amalkabraham001 for AWS Community Builders

Self-Service Option for End Users to Request AWS Services Using AWS Service Catalog

Hi All,

In this blog I am going to explain how to leverage AWS Service Catalog to provide a self-service option for end users to request AWS services. To demonstrate the capability, I am giving users an option to request an S3 bucket via Service Catalog.

What is AWS Service Catalog?

Service Catalog enables organizations to create and manage catalogs of IT services that are approved for AWS. These IT services can include everything from virtual machine images, servers, software, databases, and more to complete multi-tier application architectures. End users can quickly deploy only the approved IT services they need, following the constraints set by your organization.

Ref:- https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html

Components involved in the integration

  1. AWS Service Catalog:- The AWS service that lets end users request AWS services.

  2. CloudFormation:- When a user requests a product via Service Catalog, a CloudFormation template is launched and performs the build on behalf of the end user.

  3. S3 bucket:- The place where the CloudFormation template is stored.

  4. IAM role:- A custom IAM role (the launch role) that authorizes the AWS service calls made on behalf of end users.

Create the custom IAM role
Navigate to IAM and create a custom role with the permissions needed to perform the actions below.

  • AWS Service Catalog end-user full access policy

  • CloudFormation template read policy

  • Read, write and delete permissions for the specific AWS service we are enabling for end users via Service Catalog (in this example, S3 bucket create, read and delete permissions).
    You also need to add a trust relationship (trusted entity) so that Service Catalog can assume the role on behalf of end users.
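The two policy documents behind the launch role described above, written out as an added example (not the post's own configuration). The account id, template bucket name and bucket-name prefix are constructed placeholders, the aws:SourceAccount condition on the trust policy is an addition the post does not show, and the last function is a reviewer's check that the launch role, which runs with its own permissions rather than the end user's, never ends up with a wildcard grant.

```python
# Service principal that assumes the launch role when Service Catalog provisions
# a product on the end user's behalf (the "trust entity" from the post).
SERVICE_CATALOG_PRINCIPAL = "servicecatalog.amazonaws.com"


def launch_role_trust_policy(account_id):
    """Trust policy: only Service Catalog, acting for this account, may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SERVICE_CATALOG_PRINCIPAL},
        "Action": "sts:AssumeRole",
        # Confused-deputy guard: a launch started from another account cannot use this role.
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
    }]}


def launch_role_permissions(account_id, template_bucket, bucket_prefix):
    """Permissions policy limited to the post's three needs: read the product template,
    run the provisioning stack, and manage only buckets that carry the agreed prefix."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadProductTemplate", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{template_bucket}/*"]},
        {"Sid": "RunProvisioningStack", "Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                    "cloudformation:DeleteStack", "cloudformation:DescribeStacks",
                    "cloudformation:DescribeStackEvents", "cloudformation:ListStackResources"],
         # Service Catalog names the stacks it launches SC-<account>-pp-<id>.
         "Resource": [f"arn:aws:cloudformation:*:{account_id}:stack/SC-{account_id}-*"]},
        {"Sid": "ManageProductBuckets", "Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:ListBucket",
                    "s3:GetBucketLocation", "s3:PutBucketTagging"],
         "Resource": [f"arn:aws:s3:::{bucket_prefix}*"]},
    ]}


def overbroad_statements(policy):
    """Return the Sid (or index) of each Allow statement that grants a wildcard action
    such as s3:* or applies to every resource ("*"): the shape a policy review rejects."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    flagged = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = as_list(st.get("Action", [])), as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(st.get("Sid", str(i)))
    return flagged
```

Paste the two documents into the role's trust relationship and inline policy respectively; the end user still needs the Service Catalog end-user access described above, but never the S3 or CloudFormation permissions themselves.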

My final IAM permissions look like the below:-

(Screenshot: IAM permissions, custom policy permissions)

(Screenshot: trust entity)

Creating the Service catalog portfolio and product

A portfolio, as the name suggests, contains a portfolio of services (products).
To create a Service Catalog portfolio, navigate to the AWS console and open Service Catalog.
Under Portfolios, click on "Create portfolio".

In the portfolio creation wizard, provide the portfolio name, description and owner details.

Creating the product
The product is where you provide the code that creates the AWS resource. For example, I am creating a product to "provision an S3 bucket". To create a product, open the newly created portfolio and click on "Create product".

In the create product wizard, select the product type to use. You can select either CloudFormation or Terraform Open Source. The product type is simply the infrastructure-as-code platform that will be used to provision and manage your product.
Note:- If you select Terraform Open Source, the integration of Terraform Open Source with Service Catalog must be set up first. The Terraform integration script creates a parallel environment to support the Service Catalog integration, which includes a VPC, S3 buckets, etc.
Provide a friendly product name, description and owner.
In the version details, either upload the CloudFormation template that contains the automation workflow or point to the S3 bucket where the template is stored. You can also point the product to an existing stack.

I used a simple S3 bucket CloudFormation template for this blog.

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  S3BucketName:
    Type: String
    Description: The name of the S3 bucket to create
Resources:
  MyS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref S3BucketName   # value the end user types in at launch time
Outputs:
  BucketName:
    Value: !Ref MyS3Bucket   # shown to the user as an output of the provisioned product
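The template above accepts any string for S3BucketName, so a typo only surfaces as a failed CloudFormation stack after launch. As an added example that is not part of the original post, the check below encodes the S3 general-purpose bucket naming rules: the regex is the form you could put in an AllowedPattern on the parameter, and the rule-by-rule function gives the user a precise message before the request is submitted.

```python
import re

# S3 general-purpose bucket naming rules reduced to one regex. The same expression
# could be set as AllowedPattern on the product's S3BucketName parameter so that
# Service Catalog rejects a bad name before any CloudFormation stack is started.
BUCKET_NAME_RE = re.compile(
    r"(?!^\d{1,3}(\.\d{1,3}){3}$)(?!.*\.\.)^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def allowed_by_pattern(name):
    """Coarse yes/no check, equivalent to what AllowedPattern would enforce."""
    return BUCKET_NAME_RE.fullmatch(name) is not None


def validate_bucket_name(name):
    """Return every naming rule the value breaks; an empty list means it can be launched.
    Gives a friendlier answer than the single ConstraintDescription a template can carry."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be between 3 and 63 characters")
    if re.search(r"[^a-z0-9.-]", name):
        problems.append("only lowercase letters, digits, periods and hyphens are allowed")
    if name and not (re.match(r"[a-z0-9]", name) and re.search(r"[a-z0-9]$", name)):
        problems.append("must start and end with a lowercase letter or digit")
    if ".." in name:
        problems.append("must not contain two adjacent periods")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", name):
        problems.append("must not be formatted like an IP address")
    if name.startswith(("xn--", "sthree-")) or name.endswith(("-s3alias", "--ol-s3")):
        problems.append("uses a prefix or suffix reserved by S3")
    return problems
```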

Provide the version number and description. Any later update to the template is handled as a new version of the existing product.
You can optionally provide the support details and tags.

Click on "Create product" to create the product.

Launch Constraint

Once the product is created, the next step is to create a launch constraint and attach it to the product. To create a constraint, click on "Create constraint" in the Constraints tab next to the product.

In the constraint details, select the product to which you need to apply the constraint, then select the constraint type. As we are creating an S3 bucket, I am selecting the constraint type Launch.

Under Method, provide the IAM role created in the previous step and click Create.

Provide access to IAM users

The last step of the integration is to give the IAM users access to the portfolio and product created. To provide access, go to the Access tab next to Constraints and click on "Grant access".
Select the IAM group or user and click on "Grant access" to provide access to the product.

Optionally, the portfolio and its products can be shared with an AWS Organization or another AWS account.

Testing the functionality

To test the functionality, log in to the AWS console as a normal IAM user.
Once the IAM user logs in and navigates to Service Catalog, the available products are displayed.

Click on "Launch product" to open the S3 provisioning request form.

Provide a friendly name for your product request and supply a value for the parameter. In this blog, I made the S3 bucket name a parameter and pass it through to the CloudFormation template.

Once you click on "Launch product", a CloudFormation job kicks in to perform the action.

Once the user submits the request, a CloudFormation stack is initiated and the job is executed.

The S3 bucket is created in the AWS account.

In the next blog, I will explain how to integrate Service Catalog with ServiceNow. Please let me know your comments and feedback.
