned permissions.