Any AWS Account within the Cornell AWS Organization has access to the IT@Cornell Service Catalog Portfolio. Service Catalog is an AWS offering that allows us to give our member AWS Account Administrators templated, self-service "Products" which define a standalone IT service or tool.


Account Administrators have full control over which IAM Groups, Roles and Users are allowed to launch Products from the IT@Cornell Portfolio. By default, shib-admin and sso-admin members can launch our Portfolio products.

Launching Products

  1. Browse to the Service Catalog service → Select Products
  2. Select desired product → Launch Product button

Granting Additional IAM Principal Access

The steps below give additional IAM Principals (e.g. sso-devs, shib-devs, shib-dbas, etc.) access to the IT@Cornell Products for your account. Our Portfolio is visible within member accounts, but no IAM Roles are given permission to launch any Products contained within it. This document describes the steps to enable IT@Cornell Products for your account's shib-admin IAM Role within the AWS Console. It is certainly possible to use this same process to enable the same Products for other IAM Roles in your account. If that is your goal, make sure to follow the AWS Documentation to ensure the Role has the proper permissions to launch Service Catalog Products and their underlying resources.

  1. Log in to your Cornell AWS Account
  2. Make sure you are in the us-east-1 (N. Virginia) Region
  3. Navigate to the Imported Portfolios section of the AWS Service Catalog Console
  4. Click the IT@Cornell Portfolio
  5. Select the "Access" tab
  6. Click the "Grant access" button
  7. Select the "IAM Principal" radio button
    1. Wildcards are now supported for granting access via Principal Names as well, e.g. arn:aws:iam:::role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_sso-admin_*
  8. Select the "Roles" tab
  9. Search for and select the desired role to add (for example, shib-admin)
  10. Click the "Grant Access" button
  11. Confirm that the IT@Cornell Products are now visible and launchable in the Products section for the newly provisioned IAM Principal.
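
The console steps above can also be done from the AWS CLI. The script below is an added example, not part of the original page or IT@Cornell's tooling: it picks the principal type for a full ARN versus a wildcard Principal Name and prints the resulting grant command. The portfolio ID port-EXAMPLE and account ID 123456789012 are placeholders, the function names are hypothetical, and the all-wildcard guard is a local assumption.

```shell
#!/bin/sh
# Added example, not IT@Cornell's own tooling. CLI equivalent of console steps 3-10.
# Find the imported portfolio's ID with:
#   aws servicecatalog list-accepted-portfolio-shares --portfolio-share-type AWS_ORGANIZATIONS

# Print the --principal-type for a principal string, or fail if it is neither form.
#   IAM         : full ARN with a 12-digit account ID, no wildcards
#   IAM_PATTERN : Principal Name, account field empty, * and ? wildcards allowed
principal_type() {
  if printf '%s\n' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:(role|user|group)/[A-Za-z0-9+=,.@_/-]+$'; then
    echo IAM
  elif printf '%s\n' "$1" | grep -Eq '^arn:aws:iam:::(role|user|group)/[A-Za-z0-9+=,.@_/*?-]+$'; then
    echo IAM_PATTERN
  else
    return 1
  fi
}

# Local guard (an assumption of this example, not an AWS rule): a pattern made
# only of wildcards, such as role/*, would match every role in the account.
pattern_too_broad() {
  name=${1#arn:aws:iam:::}   # drop the ARN prefix
  name=${name#*/}            # drop the resource type (role/, user/, group/)
  [ -z "$(printf '%s' "$name" | tr -d '*?/')" ]
}

# grant_access PORTFOLIO_ID PRINCIPAL
# Prints the command by default; set DRY_RUN=0 to run it.
grant_access() {
  portfolio_id=$1 principal=$2
  ptype=$(principal_type "$principal") || { echo "unrecognised principal: $principal" >&2; return 2; }
  if [ "$ptype" = IAM_PATTERN ] && pattern_too_broad "$principal"; then
    echo "refusing all-wildcard pattern: $principal" >&2
    return 3
  fi
  set -- aws servicecatalog associate-principal-with-portfolio \
    --region us-east-1 --portfolio-id "$portfolio_id" \
    --principal-arn "$principal" --principal-type "$ptype"
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# port-EXAMPLE is a placeholder portfolio ID; the principal is the wildcard example from step 7.
grant_access port-EXAMPLE 'arn:aws:iam:::role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_sso-admin_*'
```

Review the printed command before running with DRY_RUN=0, since a wildcard grant applies to every role whose name matches the pattern.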