Portfolio MGT.
Use Case:
You have a Service Catalog portfolio. You need to make it visible to end users, add products and create launch roles for products.
Pre-requisites:
DO NOT use your ROOT user
Create a user called labadmin, give it an an Administrator policy (optional if you have a user with an admin policy)
Login to your AWS Account using the labadmin user (or an admin user)
Use the US East (N. Virginia) region
Select and edit a Service Catalog portfolio.
Optional:
- Review the create portfolio template
- Review the EC2 compute template
Service Catalog security overview
Types of security needed
| Order | Purpose | Who/Principle | Permission |
|---|---|---|---|
| 1 | Create CloudFormation templates and test them (EC2,RDS,ECS,EKS,S3,ect), Create Service Catalog Launch Roles | Admin role | Administrator |
| 2 | Create Service Catalog products from CloudFormation templates, manage portfolios, use Launch Roles | Service Catalog Administrator | arn:aws:iam::aws:policy/AWSServiceCatalogAdminFullAccess |
| 3 | Deploy and manage Service Catalog products on behalf of an end-user (EC2,RDS,ECS,EKS,S3,ect) | Launch Roles used by Service Catalog Service | per product:create,update,list,delete |
| 4 | Launch Service Catalog products | End users (IAM or SAML) | arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess |
Manage portfolios
Login with an admin role
Right click Return to Service Catalog
Choose Portfolio list from the menu on the left.
Choose a portfolio (selet the one you created before)
Review the option in the tab
- Products - to manage products in the portfolio
- Constraints - to manage launch product launch roles and other constraints
- Groups,roles, and users - tom manage which users has access to the portfolio
- Share - to share the portfolio
Add a S3 Storage bucket product
Create a S3 CloudFormation template or use this sample Right click and copy link
Choose the Products tab
Choose the Upload new product button
Fill in parameters
- Product name [mys3product]
- Description
- Owner [IT Group]
- Distributor [IT group]
Choose Use a CloudFormation template
Past template in Use a CloudFormation template text box
Version title [v1]
Guidance [default]
Description [default]
Support details .. [defaults]
Choose Review button
On the Product details page choose Create product
You now have an S3 storage bucket product.
Add an execution role to the S3 product
Note
Execution roles with permissions can be added to products, they will be invisible to users. This way users don’t need permissions to create or modify cloud resources. Users only need permission to view Service Catalog products.
Steps
Create a s3_launch role using the AWS IAM console or get one from your in house AWS security Administrator.
Right click Return to Service Catalog
Choose Portfolio list from the menu on the left.
Choose a portfolio (selet the one you created before)
Choose the Constraints tab
Fill in parameters
- Product name [mys3product]
- Constraint type [Launch]
- Method [Select IAM role]
- IAM role [Select the role you creted or was give to you]
- Description []
Choose Create button
The S3 product can now be launched using the new exectution role.
Cleanup process
To avoid incurring cost, please delete resources that are not needed. You can terminate the Service Catalog product deployed the by selecting Action then Terminate.
End of Lab Exercises
Thank you for using this lab.