Posted On: May 31, 2023

AWS Service Catalog now supports granting portfolio access to IAM principal (user, group or role) names with wildcards, such as ‘*’ or ‘?’. This enables flexible and efficient sharing of infrastructure-as-code templates: customers can use a single wildcard pattern to cover multiple IAM principal names at a time. Previously, customers had to use the exact IAM principal names to share a portfolio. Customers using AWS IAM Identity Center (successor to AWS Single Sign-On) can now quickly grant their workforce users access to Service Catalog portfolio products.

Service Catalog administrators often use portfolios in a central account to organize their Service Catalog products and then share those portfolios within their AWS Organization. With today’s launch, customers can now use “*” or “?” wildcards to associate multiple IAM principal names that match a pattern (for example, role/developer_? will match developer_1 and developer_n). After associating IAM principal names with portfolios, administrators can then share these associations along with the portfolios in their AWS Organizations using Organizational Principal Name Sharing. Together, these features facilitate automatic shared portfolio access for a specific group of IAM principals across thousands of accounts. Customers using AWS IAM Identity Center can use the “role/AWSReservedSSO_{Policyname}_*” pattern to give their workforce users access to shared AWS Service Catalog products.
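As an added example (not AWS code and not from this announcement), a small Python audit helper that previews which principal names in a constructed sample a wildcard pattern would cover before the association is made, and flags patterns whose fixed prefix is too short to scope access. It assumes standard glob semantics for the wildcards (`*` matches zero or more characters, `?` exactly one), which is consistent with the role/developer_? example above.

```python
import re
from typing import List

# Constructed sample of principal names that might exist across shared accounts.
# The AWSReservedSSO suffixes are made up; real ones are generated by IAM Identity Center.
SAMPLE_PRINCIPALS = [
    "role/developer_1",
    "role/developer_n",
    "role/developer_10",
    "role/AWSReservedSSO_AdministratorAccess_0123456789abcdef",
    "role/AWSReservedSSO_ReadOnlyAccess_fedcba9876543210",
    "user/alice",
    "group/platform-admins",
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a principal-name pattern into an anchored regex.
    '*' -> any run of characters (including none), '?' -> exactly one character,
    everything else is literal (assumed glob semantics, see lead-in)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def match_principals(pattern: str, principals: List[str]) -> List[str]:
    """Return the principal names the pattern would grant portfolio access to.
    Run this against an inventory of real principals before calling
    'aws servicecatalog associate-principal-with-portfolio' with --principal-type IAM_PATTERN."""
    rx = pattern_to_regex(pattern)
    return [p for p in principals if rx.fullmatch(p)]


def is_overly_broad(pattern: str) -> bool:
    """Flag patterns whose literal prefix (text before the first wildcard) does not
    narrow access beyond a whole principal type, e.g. 'role/*' or '*'.
    Such a pattern would cover every role in every account the portfolio is shared with."""
    prefix = re.split(r"[*?]", pattern, maxsplit=1)[0]
    return "/" not in prefix or prefix in ("role/", "user/", "group/")
```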

This new feature is available via the AWS API, AWS Command Line Interface (AWS CLI), and the Service Catalog console across all AWS Regions where Service Catalog is available.

To learn more about wildcard principal name association, visit the Service Catalog Developer Guide.