AWS Cloud Operations & Migrations Blog

Ensure license compliance in AWS for ISVs using ISV seller-issued licenses

AWS License Manager helps reduce the risk of noncompliance by providing independent software vendors (ISVs) with a centralized AWS account and built-in controls to ensure only approved users and workloads can consume licenses. ISVs can use License Manager to manage and distribute software licenses to end users with and without AWS accounts. As an issuer, you can track the usage of your seller issued licenses centrally using the License Manager dashboard.

License Manager captures license capabilities as entitlements in the license. Entitlements can be represented in a limited or unlimited fashion, and can be associated with units like count, GB stored, and vCPUs. ISVs can configure their software to check licenses in or out as they are activated based on these entitlements. License entitlements also streamline upgrades and renewals by removing expensive license audits. They provide customers with a self-service tracking tool with built-in license tracking capabilities.

In this blog post, we show you how to create, track and distribute licenses using License Manager for ISVs. Our license in this blog post contains entitlements that are granted by the issuer to end users with AWS accounts. The end user consumes the license using a checkout operation. License Manager tracks the issuance and consumption of these license entitlements on an ongoing basis.

Prerequisites

Before you start using AWS License Manager, configure the settings section of the License Manager console.

Walkthrough

Step 1: Create a seller issued license

  1. From the left navigation pane of the AWS License Manager console, choose Seller issued licenses and then choose Create license.

 In Seller issued licenses, there are no licenses displayed.

Figure 1: Create a license

  1. In Create license, enter a name (for example, AcmeContainerSecurity-vCPUlicense) and an optional description.
  2. In Product name, enter a name for your product (for example, Acme Container Security).
  3. In Product SKU, enter your product SKU number.
  4. In Recipient, specify to whom (for example, Marketing) the license is being granted.
  5. Enter license start and end dates.

In License metadata, there are fields for license name, license description, product name, product SKU, recipient, and license start date and end date.

Figure 2: License details for a seller issued license

  1. In Consumption configuration, complete the Renewal frequency, Consumption configuration, and Max time to live fields.

Under Consumption configuration, Renewal frequency is set to None. Under Consumption configuration, the Provisional check box is selected. Under Max time to live (minutes), 500 is entered.

Figure 3: License consumption details

  1. In Issuer name, enter the name for the license issuer (for example, Acme). The Seller of record and Agreement URL fields are optional.

The Issuer section includes fields for the issuer name and optional fields for an AWS KMS key, the seller of record, and the agreement URL.

Figure 4: Issuer details for a seller issued license

  1. In Entitlements, enter the name for the entitlement (for example, vCPU). In Figure 5, Unit type is set to Count and Max count is set to 100. Keep the Allow check in and Overages allowed check boxes as unchecked and then choose Create license.

In Entitlement 1, the fields for a seller issuer license are set as described in the post.

Figure 5: Entitlement details for a seller issued license

You have now created a license for Acme Corporation’s Acme Container Security product. This license contains entitlements with a maximum count of 100 vCPUs. These entitlements can be consumed in the AWS account where they were created or you can grant them to end users with and without AWS accounts. See Figure 6.

In the Entitlements section for the seller issued license, 100 is displayed in the Max count column and 0 is displayed in the Usage column.

Figure 6: License details for a seller issued license in License Manager

Step 2: Create a license grant

Now create a grant for the license you created in the previous step and assign the grant to an AWS account ID.

  1. From the left navigation pane of the AWS License Manager console, choose Seller issued licenses.
  2. Choose the license ID of the license you just created and under Grants, choose Create grant.
  3. In Grant name, enter a name for this grant. In AWS account ID, enter the ID of the AWS account that will be granted this license.

In Grant details, Grant-Marketing is entered for the grant name. Under License rights, the Consumption and Distribution check boxes are selected.

Figure 7: Grant details for a seller issued license

Figure 8 shows that a grant has been created for the account.

A banner displayed in the console says the license grant was successfully created. The license details include the product (in this example, Acme Container Security), grant status (Pending acceptance), issuer (Acme), creation date (June 6, 2021), version (1), seller, license name, license status (Available), and recipient (Marketing).

Figure 8: A license grant for a seller issued license in License Manager

Step 3: Accept the grant

  1. Using the recipient’s AWS account, open the AWS License Manager console.
  2. In the left navigation pane, choose Granted licenses, and then choose the license ID for your grant.
  3. Choose Accept & activate license.

The license details include the product (in this example, Acme Container Security), grant status (Pending acceptance), issuer (Acme), creation date (June 6, 2021), version (1), seller, license name, license status (Available), and recipient (Marketing).

Figure 9: License details

Figure 10 shows that the license grant is available for consumption in the granted account.

A banner displayed in the console says the license invitation was successfully accepted and activated.

Figure 10: License grant is available to use in another AWS account

Step 4: Consume and track licenses

Now you can consume the grant and use the license in your application. This requires two steps, which are performed with the License Manager CLI. You can use any of the client libraries for License Manager in your supported application.

  1. To fetch the key fingerprint to identify a trusted license issuer, use the GetLicense API action and copy the KeyFingerprint field from the output.
$ aws license-manager get-license \
--license-arn <Enter-your-license-arn>\
--version <Enter-version-of-your-license> 

The key fingerprint that identifies the trusted license issuer appears in the output.

Figure 11: GetLicense API input and output

  1. Use the CheckoutLicense API action to consume the license.
$ aws license-manager checkout-license \
--product-sku '1Q12311asadaadfafq' \
--checkout-type 'PROVISIONAL' \
--key-fingerprint 'aws:<Enter-Account-ID>:Acme:issuer-fingerprint' \
--entitlements Name=vCPU,Value=1,Unit=Count \
--client-token '<Enter-a-unique-token-for-every-call>'

The CheckoutLicense API action uses the key fingerprint from the GetLicense API action as input.

Figure 12: checkout-license CLI usage and response

  1. Track license consumption
    1. From the left navigation pane of the AWS License Manager console, choose Seller issued licenses.
      1. Choose the license ID of the license you created earlier.
      2. In Entitlements, under Usage, confirm that the count has increased to 1.

The Usage column which previously displayed 0 now displays 1 based on license consumption in the granted account.

Figure 13: Usage column now displays 1

Conclusion

In this blog post, we demonstrated license tracking and consumption of ISV seller issued licenses. We also showed how AWS License Manager can help reduce the risk of license noncompliance for ISVs by providing them with a centralized AWS account and built-in controls to ensure that only approved users and workloads can consume licenses.

About the authors

A picture of Kanishk Mahajan

Kanishk Mahajan

Kanishk Mahajan is an ISV Solutions Architecture Lead at AWS. In this role, he leads cloud transformation and solution architecture for ISV partners and mutual customers. Kanishk specializes in management and governance, migrations and modernizations, and security and compliance. He is a Technical Field Community (TFC) member in each of those domains at AWS.

Pranjal Gururani

Pranjal Gururani

Pranjal Gururani is a Solutions Architect at AWS who is based in Seattle. Pranjal works with customers to architect cloud solutions that address their business challenges. In his free time, Pranjal enjoys hiking, kayaking, skydiving, and spending time with family.