Portfolio Sharing - AWS Service Catalog

Portfolio Sharing

To make your AWS Service Catalog products available to users who are not in your AWS account, such as users who belong to other organizations or to other AWS accounts in your organization, you share your portfolios with them. This can be done in several ways, including account-to-account sharing, organizational sharing, and deploying catalogs using stack sets.

Before you share your products and portfolios to other accounts, you must decide whether you want to share a reference of the catalog or to deploy a copy of the catalog into each recipient account. Note that if you deploy a copy, you must redeploy if there are updates you want to propagate to the recipient accounts. You can use stack sets to deploy your catalog to many accounts at the same time. If you want to share a reference (an imported version of your portfolio that stays in sync with the original), you can use account-to-account sharing or you can share using AWS Organizations.

If you want to use stack sets to deploy a copy of your catalog, see How to set up a multi-region, multi-account catalog of company standard AWS Service Catalog products.

When you share a portfolio using account-to-account sharing or AWS Organizations, you allow an AWS Service Catalog administrator of another AWS account to import your portfolio into his or her account and distribute the products to end users in that account. This imported portfolio isn't an independent copy. The products and constraints in the imported portfolio stay in sync with changes that you make to the shared portfolio, the original portfolio that you shared. The recipient administrator, the administrator with whom you share a portfolio, cannot change the products or constraints, but can add AWS Identity and Access Management (IAM) access for end users. For more information, see Granting Access to Users.

The recipient administrator can distribute the products to end users who belong to his or her AWS account in the following ways:

  • By adding IAM users, groups, and roles to the imported portfolio.

  • By adding products from the imported portfolio to a local portfolio, a separate portfolio that the recipient administrator creates and that belongs to his or her AWS account. The recipient administrator then adds IAM users, groups, and roles to the local portfolio. The constraints that you applied to the products in the shared portfolio are also present in the local portfolio. The recipient administrator can add additional constraints to the local portfolio, but cannot remove the imported constraints.

When you add products or constraints to the shared portfolio or remove products or constraints from it, the change propagates to all imported instances of the portfolio. For example, if you remove a product from the shared portfolio, that product is also removed from the imported portfolio. It is also removed from all local portfolios that the imported product was added to. If an end user launched a product before you removed it, the end user's provisioned product continues to run, but the product becomes unavailable for future launches.

If you apply a launch constraint to a product in a shared portfolio, it propagates to all imported instances of the product. To override this launch constraint, the recipient administrator adds the product to a local portfolio and then applies a different launch constraint to it. The launch constraint that is in effect sets a launch role for the product. A launch role is an IAM role that AWS Service Catalog uses to provision AWS resources (such as EC2 instances or RDS databases) when an end user launches the product. As an administrator, you can designate the launch role either by a specific role ARN or by a local role name. If you use the role ARN, that role is used even if the end user belongs to a different AWS account than the one that owns the launch role. If you use a local role name, the IAM role with that name in the end user's account is used, so a role with that name must exist in every recipient account in which the product will be launched. For more information about launch constraints and launch roles, see AWS Service Catalog Launch Constraints. The AWS account that owns the launch role provisions the AWS resources, and this account incurs the usage charges for those resources; a launch role ARN that belongs to the sharing account therefore means that launches by end users in recipient accounts provision resources in, and are billed to, the sharing account. For more information, see AWS Service Catalog Pricing.

Note

You cannot re-share products from a portfolio that has been imported or shared.
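The following is an added example, not part of the AWS documentation, showing the AWS CLI calls behind the launch-constraint behaviour described above: building the LAUNCH constraint parameters as either a role ARN or a local role name, validating the input before it reaches the API, extracting the account that owns a launch role (the account that provisions and pays), and creating the constraint on a product in a local portfolio. The portfolio ID, product ID and role names are placeholders; `aws` is the real AWS CLI and the subcommands used are real, but the helper function names are this example's own.

```shell
# Added example (not AWS documentation code): launch constraints via the AWS CLI.
# Placeholders: port-abc (local portfolio), product-xyz (imported product),
# SCLaunchRole (role name), 123456789012 (account ID).

# Build the JSON that create-constraint expects for a LAUNCH constraint.
# Exactly one of RoleArn or LocalRoleName may be present.
launch_constraint_parameters() {
  mode=$1; value=$2
  case "$mode" in
    RoleArn)
      # Require a well-formed IAM role ARN with a 12-digit account ID.
      case "$value" in
        arn:aws*:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/*) ;;
        *) echo "RoleArn must be an IAM role ARN: $value" >&2; return 1 ;;
      esac
      printf '{"RoleArn": "%s"}' "$value" ;;
    LocalRoleName)
      # A local role name is a bare name, not a path or an ARN.
      case "$value" in
        */*|"") echo "LocalRoleName must be a bare role name: $value" >&2; return 1 ;;
      esac
      printf '{"LocalRoleName": "%s"}' "$value" ;;
    *) echo "mode must be RoleArn or LocalRoleName" >&2; return 1 ;;
  esac
}

# The account in a launch role ARN is the account that will provision the
# resources and incur the charges for every launch that uses the constraint.
launch_role_account() {
  arn=$1
  rest=${arn#arn:*:iam::}   # strip "arn:<partition>:iam::"
  printf '%s' "${rest%%:*}"  # keep everything up to the next ":"
}

# Apply the constraint to PRODUCT in PORTFOLIO. Run this with credentials for
# the account that owns the portfolio (the recipient administrator's account
# when overriding an imported constraint in a local portfolio).
create_launch_constraint() {
  portfolio_id=$1; product_id=$2; mode=$3; value=$4
  params=$(launch_constraint_parameters "$mode" "$value") || return 1
  aws servicecatalog create-constraint \
    --portfolio-id "$portfolio_id" \
    --product-id "$product_id" \
    --type LAUNCH \
    --parameters "$params"
}

# Show the LAUNCH constraints on a portfolio; the Owner field in each
# ConstraintDetail identifies the account that created the constraint.
list_launch_constraints() {
  aws servicecatalog list-constraints-for-portfolio \
    --portfolio-id "$1" \
    --query 'ConstraintDetails[?Type==`LAUNCH`]'
}

# Usage (set RUN_DEMO=1 to execute against a real account):
if [ "${RUN_DEMO:-0}" = 1 ]; then
  create_launch_constraint port-abc product-xyz LocalRoleName SCLaunchRole
  list_launch_constraints port-abc
fi
```

Prefer `LocalRoleName` when each recipient account should provision and pay for its own launches; use `RoleArn` only when you deliberately want every launch, from any recipient account, to run under one role in the account that owns it.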

Relationship Between Shared and Imported Portfolios

The following list summarizes the relationship between an imported portfolio and a shared portfolio, and the actions that an administrator who imports a portfolio can and cannot take with that portfolio and the products in it.

Products and product versions

  • Relationship to the imported portfolio: Inherited. If the portfolio creator adds products to or removes products from the shared portfolio, the change propagates to the imported portfolio.

  • Recipient administrator can: Add imported products to local portfolios. The products stay in sync with the shared portfolio.

  • Recipient administrator cannot: Upload or add products to the imported portfolio, or remove products from it.

Launch constraints

  • Relationship to the imported portfolio: Inherited. If the portfolio creator adds launch constraints to or removes launch constraints from a shared product, the change propagates to all imported instances of the product. If the recipient administrator adds an imported product to a local portfolio, the imported launch constraint that is applied to that product is present in the local portfolio.

  • Recipient administrator can: In a local portfolio, override the imported launch constraint by applying a different one to the product.

  • Recipient administrator cannot: Add launch constraints to or remove launch constraints from the imported portfolio.

Template constraints

  • Relationship to the imported portfolio: Inherited. If the portfolio creator adds a template constraint to or removes a template constraint from a shared product, the change propagates to all imported instances of the product. If the recipient administrator adds an imported product to a local portfolio, the imported template constraints that are applied to that product are inherited by the local portfolio.

  • Recipient administrator can: In a local portfolio, add template constraints that take effect in addition to the imported constraints.

  • Recipient administrator cannot: Remove the imported template constraints.

IAM users, groups, and roles

  • Relationship to the imported portfolio: Not inherited.

  • Recipient administrator can: Add IAM users, groups, and roles that are in the recipient administrator's AWS account.

  • Recipient administrator cannot: Not applicable.

Sharing a Portfolio

To enable an AWS Service Catalog administrator for another AWS account to distribute your products to end users, share your AWS Service Catalog portfolio with them using either account-to-account sharing or AWS Organizations.

When you share a portfolio using account-to-account sharing or Organizations, you are sharing a reference of that portfolio. The products and constraints in the imported portfolio stay in sync with changes that you make to the shared portfolio, the original portfolio that you shared. The recipient cannot change the products or constraints, but can add AWS Identity and Access Management (IAM) access for end users.

Note

You can't share a shared resource. This includes portfolios that contain a shared product.

Account-to-account sharing

To complete these steps, you must obtain the account ID of the target AWS account. You can find the ID on the My Account page in the AWS Management Console of the target account.

To share a portfolio with an AWS account

  1. Open the AWS Service Catalog console at https://console.aws.amazon.com/servicecatalog/.

  2. On the Portfolios page, select the portfolio that you want to share, then choose Actions, and Share.

  3. In the Enter AWS account ID window, type the account ID of the AWS account that you are sharing with. Then, choose Share.

  4. After the share is created, the console displays a URL. Send that URL to the AWS Service Catalog administrator of the target account. The URL opens the Import Portfolio page with the ARN of the shared portfolio automatically provided.

Importing a Portfolio

If an AWS Service Catalog administrator for another AWS account shares a portfolio with you, import that portfolio into your account so that you can distribute its products to your end users.

To import the portfolio, you must get a URL for importing the portfolio from the administrator.

Open the URL, and on the Import Portfolio page, choose Import. The Portfolios page displays, and the portfolio is shown in the Imported Portfolios table.

You don't need to import a portfolio if the portfolio was shared through AWS Organizations.
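The following is an added example, not code from the AWS documentation, showing the AWS CLI equivalents of the account-to-account sharing and importing procedures above, and of the two distribution options for the recipient administrator (adding IAM principals to the imported portfolio, or adding imported products to a local portfolio). The portfolio, product and account IDs and the principal ARN are placeholders; the `aws servicecatalog` subcommands are real, the wrapper function names are this example's own.

```shell
# Added example (not AWS documentation code): account-to-account sharing with the
# AWS CLI. Placeholders: port-abc (shared portfolio), product-xyz (a product in it),
# 123456789012 (recipient account), arn:aws:iam::123456789012:role/EndUsers.

# Reject anything that is not a 12-digit AWS account ID before it reaches the API.
is_account_id() {
  case "$1" in
    ????????????) case "$1" in *[!0-9]*) return 1 ;; esac; return 0 ;;
    *) return 1 ;;
  esac
}

# --- Sharing account -------------------------------------------------------

# Share a portfolio by reference with another account (the console's Share step).
share_portfolio_with_account() {
  portfolio_id=$1; recipient=$2
  is_account_id "$recipient" || { echo "invalid account ID: $recipient" >&2; return 1; }
  aws servicecatalog create-portfolio-share \
    --portfolio-id "$portfolio_id" \
    --account-id "$recipient"
}

# Review which accounts a portfolio has been shared with.
list_portfolio_access() {
  aws servicecatalog list-portfolio-access --portfolio-id "$1"
}

# --- Recipient account -----------------------------------------------------

# Import the share (the console's Import step). The portfolio ID is the same
# in both accounts.
accept_shared_portfolio() {
  aws servicecatalog accept-portfolio-share --portfolio-id "$1"
}

# Confirm the portfolio now appears in the Imported Portfolios list.
list_imported_portfolios() {
  aws servicecatalog list-accepted-portfolio-shares
}

# Option 1: grant an IAM user, group, or role in this account access to the
# imported portfolio directly.
grant_end_user_access() {
  portfolio_id=$1; principal_arn=$2
  case "$principal_arn" in
    arn:aws*:iam::*:role/*|arn:aws*:iam::*:user/*|arn:aws*:iam::*:group/*) ;;
    *) echo "expected an IAM user, group, or role ARN: $principal_arn" >&2; return 1 ;;
  esac
  aws servicecatalog associate-principal-with-portfolio \
    --portfolio-id "$portfolio_id" \
    --principal-arn "$principal_arn" \
    --principal-type IAM
}

# Option 2: add an imported product to a local portfolio. --source-portfolio-id
# names the imported portfolio the product comes from; the imported constraints
# follow the product into the local portfolio.
add_imported_product_to_local_portfolio() {
  local_portfolio_id=$1; imported_portfolio_id=$2; product_id=$3
  aws servicecatalog associate-product-with-portfolio \
    --portfolio-id "$local_portfolio_id" \
    --product-id "$product_id" \
    --source-portfolio-id "$imported_portfolio_id"
}

# Usage (set RUN_DEMO=1 to execute; use AWS_PROFILE to switch between the
# sharing and recipient accounts):
if [ "${RUN_DEMO:-0}" = 1 ]; then
  share_portfolio_with_account port-abc 123456789012   # sharing account
  accept_shared_portfolio port-abc                     # recipient account
  grant_end_user_access port-abc arn:aws:iam::123456789012:role/EndUsers
fi
```

Run the sharing-side functions with credentials for the account that owns the portfolio and the recipient-side functions with credentials for the target account; `list_portfolio_access` and `list_imported_portfolios` are the checks to run afterwards to confirm the share exists on both sides.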

Sharing with AWS Organizations

You can share AWS Service Catalog portfolios using AWS Organizations. First, you must decide if you're sharing from the management account or from a delegated administrator account. If you don't want to share from your management account, register a delegated admin account and use it for sharing. Next, you must decide who to share to. You can share to the following entities:

  • An organization account.

  • An organizational unit (OU).

  • The organization itself. (This shares with every account in the organization.)

Sharing from a management account

To share a portfolio with an organization

  1. Open the AWS Service Catalog console at https://console.aws.amazon.com/servicecatalog/.

  2. On the Portfolios page, select the portfolio that you want to share, then choose Actions, and Share.

  3. In the Enter AWS account ID window, choose Organization.

  4. Select the Node Type and enter the Input Value for the organization you wish to share with.

  5. Choose Share.

Sharing from a delegated administrator account

The management account of an organization can register and de-register other accounts as delegated administrators for AWS Service Catalog. A delegated administrator can share AWS Service Catalog resources in the organization the same way the management account can, including creating, deleting, and sharing portfolios.

To register or de-register a delegated admin, you must use the API or CLI from the management account. For more information, see RegisterDelegatedAdministrator and DeregisterDelegatedAdministrator in the AWS Organizations API Reference.

Note

Before you can designate a delegated admin, you must call EnableAWSOrganizationsAccess from the management account.

The procedure for sharing a portfolio from a delegated admin account is the same as sharing from a management account, as seen above in Sharing from a management account.

If a member is de-registered as a delegated admin, the following occurs:

  • Portfolio shares that were created from that account are removed.

  • They can no longer create new portfolio shares.

Note

If the portfolio and shares created by a delegated admin do not get removed after the delegated admin is de-registered, register and de-register the delegated admin again. This will remove the portfolio and shares created by that account.
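The following is an added example, not code from the AWS documentation, showing the AWS CLI calls behind the Organizations sharing section above: enabling Organizations access, registering and de-registering a delegated administrator, sharing a portfolio with an account, an OU, or the whole organization, and listing the organization-level shares on a portfolio so you can confirm that a de-registered delegated admin's shares are gone. The organization, OU, account and portfolio IDs are placeholders; the `aws organizations` and `aws servicecatalog` subcommands are real, the wrapper function names are this example's own.

```shell
# Added example (not AWS documentation code): Organizations sharing with the AWS CLI.
# Placeholders: o-a1b2c3d4e5 (organization), ou-root-abcd1234 (OU),
# 123456789012 (delegated admin account), port-abc (portfolio).

# --- Management account only ------------------------------------------------

# One-time: allow Service Catalog to use AWS Organizations for sharing.
enable_org_access() {
  aws servicecatalog enable-aws-organizations-access
}

# Delegate Service Catalog administration to a member account.
register_delegated_admin() {
  aws organizations register-delegated-administrator \
    --account-id "$1" \
    --service-principal servicecatalog.amazonaws.com
}

# Remove the delegation. Per the documentation above, portfolio shares created
# from that account are removed as a result.
deregister_delegated_admin() {
  aws organizations deregister-delegated-administrator \
    --account-id "$1" \
    --service-principal servicecatalog.amazonaws.com
}

# Audit which accounts currently hold the delegation.
list_delegated_admins() {
  aws organizations list-delegated-administrators \
    --service-principal servicecatalog.amazonaws.com
}

# --- Management account or delegated admin ----------------------------------

# Check that the node value matches the node type before calling the API:
# organizations are "o-...", OUs are "ou-...", accounts are 12 digits.
check_org_node() {
  case "$1" in
    ORGANIZATION)        case "$2" in o-*)  return 0 ;; esac ;;
    ORGANIZATIONAL_UNIT) case "$2" in ou-*) return 0 ;; esac ;;
    ACCOUNT)             case "$2" in
                           [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
                         esac ;;
  esac
  echo "node value '$2' does not match node type '$1'" >&2
  return 1
}

# Share a portfolio with an org node. Sharing with the ORGANIZATION node
# reaches every account in the organization, so check the scope first.
share_portfolio_with_org_node() {
  portfolio_id=$1; node_type=$2; node_value=$3
  check_org_node "$node_type" "$node_value" || return 1
  aws servicecatalog create-portfolio-share \
    --portfolio-id "$portfolio_id" \
    --organization-node "Type=$node_type,Value=$node_value"
}

# List the shares of one type on a portfolio (ORGANIZATION, ORGANIZATIONAL_UNIT,
# ACCOUNT, or ORGANIZATION_MEMBER_ACCOUNT). Run after deregistering a delegated
# admin to confirm its shares were removed.
describe_portfolio_shares() {
  aws servicecatalog describe-portfolio-shares \
    --portfolio-id "$1" \
    --type "$2"
}

# Usage (set RUN_DEMO=1 to execute against a real organization):
if [ "${RUN_DEMO:-0}" = 1 ]; then
  enable_org_access
  register_delegated_admin 123456789012
  share_portfolio_with_org_node port-abc ORGANIZATIONAL_UNIT ou-root-abcd1234
  describe_portfolio_shares port-abc ORGANIZATIONAL_UNIT
fi
```

The management-account-only functions fail with an access error when run from a member account; run them with management-account credentials and the sharing functions with either management or delegated-admin credentials.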