Delegating Resource Access to Another Account
The agency function lets you delegate operations and maintenance (O&M) of your resources to another account, which can act only within the permissions you assign.
Note
You can delegate resource access only to accounts. The accounts can then delegate access to IAM users under them.
The following is the procedure for delegating resource access to another account. Account A is the delegating party and account B is the delegated party.
1. Account A creates an agency in IAM to delegate resource access to account B.
2. (Optional) Account B assigns permissions to an IAM user to manage specific resources for account A.
   a. Create a user group, and grant it permissions required to manage account A's resources.
   b. Create a user and add the user to the user group.
3. Account B or the authorized user manages account A's resources.
   a. Use account B to log in and switch the role to account A.
   b. Switch to region A and manage account A's resources in this region.