Posted On: Nov 18, 2022

AWS Service Catalog now supports the sharing of principal names when sharing a portfolio, which simplifies the workflow for granting access to portfolios shared across multiple accounts in an AWS Organization. Administrators often use portfolios in a central account to regroup and organize their AWS Service Catalog products and then share those portfolios with different accounts in their AWS Organization. Previously, to grant end users access to a shared portfolio, administrators had to associate IAM principals (groups, roles or users) with the portfolio in each recipient account.

With this new feature, AWS Service Catalog administrators can define principal names, which are names for IAM groups, roles and users, and associate them with a portfolio. When sharing a portfolio within an AWS Organization, administrators can now share these principal names along with the portfolio with all accounts in the Organization, with an Organizational Unit (OU), or with specific Organization member accounts. In each recipient account, AWS Service Catalog checks whether IAM principals with those names exist and, if they do, automatically grants the matching IAM principals access to the shared portfolio. When administrators add or remove principal names on the shared portfolio, AWS Service Catalog automatically applies those changes in the recipient accounts.
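The name matching described above, as an added example that is not AWS's own code: a shared principal name travels as an account-less IAM ARN (PrincipalType IAM_PATTERN, for example arn:aws:iam:::role/SCEndUserRole), and a recipient account grants access only to a principal of the same type and name. The inputs are constructed samples; in a real audit they would come from servicecatalog:ListPrincipalsForPortfolio and the recipient account's IAM role, group and user listings (assumed, not shown), and IAM paths are not handled here.

```python
# Added example (not AWS code): simulate which shared principal names resolve
# in a recipient account, and which ones will silently grant nobody access.
import re

# Account-less ARN carried with the share; exact names only, since the
# announcement describes no wildcard matching.
_PATTERN_ARN = re.compile(r"^arn:aws:iam:::(role|group|user)/([^/]+)$")
# Regular principal ARN as it exists in a recipient account (no IAM path).
_PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(role|group|user)/([^/]+)$")

def pattern_arn(principal_type: str, name: str) -> str:
    """Build the account-less ARN used when associating a principal name."""
    if principal_type not in ("role", "group", "user"):
        raise ValueError(f"unsupported principal type: {principal_type}")
    return f"arn:aws:iam:::{principal_type}/{name}"

def resolve_shared_principals(shared, recipient_arns):
    """Map each IAM_PATTERN ARN to the matching recipient ARN, or None.

    `shared` is a ListPrincipalsForPortfolio-style list of
    {"PrincipalARN": ..., "PrincipalType": ...}. Account-specific "IAM"
    entries do not travel with the share, so they are skipped.
    """
    by_key = {}  # (type, name) -> recipient ARN
    for arn in recipient_arns:
        m = _PRINCIPAL_ARN.match(arn)
        if m:
            by_key[(m.group(2), m.group(3))] = arn
    result = {}
    for p in shared:
        if p.get("PrincipalType") != "IAM_PATTERN":
            continue
        m = _PATTERN_ARN.match(p["PrincipalARN"])
        if not m:
            raise ValueError(f"malformed IAM_PATTERN ARN: {p['PrincipalARN']}")
        result[p["PrincipalARN"]] = by_key.get((m.group(1), m.group(2)))
    return result

# Constructed sample data: hub account 111111111111, recipient 222222222222.
SHARED = [
    {"PrincipalARN": pattern_arn("role", "SCEndUserRole"), "PrincipalType": "IAM_PATTERN"},
    {"PrincipalARN": pattern_arn("group", "SCEndUsers"), "PrincipalType": "IAM_PATTERN"},
    {"PrincipalARN": "arn:aws:iam::111111111111:role/HubOnlyRole", "PrincipalType": "IAM"},
]
RECIPIENT = [
    "arn:aws:iam::222222222222:role/SCEndUserRole",
    "arn:aws:iam::222222222222:user/SCEndUsers",  # same name, wrong type: no match
]

if __name__ == "__main__":
    for arn, match in resolve_shared_principals(SHARED, RECIPIENT).items():
        print(f"{arn} -> {match or 'NOT FOUND in recipient account'}")
```

Because the grant is keyed on type and name alone, the unresolved entries are the ones to check before relying on the share, and any identically named principal in a recipient account is the one that will receive access.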

With today’s launch, AWS Service Catalog administrators can centrally manage and control access to their shared portfolios and no longer need to associate IAM principals with portfolios in each recipient account. This new feature is available via the AWS API, AWS Command Line Interface (AWS CLI), and the AWS Service Catalog console in all AWS commercial Regions except the China Regions and the AWS GovCloud (US) Regions. To learn more about sharing principal names when sharing a portfolio within an AWS Organization, visit the AWS Service Catalog Administrator Guide.