AWS Marketplace
Automating distribution of AWS Marketplace entitlements with AWS Private Marketplace and AWS Service Catalog
AWS Marketplace admins are responsible for managing AWS Marketplace approved products using AWS Private Marketplace and for distributing entitlements to those products using AWS License Manager. The challenge is managing AWS Marketplace product subscriptions and entitlements with minimal operational overhead as the number of participating AWS Organizations child accounts grows.
In a multi-account AWS environment, AWS Marketplace admins can create a list of approved products for procurement and allow users to subscribe to these products using AWS Private Marketplace. Often there is a central list of approved products that must be distributed across the entire AWS Organization. This list should be accessible to the end users and applications, even if they don't necessarily have AWS Marketplace subscribe permissions. In this case, we can use AWS License Manager to share product entitlements. An entitlement is a right to use an AWS Marketplace product in a linked account. A common entitlement distribution method is to manually create a per-account grant with AWS License Manager and share the grant with a linked account. These manual steps are prone to error, and the effort increases linearly with the number of accounts.
In this blog post, Martin and I demonstrate how you can use event-based automation of AWS Marketplace product entitlement license grants with AWS License Manager. We also show how to distribute your AWS Marketplace products via AWS Service Catalog. The centralized product entitlement license grant ensures that only the intended accounts receive license grants. It also ensures that license activation is based on users' AWS Organization enrollment, thereby eliminating common license activation and grant creation issues. When subscribed AWS Marketplace products are distributed through an AWS Service Catalog portfolio, the benefits include centralized automation, catalog management, and enforcement of further product launch constraints.
Solution overview
AWS Marketplace enables you to subscribe to software products and services from the curated public catalog. It also enables you to create a Private Marketplace experience, which involves a catalog of only approved products. In this solution, we are using an AWS Private Marketplace experience associated to the management account. The management account is used as a central hub for distributing entitlements to all of the linked accounts in AWS Organizations.
After you have subscribed to an AWS Marketplace product, you can distribute the product entitlement to accounts in your AWS Organization. In this solution, we use both AWS License Manager and AWS Service Catalog to distribute approved, server-based AWS Marketplace products with active subscriptions.
This automated entitlement distribution solution replaces two workflows. The first workflow is the creation and activation of subscribed product licenses, which is replaced by automating AWS License Manager grants. The second automated workflow replaces the manual AWS Service Catalog tasks of portfolio creation, product definition, and association of the subscribed Private Marketplace product with the portfolio. The trigger for automated distribution is an Amazon EventBridge rule that watches for the ImporttoServiceCatalog API call made by Private Marketplace admins.
The following diagram represents a high-level flow of the solution architecture. A Private Marketplace administrator triggers this flow by initiating an AWS Marketplace product Copy to Service Catalog action. EventBridge traps this action. It then invokes an AWS Lambda function that implements and monitors the necessary license grants and product distribution tasks with AWS License Manager and AWS Service Catalog respectively.
Prerequisites
- Child accounts must be enrolled in the same AWS Organizations as the management account.
- Your Private Marketplace experience must be in the Enabled state.
- Enable License Manager with trust access for your AWS Organizations linked AWS Accounts.
- Enable trusted access for AWS Marketplace – License Management.
Solution walkthrough
This walkthrough assumes that Private Marketplace is enabled in your AWS management account. To enable this feature, see Creating and managing a Private Marketplace in the AWS Marketplace Buyer Guide.
To implement automated distribution of Private Marketplace entitlement with AWS Service Catalog, complete the following steps.
- Check that the Private Marketplace experience is enabled.
- Enable AWS Organizations trust access for relevant AWS services.
- Create a stack for automated distribution of Private Marketplace entitlement.
- Share AWS Service Catalog portfolio.
- Test the solution.
Step 1: Check that the Private Marketplace experience is enabled
To validate that the Private Marketplace experience is enabled, check your AWS Marketplace console. Alternatively, in a terminal window, run the following AWS Command Line Interface (AWS CLI) commands.
- List the Private Marketplace experience or experiences in the account. A Private Marketplace experience associates accounts with approved products, including options to define a specific look and feel. Each experience in the output of this command is identified by an EntityId, a unique identifier; the describe command in the next step takes the <EntityId> of the experience of interest. For this post, the experience name is DemoExperience.
aws marketplace-catalog list-entities \
--catalog AWSMarketplace \
--entity-type Experience \
--region us-east-1 \
--query "EntitySummaryList"
- Describe the Private Marketplace experience of interest. The output status of the experience should be Enabled.
aws marketplace-catalog describe-entity \
--catalog AWSMarketplace \
--region us-east-1 \
--entity-id <EntityId>
If the experience is not enabled, enable the experience by following the steps in configuring your Private Marketplace. Then run the step 1.2 command again to confirm that the experience status is Enabled.
Step 2: Enable AWS Organizations trust access for relevant AWS services
You must now confirm that AWS Service Catalog, AWS License Manager, and AWS Marketplace are in the list of service principals with AWS Organizations trust access. In a terminal window, run the following AWS CLI command.
aws organizations list-aws-service-access-for-organization \
--query 'EnabledServicePrincipals[*].ServicePrincipal'
If the desired services aren’t in the list, enable AWS Organizations trust access for them with the following command.
# Bash array of service principals (arrays cannot be exported, so plain assignment is used)
principals=('servicecatalog.amazonaws.com' 'license-manager.amazonaws.com' 'license-manager.member-account.amazonaws.com' 'license-management.marketplace.amazonaws.com')
for i in "${principals[@]}"; do aws organizations enable-aws-service-access --service-principal "$i"; done
aws license-manager update-service-settings \
--organization-configuration EnableIntegration=true
Step 3: Create a stack to automate the distribution of Private Marketplace entitlement
You must now create a stack that deploys the AWS resources. The provided AWS CloudFormation template deploys an AWS Lambda function, an EventBridge rule, the AWS License Manager grant and activation logic, and an AWS Service Catalog portfolio. Deploy it in the management AWS account, which is also the payer account. The template implements event-driven automation, which in turn generates subscribed AWS Marketplace product entitlement grants for child accounts in AWS License Manager. It also adds the subscribed AWS Marketplace products to the AWS Service Catalog portfolio, which you share across your landing zone in step 4.
The Lambda function receives an event from EventBridge with the product information. It verifies that the portfolio is shared with the relevant organizational unit. Then it associates products of type MARKETPLACE with the shared portfolio. If verification fails, it handles the error and logs the relevant information.
This template performs the following functions automatically:
- The Private Marketplace admin triggers the ImporttoServicecatalog API call by choosing Copy to Service Catalog on an AWS Marketplace product.
- The EventBridge rule catches the API call and publishes the event message to a Lambda function resource named privatemarketplace.
- For "type":"MARKETPLACE" products and "status":"CREATED" events, the function triggers the following automated portfolio management tasks in AWS Service Catalog:
  - Validates that the portfolio is shared.
  - Updates the portfolio with the new Private Marketplace product association.
  - Gracefully handles any exception.
- For subscribed AWS Marketplace product events, the function triggers the following automated AWS License Manager tasks:
  - On the management account AWS License Manager, grant the subscribed product license to the child account.
  - On the child account AWS License Manager, accept and activate the granted subscribed product license.
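The following is an added example, not the Lambda code from the post's CloudFormation template: it shows the decision logic the function is described as implementing (act only on "type":"MARKETPLACE" / "status":"CREATED", verify the portfolio share before associating, grant only to enrolled child accounts, record failures instead of crashing). The event field layout, the AwsCalls callable names, and the sample identifiers are assumptions; in a deployment each callable would wrap the corresponding boto3 Service Catalog or License Manager call.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

REQUIRED_TYPE = "MARKETPLACE"  # product type the function acts on (from the post)
REQUIRED_STATUS = "CREATED"    # event status the function acts on (from the post)

@dataclass
class AwsCalls:
    """Injected stand-ins for the Service Catalog / License Manager calls (names assumed)."""
    portfolio_shared_with: Callable[[str], List[str]]  # portfolio_id -> org ids it is shared with
    associate_product: Callable[[str, str], None]      # (product_id, portfolio_id)
    list_child_accounts: Callable[[], List[str]]       # enrolled child account ids
    create_grant: Callable[[str, str], str]            # (license_arn, account_id) -> grant ARN

def should_process(detail: Dict) -> bool:
    """Only MARKETPLACE products in CREATED state qualify; all other events are ignored."""
    return detail.get("type") == REQUIRED_TYPE and detail.get("status") == REQUIRED_STATUS

def handle(detail: Dict, portfolio_id: str, org_id: str, aws: AwsCalls) -> Dict:
    """Associate the product with the shared portfolio, then grant its license per child account."""
    summary = {"processed": should_process(detail), "associated": False, "grants": [], "errors": []}
    if not summary["processed"]:
        return summary
    # Verify the share first: an unshared portfolio would make the product invisible to accounts.
    if org_id not in aws.portfolio_shared_with(portfolio_id):
        summary["errors"].append(f"portfolio {portfolio_id} is not shared with {org_id}")
        return summary
    try:
        aws.associate_product(detail["productId"], portfolio_id)
        summary["associated"] = True
    except Exception as exc:  # graceful handling: record the failure and carry on with the grants
        summary["errors"].append(f"associate failed: {exc}")
    # Grants go only to accounts enrolled in the organization, one per account.
    for account in aws.list_child_accounts():
        summary["grants"].append(aws.create_grant(detail["licenseArn"], account))
    return summary

# Constructed sample event detail; the real event layout is not shown in the post.
SAMPLE_DETAIL = {"type": "MARKETPLACE", "status": "CREATED", "productId": "prod-EXAMPLE",
                 "licenseArn": "arn:aws:license-manager::111111111111:license:l-EXAMPLE"}

def demo(shared: bool = True) -> Dict:
    """Run the handler against in-memory fakes; shared=False simulates an unshared portfolio."""
    fake = AwsCalls(
        portfolio_shared_with=lambda pid: ["o-exampleorg"] if shared else [],
        associate_product=lambda prod, pid: None,
        list_child_accounts=lambda: ["222222222222", "333333333333"],
        create_grant=lambda lic, acct: f"arn:grant:{acct}",
    )
    return handle(SAMPLE_DETAIL, "port-EXAMPLE", "o-exampleorg", fake)
```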
Step 4: Share AWS Service Catalog Private Marketplace portfolio
To share your Private Marketplace experience with AWS Service Catalog, do the following:
- In the AWS Service Catalog console, navigate to your portfolio and choose the PrivateMarketplace portfolio created as part of the automation stack deployed in Step 3.
- Select the Share tab and choose Share.
- Choose whether to share with a specific account or with an organization.
- Choose Organization and select Organization from the drop-down.
- Provide your AWS Organizations ID and choose Share. You can find the Organization ID on AWS Organizations in the AWS console.
Step 5: Test the solution
You must now trigger the automated distribution of Private Marketplace entitlement with AWS Service Catalog. To do that, follow these steps:
- Log in to your AWS management account. Navigate to the subscribed Private Marketplace product in Private Marketplace.
- Select the product and choose Continue to Launch.
- On the Launch configuration page, under Choose Action, select Copy to Service Catalog.
- Select the Region where you created your AWS Service Catalog portfolio.
- Choose Copy to Service Catalog.
- Navigate to the AWS Service Catalog portfolio and confirm that the product is associated.
- On any child account, navigate to the AWS Service Catalog portfolio, select Imported, and confirm that the product is visible.
Cleanup
To avoid incurring future charges, delete all resources that you created via AWS CloudFormation by deleting the stack. Follow the steps below to clean up the deployed resources.
- Un-share the AWS Service Catalog portfolio PrivateMarketplace.
  - In the AWS Service Catalog console, navigate to your portfolios and choose the PrivateMarketplace portfolio created as part of the automation stack deployed in Step 3.
  - Select the Share tab and un-share each entry.
- In the AWS CloudFormation console, choose the automation stack and select Delete stack.
Conclusion
In this blog post, we showed you how to use event-based automation to distribute AWS Marketplace product entitlements to your multi-account AWS environment via AWS License Manager and AWS Service Catalog. Doing so gives you faster and less error-prone entitlement distribution to a large number of user accounts. You can expand this automated workflow to include additional distribution steps or multiple product distribution portfolios for different segments of your enterprise.
About the Authors
Adedayo Aderanti is a Cloud Infrastructure Architect at AWS working closely with customers to accelerate their cloud adoption journey. He loves helping customers build platforms that can adapt as their needs evolve.
Martin Gjoshevski is a Specialist Solutions Architect with a passion for creating optimized, high-scale solutions with a minimalist approach. In his spare time he enjoys working on DIY projects and playing sports.