Identity and Access Management (Class II Node)

Delegating Other Cloud Services to Manage Resources

2025-11-03 09:18:44

Due to operational interdependencies between various cloud services, certain services require collaboration with others. To facilitate this, you need to create a cloud service delegation, authorizing the service to act on your behalf. This enables the service to access other cloud services using your permissions and perform specific resource management tasks for you.

The IAM service currently supports two delegation creation modes:

1. Create a cloud service delegation on the IAM Console.

   a. Taking OBS as an example: Delegate operational permissions to OBS, allowing it to access other services (e.g., querying monitoring data from AOM) on your behalf.

2. When using a resource in the cloud service console, the system may prompt you to automatically create a delegation to enable cross-service collaboration.

   a. Taking the creation of an SFS delegation for Scalable File Service (SFS) as an example:

      i. Create a file system on the SFS Console.

      ii. On the Create File System page, enable Static Data Encryption.

      iii. A pop-up window will prompt you to confirm the creation of an SFS delegation. Click Confirm, and the system automatically creates an SFS delegation in the current project and grants the KMS CMKFullAccess permission. Once authorized, SFS can obtain KMS keys for encrypting or decrypting the file system.

      iv. You can view the created delegation in the Delegation List on the IAM Console.

Creating a Cloud Service Delegation on the IAM Console

Step 1: Log in to the IAM Console.

Step 2: In the left navigation pane of IAM, click Delegate.

Step 3: On the Delegation List page, click Create Delegation in the upper-right corner.

Step 4: On the Create Delegation page, configure the Delegation Name.

Step 5: Select Cloud Service as the Delegation Type, then choose the target cloud service under Cloud Service.

Step 6: Select the Duration.

Step 7: (Optional) Enter a Description. It is recommended to provide details.

Step 8: Click Next to proceed to the Delegated authorization page.

Step 9: Check the permissions to be granted to the delegation, click Next, then define the permission scope to complete authorization.

Step 10: Click Confirm to finish creating the delegation.
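
Once delegations exist, whether created through the steps above or automatically by a service console, the Delegation List is worth reviewing against least privilege. The following is an added example, not code from this documentation or the IAM service: it checks delegation records for broad permissions, missing expiry, and missing descriptions. The record layout, the encoding of Duration as days, and the sample values are assumptions that mirror the Create Delegation form fields.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Delegation:
    # Hypothetical record layout mirroring the Create Delegation form fields.
    name: str
    delegation_type: str             # "Cloud Service" (Step 5)
    cloud_service: str               # e.g. "SFS", "OBS"
    duration_days: Optional[int]     # None = no expiry (assumed encoding)
    description: str = ""
    permissions: list = field(default_factory=list)


def review(d: Delegation) -> list:
    """Return least-privilege findings for one cloud service delegation."""
    if d.delegation_type != "Cloud Service":
        return []
    findings = []
    for perm in d.permissions:
        # Heuristic (assumption): a name ending in FullAccess means full control.
        if perm.replace(" ", "").lower().endswith("fullaccess"):
            findings.append(f"broad permission: {perm}")
    if d.duration_days is None:
        findings.append("no expiry set")
    if not d.description.strip():
        findings.append("no description recording why the service needs access")
    return findings


def audit(delegations) -> dict:
    """Map delegation name -> findings, omitting clean delegations."""
    report = {d.name: review(d) for d in delegations}
    return {name: f for name, f in report.items() if f}


# Constructed sample inventory: names, durations and the AOM permission are made up.
SAMPLE = [
    Delegation("sfs_auto_delegation", "Cloud Service", "SFS", None, "",
               ["KMS CMKFullAccess"]),
    Delegation("obs_monitoring", "Cloud Service", "OBS", 1,
               "OBS reads monitoring data from AOM", ["AOM ReadOnly"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```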

