

# Share portal products in API Gateway

You can share a portal product across AWS accounts using AWS RAM. When you share a portal product, the other account can use your portal product in their own portal. With shared portal products, you can create a single catalog of your organization's APIs and enforce governance standards across your API ecosystem. At the same time, sharing portal products provides flexibility for API providers to develop, test, and maintain APIs in their own accounts.

## Considerations


The following considerations might impact how you share portal resources:
+ When you share your product with another account, that account cannot modify any properties of your REST API. This includes the integration endpoints, the authorization strategy, or the stage configuration.
+ When you add another account's portal product into your portal, the portal product owner cannot view or control any other properties of your portal. The portal product owner only knows that the product is being used in your portal.
+ API Gateway portal products are shared at the AWS Region level.
+ You can use one resource share with multiple principals, and after you create the resource share, you can add more principals to it. We recommend that when possible, you reuse your resource share.
+ If both accounts are in the same organization using AWS Organizations, the resource share is automatically accepted. You still need to create the resource share using AWS RAM.
+ If both accounts are in the same organization using AWS Organizations and resource sharing within your organization is enabled, any principals in the organization that you share with are automatically granted access to the resource shares. There is no need for an invitation and you can skip the resource share.
+ If the account you shared the product with doesn't accept the resource share within **12 hours**, you must share the resource again.
+ After you create the resource share, AWS RAM updates the product sharing policy of your product to prevent access to principals without explicit `allow` access. For more information, see [Determining whether a request is allowed or denied within an account](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) in the IAM User Guide.

  The updated resource policy will look like the following:

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "apigateway:GetProduct",
                  "apigateway:ListEndpoints",
                  "apigateway:ListPages",
                  "apigateway:GetEndpoint",
                  "apigateway:GetPage"
              ],
              "Resource": [
                  "arn:aws:apigateway:us-east-1:111122223333:/portalproducts/product-id",
                  "arn:aws:apigateway:us-east-1:111122223333:/portalproducts/product-id/*"
              ]
          }
      ]
  }
  ```

  AWS RAM prevents principals without explicit allow access from adding your product to their portal by adding the following condition:

  ```
  "StringNotEquals": { "aws:PrincipalAccount": "555555555555" }
  ```

To learn how to share a product, see [Share your portal product with a portal owner in API Gateway](apigateway-portals-share-products.md). To learn how to add a product shared with you to your portal, see [Add a shared portal product to your portal in API Gateway](apigateway-portals-use-shared-products.md).

# Share your portal product with a portal owner in API Gateway

As a product owner, you can share your product with a portal owner in another AWS account using AWS RAM. You maintain full control of all product pages and product REST endpoint pages.

## Considerations


The following considerations might impact how you share portal products:
+ You can share or unshare your portal products at any time. If you unshare a portal product while it's being used in a published portal, the portal owner won't be able to view the portal product, view any updates made to it, or republish or preview the portal until they remove the portal product.
+ You can view the portal products that you've shared with other accounts.
+ You can't modify any portals that contain your portal product, unless you create the portal yourself.

## Share your portal product


The following procedure shows how to create a resource share.

------
#### [ AWS Management Console ]

To use the AWS Management Console, see [Creating a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html) in the *AWS RAM User Guide*.

For **Select resource type**, choose **API Gateway Product**.

------
#### [ AWS CLI ]

The following [create-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/create-resource-share.html) command creates a resource share for your portal product. It can take a few minutes for the resource and principal associations to complete. For principals, provide an account ID or an Organizations ID, such as `arn:aws:organizations::123456789012:organization/o-1234abcd`. You can provide multiple principals for your resource share.

```
aws ram create-resource-share \
 --region us-west-2 \
 --name portal-product-resource-share \
 --permission-arns arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAPIGatewayDeveloperPortalProduct \
 --resource-arns arn:aws:apigateway:us-west-2:111122223333:/portalproducts/p000000000 \
 --principals 222222222222
```

------

To unshare your portal product, use AWS RAM to delete the resource share.

At any time, you can modify the product sharing policy to modify which principals can use your portal products in their portals.

**To update the product sharing policy**

1. Sign in to the API Gateway console at [https://console.aws.amazon.com/apigateway](https://console.aws.amazon.com/apigateway).

1. In the main navigation pane, choose **Portal products**.

1. Choose a product.

1. In the **Product sharing** tab, for **Product sharing policy**, choose **Manage product sharing policy**.

1. If you haven't shared your product before, your product sharing policy will deny all access to other accounts to your portal products. You need to update the policy to allow access for certain accounts to your portal product.

1. After you have updated your product sharing policy, choose **Save changes**.
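Before you save a hand-edited product sharing policy, you can check that it still grants only the read-only actions and product-scoped resources shown in the policy earlier on this page. The following is an added example, not AWS code: the function names are hypothetical, the sample policy is constructed, and the baseline is assumed to be the five actions in that policy.

```python
import json

# Read-only actions from the policy shown on this page (assumed baseline).
BASELINE_ACTIONS = {
    "apigateway:getproduct", "apigateway:listendpoints", "apigateway:listpages",
    "apigateway:getendpoint", "apigateway:getpage",
}

def as_list(value):
    """IAM JSON allows a single string where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def lint_sharing_policy(policy_json, product_arn):
    """Return findings for Allow statements broader than the baseline."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource in an Allow")
        for action in as_list(stmt.get("Action")):
            # IAM action names are case-insensitive; wildcards never match the set.
            if action.lower() not in BASELINE_ACTIONS:
                findings.append(f"statement {i}: action outside baseline: {action}")
        for resource in as_list(stmt.get("Resource")):
            if resource not in (product_arn, product_arn + "/*"):
                findings.append(f"statement {i}: resource outside product: {resource}")
    return findings

# Constructed sample: the page's policy plus one over-broad statement.
PRODUCT_ARN = "arn:aws:apigateway:us-east-1:111122223333:/portalproducts/product-id"
SAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(BASELINE_ACTIONS),
         "Resource": [PRODUCT_ARN, PRODUCT_ARN + "/*"]},
        {"Effect": "Allow", "Action": "apigateway:*",
         "Resource": "arn:aws:apigateway:us-east-1:111122223333:/portalproducts/*"},
    ],
})

if __name__ == "__main__":
    for finding in lint_sharing_policy(SAMPLE, PRODUCT_ARN):
        print(finding)
```
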

# Add a shared portal product to your portal in API Gateway

As a portal owner, you can use portal products shared with you by other accounts in your portal. You maintain full control of your portal.

## Considerations


The following considerations might impact how you share portal resources:
+ You must accept the product resource share from the product owner to use their product in your portal. If you and the product owner are in the same organization in AWS Organizations, AWS RAM can complete some sharing steps for you.
+ If the product owner unshares a product while it's in your published portal, the product will still be visible on the portal, but you won't be able to publish the portal again until you remove this product. It's your responsibility as the portal owner to remove the product from your portal, as the product owner can't do that for you.
+ You can view the portal products, the product pages, and the product REST endpoint pages, but you cannot modify any of these resources.
+ If a product is shared with you, you can't share it with another account.

## (Optional) Accept the resource share


After your product owner creates a resource share, you have **12 hours** to accept it. If you are in the same organization using AWS Organizations as the product owner, the share is automatically accepted. If you are in an organization that has automatic shared resources enabled, the resource is automatically shared with you.

------
#### [ AWS Management Console ]

To use the AWS Management Console, see [Accepting and rejecting resource share invitations](https://docs.aws.amazon.com/ram/latest/userguide/working-with-shared-invitations.html) in the *AWS RAM User Guide*. 

------
#### [ AWS CLI ]

To find all the resources shared with you, use the following [get-resource-share-invitations](https://docs.aws.amazon.com/cli/latest/reference/ram/get-resource-share-invitations.html) command:

```
aws ram get-resource-share-invitations \
    --region us-west-2
```

Use the resulting resource share ARN to accept the resource share invitation. The following [accept-resource-share-invitation](https://docs.aws.amazon.com/cli/latest/reference/ram/accept-resource-share-invitation.html) command accepts the resource share.

```
aws ram accept-resource-share-invitation \
    --resource-share-invitation-arn arn:aws:ram:us-west-2:123456789012:resource-share-invitation/1e3477be-4a95-46b4-bbe0-c4001EXAMPLE \
    --region us-west-2
```

------
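To avoid accepting a share from an account you don't expect, you can vet the `get-resource-share-invitations` output before you run the accept command. The following is an added example, not AWS code: the function name and the sample invitations are constructed, and timestamps are assumed to be ISO 8601 strings with a UTC offset.

```python
import json
from datetime import datetime, timedelta, timezone

ACCEPT_WINDOW = timedelta(hours=12)  # acceptance window stated on this page

def vet_invitations(cli_json, trusted_senders, now):
    """Split invitations into ARNs to accept and (ARN, reason) pairs to skip."""
    accept, skipped = [], []
    for inv in json.loads(cli_json).get("resourceShareInvitations", []):
        arn = inv["resourceShareInvitationArn"]
        sent = datetime.fromisoformat(inv["invitationTimestamp"])
        if inv["status"] != "PENDING":
            skipped.append((arn, "status " + inv["status"]))
        elif inv["senderAccountId"] not in trusted_senders:
            skipped.append((arn, "unexpected sender " + inv["senderAccountId"]))
        elif now - sent >= ACCEPT_WINDOW:
            skipped.append((arn, "older than 12 hours, ask the owner to share again"))
        else:
            accept.append(arn)
    return accept, skipped

# Constructed sample in the shape of `aws ram get-resource-share-invitations`
# output; the invitation IDs are placeholders, not real values.
PREFIX = "arn:aws:ram:us-west-2:111122223333:resource-share-invitation/"
SAMPLE = json.dumps({"resourceShareInvitations": [
    {"resourceShareInvitationArn": PREFIX + "EXAMPLE-1", "status": "PENDING",
     "senderAccountId": "111122223333",
     "invitationTimestamp": "2025-01-01T06:00:00+00:00"},
    {"resourceShareInvitationArn": PREFIX + "EXAMPLE-2", "status": "PENDING",
     "senderAccountId": "999999999999",
     "invitationTimestamp": "2025-01-01T11:00:00+00:00"},
    {"resourceShareInvitationArn": PREFIX + "EXAMPLE-3", "status": "PENDING",
     "senderAccountId": "111122223333",
     "invitationTimestamp": "2024-12-31T20:00:00+00:00"},
]})
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed for the sample

if __name__ == "__main__":
    ok, rest = vet_invitations(SAMPLE, {"111122223333"}, NOW)
    print("accept:", ok)
    for arn, reason in rest:
        print("skip:", arn, "-", reason)
```
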

## Add a shared product to your portal


After you accept the resource share, you add the product to your portal.

------
#### [ AWS Management Console ]

**To add a shared product to your portal**

1. Sign in to the API Gateway console at [https://console.aws.amazon.com/apigateway](https://console.aws.amazon.com/apigateway).

1. In the main navigation pane, choose **Portals**.

1. Choose a portal.

1. In the **Products** tab, for **Portal products**, choose **Add products**.

1. Add a product to your portal. Shared products are shown as `shared` in the products list.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

To find all the portal products shared with you, use the following `get-portal-products` command:

```
aws apigatewayv2 get-portal-products \
    --resource-owner OTHER_ACCOUNTS \
    --region us-west-2
```

To add a shared portal product to your portal, use the following `update-portal` command:

```
aws apigatewayv2 update-portal \
    --included-portal-product-arns arn:aws:apigateway:us-west-2:111122223333:/portalproducts/p000000000 \
    --region us-west-2
```

------