Distribute AWS Marketplace license entitlements to your organization ID
AWS Marketplace buyers can now use managed entitlements to share product licenses with all accounts in their organization in AWS Organizations. Managed entitlements for AWS Marketplace help buyers automatically create licenses corresponding to product subscriptions across the AWS Marketplace catalog. This gives buyers the ability to manage and distribute access rights (or entitlements) to those licenses. Distributing, activating, and deactivating licenses by organization ID makes it easier for AWS Marketplace buyers to centrally govern, manage, and share their AWS Marketplace-procured licenses with all accounts in their organization. Once a license has been granted to your organization, AWS License Manager keeps track of the member accounts in the organization. Managed entitlements ensure that accounts joining the organization automatically receive the licenses that were previously distributed.
In this blog post, I show you how this feature can help you centrally procure software licenses, then track them and share them with all accounts in your organization.
To use this feature, you must have the following prerequisites.
- Enable all features. You must be operating out of your organization’s management account and have enabled all features in your organization. Specific to managed entitlements, this gives AWS License Manager and AWS Marketplace the ability to keep track of AWS Organizations activity on your behalf. This includes knowing when accounts leave your organization and validating granted licenses to accounts in an organization.
- Create service-linked roles. You must create service-linked roles for AWS License Manager and AWS Marketplace. You can’t use managed entitlements fully without first enabling both service-linked roles. The AWS Marketplace service-linked role is required so that AWS Marketplace can orchestrate license workflows and distributions across multiple AWS services on your behalf. Similarly, the AWS License Manager service-linked role is required for you to distribute a license to your entire organization. It also allows grants to be auto-accepted between management and member accounts.
  To create service-linked roles, do the following:
  - On the Settings page of the service console, you can see the cross-account service-linked role for AWS License Manager. To take advantage of the grant auto-accept feature, choose Link AWS Organizations accounts.
  - On the Settings page of the service console, you can configure the service-linked role for AWS Marketplace.
  - As a management account in an organization with all features enabled, choose Enable trusted access across your organization. This ensures that service-linked roles are created for your organization’s linked accounts as well. If you select only the service-linked role for the individual account, you need to enable service-linked roles on each linked account to which you want to distribute licenses.
- Associate member accounts at organization level. Member accounts must already be associated at the organization level. Member accounts should have received an invitation to join the organization and accepted it or have been manually accepted by the administrator through the AWS Organizations console.
Granting entitlements to your organization
You can distribute access to different types of products purchased on AWS Marketplace, including AMI, Containers, and Machine Learning products. AWS Marketplace issues a license in AWS License Manager for both existing and new purchases. This license represents your right to use a product in the specified account. To grant entitlements, do the following:
- Sign in to your management account and open the AWS License Manager console.
- To view the list of AWS Marketplace products that are already subscribed, in the navigation pane, choose Granted Licenses.
- Choose the license that you want to share with your organization.
- Choose Create grant.
- On the Create grant page, enter values for Grant name and AWS account ID or organization ID. To get your organization ID, open the AWS Organizations console. The ID appears in the navigation pane.
- To confirm the distribution, choose Create grant.
When a license is distributed to your organization, the license is automatically accepted across member accounts in the organization.
You can also create grants programmatically. For more information, see CreateGrant in the AWS License Manager API Reference.
Tracking entitlements granted to your organization
As the license grantor or administrator, you can track and manage the entitlements that you have shared across your AWS Organization at any time. To track entitlements, do the following:
- On the AWS License Manager console, in the navigation pane, choose Granted licenses.
- On the Granted licenses page, choose the license that you want to review.
- On the license details page, under Grants, choose the name of the grant that you created for your organization ID.
On the grant details page, you can view and manage your individual account-level grant statuses. The following screenshot shows my grant details page for the grant named Ubuntu to Organization, including grant details, entitlements, and six disabled grant recipients.
To view your distributed grants programmatically, use the ListDistributedGrants API.
Activating entitlements for your organization
The accounts in your organization can begin using the AWS Marketplace product as soon as their granted license is activated. You can choose from multiple ways to activate a license that you granted to your organization ID.
1. Bulk activate
To bulk-activate all individual account licenses, do the following:
- In the AWS License Manager console, go to your organization’s parent grant page and choose Activate.
- On the parent grant page, Grant Status under Grant details for the grant appears as Workflow Complete after bulk activation and deactivation.
- Activation and deactivation of licenses to an organization ID triggers individual license activations at the AWS account level. In some cases, account-level licenses might not activate due to existing licenses already active in those accounts. To check account-level grant statuses, on the Granted licenses page, choose the name of the AWS Organizations grant to see the grant’s details page.
2. Activate individual account grants
To activate only the grant for a specific account, go to the license’s parent grant page and scroll to the Grants container. There, you can choose individual account grants.
3. Enable individual self-service activation
To have grant recipient accounts individually activate their own licenses, you don’t need to take any further action. Grant recipients can log in to AWS License Manager and activate their own licenses.
4. Activate grants programmatically
To activate your grants programmatically, use the CreateGrantVersion API.
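The two programmatic steps mentioned above, ListDistributedGrants for tracking and CreateGrantVersion for activation, can be combined into one audit-then-activate routine. The following is an added example, not code from the original post. It assumes a boto3-style License Manager client is passed in, that only grants in the DISABLED state should be activated, and it uses a constructed StubClient with sample ARNs so that it runs without AWS credentials.

```python
import uuid
from collections import Counter

def list_grants_for_license(client, license_arn):
    """Page through ListDistributedGrants, filtered to one license."""
    grants, token = [], None
    while True:
        kwargs = {"Filters": [{"Name": "LicenseArn", "Values": [license_arn]}]}
        if token:
            kwargs["NextToken"] = token
        page = client.list_distributed_grants(**kwargs)
        grants.extend(page.get("Grants", []))
        token = page.get("NextToken")
        if not token:
            return grants

def activate_disabled_grants(client, license_arn, dry_run=True):
    """Return (status counts, ARNs activated or selected in dry run, failures)."""
    grants = list_grants_for_license(client, license_arn)
    counts = Counter(g["GrantStatus"] for g in grants)
    # Assumption: only DISABLED grants are touched; ACTIVE and parent grants stay as-is.
    disabled = [g for g in grants if g["GrantStatus"] == "DISABLED"]
    selected, failures = [], []
    for g in disabled:
        try:
            if not dry_run:
                client.create_grant_version(
                    ClientToken=str(uuid.uuid4()),  # idempotency token
                    GrantArn=g["GrantArn"],
                    Status="ACTIVE",
                    SourceVersion=g["Version"],  # version returned by the listing
                )
            selected.append(g["GrantArn"])
        except Exception as exc:  # record the error and continue with the rest
            failures.append((g["GrantArn"], str(exc)))
    return dict(counts), selected, failures

class StubClient:
    """Constructed stand-in for boto3.client("license-manager")."""
    def __init__(self, grants):
        self.grants, self.calls = grants, []
    def list_distributed_grants(self, **kw):
        return {"Grants": self.grants}
    def create_grant_version(self, **kw):
        self.calls.append(kw)

if __name__ == "__main__":
    # Constructed sample grants; the ARNs are placeholders, not real resources.
    sample = [{"GrantArn": f"arn:example:grant/{i}", "GrantStatus": s, "Version": "1"}
              for i, s in enumerate(["WORKFLOW_COMPLETED", "DISABLED", "ACTIVE"])]
    print(activate_disabled_grants(StubClient(sample), "arn:example:license/l-1"))
```

Against a real account, pass `boto3.client("license-manager")` from the management account instead of the stub, and review the dry-run output before calling with `dry_run=False`.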
Keeping track of grants to accounts in your organization
When you distribute an AWS Marketplace product license to your organization, AWS License Manager keeps track of the accounts that are being added or removed. This means that accounts being added to your organization automatically receive any licenses that are granted to the organization ID. If you previously bulk-activated all licenses across your organization, new accounts also have their licenses activated when they join. Similarly, when you remove an account from the organization, the account’s distributed license is automatically disabled.
Active workloads aren’t affected when a license gets disabled. Active workloads will continue to run and incur any applicable charges.
In this blog post, I showed you how to use managed entitlements to quickly share AWS Marketplace product licenses with your organization. This feature simplifies license distribution, activation, and deactivation to an organization ID. You can centrally govern, manage, and share your AWS Marketplace-procured licenses with all accounts in your organization.
As an AWS Marketplace buyer, you can learn more about this feature by visiting the managed entitlements detail page and reviewing the documentation. Additionally, you can automate these actions via APIs now publicly available through the AWS SDK.
About the author
Shu He, Senior Product Manager – Tech, AWS Marketplace
Shu He is a product manager based in Seattle, WA. She works with customers to design and develop products and features that make AWS Marketplace their go-to place to find, test, buy, and use software, services, and data products. Outside of work she enjoys traveling, hiking and DIY craft/home improvement projects.