AWS Marketplace

Resource sharing using AWS Marketplace Catalog APIs

AWS Marketplace is a curated digital catalog that customers can use to find, buy, deploy, and manage third-party software, data, and services to build solutions. AWS Marketplace simplifies procurement, provisioning, and governance of third-party software, services, and data. With AWS Marketplace Catalog API, you can programmatically create, update, and view your AWS Marketplace product listings, public offers, private offers, and resale authorizations and integrate them into your workflows.

AWS Marketplace Catalog API resource sharing enables independent software vendors (ISVs) and Channel Partners to share your entities, including products, offers, or resale authorizations, with other AWS accounts in AWS Marketplace. Resource sharing helps you save costs by avoiding resource duplication and helps you maximize the resource value by helping your team collaborate. AWS Resource Access Manager (AWS RAM) provides insights and tracking usage across accounts, so you can see who is using what. Using AWS Identity Access Management ensures that you follow the principle of least privilege.

In this post, I will show you how to use AWS Resource Access Manager and AWS Marketplace Catalog APIs to share the catalog resources across AWS accounts.

Solution overview

AWS Marketplace Catalog API Resource Sharing uses AWS Resource Access Manager (AWS RAM). AWS RAM helps you securely share the AWS resources that you create in one AWS account with all the roles and users in that account and with other AWS accounts.

To create a resource share in AWS RAM, you will follow these steps:

  1. Specify resource to share
  2. Associate managed permission
  3. Grant access to principals
  4. Create a resource share

Prerequisites

For this walkthrough, you should have the following prerequisites:

For details on how to register, refer to the Checklist to successfully registering as a seller in AWS Marketplace post. Learn more about publicly listed products in the Marketplace Seller Guide and Register as an AWS Marketplace seller Lab Workshop.

Solution walkthrough: Resource sharing using AWS Marketplace Catalog APIs

AWS RAM and AWS Marketplace Catalog APIs allow Catalog Product Offerings (entities) to be shared from one account to another account.

Start by using AWS RAM to create and manage resource shares. Then use the AWS Marketplace Catalog APIs to add to and manage resource policies in the AWS Marketplace Catalog entities.

A. Use AWS Resource Access Manager from the sharing AWS account

  1. Navigate to the AWS Management Console. In the search bar, enter AWS Resource Access Manager.
  2. Choose AWS Resource Access Manager. The AWS Resource Access Manager dashboard page displays.
  3. In the left navigation menu, select Resource shares.
  4. Select Create resource share.

B. Enter details for the resource share name

  1. For Resource Type, select AWS Marketplace Catalog Entities. The list of AWS Marketplace Catalog entities displays in your account.
  2. Select the resource entity that you want to share with the target AWS account. Select Next.
  3. On the Catalog Entities that you want to grant to the target account, select the Read-only or Full (Read + Write) Permission.
  4. To proceed to step 3 in the Resource Share Process Flow, select Next.
  5. To choose a Target Principal ID, enter the Target AWS Account ID, select Add and create resource share.

The Resource Share UI displays the status of the Resource. As the next step, the consuming account must accept the catalog entities resource share.

C. Use the Resource Access Manager from the consuming account

  1. Log in to AWS Management Console of the consuming (target) AWS account.
  2. In the console, navigate to the AWS Resource Access Manager service. Under Shared with me, there is a pending invitation to accept the resource share.  Select the resource share and select Accept resource share. If prompted, to accept the invitation, select Confirm.
  3. To test the resource share in the consuming account, select the resource share. Select Accept resource share. If prompted, to accept the invitation, select Confirm.
  4. To view the details of the catalog entities shared resource, in the left navigation menu, select the Shared Resources link.

D. Test AWS Marketplace catalog entities for resource share

To test the catalog entity resource share, follow these steps:

  1. From the consuming AWS Account, deploy a command line interface such as AWS CloudShell or AWS Command Line Interface (AWS CLI). I used AWS CLI.
  2. In AWS CLI, enter the following command Catalog API DescribeEntity action, replacing the text in brackets with your shared resource catalog entity ID that you selected in step B. In the following example, replace value of entity-id with your own information.    aws marketplace-catalog describe-entity --catalog AWSMarketplace --entity-id entity1234
  3. If the call to the DescribeEntity action is successful, the command displays the details of the entities from the Consuming AWS Account.

Attaching and managing resource policies to catalog entities

Following is a list of the Catalog API actions AWS Marketplace supports for resource sharing. In this section, I will show you how to attach and manage resource policy to catalog entities.

API action name Description
PutResourcePolicy Attach a read-only policy to your catalog entities resource.
Attach a read and write policy to your catalog entities resource. *Customers can use AWS RAM for resource sharing to take advantage of its benefits, including the ability to retrieve shared resource entities via ListEntities. However, entities shared using PutResourcePolicy API action cannot be retrieved in the ListEntities.
GetResourcePolicy View the resource policy set on your resource.
DeleteResourcePolicy Delete the resource policy from your resource.
ListEntities View all entities owned by you and shared with you.

A. Attach a resource policy to AWS Marketplace catalog entities

You can use the PutResourcePolicy API to attach a read-only policy or read-and-write policy to the catalog entities. The PutResourcePolicy request takes ResourceARN and a JSON policy in string format. To use this, in AWS CLI or your favorite API tool, enter the following request and replace the resourceArn and IAM Principal with your own information.

API POST https://catalog.marketplace.us-east-1.amazonaws.com/PutResourcePolicy HTTP/1.1 Content-type: application/json
Request {
"ResourceArn":"arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/AmiProduct/prod-mpkbwlsqi3hoy",
"Policy": "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"AWS\":\"arn:aws:iam::987654321021:user/developer\"},\"Action\": \"aws-marketplace:DescribeEntity\",\"Resource\":\"arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/AmiProduct/prod-samplempkbwlsqi3hoy\"}]}"
}
Response {}

If the action is successful, the service sends the HTTP 200 response code, and the resource policy is attached to AWS Marketplace catalog entities, identified by the Amazon Resource Number (ARN).

B. View resource policy

The GetResourcePolicy API retrieves a resource-based policy of an entity that is identified by its resource ARN. The GetResourcePolicy request takes input as resource ARN. If the action is successful, the service sends HTTP 200 response code along with the JSON Policy document in string format. In the following example, replace value for resourceArn with your own information.

API Request GET https://catalog.marketplace.us-east-1.amazonaws.com/GetResourcePolicy?resourceArn=samepleresource1234
Response {
"Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"faf594c3-698b-4f43-examplef1f0e0d74ece-externalprincipals\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:root\"},\"Action\":\"aws-marketplace:DescribeEntity\",\"Resource\":\"arn:aws:aws-marketplace:us-east-1:987654321021:AWSMarketplace/AmiProduct/exampleprf33e6790-dc7b-sample-af0a-ffba33fa92d1\"}]}"
}

The GetResourcePolicy will return HTTP 200 along with a policy JSON in string format for the given input.

C. Delete resource policy

DeleteResourcePolicy removes a resource-based policy on an entity that is identified by its resource ARN. If the action is successful, the service sends the HTTP 200 response code with an empty HTTP body. The following Catalog API action removes the resource policy from the requested ARN. In the following example, replace value of resourceArn with your own information.

API Request DELETE https://catalog.marketplace.us-east-1.amazonaws.com/DeleteResourcePolicy?resourceArn=samplearn1234
Response {}

D. View all AWS Marketplace catalog entities associated with resource sharing

The ListEntities API provides list of entities of a given type. The request takes Entity Type (Product Offering), Filter criteria, and Ownership (Self | Shared) and returns the list of entities based on the input. If the action is successful, the service sends HTTP 200 response code along with the list of entity summary objects. To retrieve the shared resources, pass the value for OwnershipType as SHARED. To use this, in AWS CLI, enter the following request:

API POST https://catalog.marketplace.us-east-1.amazonaws.com/ListEntities HTTP/1.1 Content-type: application/json
Request {
   "Catalog": "AWSMarketplace",
   "EntityType": "AmiProduct",
   "MaxResults": 10,
   "OwnershipType": "SHARED",
   "Sort": {
      "SortBy": "EntityId",
      "SortOrder": "ASCENDING"
   }
}
Response HTTP/1.1 200
Content-type: application/json{
   "EntitySummaryList": [
      {
         "EntityArn": "string",
         "EntityId": "string",
         "EntityType": "string",
         "LastModifiedDate": "string",
         "Name": "string",
         "Visibility": "string"
      }
   ],
   "NextToken": "string"
}

Cleanup

To avoid incurring future charges, delete the AWS resources that you created. Note that neither Catalog API nor AWS Resource Access Manager charge customers for resources created. However, if the AWS Marketplace catalog uses AWS services, those will be charged by AWS based on the usage.

Conclusion

In this blog post, I showed you how to use AWS Marketplace Catalog APIs and AWS Resource Access Manager to share the catalog resources across AWS accounts. You create an AWS Marketplace resource once and then share it with other accounts. This eliminates the need to provision duplicate resources in every account. Resource sharing helps you avoid resource duplication, optimizes resource value, and encourages collaboration.

Next steps

To learn more, use these links: AWS Marketplace Catalog APIs and AWS Resource Access Manager.

About the author

Chandrashekar Vishweshwara Profile Chandrashekar Vishweshwara is a Specialist Solutions Architect at Amazon Web Services with AWS Marketplace. He provides solutions to Server and SaaS products in AWS Marketplace.