Delegating Resource Access to Another Account

The agency function lets you delegate O&M on your resources to another account, based on the permissions you assign.

Note

You can delegate resource access only to accounts. The accounts can then delegate access to IAM users under them.

The following is the procedure for delegating access to resources in one account to another account. Account A is the delegating party and account B is the delegated party.

  1. Account A creates an agency in IAM to delegate resource access to account B.

    **Figure 1** (Account A) Creating an agency


  2. (Optional) Account B assigns permissions to an IAM user to manage specific resources for account A.

    1. Create a user group, and grant it permissions required to manage account A's resources.

    2. Create a user and add the user to the user group.

    **Figure 2** (Account B) Authorizing an IAM user to manage delegated resources


  3. Account B or the authorized user manages account A's resources.

    1. Log in to account B and switch the role to account A.

    2. Switch to region A and manage account A's resources in this region.

    **Figure 3** (Account B) Switching the role

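The delegation chain in steps 1 to 3, modelled as an added Python example for access review (not code from this documentation and not an IAM API): it answers which principals in account B can act on account A's resources, and with which permissions. The class names, field names and sample values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Agency:                      # hypothetical model, not an IAM API object
    name: str
    owner: str                     # delegating account (account A)
    trusted_account: str           # delegated account (account B); never an IAM user
    permissions: frozenset         # what account A assigned to the agency

@dataclass
class Account:                     # hypothetical model of the delegated account
    name: str
    # user group -> set of (owner account, agency name) the group may switch to
    group_grants: dict = field(default_factory=dict)
    # IAM user -> set of user groups the user belongs to
    user_groups: dict = field(default_factory=dict)

def can_switch(agency, account, user=None):
    """True if the account itself (user=None) or one of its IAM users may use the agency."""
    if account.name != agency.trusted_account:
        return False               # step 1: the agency trusts exactly one account
    if user is None:
        return True                # the delegated account itself (step 2 is optional)
    key = (agency.owner, agency.name)
    return any(key in account.group_grants.get(group, set())
               for group in account.user_groups.get(user, set()))  # step 2

def effective_permissions(agency, account, user=None):
    """Permissions on account A's resources after switching the role (step 3)."""
    return agency.permissions if can_switch(agency, account, user) else frozenset()

def audit(agencies, account):
    """Map each principal in `account` to the agencies it can use."""
    principals = [None, *sorted(account.user_groups)]
    return {p or account.name: sorted(a.name for a in agencies if can_switch(a, account, p))
            for p in principals}

# Constructed sample data: account A delegates read-only server access to account B.
AGENCY = Agency("ops-agency", "account-A", "account-B", frozenset({"read-servers"}))
ACCOUNT_B = Account(
    "account-B",
    group_grants={"a-operators": {("account-A", "ops-agency")}},
    user_groups={"alice": {"a-operators"}, "bob": {"developers"}},
)
ACCOUNT_C = Account("account-C")   # not named in the agency, so it gets nothing

if __name__ == "__main__":
    print(audit([AGENCY], ACCOUNT_B))
```

Whatever account B grants its own users, their access to account A's resources never exceeds the permissions account A assigned to the agency.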