Sharing

Introduction

Service Catalog enables you to share Portfolios with other accounts, AWS Organizations Organizational Units (OU) or whole AWS Organizations.

In this lab you will set up a Portfolio, share it with either another account or your whole AWS Organization, and use it in those target accounts.

Pre-requisites:

  1. You will require an AWS account and either access to another standalone account or one that is part of the same AWS Organization. We will refer to the 1st account as the “Sharer” and the 2nd account as the “Target”.

  2. Optionally, have a Portfolio containing at least one Product set up in the Sharer account. Otherwise, we will create it as part of the lab.

Step 1: Create a Portfolio to Share

Note: you can skip this step if you have already set up a Portfolio with one or more Products.

  • Launch the demo Stack. This template will create:
    • An EC2 Product
    • A Portfolio
    • An Admin Role
    • An End-User Role
    • Associate the Product with the Portfolio
    • Important: take note of the Region where you are creating the resources!
  • On the Create stack page, choose Next
  • On the Stack Details page, keep the default values and then choose Next
  • On the Stack Options page choose Next
  • On the Review page, select the check box for I acknowledge that AWS CloudFormation might create IAM resources with custom names and click Create stack
  • Wait for the status to change to CREATE_COMPLETE
  • Select the Stack named SCSharingLab
  • Select the Outputs tab
  • Click the link provided in ServiceCatalog

Now, we are going to share this Portfolio and contained Product with another account.

Step 2: Share the Portfolio

  • In the Service Catalog Console, choose the Demo Portfolio (if you specified a different name in the previous step, choose the name you provided)
    • Important: take note of the Portfolio Id, a string in the following format: port-abcdefghij123
  • Select the Share tab
  • Click Share with new Account
  • You can now either:
    • Share with a specific AWS Account
    • Share with an AWS Organizations Organization or Organizational Unit

Step 3: Access the Target account

  • Log in to either the AWS Account you shared with (Target), or an account that is part of the Organization or Organizational Unit you shared with in the previous step
  • Navigate to the Service Catalog Console
  • Select the Imported tab
    • If you have shared using an AWS Organizational Unit or whole Organization, the shared Portfolio should appear on the list
    • If you have shared with a specific AWS Account, click the Actions button and select Import portfolio
    • On the dialog box, specify the Portfolio Id you noted in the previous step

You have now successfully shared the Portfolio with another account!
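
To confirm from the Sharer account exactly which principals the Portfolio from Step 2 is now shared with, the following added example (not part of the original lab) pages through the Service Catalog DescribePortfolioShares API for each share type and flags any principal that is not on an approved list. The function names, the FakeServiceCatalog stand-in and the account and OU ids are constructed for illustration; pass boto3.client("servicecatalog") as sc to run it against a real account.

```python
# Audit who a Service Catalog Portfolio is shared with (run in the Sharer account).
SHARE_TYPES = ("ACCOUNT", "ORGANIZATION", "ORGANIZATIONAL_UNIT",
               "ORGANIZATION_MEMBER_ACCOUNT")

def list_shares(sc, portfolio_id):
    """Return every share on the portfolio as (type, principal_id, accepted)."""
    shares = []
    for share_type in SHARE_TYPES:
        kwargs = {"PortfolioId": portfolio_id, "Type": share_type}
        while True:  # follow NextPageToken until the last page
            page = sc.describe_portfolio_shares(**kwargs)
            for d in page.get("PortfolioShareDetails", []):
                shares.append((d["Type"], d["PrincipalId"], d.get("Accepted", False)))
            token = page.get("NextPageToken")
            if not token:
                break
            kwargs["PageToken"] = token
    return shares

def unexpected_shares(shares, allowed_principals):
    """Shares whose principal (account, OU or organization id) is not approved."""
    return [s for s in shares if s[1] not in allowed_principals]

class FakeServiceCatalog:
    """Constructed stand-in for boto3.client("servicecatalog"), for offline runs."""
    PAGES = {  # constructed sample data: two pages of ACCOUNT shares, one OU share
        ("ACCOUNT", None): (["111111111111"], "p2"),
        ("ACCOUNT", "p2"): (["999999999999"], None),
        ("ORGANIZATIONAL_UNIT", None): (["ou-abcd-11111111"], None),
    }

    def describe_portfolio_shares(self, PortfolioId, Type, PageToken=None):
        ids, token = self.PAGES.get((Type, PageToken), ([], None))
        page = {"PortfolioShareDetails":
                [{"Type": Type, "PrincipalId": i, "Accepted": True} for i in ids]}
        if token:
            page["NextPageToken"] = token
        return page

def demo():
    """Audit the constructed shares against an approved account and OU."""
    shares = list_shares(FakeServiceCatalog(), "port-abcdefghij123")
    return unexpected_shares(shares, {"111111111111", "ou-abcd-11111111"})

if __name__ == "__main__":
    for share_type, principal, accepted in demo():
        print(f"UNEXPECTED {share_type} share to {principal} (accepted={accepted})")
```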

Step 4: Optionally, grant access

As the administrator of the Target account, you can now grant IAM Users, Groups or Roles access to this Imported Portfolio and the Products contained within it.

  • Click the Portfolio name in the Imported tab
  • Select the Groups, roles and users tab
  • Click the Add groups, roles, users button
  • Select one or more IAM entities to grant them access

Summary

In this lab we set up a centrally managed Portfolio with a Product in it and shared it with another account (or multiple accounts), demonstrating how you can centrally manage Products while enabling users across your AWS estate to consume them.

Congratulations, you’ve successfully completed the lab!