Use Case:
You have a Service Catalog portfolio. You need to make it visible to end users, add products and create launch roles for products.
DO NOT use your ROOT user
Create a user called labadmin and give it an Administrator policy (optional if you already have a user with an admin policy)
Login to your AWS Account using the labadmin user (or an admin user)
Use the US East (N. Virginia) region
Select and edit a Service Catalog portfolio.
Optional:
Types of security needed
Order | Purpose | Who/Principal | Permission |
---|---|---|---|
1 | Create CloudFormation templates and test them (EC2, RDS, ECS, EKS, S3, etc.); create Service Catalog launch roles | Admin role | Administrator |
2 | Create Service Catalog products from CloudFormation templates, manage portfolios, use launch roles | Service Catalog administrator | arn:aws:iam::aws:policy/AWSServiceCatalogAdminFullAccess |
3 | Deploy and manage Service Catalog products on behalf of an end user (EC2, RDS, ECS, EKS, S3, etc.) | Launch roles assumed by the Service Catalog service | Per product: create, update, list, delete |
4 | Launch Service Catalog products | End users (IAM or SAML) | arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess |
Login with an admin role
Return to the Service Catalog console
Choose Portfolio list from the menu on the left.
Choose a portfolio (select the one you created before)
Review the options on each tab
Create an S3 CloudFormation template, or use the lab's sample template (right click and copy its link)
Choose the Products tab
Choose the Upload new product button
Fill in parameters
Choose Use a CloudFormation template
Paste the template into the Use a CloudFormation template text box
Version title [v1]
Guidance [default]
Description [default]
Support details .. [defaults]
Choose Review button
On the Product details page choose Create product
You now have an S3 storage bucket product.
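The lab does not reproduce its sample template inline, so here is an added example of an S3 bucket product template (my own, not the lab's linked sample) that a practitioner can paste into the Use a CloudFormation template box. It sets the defaults a security reviewer expects from a catalog product: all public access blocked, default encryption, versioning, and a bucket policy that denies unencrypted (non-TLS) transport. The parameter name BucketNameSuffix, the logical resource names and the account-id-prefixed naming scheme are my assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Service Catalog product - private S3 bucket (added lab example, not the lab's own sample)

Parameters:
  BucketNameSuffix:
    Type: String
    Description: Suffix appended to the account id to form a globally unique bucket name
    AllowedPattern: '^[a-z0-9-]{3,40}$'

Resources:
  ProductBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Delete   # lab setting so cleanup removes the bucket; use Retain for real data
    Properties:
      BucketName: !Sub '${AWS::AccountId}-${BucketNameSuffix}'
      # No public ACLs or public bucket policies, regardless of what a user later tries to set
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Objects are encrypted at rest by default
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Versioning protects against accidental overwrite and deletion
      VersioningConfiguration:
        Status: Enabled

  ProductBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ProductBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Reject any request that is not made over TLS
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
              - !GetAtt ProductBucket.Arn
              - !Sub '${ProductBucket.Arn}/*'
            Condition:
              Bool:
                'aws:SecureTransport': 'false'

Outputs:
  BucketName:
    Value: !Ref ProductBucket
  BucketArn:
    Value: !GetAtt ProductBucket.Arn
```

When this template is the product, the launch role only needs rights over buckets matching the `${AWS::AccountId}-*` name pattern, which is what lets the role's permission policy stay narrow instead of granting `s3:*` on every bucket in the account.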
Note
Execution (launch) roles with permissions can be attached to products; they are invisible to users. This way users do not need permissions to create or modify cloud resources themselves. Users only need permission to view Service Catalog products.
Steps
Create a s3_launch role using the AWS IAM console or get one from your in house AWS security Administrator.
Return to the Service Catalog console
Choose Portfolio list from the menu on the left.
Choose a portfolio (select the one you created before)
Choose the Constraints tab
Fill in the parameters: choose the S3 product and the s3_launch role you created
Choose the Create button
The S3 product can now be launched using the new execution role.
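For the s3_launch role the lab tells you to create in the IAM console, here is an added example (my own, not the lab's or AWS's code) of the same role as a CloudFormation template, so the trust relationship and the permission boundary are reviewable in one place. The trust policy lets only the Service Catalog service (servicecatalog.amazonaws.com) assume the role. The CloudFormation and servicecatalog actions in the first statement are the ones AWS's Service Catalog documentation lists for a launch role; the S3 statement is where least privilege is enforced and is scoped to an account-id-prefixed bucket name pattern, which is an assumption that must match whatever your product template actually creates. The policy name s3-product-launch and the logical resource names are mine.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Launch role for the lab's S3 product (added example, not part of the lab)

Resources:
  S3LaunchRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: s3_launch
      # Trust policy: only the Service Catalog service may assume this role.
      # End users never see or assume it directly.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: servicecatalog.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: s3-product-launch
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Service Catalog drives CloudFormation with this role; these are the
              # actions AWS documents for a launch role.
              - Sid: CloudFormationForServiceCatalog
                Effect: Allow
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStackEvents
                  - cloudformation:DescribeStacks
                  - cloudformation:GetTemplateSummary
                  - cloudformation:SetStackPolicy
                  - cloudformation:ValidateTemplate
                  - cloudformation:UpdateStack
                  - servicecatalog:*
                Resource: '*'
              # Service Catalog stores the product template in S3; the role reads it from there.
              - Sid: ReadProductTemplate
                Effect: Allow
                Action: s3:GetObject
                Resource: '*'
              # The "per product: create, update, list, delete" permission from the table,
              # limited to buckets whose names start with this account's id (assumed naming scheme).
              - Sid: ManageProductBuckets
                Effect: Allow
                Action:
                  - s3:CreateBucket
                  - s3:DeleteBucket
                  - s3:ListBucket
                  - s3:GetBucket*
                  - s3:PutBucketVersioning
                  - s3:PutEncryptionConfiguration
                  - s3:PutBucketPublicAccessBlock
                  - s3:PutBucketPolicy
                  - s3:DeleteBucketPolicy
                  - s3:PutBucketTagging
                Resource: !Sub 'arn:aws:s3:::${AWS::AccountId}-*'

Outputs:
  LaunchRoleArn:
    Value: !GetAtt S3LaunchRole.Arn
```

Deploy it with the admin role from the table (for example `aws cloudformation deploy --template-file launch-role.yaml --stack-name s3-launch-role --capabilities CAPABILITY_NAMED_IAM`; the capability is required because the template fixes the role name), then select s3_launch on the Constraints tab. Two things to check before attaching it: that the trust policy names only servicecatalog.amazonaws.com, and that the resource-management statement grants no action the product template does not need, since everything this role can do is reachable by every end user who can launch the product.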
Cleanup process
To avoid incurring cost, please delete resources that are not needed. You can terminate the deployed Service Catalog product by selecting Action, then Terminate.
End of Lab Exercises
Thank you for using this lab.