

# Managing Catalogs
<a name="catalogs"></a>

AWS Service Catalog provides an interface for managing portfolios, products, and constraints from an administrator console.

**Note**  
To perform any of the tasks in this section, you must have administrator permissions for AWS Service Catalog. For more information, see [Identity and Access Management in AWS Service Catalog](controlling_access.md). 

**Topics**
+ [Managing Portfolios](catalogs_portfolios.md)
+ [Managing Products](catalogs_products.md)
+ [Using AWS Service Catalog Constraints](constraints.md)
+ [AWS Service Catalog Service Actions](using-service-actions.md)
+ [Adding AWS Marketplace Products to Your Portfolio](catalogs_marketplace-products.md)
+ [Using CloudFormation StackSets](using-stacksets.md)
+ [Managing Budgets](catalogs_budgets.md)

# Managing Portfolios
<a name="catalogs_portfolios"></a>

You create, view, and update portfolios on the **Portfolios** page in the AWS Service Catalog administrator console.

**Topics**
+ [Creating, Viewing, and Deleting Portfolios](#portfoliomgmt-menu)
+ [Viewing Portfolio Details](#portfoliomgmt-portdetails)
+ [Creating and Deleting Portfolios](portfoliomgmt-create.md)
+ [Adding products](portfoliomgmt-products.md)
+ [Adding Constraints](portfoliomgmt-constraints.md)
+ [Granting Access to Users](catalogs_portfolios_users.md)
+ [Sharing a Portfolio](catalogs_portfolios_sharing_how-to-share.md)
+ [Sharing and Importing Portfolios](catalogs_portfolios_sharing.md)

## Creating, Viewing, and Deleting Portfolios
<a name="portfoliomgmt-menu"></a>

The **Portfolios** page displays a list of the portfolios that you have created in the current region. Use this page to create new portfolios, view a portfolio's details, or delete portfolios from your account. 

**To view the **Portfolios** page**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. Select a different region as necessary.

1. If you are new to AWS Service Catalog, you see the AWS Service Catalog start page. Choose **Get started** to create a portfolio. Follow the instructions to create your first portfolio, and then proceed to the **Portfolios** page.

While using AWS Service Catalog, you can return to the **Portfolios** page at any time; choose **Service Catalog** in the navigation bar and then choose **Portfolios**.

## Viewing Portfolio Details
<a name="portfoliomgmt-portdetails"></a>

In the AWS Service Catalog administrator console, the **Portfolio details** page lists the settings for a portfolio. Use this page to manage the products in the portfolio, grant users access to products, and apply TagOptions and constraints.

**To view the **Portfolio details** page**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. Choose the portfolio that you want to manage.

# Creating and Deleting Portfolios
<a name="portfoliomgmt-create"></a>

Use the **Portfolios** page to create and delete portfolios. 

**To create a new portfolio**

1. In the left navigation menu, choose **Portfolios**.

1. Choose **Create portfolio**. 

1. On the **Create portfolio** page, enter the requested information.

1. Choose **Create**. AWS Service Catalog creates the portfolio and displays the portfolio details.

**To delete a portfolio**

**Note**  
You can only delete *local* portfolios. You can remove *imported* (shared) portfolios, but you cannot delete imported portfolios. 

Before you can delete a portfolio, you must remove all its products, constraints, groups, roles, users, shares, and TagOptions. To do so, open a portfolio to display **Portfolio details**. Then choose a tab to remove them.

**Note**  
To avoid errors, remove the constraints from the portfolio *before* you remove any products. 

1. In the left navigation menu, choose **Portfolios**.

1. Select the portfolio you want to delete.

1. Choose **Delete**. You can only delete *local* portfolios. If you are attempting to delete an *imported* (shared) portfolio, the **Actions** menu is not available. 

1. In the confirmation window, choose **Delete**.

# Adding products
<a name="portfoliomgmt-products"></a>

 You can add products to a portfolio by uploading a new product directly to an existing portfolio or by associating an existing product from your catalog to the portfolio. 

**Note**  
When you create an AWS Service Catalog product, you can upload a CloudFormation template or Terraform configuration file. The CloudFormation template is stored in an Amazon Simple Storage Service (Amazon S3) bucket, and the bucket name begins with "***cf-templates-***". You also must have permission to retrieve objects from additional buckets when provisioning a product. For more information, see [Creating products](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/productmgmt-cloudresource.html#productmgmt-cloudresource-troubleshooting). 

## Adding a new product
<a name="portfoliomgmt-products-new"></a>

You add new products directly from the **Portfolio details** page. When you create a product from this page, AWS Service Catalog adds it to the currently selected portfolio. 

**To add a new product**

1.  Navigate to the **Portfolios** page, and then choose the name of the portfolio to which you want to add the product.

1. On the **Portfolio details** page, expand the **Products** section, and then choose **Upload new product**. 

1. For **Enter product details**, enter the following:
   + **Product name** – The name of the product.
   + **Product description** (optional) – The product description. This description is shown in the product listing to help you choose the correct product. 
   + **Description** – The full description. This description is shown in the product listing to help you choose the correct product.
   + **Owner or Distributor** – The name or email address of the owner. The contact information for the distributor is optional.
   + **Vendor** (optional) – The name of the application's publisher. This field allows you to sort the products list to make it easier to find products.

1. On the **Version details** page, enter the following:
   + **Choose template** – For CloudFormation products, choose your own template file, a CloudFormation template from a local drive or a URL that points to a template stored in Amazon S3, an existing CloudFormation Stack ARN template, or a template file stored in an external repository.

     For Terraform products, choose your own template file, a tar.gz configuration file from a local drive or a URL that points to a template stored in Amazon S3, or a tar.gz configuration file stored in an external repository.
   + **Version name** (optional) – The name of the product version (e.g., "v1", "v2beta"). No spaces are allowed. 
   + **Description** (optional) – A description of the product version including how this version differs from the previous version.

1. For **Enter support details**, enter the following:
   + **Email contact** (optional) – The email address for reporting issues with the product.
   + **Support link** (optional) – A URL to a site where users can find support information or file tickets. The URL must begin with `http://` or `https://`. Administrators are responsible for maintaining the accuracy and access of support information.
   + **Support description** (optional) – A description of how you should use the **Email contact** and **Support link**.

1. Choose **Create product**.

## Adding an existing product
<a name="portfoliomgmt-products-existing"></a>

You can add existing products to a portfolio from three places: the **Portfolios** list, the **Portfolio details** page, or the **Product list** page.

**To add an existing product to a portfolio**

1. Navigate to the **Portfolios** page. 

1. Choose a portfolio. Then choose **Actions** - **Add product to portfolio**. 

1.  Choose a product, and then choose **Add product to portfolio**. 

## Removing a product from a portfolio
<a name="portfoliomgmt-products-remove"></a>

When you no longer want to use a product, remove it from a portfolio. The product is still available in your catalog from the **Products** page, and you can still add it to other portfolios. You can remove multiple products from a portfolio at one time.

**To remove a product from a portfolio**

1. Navigate to the **Portfolios** page, and then choose the portfolio that contains the product. The **Portfolio details** page opens. 

1. Expand the **Products** section. 

1. Choose one or more products, and then choose **Remove**. 

1. Confirm your choice.

# Adding Constraints
<a name="portfoliomgmt-constraints"></a>

You should add constraints to control how users engage with products. For more information about the types of constraints that AWS Service Catalog supports, see [Using AWS Service Catalog Constraints](constraints.md). 

 You add constraints to products after they have been placed in a portfolio.

**To add a constraint to a product**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. Choose **Portfolios** and select a portfolio. 

1. In the portfolio details page, expand the **Create constraint** section and choose **Add constraints**. 

1. For **Product**, select the product to which to apply the constraint.

1. For **Constraint type**, choose one of the following options:

   **Launch** – Allows you to assign an IAM role to the product that is used to provision the AWS resources. For more information, see [AWS Service Catalog Launch Constraints](constraints-launch.md).

   **Notification** – Allows you to stream product notifications to an Amazon SNS topic. For more information, see [AWS Service Catalog Notification Constraints](constraints-notification.md).

   **Template** – Allows you to limit the options that are available to end users when they launch the product. A Template consists of a JSON–formatted text file that contains one or more rules. Rules are added to the CloudFormation template used by the product. For more information, see [Template Constraint Rules](reference-template_constraint_rules.md).

   **Stack Set** – Allows you to configure product deployment across accounts and regions using CloudFormation StackSets. For more information, see [AWS Service Catalog Stack Set Constraints](constraints-stackset.md).

   **Tag Update** – Allows you to update tags after the product has been provisioned. For more information, see [AWS Service Catalog Tag Update Constraints.](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-resourceupdate.html)

1.  Choose **Continue** and enter the required information.

**To edit a constraint**

1. Sign in to the AWS Management Console and open the AWS Service Catalog administrator console at [https://console.aws.amazon.com/catalog/](https://console.aws.amazon.com/catalog/).

1. Choose **Portfolios** and select a portfolio. 

1. In the **Portfolio details** page, expand the **Create constraint** section and select the constraint to edit.

1. Choose **Edit constraints**.

1. Edit the constraint as needed, and choose **Save**.

# Granting Access to Users
<a name="catalogs_portfolios_users"></a>

Give users access to portfolios through groups or roles. The best way to provide portfolio access for many users is to put the users in an IAM group and grant access to that group. That way you can simply add and remove users from the group to manage portfolio access. For more information, see [IAM users and groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html) in the *IAM User Guide*.

In addition to access to a portfolio, users must also have access to the AWS Service Catalog end user console. You grant access to the console by applying permissions in IAM. For more information, see [Identity and Access Management in AWS Service Catalog](controlling_access.md).

If you want to share a portfolio and its Principals with other accounts, you can associate Principal Names (groups, roles or users) with the Portfolio. Principal Names are shared with the Portfolio and used in recipient accounts to grant access to end users.

**To grant portfolio access to users or groups**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1.  From the navigation pane, choose **Administration**, and then choose **Portfolios**. 

1.  Choose a portfolio that you want to grant groups, roles, or users access to. AWS Service Catalog directs you to the **Portfolio details** page. 

1.  On the **Portfolio details** page, choose the **Access** tab. 

1.  Under **Portfolio access**, choose **Grant access**. 

1.  For **Type**, choose **Principal Name**, and then select the **group/**, **role/**, or **user/** type. You can add up to 9 principal names. 

1.  Choose **Grant Access** to associate the principal to the current portfolio. 

**To remove access to a portfolio**

1. On the **Portfolio details** page, choose a group, role, or user name.

1. Choose **Remove access**.

# Sharing a Portfolio
<a name="catalogs_portfolios_sharing_how-to-share"></a>

To enable an AWS Service Catalog administrator for another AWS account to distribute your products to end users, share your AWS Service Catalog portfolio with them using either account-to-account sharing or AWS Organizations.

 When you share a portfolio using account-to-account sharing or Organizations, you are sharing a *reference* of that portfolio. The products and constraints in the imported portfolio stay in sync with changes that you make to the *shared portfolio*, the original portfolio that you shared. 

The recipient cannot change the products or constraints, but can add AWS Identity and Access Management access for end users. 

**Note**  
 You cannot share a shared resource. This includes portfolios that contain a shared product. 

## Account-to-account sharing
<a name="portfolio-sharing-account"></a>

To complete these steps, you must obtain the account ID of the target AWS account. You can find the ID on the **My Account** page in the AWS Management Console of the target account.

**To share a portfolio with an AWS account**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. In the left navigation menu, choose **Portfolios** and then select the portfolio you want to share. In the **Actions** menu, select **Share**.

1. In **Enter account ID** enter the account ID of the AWS account that you are sharing with. (Optional) Select [TagOption Sharing](#tagoptions-share). Then, choose **Share**. 

1. Send the URL to the AWS Service Catalog administrator of the target account. The URL opens the **Import Portfolio** page with the ARN of the shared portfolio automatically provided.

### Importing a Portfolio
<a name="catalogs_portfolios_sharing_importing"></a>

If an AWS Service Catalog administrator for another AWS account shares a portfolio with you, import that portfolio into your account so that you can distribute its products to your end users.

You do not need to import a portfolio if the portfolio was shared through AWS Organizations.

To import the portfolio, you must get the portfolio ID from the administrator.

To view all imported portfolios, open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/). On the **Portfolios** page, select the **Imported** tab. Review the **Imported Portfolios** table. 

## Sharing with AWS Organizations
<a name="portfolio-sharing-organizations"></a>

You can share AWS Service Catalog portfolios using AWS Organizations. 

 First, you must decide if you're sharing from the management account or a delegated administrator account. If you don't want to share from your management account, register a delegated admin account that you can use for sharing. For more information, see [Register a delegated administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) in the *CloudFormation User Guide*. 

 Next, you must decide who to share to. You can share to the following entities: 
+ An organization account.
+ An organizational unit (OU).
+ The organization itself. (This shares with every account in the organization.)

### Sharing from a management account
<a name="sharing-from-master"></a>

You can share a portfolio with an organization when you use your organizational structure or input the ID of an organizational node.

**To share a portfolio with an organization by using the organizational structure**

1. Open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. On the **Portfolios** page, select the portfolio that you want to share. In the **Actions** menu, select **Share**.

1. Select **AWS Organizations** and filter into your organizational structure. 

   You can select the Root node to share the portfolio with your entire organization, a parent Organizational Unit (OU), a child OU, or an AWS account within your organization. 

   Sharing to a parent OU shares the portfolio to all accounts and child OUs within that parent OU. 

   You can select **View AWS accounts only** to see a list of all of the AWS accounts in your organization.

**To share a portfolio with an organization by entering the ID of the organizational node**

1. Open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. On the **Portfolios** page, select the portfolio that you want to share. In the **Actions** menu, select **Share**. 

1. Select **Organization Node**. 

   Select whether you want to share with your entire organization, an AWS account within your organization, or an OU. 

   Input the ID of the organizational node you selected, which you can find within the AWS Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

### Sharing from a delegated administrator account
<a name="delegated-admin"></a>

 The management account of an organization can register and de-register other accounts as delegated administrators for the organization. 

A delegated administrator can share AWS Service Catalog resources in their organization the same way a management account can. They are authorized to create, delete, and share portfolios. 

To register or de-register a delegated administrator, you must use the API or CLI from the management account. For more information, see [RegisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html) and [DeregisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html) in the *AWS Organizations API Reference*. 

**Note**  
Before you can designate a delegate, the administrator must call [EnableAWSOrganizationsAccess](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_EnableAWSOrganizationsAccess.html).

The procedure for sharing a portfolio from a delegated administrator account is the same as sharing from a management account, as seen above in [Sharing from a management account](#sharing-from-master).

 If a member is de-registered as a delegated administrator, the following occurs: 
+ Portfolio shares that were created from that account are removed.
+ They can no longer create new portfolio shares.

**Note**  
 If the portfolio and shares created by a delegated administrator do not get removed after the delegated administrator is de-registered, register and de-register the delegated administrator again. This action removes the portfolio and shares created by that account. 

### Moving accounts within your organization
<a name="move-account"></a>

If you move an account within your organization, the AWS Service Catalog portfolios shared with the account might change. 

Accounts only have access to portfolios shared with their destination organization or organizational unit. 

## Sharing TagOptions when sharing portfolios
<a name="tagoptions-share"></a>

As an administrator, you can create a share to include TagOptions. TagOptions are key-value pairs that enable administrators to:
+ Define and enforce the taxonomy for tags.
+ Define tag options and associate them to products and portfolios.
+ Share tag options associated with portfolios and products with other accounts.

When you add or remove tag options in the main account, the change automatically appears in recipient accounts. In recipient accounts, when an end user provisions a product with TagOptions, they must choose values for tags that become tags on the provisioned product. 

In recipient accounts administrators can associate additional local TagOptions to their imported portfolio to enforce tagging rules that are specific to that account.

**Note**  
To share a portfolio, you need the consumer's AWS account ID. Find the AWS account ID in **My Account** in the console.

**Note**  
If a TagOption has a single value, AWS automatically enforces that value during the provisioning process.

**To share TagOptions when sharing portfolios**

1. In the left navigation menu, choose **Portfolios**.

1. In **Local portfolios**, choose and open a portfolio.

1. Choose **Share** from the list above and then choose the **Share** button.

1. Choose to share with another AWS account or organization.

1. Enter the 12-digit account ID number, select **Enable**, and then choose **Share**.

   The account you shared displays in the **Accounts shared with** section. It indicates whether TagOptions were enabled.

You can also update a portfolio share to include TagOptions. All TagOptions that belong to the portfolio and product now share to this account.

**To update a portfolio share to include TagOptions**

1. In the left navigation menu, choose **Portfolios**.

1. In **Local portfolio**, choose and open a portfolio.

1. Choose **Share** from the list above.

1. In **Accounts shared with**, choose an account ID and then choose **Actions**.

1. Select **Update unshare** or **Unshare**.

   When you select **Update unshare**, choose **Enable** to initiate sharing TagOptions. The account you shared displays in the **Accounts shared with** section.

   When you select **Unshare**, confirm you no longer want to share the account.

## Sharing Principal Names when sharing portfolios
<a name="principal-name-share"></a>

As an administrator, you can create a Portfolio share that includes Principal Names. Principal Names are names for groups, roles and users that administrators can specify in a Portfolio, and then share with the portfolio. When you share the portfolio, AWS Service Catalog verifies if those Principal Names already exist. If they do exist, AWS Service Catalog automatically associates the matching IAM Principals with the shared Portfolio to grant access to users.

**Note**  
When you associate a principal with a portfolio, a potential privilege escalation path may occur when that portfolio is then shared with other accounts. For a user in a recipient account who is *not* an AWS Service Catalog Admin, but still has the ability to create Principals (Users/Roles), that user could create an IAM Principal that matches a principal name association for the portfolio. Although this user may not know which principal names are associated through AWS Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then AWS Service Catalog recommends using `PrincipalType` as `IAM`. With this configuration, the `PrincipalARN` must already exist in the recipient account before it can be associated.

When you add or remove Principal Names in the main account, AWS Service Catalog automatically applies those changes in the recipient account. Users in the recipient account can then perform tasks based on their role:
+ **End users** can provision, update, and terminate the portfolio's product. 
+ **Administrators** can associate additional IAM Principals to their imported portfolio to grant access to end users specific to that account. 

**Note**  
Principal Name Sharing is only available for AWS Organizations.

**To share Principal Names when sharing portfolios**

1. In the left navigation menu, choose **Portfolios**. 

1. In **Local portfolios**, choose the portfolio you want to share.

1. In the **Actions** menu, choose **Share**.

1. Select an organization in AWS Organizations.

1. Select the entire **organization root**, an **organization unit (OU)**, or an **organization member**.

1. In **Share** settings, enable the **Principal sharing** option.

You can also update a portfolio share to include Principal Name sharing. This shares all Principal Names that belong to that portfolio with the recipient account. 

**To update a portfolio share to enable or disable Principal Names**

1. In the left navigation menu, choose **Portfolios**. 

1. In **Local portfolio**, choose the portfolio you want to update. 

1. Choose the **Share** tab. 

1. Select the share you want to update, and then choose **Share**. 

1. Choose **Update share**, and then choose **Enable** to initiate Principal sharing. AWS Service Catalog then shares Principal Names in recipient accounts. 

**Disable** Principal sharing if you want to stop sharing the Principal Names with recipient accounts.

### Using wildcards when sharing Principal Names
<a name="wildcards-principal-names"></a>

AWS Service Catalog supports granting portfolio access to IAM principals (user, group or role) names with wildcards, such as `*` or `?`. Using wildcard patterns enables you to cover multiple IAM principal names at one time. The ARN path and principal name allow unlimited wildcard characters. 

Examples of an **acceptable** wildcard ARN:
+ `arn:aws:iam:::role/ResourceName_*`
+ `arn:aws:iam:::role/*/ResourceName_?`

Examples of an **unacceptable** wildcard ARN:
+ `arn:aws:iam:::*/ResourceName`

In the IAM Principal ARN format (`arn:partition:iam:::resource-type/resource-path/resource-name`), valid values include **user/**, **group/**, or **role/**. The `?` and `*` are allowed only after the resource-type in the resource-id segment. You can use special characters anywhere within the resource-id.

The `*` character also matches the `/` character, allowing paths to be formed *within* the resource-id. For example:

`arn:aws:iam:::role/*/ResourceName_?` matches both `arn:aws:iam:::role/pathA/pathB/ResourceName_1` and `arn:aws:iam:::role/pathA/ResourceName_1`. 
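To review the exposure described in the privilege escalation note and in the wildcard rules above, the following added example (not AWS code and not part of the original page) validates Principal Name patterns and lists which principals in a recipient account each one would match. Function names and sample data are constructed for illustration; it assumes `*` matches zero or more characters, `?` matches exactly one character of any kind, and that associations are shaped like `ListPrincipalsForPortfolio` items with `PrincipalType` set to `IAM` or `IAM_PATTERN`.

```python
"""Audit helper for Service Catalog Principal Name (IAM_PATTERN) associations."""
import re

VALID_TYPES = {"user", "group", "role"}


def parse_pattern(pattern):
    """Split arn:partition:iam:::resource-type/resource-id into its parts.

    Raises ValueError when the pattern breaks the rules on this page, for
    example a wildcard in the resource-type position.
    """
    parts = pattern.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam":
        raise ValueError("not an IAM ARN")
    partition, region, account, resource = parts[1], parts[3], parts[4], parts[5]
    if region or account:
        raise ValueError("Principal Name must omit region and account ID")
    if not partition or any(c in partition for c in "*?"):
        raise ValueError("partition must be a literal value")
    rtype, sep, rid = resource.partition("/")
    if rtype not in VALID_TYPES:
        raise ValueError("resource-type must be user/, group/ or role/")
    if not sep or not rid:
        raise ValueError("resource-id is empty")
    return partition, rtype, rid


def _to_regex(resource_id):
    # Assumption: '*' = zero or more characters (including '/'), '?' = one.
    out = []
    for ch in resource_id:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out), re.DOTALL)


def matches(pattern, principal_arn):
    """True if principal_arn (with or without account ID) fits the pattern."""
    partition, rtype, rid = parse_pattern(pattern)
    p = principal_arn.split(":", 5)
    if len(p) != 6 or p[0] != "arn" or p[1] != partition or p[2] != "iam":
        return False
    ptype, sep, pid = p[5].partition("/")
    if ptype != rtype or not sep:
        return False
    return _to_regex(rid).fullmatch(pid) is not None


def audit_shared_patterns(associations, recipient_principals):
    """Report, per IAM_PATTERN association, which recipient principals match."""
    findings = []
    for assoc in associations:
        if assoc["PrincipalType"] != "IAM_PATTERN":
            continue  # PrincipalType IAM: the ARN must already exist (see note)
        arn = assoc["PrincipalARN"]
        try:
            parse_pattern(arn)
        except ValueError as exc:
            findings.append({"pattern": arn, "status": "invalid",
                             "detail": str(exc), "matches": []})
            continue
        status = "wildcard" if any(c in arn for c in "*?") else "name"
        hits = [p for p in recipient_principals if matches(arn, p)]
        findings.append({"pattern": arn, "status": status,
                         "detail": "", "matches": hits})
    return findings


# Constructed sample data: associations on a shared portfolio and the IAM
# principals present in one recipient account (account IDs are placeholders).
SAMPLE_ASSOCIATIONS = [
    {"PrincipalARN": "arn:aws:iam:::role/*/ResourceName_?", "PrincipalType": "IAM_PATTERN"},
    {"PrincipalARN": "arn:aws:iam:::*/ResourceName", "PrincipalType": "IAM_PATTERN"},
    {"PrincipalARN": "arn:aws:iam::111122223333:role/CatalogUser", "PrincipalType": "IAM"},
]
SAMPLE_RECIPIENT_PRINCIPALS = [
    "arn:aws:iam::444455556666:role/pathA/ResourceName_1",
    "arn:aws:iam::444455556666:role/pathA/pathB/ResourceName_2",
    "arn:aws:iam::444455556666:role/ResourceName_1",
    "arn:aws:iam::444455556666:user/pathA/ResourceName_1",
]

if __name__ == "__main__":
    for f in audit_shared_patterns(SAMPLE_ASSOCIATIONS, SAMPLE_RECIPIENT_PRINCIPALS):
        print(f["status"], f["pattern"], f["detail"])
        for arn in f["matches"]:
            print("   grants access to:", arn)
```

Any principal listed under a pattern that was not created by the account's administrators is worth reviewing, as is any pattern broad enough to match names that users with IAM create permissions could choose.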

# Sharing and Importing Portfolios
<a name="catalogs_portfolios_sharing"></a>

To make your AWS Service Catalog products available to users who are not in your AWS accounts, such as users who belong to other organizations or to other AWS accounts in your organization, you share your portfolios with them. You can share in several ways, including account-to-account sharing, organizational sharing, and deploying catalogs using stack sets.

 Before you share your products and portfolios to other accounts, you must decide whether you want to share a reference of the catalog or to deploy a copy of the catalog into each recipient account. Note that if you deploy a copy, you must redeploy if there are updates you want to propagate to the recipient accounts. 

You can use stack sets to deploy your catalog to many accounts at the same time. If you want to share a reference (an imported version of your portfolio that stays in sync with the original), you can use account-to-account sharing or you can share using AWS Organizations. 

To use stack sets to deploy a copy of your catalog, see [How to set up a multi-region, multi-account catalog of company standard AWS Service Catalog products](https://aws.amazon.com/blogs/mt/how-to-set-up-a-multi-region-multi-account-catalog-of-company-standard-aws-service-catalog-products/).

When you share a portfolio using account-to-account sharing or AWS Organizations, you allow an AWS Service Catalog administrator of another AWS account to import your portfolio into their account and distribute the products to end users in that account. 

This *imported portfolio* isn't an independent copy. The products and constraints in the imported portfolio stay in sync with changes that you make to the *shared portfolio*, the original portfolio that you shared. The *recipient administrator*, the administrator with whom you share a portfolio, cannot change the products or constraints, but can add AWS Identity and Access Management (IAM) access for end users. For more information, see [Granting Access to Users](catalogs_portfolios_users.md).

The recipient administrator can distribute the products to end users who belong to their AWS account in the following ways:
+ By adding users, groups, and roles to the imported portfolio.
+ By adding products from the imported portfolio to a **local portfolio**, a separate portfolio that the recipient administrator creates and that belongs to their AWS account. The recipient administrator then adds users, groups, and roles to that local portfolio. Any constraints originally applied to products in the shared portfolio are also present in the local portfolio. The local portfolio recipient administrator can add additional constraints, but cannot remove the constraints that were originally imported from the shared portfolio.

When you add products or constraints to the shared portfolio or remove products or constraints from it, the change propagates to all imported instances of the portfolio. For example, if you remove a product from the shared portfolio, that product is also removed from the imported portfolio. It is also removed from all local portfolios that the imported product was added to. If an end user launched a product before you removed it, the end user's provisioned product continues to run, but the product becomes unavailable for future launches.

If you apply a launch constraint to a product in a shared portfolio, it propagates to all imported instances of the product. To override this launch constraint, the recipient administrator adds the product to a local portfolio and then applies a different launch constraint to it. The launch constraint that is in effect sets a launch role for the product. 

A *launch role* is an IAM role that AWS Service Catalog uses to provision AWS resources (such as Amazon EC2 instances or Amazon RDS databases) when an end user launches the product. As an administrator, you can choose to designate a specific launch role ARN or a local role name. If you use the role ARN, the role will be used even if the end user belongs to a different AWS account than the one that owns the launch role. If you use a local role name, the IAM role with that name in the end user's account is used.

For more information about launch constraints and launch roles, see [AWS Service Catalog Launch Constraints](constraints-launch.md). The AWS account that owns the launch role provisions the AWS resources, and this account incurs the usage charges for those resources. For more information, see [AWS Service Catalog Pricing](https://aws.amazon.com/servicecatalog/pricing/).

This video shows you how to share portfolios across accounts in AWS Service Catalog.

[![AWS Videos](http://img.youtube.com/vi/BVSohYOppjk/0.jpg)](http://www.youtube.com/watch?v=BVSohYOppjk)


**Note**  
You cannot re-share products from a portfolio that has been imported or shared. 

**Note**  
Portfolio imports must occur in the same region between the management and dependent accounts. 

## Relationship Between Shared and Imported Portfolios
<a name="shared-imported-portfolios-relationship"></a>

This table summarizes the relationship between an imported portfolio and a shared portfolio, and the actions that an administrator who imports a portfolio can and can't take with that portfolio and the products in it.


| Element of Shared Portfolio | Relationship to Imported Portfolio | Recipient Administrator Can | Recipient Administrator Cannot | 
| --- | --- | --- | --- | 
| Products and product versions |  Inherited. If the portfolio creator adds products to or removes products from the shared portfolio, the change propagates to the imported portfolio.  |  Add imported products to local portfolios. Products stay in sync with shared portfolio.  |  Upload or add products to the imported portfolio or remove products from the imported portfolio.  | 
| Launch constraints |  Inherited. If the portfolio creator adds launch constraints to or removes launch constraints from a *shared product*, the change propagates to all imported instances of the product. If the recipient administrator adds an imported product to their *local* portfolio, that imported launch constraint is not carried over to the shared portfolio.  | In a local portfolio, the administrator can apply launch constraints that affect the local launch of the product. |  Add launch constraints to or remove launch constraints from the imported portfolio.  | 
| Template constraints |  Inherited. If the portfolio creator adds a template constraint to or removes a template constraint from a shared product, the change propagates to all imported instances of the product. If the recipient administrator adds an imported product to a local portfolio, the imported template constraints are not carried over to the local portfolio.  |  In a local portfolio, the administrator can add template constraints that constrain the local product.  |  Remove the imported template constraints.  | 
| Users, groups, and roles | Not inherited. | Add users, groups, and roles that are in the administrator's AWS account. | Not applicable. | 

# Managing Products
<a name="catalogs_products"></a>

You can create products, update products by creating a new version based on an updated template, and group products together into portfolios to distribute them to users.

New versions of products are propagated to all users who have access to the product through a portfolio. When you distribute an update, end users can update existing provisioned products.

**Topics**
+ [Viewing the Products Page](#productmgmt-menu)
+ [Creating Products](productmgmt-cloudresource.md)
+ [Adding products to portfolios](catalogs_portfolios_adding-products.md)
+ [Updating products](productmgmt-update.md)
+ [Syncing products to template files from GitHub, GitHub Enterprise, or Bitbucket](git-synced-sc-products.md)
+ [Deleting products](productmgmt-delete.md)
+ [Managing Versions](managing-versions.md)

## Viewing the Products Page
<a name="productmgmt-menu"></a>

You manage products from the **Products list** page in the AWS Service Catalog administrator console.

**To view the **Products list** page**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. Choose **Product list**.

# Creating Products
<a name="productmgmt-cloudresource"></a>

 You create products from the **Products** page in the AWS Service Catalog administrator console. 

**Note**  
Creating Terraform products requires additional configuration, including a Terraform provisioning engine and launch role. For more information, review [Getting started with a Terraform product](getstarted-Terraform.md). 

**To create a new AWS Service Catalog product**

1. Navigate to the **Products list** page. 

1. Choose **Create product**, and then choose **Create product**.

1. **Product details** – Enables you to choose the type of product you want to create. AWS Service Catalog supports CloudFormation, Terraform Cloud, and External (supports Terraform Community Edition) product types. Product details also contains the metadata that appears when you search for and view products in a list or detail page. Enter the following:
   + **Product name** – The name of the product.
   + **Product description** – The description shows in the product listing to help you choose the correct product.
   + **Owner** – The person or organization that publishes this product. The owner could be the name of your IT organization, or administrator.
   + **Distributor** (optional) – The name of the application's publisher. This field allows you to sort the products list to make it easier to find products.

1. **Version details** enables you to add your template file and build your product. Enter the following:
   + **Choose method** – There are four ways to add a template file. 
     + **Use a local template file** - Upload a CloudFormation template or a Terraform tar.gz configuration file from a local drive. 
     + **Use an Amazon S3 URL** - Specify a URL that points to a CloudFormation template or a Terraform tar.gz configuration file stored in Amazon S3. If you specify an Amazon S3 URL, it must begin with `https://`.
     + **Use an external repository** - Specify your GitHub, GitHub Enterprise, or Bitbucket code repository. AWS Service Catalog allows you to sync products to template files. For Terraform products, the template file format is required to be a single file archived in Tar and compressed in Gzip.
     + **Use an existing CloudFormation stack** - Enter the ARN for an existing CloudFormation stack. This method does not support Terraform Cloud or External products. 
   +  **Version name** (optional) – The name of the product version (e.g., "v1", "v2beta"). No spaces are allowed.
   +  **Description** (optional) – A description of the product version, including how this version differs from the other versions.
   +  **Guidance** – Managed in the versions tab on a **Product details** page. When a product version is created—during the create product workflow—guidance for that version is set to default. To learn more about guidance, see [Managing Versions](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/managing-versions.html).

1. **Support details** identifies the organization within your company, and provides a point of contact for support. Enter the following:
   + **Email contact** (optional) – The email address for reporting issues with the product.
   + **Support link** (optional) – A URL to a site where users can find support information or file tickets. The URL must begin with `http://` or `https://`. Administrators are responsible for maintaining the accuracy and access of support information.
   + **Support description** (optional) – A description of how you should use the **Email contact** and **Support link**.

1.  **Manage tags** (optional) – In addition to using tags to categorize your resources, you can also use them to authenticate your permissions to create this resource. 

1. **Create product** – When you have completed the form, select **Create product**. After a few seconds, the product appears on the **Products list** page. You might need to refresh your browser to see the product.

You can also use CodePipeline to create and configure a pipeline to deploy your product template to AWS Service Catalog and deliver changes you have made in your source repository. For more information, see [Tutorial: Create a Pipeline That Deploys to AWS Service Catalog](https://docs.aws.amazon.com/codepipeline/latest/userguide/tutorials-S3-servicecatalog.html). 

You can define parameter properties in your CloudFormation or Terraform template and enforce those rules during provisioning. These properties can define the minimum and maximum length, minimum and maximum values, allowed values, and a regular expression for the value. AWS Service Catalog issues a warning during provisioning if the value provided does not adhere to the parameter property. To learn more about parameter properties, see [Parameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html) in the *CloudFormation User Guide*.

## Troubleshooting
<a name="productmgmt-cloudresource-troubleshooting"></a>

 You must have permission to retrieve objects from Amazon S3 buckets. Otherwise, you might encounter the following error when launching or updating a product. 

```
Error: failed to process product version s3 access denied exception
```

 If you encounter this message, ensure that you have permission to retrieve objects from the following buckets: 
+  The bucket where the provisioning artifact template is stored. 
+  The bucket that begins with `cf-templates-*` and where AWS Service Catalog stores the provisioning artifact template. 
+  The internal bucket that begins with `sc-*` and where AWS Service Catalog stores metadata. You won't be able to see this bucket from your account. 

 The following example policy shows the minimum permissions that are required to retrieve objects from the previously mentioned buckets. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetObject*",
            "Resource": [
                "arn:aws:s3:::YOUR_TEMPLATE_BUCKET",
                "arn:aws:s3:::YOUR_TEMPLATE_BUCKET/*",
                "arn:aws:s3:::cf-templates-*",
                "arn:aws:s3:::cf-templates-*/*",
                "arn:aws:s3:::sc-*",
                "arn:aws:s3:::sc-*/*"
            ]
        }
    ]
}
```
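As an added example (not from the AWS documentation), this Python check evaluates an identity policy against the three object locations listed above, so that a missing grant shows up before a launch fails. It models only `Effect`, `Action`, and `Resource` with IAM wildcards, and rejects statements that use other elements; the bucket names and object keys are constructed placeholders.

```python
import json
import re


def as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_match(patterns, value, ignore_case=False):
    """IAM-style matching: '*' is any run of characters, '?' is exactly one."""
    flags = re.IGNORECASE if ignore_case else 0
    for pattern in as_list(patterns):
        regex = "".join(
            ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
        )
        if re.fullmatch(regex, value, flags):
            return True
    return False


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, and the default is deny."""
    allowed = False
    for statement in as_list(policy["Statement"]):
        unsupported = {"Condition", "NotAction", "NotResource"} & statement.keys()
        if unsupported:
            raise ValueError(f"unsupported statement elements: {sorted(unsupported)}")
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if not wildcard_match(statement["Action"], action, ignore_case=True):
            continue
        if not wildcard_match(statement["Resource"], resource):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_template_access(policy, object_arns):
    """Return the object ARNs that the policy does not let the caller read."""
    return [arn for arn in object_arns if not is_allowed(policy, "s3:GetObject", arn)]


# The example policy from this section, with a constructed bucket name
# in place of YOUR_TEMPLATE_BUCKET.
PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor1",
    "Effect": "Allow",
    "Action": "s3:GetObject*",
    "Resource": [
      "arn:aws:s3:::example-template-bucket",
      "arn:aws:s3:::example-template-bucket/*",
      "arn:aws:s3:::cf-templates-*",
      "arn:aws:s3:::cf-templates-*/*",
      "arn:aws:s3:::sc-*",
      "arn:aws:s3:::sc-*/*"
    ]
  }]
}
""")

# A policy that grants access to the template bucket only (constructed).
TEMPLATE_BUCKET_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-template-bucket/*",
    }],
}

# Constructed object ARNs, one per bucket described in the list above.
REQUIRED_OBJECTS = [
    "arn:aws:s3:::example-template-bucket/products/vpc.yaml",
    "arn:aws:s3:::cf-templates-EXAMPLE-us-east-1/vpc.yaml",
    "arn:aws:s3:::sc-EXAMPLE-us-east-1/metadata.json",
]

if __name__ == "__main__":
    for arn in missing_template_access(TEMPLATE_BUCKET_ONLY, REQUIRED_OBJECTS):
        print("no s3:GetObject permission on", arn)
```

The `cf-templates-*` and `sc-*` patterns match every bucket name with that prefix, so the check passes for any such bucket and not only the ones that AWS Service Catalog created.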

# Adding products to portfolios
<a name="catalogs_portfolios_adding-products"></a>

 You can add products to any number of portfolios. When a product is updated, all of the portfolios (including shared portfolios) that contain the product automatically receive the new version. 

**To add a product from your catalog to a portfolio**

1.  Navigate to the **Products list** page. 

1.  Select a product, and then choose **Actions**. From the dropdown menu, choose **Add product to portfolio**. You're directed to the **Add *name-of-product* to portfolio** page. 

1.  Choose a portfolio, and then choose **Add product to portfolio**. 

When adding a Terraform product to a portfolio, the product requires a launch constraint. You must select an IAM role from your account, enter an IAM role ARN, or enter a role name. If you specify a role name and if an account uses the launch constraint, the account uses that name for the IAM role. This allows launch-role constraints to be account-agnostic, ensuring you can create fewer resources per shared account. For details and instructions, review [Step 6: Add a Launch constraint to your Terraform product](getstarted-launchconstraint-Terraform.md).

 A portfolio can contain numerous products that are a mix of CloudFormation and Terraform product types. 

# Updating products
<a name="productmgmt-update"></a>

 When you update a product's template, you create a new version of the product. New product versions are automatically available to all users who have access to a portfolio containing the product. 

**Note**  
When updating an existing product, you cannot change the product type (CloudFormation or Terraform). For example, if you update a CloudFormation product, you cannot replace the existing CloudFormation template with a Terraform tar.gz configuration file. You must update the existing CloudFormation template file with a new CloudFormation template file.

 End users who are currently running a provisioned product of the previous product version can update their provisioned product to the new version. When a new version of a product is available, users can use the **Update provisioned product** command on the **Provisioned product list** or **Provisioned product details** pages. 

Before you create a new version of a product, AWS Service Catalog recommends that you test your product updates in CloudFormation or in the Terraform engine to ensure that they function properly.

**To create a new product version**

1.  Navigate to the **Product list** page. 

1.  Choose the product that you would like to update. You're directed to the **Product details** page. 

1.  On the **Product details** page, expand the **Versions** tab, and then choose **Create new version**. 

1.  Under **Version details**, perform the following: 
   + **Choose template** – There are four ways to add a template file. 

     *Use a local template file* - Upload a CloudFormation template or a Terraform tar.gz configuration file from a local drive. 

     *Use an Amazon S3 URL* - Specify a URL that points to a CloudFormation template or a Terraform tar.gz configuration file stored in Amazon S3. If you specify an Amazon S3 URL, it must begin with `https://`.

     *Use an external repository* - Specify your GitHub, GitHub Enterprise, or Bitbucket code repository. AWS Service Catalog allows you to sync products to template files. For Terraform products, the template file format is required to be a single file archived in Tar and compressed in Gzip.

     *Use an existing CloudFormation stack* - Enter the ARN for an existing CloudFormation stack. This method does not support Terraform Cloud or External products. 
   + **Version title** – The name of the product version (e.g., "v1", "v2beta"). No spaces are allowed. 
   + **Description** (optional) – A description of the product version, including how this version differs from the previous version.

1. Choose **Create product version**.

 You can also use CodePipeline to create and configure a pipeline to deploy your product template to AWS Service Catalog, and deliver your changes in your source repository. For more information, see [Tutorial: Create a Pipeline That Deploys to AWS Service Catalog](https://docs.aws.amazon.com/codepipeline/latest/userguide/tutorials-S3-servicecatalog.html).

# Syncing products to template files from GitHub, GitHub Enterprise, or Bitbucket
<a name="git-synced-sc-products"></a>

AWS Service Catalog allows you to sync products to template files that are managed through an external repository provider. AWS Service Catalog refers to products with this type of template connection as *Git-synced* products. Repository options include GitHub, GitHub Enterprise, or Bitbucket. After you authorize your AWS account with an external repository account, you can create new AWS Service Catalog products or update existing products to sync to a template file in the repository. When changes are made to the template file and committed in the repository (for example, using git-push), AWS Service Catalog automatically detects the changes and creates a new product version (artifact). 

**Topics**
+ [Required permissions to sync products to external template files](#required-perms-synced-repo)
+ [Create an account connection](#create-synced-product)
+ [Viewing Git-synced product connections](#view-repo-sync)
+ [Updating Git-synced product connections](#update-repo-sync)
+ [Deleting Git-synced product connections](#delete-repo-sync)
+ [Syncing Terraform products to template files from GitHub, GitHub Enterprise, or Bitbucket](#git-synced-Terraform)
+ [AWS Region support for Git-synced products](git-sync-supported-regions.md)

## Required permissions to sync products to external template files
<a name="required-perms-synced-repo"></a>

You can use the following AWS Identity and Access Management (IAM) policy as a template to enable AWS Service Catalog administrators to sync products to template files from an external repository. This policy includes required permissions from both CodeConnections and AWS Service Catalog. AWS Service Catalog recommends that you copy the template policy below, and also use the AWS Service Catalog `AWSServiceCatalogAdminFullAccess` [managed policy](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/security-iam-awsmanpol) when enabling repository-synced products. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CodeStarAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-connections:UseConnection",
                "codestar-connections:PassConnection",
                "codestar-connections:CreateConnection",
                "codestar-connections:DeleteConnection",
                "codestar-connections:GetConnection",
                "codestar-connections:ListConnections",
                "codestar-connections:ListInstallationTargets",
                "codestar-connections:GetInstallationUrl",
                "codestar-connections:StartOAuthHandshake",
                "codestar-connections:UpdateConnectionInstallation",
                "codestar-connections:GetIndividualAccessToken"
            ],
            "Resource": "arn:aws:codestar-connections:*:*:connection/*"
        },
        {
            "Sid": "CreateSLR",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/sync.servicecatalog.amazonaws.com/AWSServiceRoleForServiceCatalogArtifactSync",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "sync.servicecatalog.amazonaws.com"
                }
            }
        }
    ]
}
```

## Create an account connection
<a name="create-synced-product"></a>

Before syncing a template file to an AWS Service Catalog product, you must create and authorize a one-time, account-to-account connection. You use this connection to specify the details of the repository containing the desired template file. You can create a connection using the AWS Service Catalog console, CodeConnections console, AWS Command Line Interface (CLI), or CodeConnections APIs. 

After establishing a connection, you can use the AWS Service Catalog console, AWS Service Catalog API, or CLI to create a synced AWS Service Catalog product. AWS Service Catalog administrators can create new or update existing AWS Service Catalog products based on a template file in a repository and branch. If a change is committed in the repository, AWS Service Catalog automatically detects the change and creates a new product version. Previous product versions are maintained up to the prescribed version limit and assigned a **deprecated** status. 

Additionally, AWS Service Catalog automatically creates a service-linked role (SLR) after the connection is created. This SLR allows AWS Service Catalog to detect any template file changes that are committed to the repository. The SLR also allows AWS Service Catalog to automatically create new product versions for synced products. For more information about SLR permissions and functionality, refer to [Service-linked roles for AWS Service Catalog](#required-perms-synced-repo). 

**To create a new Git-synced product**

1. In the left navigation panel, choose **Product list**, and then choose **Create product**. 

1. Enter the **Product details**. 

1. In Version details, choose **Specify your code repository using an AWS CodeStar provider**, and then choose the **Create a new AWS CodeStar connection** link. 

1. After you create the connection, refresh the connections list, and then select the new connection. Specify the repository details, including the **repository**, **branch**, and **template file path**. 

   For information about using a Terraform configuration file, see [Syncing Terraform products to template files from GitHub, GitHub Enterprise, or Bitbucket](#git-synced-Terraform). 

   1. (Optional when creating a new AWS Service Catalog product resource) In the **Support Details** section, add metadata for the product.

   1. (Optional when creating a new AWS Service Catalog product resource) In the **Tags** section, choose **Add new tag** and enter the **Key** and **Value** pairs.

1. Choose **Create new product**. 

**To create multiple Git-synced products**

1. In the AWS Service Catalog console left navigation panel, choose **Product list**, and then choose **Create multiple git-managed products**. 

1. Enter the **Common product details**. 

1. In External repository details, select an **AWS CodeStar connection**, and then specify the **repository** and **branch**. 

1. In the Add products pane, enter the **Template file path** and **Product name**. Choose **Add new item** and continue adding products as desired.

1. After adding all desired products, choose **Bulk create products**. 

**To connect an existing AWS Service Catalog product to an external repository**

1. In the AWS Service Catalog console left navigation panel, choose **Product list**, and then choose **Connect products to an external repository**. 

1. On the Select products page, select the products you want to connect to an external repository, and then choose **Next**. 

1. On the Specify source details page, select an existing AWS CodeStar connection, and then specify the **repository**, the **branch**, and the **template file path**. 

1. Choose **Next**. 

1. On the Review and submit page, verify the connection details, and then choose **Connect products to an external repository**. 

## Viewing Git-synced product connections
<a name="view-repo-sync"></a>

You can use the AWS Service Catalog console, API, or AWS CLI to view repository connection details. For AWS Service Catalog products that are linked to a template file, you can retrieve information about the repository connection and the last time the template was synced with the product from the **Last Sync Status**. 

**Note**  
You can view repository information and the **Last Sync Status** at the product level. Users must have IAM permissions in the CodeConnections APIs to view repository details. Refer to [Required permissions to sync AWS Service Catalog products to template files](#required-perms-synced-repo) for more information about the required policy for these IAM permissions. 

**To view connection and repository details using AWS Management Console**

1. In the left navigation panel, choose **Product list**. 

1. Select the product from the list. 

1. On the **Product** page, navigate to the **Product source details** section. 

1. To view the source revision ID for a product version, choose the **Last version created** link. The **Version details** section displays the source revision ID. 

**To view connection and repository details using AWS CLI**

From the AWS CLI, run the following commands: 

`$ aws servicecatalog describe-product-as-admin`

`$ aws servicecatalog describe-provisioning-artifact`

`$ aws servicecatalog search-product-as-admin`

`$ aws servicecatalog list-provisioning-artifacts`
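The JSON that `describe-product-as-admin` returns can be checked offline. This added example (not from the AWS documentation) flags Git-synced products whose repository and branch are not on an approved list, Terraform products whose artifact path is not a tar.gz file, and products whose last sync failed. The field names follow the `DescribeProductAsAdmin` response; the sample responses, the connection ARN, and the approved list are constructed.

```python
# Product types that use a Terraform configuration file.
TERRAFORM_TYPES = {"TERRAFORM_OPEN_SOURCE", "TERRAFORM_CLOUD", "EXTERNAL"}


def audit_sync_source(describe_output, approved_sources):
    """Return findings for one `describe-product-as-admin` response."""
    detail = describe_output["ProductViewDetail"]
    connection = detail.get("SourceConnection")
    if not connection:
        return []  # regularly managed product: nothing is synced from Git

    source = connection["ConnectionParameters"]["CodeStar"]
    findings = []

    # A commit to the synced branch creates a new product version automatically,
    # so the repository and branch are part of the product's trust boundary.
    if (source["Repository"], source["Branch"]) not in approved_sources:
        findings.append(f"unapproved source {source['Repository']}@{source['Branch']}")

    product_type = detail["ProductViewSummary"].get("Type")
    if product_type in TERRAFORM_TYPES and not source["ArtifactPath"].endswith(".tar.gz"):
        findings.append(
            f"Terraform artifact path is not a tar.gz file: {source['ArtifactPath']}"
        )

    last_sync = connection.get("LastSync", {})
    if last_sync.get("LastSyncStatus") == "FAILED":
        message = last_sync.get("LastSyncStatusMessage", "no message")
        findings.append(f"last sync failed: {message}")
    return findings


def audit_products(describe_outputs, approved_sources):
    """Map product name to findings, for products that have any."""
    report = {}
    for output in describe_outputs:
        findings = audit_sync_source(output, approved_sources)
        if findings:
            name = output["ProductViewDetail"]["ProductViewSummary"]["Name"]
            report[name] = findings
    return report


def sample_response(name, product_type, codestar=None, last_sync=None):
    """Build a constructed response that holds only the fields the audit reads."""
    detail = {"ProductViewSummary": {"Name": name, "Type": product_type}}
    if codestar:
        detail["SourceConnection"] = {
            "Type": "CODESTAR",
            "ConnectionParameters": {"CodeStar": codestar},
            "LastSync": last_sync or {},
        }
    return {"ProductViewDetail": detail}


# Constructed values: the connection ARN, repository, and product names are made up.
CONNECTION = "arn:aws:codestar-connections:us-east-1:111122223333:connection/EXAMPLE"
APPROVED_SOURCES = {("example-org/catalog-templates", "main")}
SAMPLE_RESPONSES = [
    sample_response(
        "network-baseline", "CLOUD_FORMATION_TEMPLATE",
        {"ConnectionArn": CONNECTION, "Repository": "example-org/catalog-templates",
         "Branch": "main", "ArtifactPath": "network/vpc.yaml"},
        {"LastSyncStatus": "SUCCEEDED"},
    ),
    sample_response(
        "tf-bucket", "EXTERNAL",
        {"ConnectionArn": CONNECTION, "Repository": "example-org/catalog-templates",
         "Branch": "feature/test", "ArtifactPath": "terraform/bucket"},
        {"LastSyncStatus": "FAILED", "LastSyncStatusMessage": "Artifact not found"},
    ),
    sample_response("legacy-db", "CLOUD_FORMATION_TEMPLATE"),
]

if __name__ == "__main__":
    for product, findings in audit_products(SAMPLE_RESPONSES, APPROVED_SOURCES).items():
        for finding in findings:
            print(f"{product}: {finding}")
```
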

## Updating Git-synced product connections
<a name="update-repo-sync"></a>

You can update existing account connections and Git-synced products using the AWS Service Catalog console, AWS Service Catalog API, or AWS CLI. 

To learn how to connect an existing AWS Service Catalog product to a template file, refer to [Creating new Git-synced product connections](#create-synced-product). 

**To update existing products to Git-synced products**

1. In the left navigation panel, choose **Product list**, and then choose one of the following options:
   + To update a **single product**, select the product, navigate to the **Product source details** section, and then choose **Edit details**. 
   + To update **multiple products**, choose **Connect products to an external repository**, select up to ten products, and then choose **Next**. 

1. In the **Product source details** section, perform the following updates: 
   + Specify the connection. 
   + Specify the repository. 
   + Specify the branch. 
   + Name the template file. 

1. Choose **Save changes**. 

**Note**  
For products not yet connected to an external repository, you can use the **Connect to an external repository** option displayed in the alert at the top of the product info page after selecting the product. 

You can also use the AWS Service Catalog console or the AWS CLI to:
+ Connect an existing AWS Service Catalog product to a template file in an external repository.
+ Update product metadata, including the product name, description, and tags. 
+ Reconfigure a connection for a previously connected AWS Service Catalog product (update the sync to use a different repository source). 

**To update connection and repository details using AWS Service Catalog console**

1. In the AWS Service Catalog console left navigation panel, choose **Product list**, and then select a product that is currently connected to an external repository. 

1. In the **Product source details** section, choose **Edit product source**. 

1. In the **Product source details** section, specify the new desired repository. 

1. Choose **Save changes**. 

**To update connection and repository details using AWS CLI**

From the AWS CLI run the `$ aws servicecatalog update-product` and `$ aws servicecatalog update-provisioning-artifact` commands. 

## Deleting Git-synced product connections
<a name="delete-repo-sync"></a>

You can delete a connection between an AWS Service Catalog product and a template file using the AWS Service Catalog console, CodeConnections API, or AWS CLI. When you disconnect a product from a template file, the synced AWS Service Catalog product switches to a regularly managed product. After disconnecting the product, if the template file is changed and committed in the previously connected repository, the changes are *not* reflected. To re-connect an AWS Service Catalog product to a template file in an external repository, refer to [Updating connections and synced AWS Service Catalog products](). 

**To disconnect a Git-synced product using the AWS Service Catalog console**

1. In the AWS Management Console, choose **Product list** from the left navigation panel. 

1. Select a product from the list. 

1. On the **Product** page, navigate to the **Product source details** section. 

1. Choose **Disconnect**. 

1. Confirm the action, and then choose **Disconnect**. 

**To disconnect a Git-synced product using AWS CLI**

From the AWS CLI, run the `$ aws servicecatalog update-product` command. In the `ConnectionParameters` input, remove the specified connection. 

**To delete a connection using the CodeConnections API or AWS CLI**

In the CodeConnections API or AWS CLI, run the `$ aws codestar-connections delete-connection` command. 

## Syncing Terraform products to template files from GitHub, GitHub Enterprise, or Bitbucket
<a name="git-synced-Terraform"></a>

When creating a Git-synced product using a Terraform configuration file, the file path only accepts the tar.gz format. Terraform folder formats are not accepted in the file path. 

# AWS Region support for Git-synced products
<a name="git-sync-supported-regions"></a>

AWS Service Catalog supports Git-synced products in AWS Regions as indicated in the table below. 


| AWS Region name | AWS Region identity | Support for Git-synced products | 
| --- | --- | --- | 
| US East (N. Virginia) | us-east-1 | Yes | 
| US East (Ohio) | us-east-2 | Yes | 
| US West (N. California) | us-west-1 | Yes | 
| US West (Oregon) | us-west-2 | Yes | 
| Africa (Cape Town) | af-south-1 | No | 
| Asia Pacific (Hong Kong) | ap-east-1 | No | 
| Asia Pacific (Jakarta) | ap-southeast-3 | No | 
| Asia Pacific (Mumbai) | ap-south-1 | Yes | 
| Asia Pacific (Osaka) | ap-northeast-3 | No | 
| Asia Pacific (Seoul) | ap-northeast-2 | Yes | 
| Asia Pacific (Singapore) | ap-southeast-1 | Yes | 
| Asia Pacific (Sydney) | ap-southeast-2 | Yes | 
| Asia Pacific (Tokyo) | ap-northeast-1 | Yes | 
| Canada (Central) | ca-central-1 | Yes | 
| Europe (Frankfurt) | eu-central-1 | Yes | 
| Europe (Ireland) | eu-west-1 | Yes | 
| Europe (London) | eu-west-2 | Yes | 
| Europe (Milan) | eu-south-1 | No | 
| Europe (Paris) | eu-west-3 | Yes | 
| Europe (Stockholm) | eu-north-1 | Yes | 
| Middle East (Bahrain) | me-south-1 | No | 
| South America (São Paulo) | sa-east-1 | Yes | 
| AWS GovCloud (US-East) | us-gov-east-1 | No | 
| AWS GovCloud (US-West) | us-gov-west-1 | No | 

# Deleting products
<a name="productmgmt-delete"></a>

When you delete a product, AWS Service Catalog removes all product versions from every portfolio containing the product. 

AWS Service Catalog allows you to delete a product using the AWS Service Catalog console or AWS CLI. To successfully delete a product, you must disassociate all resources associated with the product first. Examples of product resource associations include portfolio associations, budgets, TagOptions, and Service Actions. 

**Important**  
 You cannot recover a product after it is deleted. 

**To delete a product using the AWS Service Catalog console**

1.  Navigate to the **Portfolios** page and select the portfolio containing the product you want to delete. 

1.  Select the product that you want to delete, and then choose **Delete** on the upper right of the product pane. 

1. For products *without associated resources*, confirm the product you want to delete by entering **delete** in the text box, and then choose **Delete**. 

   For products *with associated resources*, continue to step 4. 

1. In the **Delete product** window, review the **Associations** table, which displays all of the product's associated resources. AWS Service Catalog attempts to disassociate these resources when you delete the product. 

1. Confirm you want to delete the product and remove all of its associated resources by entering **delete** in the text box. 

1. Choose **Disassociate and delete**. 

If AWS Service Catalog is unable to disassociate all of the product's resources, the product is not deleted. The **Delete product** window displays the number of failed disassociations and a description for each failure. For more information about resolving failed resource disassociations when deleting a product, see *Resolving failed resource disassociations when deleting a product* below. 

**Topics**
+ [Deleting products using the AWS CLI](product-delete-cli.md)
+ [Resolving failed resource disassociations when deleting a product](product-delete-exception.md)

# Deleting products using the AWS CLI
<a name="product-delete-cli"></a>

AWS Service Catalog allows you to use the [AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) (AWS CLI) to delete products from your portfolio. The AWS CLI is an open source tool that enables you to interact with AWS services using commands in your command-line shell. The AWS Service Catalog force-delete function requires an [AWS CLI alias](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-alias.html), which is a shortcut you can create in the AWS CLI to shorten commands or scripts that you frequently use. 

## Prerequisites
<a name="product-delete-cli-requirements"></a>
+ Install and configure the AWS CLI. For more information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [Configuration basics](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html). Use a minimum AWS CLI version of 1.11.24 or 2.0.0. 
+ The delete product CLI alias requires a bash-compatible terminal and the jq command-line JSON processor. For more information about installing the command-line JSON processor, see [Download jq](https://stedolan.github.io/jq/download/). 
+ Create an AWS CLI alias to batch `Disassociation` API calls, enabling you to delete a product in a single command. 

To successfully delete a product, you must disassociate all resources associated with the product first. Examples of product resource associations include portfolio associations, budgets, Tag Options, and Service Actions. When using the CLI to delete a product, the CLI `force-delete-product` alias enables you to call the `Disassociate` API to disassociate any resources that would prevent the `DeleteProduct` API. This avoids a separate call for individual disassociations. 

**Note**  
The file paths shown in the procedures below may vary depending on which operating system you use to perform these actions. 

## Creating an AWS CLI alias to delete AWS Service Catalog products
<a name="product-delete-cli-alias"></a>

When using the AWS CLI to delete an AWS Service Catalog product, the CLI `force-delete-product` alias enables you to call the `Disassociate` API to disassociate any resources that would prevent the `DeleteProduct` call. 

**Create an `alias` file in your AWS CLI configuration folder**

1. In the AWS CLI console, navigate to the configuration folder. By default, the configuration folder path is `~/.aws/` on Linux and macOS, or `%USERPROFILE%\.aws\` on Windows. 

1. Create a sub-folder named `cli` using file navigation or by entering the following command in your preferred terminal: 

   ```
   $ mkdir -p ~/.aws/cli
   ```

   The resulting `cli` folder default path is `~/.aws/cli/` on Linux and macOS, or `%USERPROFILE%\.aws\cli` on Windows. 

1. In the new `cli` folder, create a text file named `alias` with no file extension. You can create the `alias` file using file navigation or by entering the following command in your preferred terminal: 

   ```
   $ touch ~/.aws/cli/alias
   ```

1. Enter `[toplevel]` on the first line.

1. Save the file. 

Next, you can add the force-delete-product alias to your `alias` file by manually pasting the alias script into the file, or by using a command in the terminal window. 

**Manually add the force-delete-product alias to your `alias` file**

1. In the AWS CLI console, navigate to your AWS CLI configuration folder and open the `alias` file. 

1. Enter the following code alias into the file, below the `[toplevel]` line: 

   ```
   [command servicecatalog]
   force-delete-product =
     !f() {
       if [ "$#" -ne 1 ]; then
         echo "Illegal number of parameters"
         exit 1
       fi

       if [[ "$1" != prod-* ]]; then
         echo "Please provide a valid product id."
         exit 1
       fi

       productId=$1
       describeProductAsAdminResponse=$(aws servicecatalog describe-product-as-admin --id "$productId")
       listPortfoliosForProductResponse=$(aws servicecatalog list-portfolios-for-product --product-id "$productId")

       # Collect every association that would block DeleteProduct.
       tagOptions=$(echo "$describeProductAsAdminResponse" | jq -r '.TagOptions[].Id')
       budgetName=$(echo "$describeProductAsAdminResponse" | jq -r '.Budgets[].BudgetName')
       portfolios=$(echo "$listPortfoliosForProductResponse" | jq -r '.PortfolioDetails[].Id')
       provisioningArtifacts=$(echo "$describeProductAsAdminResponse" | jq -r '.ProvisioningArtifactSummaries[].Id')
       provisioningArtifactServiceActionAssociations=()

       for provisioningArtifactId in $provisioningArtifacts; do
         listServiceActionsForProvisioningArtifactResponse=$(aws servicecatalog list-service-actions-for-provisioning-artifact --product-id "$productId" --provisioning-artifact-id "$provisioningArtifactId")
         serviceActions=$(echo "$listServiceActionsForProvisioningArtifactResponse" | jq -r '[.ServiceActionSummaries[].Id] | join(",")')
         if [[ -n "$serviceActions" ]]; then
           provisioningArtifactServiceActionAssociations+=("${provisioningArtifactId}:${serviceActions}")
         fi
       done

       echo "Before deleting a product, the following associated resources must be disassociated. These resources will not be deleted. This action may take some time, depending on the number of resources being disassociated."

       echo "Portfolios:"
       for portfolioId in $portfolios; do
         printf '\t%s\n' "$portfolioId"
       done

       echo "Budgets:"
       if [[ -n "$budgetName" ]]; then
         printf '\t%s\n' "$budgetName"
       fi

       echo "Tag Options:"
       for tagOptionId in $tagOptions; do
         printf '\t%s\n' "$tagOptionId"
       done

       echo "Service Actions on Provisioning Artifact:"
       for association in "${provisioningArtifactServiceActionAssociations[@]}"; do
         printf '\t%s\n' "$association"
       done

       # Nothing is changed until the operator confirms.
       read -p "Are you sure you want to delete ${productId}? y,n "
       if [[ ! $REPLY =~ ^[Yy]$ ]]; then
         exit
       fi

       for portfolioId in $portfolios; do
         echo "Disassociating ${portfolioId}"
         aws servicecatalog disassociate-product-from-portfolio --product-id "$productId" --portfolio-id "$portfolioId"
       done

       if [[ -n "$budgetName" ]]; then
         echo "Disassociating ${budgetName}"
         aws servicecatalog disassociate-budget-from-resource --budget-name "$budgetName" --resource-id "$productId"
       fi

       for tagOptionId in $tagOptions; do
         echo "Disassociating ${tagOptionId}"
         aws servicecatalog disassociate-tag-option-from-resource --tag-option-id "$tagOptionId" --resource-id "$productId"
       done

       # Each entry has the form <provisioningArtifactId>:<actionId>,<actionId>,...
       for association in "${provisioningArtifactServiceActionAssociations[@]}"; do
         provisioningArtifactId=${association%%:*}
         serviceActionsList=${association#*:}
         serviceActionIds=${serviceActionsList//,/ }
         for serviceActionId in $serviceActionIds; do
           echo "Disassociating ${serviceActionId} from ${provisioningArtifactId}"
           aws servicecatalog disassociate-service-action-from-provisioning-artifact --product-id "$productId" --provisioning-artifact-id "$provisioningArtifactId" --service-action-id "$serviceActionId"
         done
       done

       echo "Deleting product ${productId}"
       aws servicecatalog delete-product --id "$productId"

     }; f
   ```

1. Save the file. 

**Use the terminal window to add the force-delete-product alias to your `alias` file**

1. Open your terminal window and run the following command:

   `$ cat >> ~/.aws/cli/alias`

1. Paste the alias script to the terminal window, and then press *CTRL+D* to exit the `cat` command. 

**Call the force-delete-product alias**

1. In your terminal window, run the following command to call the delete product alias:

   `$ aws servicecatalog force-delete-product {product-id} `

   The example below shows the `force-delete-product` alias command and its resulting response:

   ```
   $ aws servicecatalog force-delete-product prod-123
   ```

   ```
   Before deleting a product, the following associated resources must be disassociated. These resources will not be deleted. This action may take some time, depending on the number of resources being disassociated.
   Portfolios:
     port-123
   Budgets:
       budgetName
   Tag Options:
       tag-123
   Service Actions on Provisioning Artifact:
       pa-123:act-123
   Are you sure you want to delete prod-123? y,n
   ```

1. Enter `y` to confirm you want to delete the product. 

After successfully deleting the product, the terminal window displays the following results:

```
Disassociating port-123
Disassociating budgetName
Disassociating tag-123
Disassociating act-123 from pa-123
Deleting product prod-123
```

## Additional resources
<a name="product-delete-cli-resources"></a>

For more information about AWS CLI, using aliases, and deleting AWS Service Catalog products, review the following resources:
+ [Creating and using AWS CLI aliases](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-alias.html) in the *AWS Command Line Interface (CLI)* user guide. 
+ [AWS CLI alias repository](https://github.com/awslabs/awscli-aliases) git repository. 
+ [Deleting AWS Service Catalog products](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/productmgmt-delete.html). 
+ [AWS re:Invent 2016: The Effective AWS CLI User](https://youtu.be/Xc1dHtWa9-Q?t=1593) on *YouTube*. 

# Resolving failed resource disassociations when deleting a product
<a name="product-delete-exception"></a>

If your prior attempt to [delete a product](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/productmgmt-delete.html) failed due to resource disassociation exceptions, review the list of exceptions and their resolutions below. 

**Note**  
If you closed the **Deleting products** window prior to receiving the failed resource disassociation message, you can follow steps one through three in the preceding *Delete a product* section to open the window again.

**To resolve a failed resource disassociation**

In the **Delete product** window, review the Associations table **Status** column. Identify the failed resource disassociation exception and the suggested resolutions:



| Status exception type | Cause | Resolution | 
| --- | --- | --- | 
| Product prod-\*\*\*\* | AWS Service Catalog could not delete the product because the product still has associated TagOptions, budgets, at least one ProvisioningArtifact with associated actions, the product is still assigned to a Portfolio, the product has users, or the product has constraints.  | Attempt to delete the product again. | 
| User: username is not authorized to perform: | The user attempting to delete the product does not have the necessary permissions to disassociate the product's resources.  | AWS Service Catalog recommends contacting your account administrator for more information about disassociating product resources you do not currently have permissions to disassociate.  | 

# Managing Versions
<a name="managing-versions"></a>

 You assign product versions when you create a product, and you can update product versions any time. 

 Versions have a CloudFormation template, a title, a description, a status, and guidance. 

## Version Status
<a name="version-status"></a>

 A version can have one of three statuses: 
+  **Active** - An active version appears in the version list and allows users to launch it. 
+  **Inactive** - An inactive version is hidden from the version list. Existing provisioned products launched from this version will not be affected. 
+  **Deleted** - A deleted version is removed from the version list. Deleting a version cannot be undone. 

## Version Guidance
<a name="version-guidance"></a>

 You can set version guidance to provide information to end users about the product version. Version guidance only affects active product versions. 

 There are two options for version guidance: 
+  **None** - By default, product versions do not have any guidance. End users can use that version to update and launch provisioned products. 
+  **Deprecated** - Users cannot launch new provisioned products using a deprecated product version. If a previously launched provisioned product uses a now deprecated version, users can only update that provisioned product using the existing version or a new version. 

## Updating Versions
<a name="updating-versions"></a>

 You assign product versions when creating a product, and you can also update a version any time. For more information about creating a product, see [Creating Products](productmgmt-cloudresource.md). 

**To update a product version**

1.  In the AWS Service Catalog console, choose **Products**. 

1.  From the product list, choose the product you want to update the version of. 

1.  On the **Product details** page, choose the **Versions** tab, then choose the version you want to update. 

1.  On the **Version details** page, edit the product version, then choose **Save changes**. 

# Using AWS Service Catalog Constraints
<a name="constraints"></a>

You apply constraints to control the rules that are applied to a product in a specific portfolio when end users launch it. When end users launch the product, they see the rules you have applied using constraints. You can apply constraints to a product once it is put into a portfolio. Constraints are active as soon as you create them, and they're applied to all current versions of a product that have not been launched.

**Topics**
+ [Launch Constraints](constraints-launch.md)
+ [Notification Constraints](constraints-notification.md)
+ [Tag Update Constraints](constraints-resourceupdate.md)
+ [Stack Set Constraints](constraints-stackset.md)
+ [Template Constraints](catalogs_constraints_template-constraints.md)

# AWS Service Catalog Launch Constraints
<a name="constraints-launch"></a>

A launch constraint specifies the AWS Identity and Access Management (IAM) role that AWS Service Catalog assumes when an end user launches, updates, or terminates a product. An IAM role is a collection of permissions that a user or AWS service can assume temporarily to use AWS services. For an introductory example, see:
+ CloudFormation product type: [Step 6: Add a launch constraint to assign an IAM role](getstarted-launchconstraint.md)
+ Terraform Open Source or Terraform Cloud product type: [Step 5: Create launch roles](getstarted-launchrole-Terraform.md)

Launch constraints apply to products in the portfolio (product-portfolio association). Launch constraints do not apply at the portfolio level or to a product across all portfolios. To associate a launch constraint with all products in a portfolio, you must apply the launch constraint to each product individually.

Without a launch constraint, end users must launch and manage products using their own IAM credentials. To do so, they must have permissions for CloudFormation, AWS services that the products use, and AWS Service Catalog. By using a launch role, you can instead limit the end users' permissions to the minimum they require for that product. For more information about end user permissions, see [Identity and Access Management in AWS Service Catalog](controlling_access.md).

To create and assign IAM roles, you must have the following IAM administrative permissions:
+ `iam:CreateRole`
+ `iam:PutRolePolicy`
+ `iam:PassRole`
+ `iam:Get*`
+ `iam:List*`

## Configuring a Launch Role
<a name="constraints-launch-role"></a>

The IAM role that you assign to a product as a launch constraint must have permissions to use the following:

**For CloudFormation products**
+ The `arn:aws:iam::aws:policy/AWSCloudFormationFullAccess` CloudFormation managed policy
+ Services in the AWS CloudFormation template for the product
+ Read access to the AWS CloudFormation template in a service-owned Amazon S3 bucket. 

**For Terraform products**
+ Services in the Amazon S3 template for the product
+ Read access to the Amazon S3 template in a service-owned Amazon S3 bucket. 
+ `resource-groups:Tag` for tagging in an Amazon EC2 instance (assumed by the Terraform provisioning engine when performing provisioning operations)
+ `resource-groups:CreateGroup` for resource group tagging (assumed by AWS Service Catalog to create resource groups and assign tags) 

The IAM role's trust policy must allow AWS Service Catalog to assume the role. In the procedure below, the trust policy will be set automatically when you select AWS Service Catalog as the role type. If you are not using the console, see the section *Creating trust policies for AWS services that assume roles* in [How to use trust policies with IAM roles](https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/). 

**Note**  
The `servicecatalog:ProvisionProduct`, `servicecatalog:TerminateProvisionedProduct`, and `servicecatalog:UpdateProvisionedProduct` permissions cannot be assigned in a launch role. You must use IAM roles, as shown in the inline policy steps in the section [Grant Permissions to AWS Service Catalog End Users.](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-iamenduser.html)

**Note**  
To view provisioned CloudFormation products and resources in the AWS Service Catalog console, end users need CloudFormation read access. Viewing provisioned products and resources in the console does **not** use the launch role.

**To create a launch role**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   Terraform products require additional launch role configurations. For more information, review [Step 5: Create launch roles](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-launchrole-Terraform) in *Getting Started with a Terraform Open Source product*. 

1. Choose **Roles**.

1. Choose **Create New Role**.

1. Enter a role name and choose **Next Step**.

1. Under **AWS Service Roles** next to **AWS Service Catalog**, choose **Select**.

1. On the **Attach Policy** page, choose **Next Step**.

1. To create the role, choose **Create Role**. 

**To attach a policy to the new role**

1. Choose the role that you created to view the role details page.

1. Choose the **Permissions** tab, and expand the **Inline Policies** section. Then, choose **click here**.

1. Choose **Custom Policy**, and then choose **Select**. 

1. Enter a name for the policy, and then paste the following into the **Policy Document** editor: 

   ```
   {
      "Version":"2012-10-17",
      "Statement":[
         {
            "Effect":"Allow",
            "Action":[
               "s3:GetObject"
            ],
            "Resource":"*",
            "Condition":{
               "StringEquals":{
                  "s3:ExistingObjectTag/servicecatalog:provisioning":"true"
               }
            }
         }
      ]
   }
   ```
**Note**  
When you configure a launch role for a launch constraint, you must use this string: `"s3:ExistingObjectTag/servicecatalog:provisioning":"true"`. 

1. Add a line to the policy for each additional service the product uses. For example, to add permission for Amazon Relational Database Service (Amazon RDS), enter a comma at the end of the last line in the `Action` list, and then add the following line: 

   ```
   "rds:*"
   ```

1. Choose **Apply Policy**.

## Applying a Launch Constraint
<a name="constraints-launch-constraint"></a>

After you configure the launch role, assign the role to the product as a launch constraint. This action tells AWS Service Catalog to assume the role when an end user launches the product. 

**To assign the role to a product**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. Choose the portfolio that contains the product.

1. Choose the **Constraints** tab and choose **Create constraint**.

1. Choose the product from **Product** and choose **Launch** under **Constraint type**. Choose **Continue**.

1. In the **Launch constraint** section, you can select an IAM role from your account and enter an IAM role ARN, or enter the role name.

   If you specify the role name and if an account uses the launch constraint, the account uses that name for the IAM role. This approach allows launch-role constraints to be account-agnostic so you can create fewer resources per shared account. 
**Note**  
The given role name must exist in the account that created the launch constraint and the account of the user who launches a product with this launch constraint. 

1. After specifying the IAM role, choose **Create**.

## Adding Confused Deputy to Launch Constraint
<a name="constraint-confused-deputy"></a>

AWS Service Catalog supports [Confused Deputy](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) protection for the APIs that run with an Assume Role request. When you add a launch constraint, you can restrict the launch role access by using `sourceAccount` and `sourceArn` conditions in the launch role trust policy. This ensures that the launch role is called by a trusted source.

In the following example, the AWS Service Catalog end-user belongs to account 111111111111. When the AWS Service Catalog administrator creates a `LaunchConstraint` for a product, the end-user can specify the following conditions in the launch role trust policy to restrict the assume role to account 111111111111.

```
"Condition":{
   "ArnLike":{
      "aws:SourceArn":"arn:aws:servicecatalog:us-east-1:111111111111:*"
   },
   "StringEquals":{
      "aws:SourceAccount":"111111111111"
   }
}
```

A user who provisions a product with the `LaunchConstraint` must have the same `AccountId` (111111111111). If not, the operation fails with an `AccessDenied` error, preventing launch role misuse.

The following AWS Service Catalog APIs are secured for Confused Deputy protection:
+ `LaunchConstraint`
+ `ProvisionProduct`
+ `UpdateProvisionedProduct`
+ `TerminateProvisionedProduct`
+ `ExecuteProvisionedProductServiceAction`
+ `CreateProvisionedProductPlan`
+ `ExecuteProvisionedProductPlan`

The `sourceArn` protection for AWS Service Catalog only supports templated ARNs, such as `arn:<aws-partition>:servicecatalog:<region>:<accountId>:`. It does not support specific resource ARNs.
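
The following added example (not part of the AWS documentation) audits a launch role trust policy for the confused deputy conditions described in this section: a `StringEquals` match on `aws:SourceAccount`, and an `aws:SourceArn` in the templated form rather than a specific resource ARN. It assumes the role trusts the `servicecatalog.amazonaws.com` service principal; the function names and the sample policies are constructed for illustration.

```python
import json
import re

# Assumption: the launch role trusts this service principal (not stated on this page).
SERVICE_PRINCIPAL = "servicecatalog.amazonaws.com"
# Templated form: arn:<aws-partition>:servicecatalog:<region>:<accountId>:*
TEMPLATED_ARN = re.compile(r"^arn:[^:]+:servicecatalog:[^:]*:(\d{12}):(.*)$")
ARN_OPERATORS = ("ArnLike", "ArnEquals", "StringLike", "StringEquals")


def _as_list(value):
    """IAM allows a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(statement, key):
    """Return {operator: [values]} for one condition key (key names are case-insensitive)."""
    found = {}
    for operator, block in (statement.get("Condition") or {}).items():
        for name, value in block.items():
            if name.lower() == key.lower():
                found.setdefault(operator, []).extend(_as_list(value))
    return found


def _trusts_service_catalog(statement):
    """True when the statement lets the Service Catalog principal assume the role."""
    principal = statement.get("Principal")
    if statement.get("Effect") != "Allow" or not isinstance(principal, dict):
        return False
    actions = [a.lower() for a in _as_list(statement.get("Action"))]
    return (SERVICE_PRINCIPAL in _as_list(principal.get("Service"))
            and any(a in ("sts:assumerole", "sts:*", "*") for a in actions))


def audit_launch_role_trust(policy, expected_account):
    """Return a list of findings; an empty list means both conditions are in place."""
    statements = [s for s in _as_list(policy.get("Statement")) if _trusts_service_catalog(s)]
    if not statements:
        return [f"no Allow statement lets {SERVICE_PRINCIPAL} assume this role"]
    findings = []
    for index, statement in enumerate(statements):
        label = statement.get("Sid", f"statement {index}")
        accounts = _condition_values(statement, "aws:SourceAccount").get("StringEquals", [])
        if not accounts:
            findings.append(f"{label}: no StringEquals condition on aws:SourceAccount")
        elif set(accounts) != {expected_account}:
            findings.append(f"{label}: aws:SourceAccount allows {sorted(set(accounts))}")
        arn_conditions = _condition_values(statement, "aws:SourceArn")
        arns = [arn for op in ARN_OPERATORS for arn in arn_conditions.get(op, [])]
        if not arns:
            findings.append(f"{label}: no condition on aws:SourceArn")
        for arn in arns:
            match = TEMPLATED_ARN.match(arn)
            if match is None:
                findings.append(f"{label}: {arn} is not a templated servicecatalog ARN")
            elif match.group(1) != expected_account:
                findings.append(f"{label}: {arn} names account {match.group(1)}")
            elif match.group(2) != "*":
                findings.append(f"{label}: {arn} names a specific resource; use ':*'")
    return findings


def _trust_policy(condition=None):
    """Build a constructed sample trust policy with an optional Condition block."""
    statement = {"Effect": "Allow",
                 "Principal": {"Service": SERVICE_PRINCIPAL},
                 "Action": "sts:AssumeRole"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def _conditions(account, resource):
    arn = f"arn:aws:servicecatalog:us-east-1:{account}:{resource}"
    return {"ArnLike": {"aws:SourceArn": arn},
            "StringEquals": {"aws:SourceAccount": account}}


# Constructed sample policies; only "page_example" uses the condition shown above.
SAMPLES = {
    "page_example": _trust_policy(_conditions("111111111111", "*")),
    "no_condition": _trust_policy(),
    "other_account": _trust_policy(_conditions("222222222222", "*")),
    "specific_resource": _trust_policy(_conditions("111111111111", "product/prod-example")),
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        print(name, json.dumps(audit_launch_role_trust(policy, "111111111111"), indent=2))
```

To audit a real role, pass the `AssumeRolePolicyDocument` returned by `aws iam get-role` as `policy`.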

## Verifying the Launch Constraint
<a name="constraints-launch-test"></a>

To verify AWS Service Catalog uses the role to launch the product and successfully provisions the product, launch the product from the AWS Service Catalog console. To test a constraint prior to releasing it to users, create a test portfolio that contains the same products and test the constraints with that portfolio.

**To launch the product**

1. In the menu for the AWS Service Catalog console, choose **Service Catalog**, **End user**.

1. Choose the product to open the **Product details** page. In the **Launch options** table, verify the Amazon Resource Name (ARN) of the role appears.

1. Choose **Launch product**.

1. Proceed through the launch steps, filling in any required information.

1. Verify that the product starts successfully.

# AWS Service Catalog Notification Constraints
<a name="constraints-notification"></a>

**Note**  
AWS Service Catalog does not support notification constraints for Terraform Open Source or Terraform Cloud products. 

A notification constraint specifies an Amazon SNS topic to receive notifications about stack events. 

Use the following procedure to create an SNS topic and subscribe to it.

**To create an SNS topic and a subscription**

1. Open the Amazon SNS console at [https://console.aws.amazon.com/sns/v3/home](https://console.aws.amazon.com/sns/v3/home).

1. Choose **Create topic**.

1. Type a topic name and then choose **Create topic**.

1. Choose **Create subscription**.

1. For **Protocol**, select **Email**. For **Endpoint**, type an email address that you can use to receive notifications. Choose **Create subscription**.

1. You'll receive a confirmation email with the subject line `AWS Notification - Subscription Confirmation`. Open the email and follow the directions to complete your subscription.

Use the following procedure to apply a notification constraint using the SNS topic that you created using the previous procedure.

**To apply a notification constraint to a product**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. Choose the portfolio that contains the product.

1. Expand **Constraints** and choose **Add constraints**.

1. Choose the product from **Product** and set **Constraint type** to **Notification**. Choose **Continue**.

1. Choose **Choose a topic from your account** and select the SNS topic that you created from **Topic Name**.

1. Choose **Submit**.

# AWS Service Catalog Tag Update Constraints
<a name="constraints-resourceupdate"></a>

**Note**  
AWS Service Catalog does not support tag update constraints for Terraform Open Source products.

With tag update constraints, AWS Service Catalog administrators can allow or disallow end users to update tags on resources associated with a provisioned product. If tag updating is allowed, then new tags associated with the product or portfolio will be applied to provisioned resources during a provisioned product update. 

**To enable tag updates to a product**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. Choose the portfolio that contains the product you want to update.

1. Choose the **Constraints** tab and choose **Add constraints**.

1. Under **Constraint type**, choose **Tag Update**.

1. Choose the product from **Product**, then choose **Continue**.

1. On the **Tag Updates** page, select **Enable Tag Updates**.

1. Choose **Submit**.

# AWS Service Catalog Stack Set Constraints
<a name="constraints-stackset"></a>

**Note**  
AWS Service Catalog does not support stack set constraints for Terraform Open Source products.
AutoTags are not currently supported with CloudFormation StackSets. 

A stack set constraint allows you to configure product deployment options using CloudFormation StackSets. You can specify multiple accounts and regions for the product launch. End users can manage those accounts and determine where products deploy and the order of deployment.

**To apply a stack set constraint to a product**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. Choose the portfolio with the product you want.

1. Choose the **Constraints** tab and then choose **Create constraints**.

1. In **Product**, choose the product. In **Constraint type**, choose **Stack Set**. 

1. Configure the accounts, regions, and permissions for your stack set constraints.
   + In **Account settings**, identify the accounts where you want to create products.
   + In **Region settings**, choose the geographic regions to deploy products and the order you want those products to be deployed in those regions.
   + In **Permissions**, choose an IAM StackSet Administrator Role to manage your target accounts. If you don't choose a role, StackSets uses the default ARN. [Learn more about setting up stack set permissions.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html)

1. Choose **Create**.

# AWS Service Catalog Template Constraints
<a name="catalogs_constraints_template-constraints"></a>

**Note**  
AWS Service Catalog does not support template constraints for Terraform Open Source or Terraform Cloud products. 

To limit the options that are available to end users when they launch a product, you apply template constraints. Apply template constraints to ensure that the end users can use products without breaching the compliance requirements of your organization. You apply template constraints to a product in an AWS Service Catalog portfolio. A portfolio must contain one or more products before you can define template constraints.

A template constraint consists of one or more rules that narrow the allowable values for parameters that are defined in the product's underlying CloudFormation template. The parameters in a CloudFormation template define the set of values that users can specify when creating a stack. For example, a parameter might define the various instance types that users can choose from when launching a stack that includes EC2 instances.

If the set of parameter values in a template is too broad for the target audience of your portfolio, you can define template constraints to limit the values that users can choose when launching a product. For example, if the template parameters include EC2 instance types that are too large for users who should use only small instance types (such as `t2.micro` or `t2.small`), then you can add a template constraint to limit the instance types that end users can choose. For more information about CloudFormation template parameters, see [Parameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html) in the *CloudFormation User Guide*.

Template constraints are bound within a portfolio. If you apply template constraints to a product in one portfolio, and if you then include the product in another portfolio, the constraints will not apply to the product in the second portfolio.

If you apply a template constraint to a product that has already been shared with users, the constraint is active immediately for all subsequent product launches and for all versions of the product in the portfolio.

You define template constraint rules by using a rule editor or by writing the rules as JSON text in the AWS Service Catalog administrator console. For more information about rules, including syntax and examples, see [Template Constraint Rules](reference-template_constraint_rules.md).

To test a constraint prior to releasing it to users, create a test portfolio that contains the same products and test the constraints with that portfolio.

**To apply template constraints to a product**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. On the **Portfolios** page, choose the portfolio that contains the product to which you want to apply a template constraint. 

1. Expand the **Constraints** section and choose **Add constraints**.

1. In the **Select product and type** window, for **Product** choose the product for which you want to define the template constraints. Then, for **Constraint type**, choose **Template**. Choose **Continue**.

1. On the **Template constraint builder** page, edit the constraint rules by using the JSON editor or the rule builder interface.
   + To edit the JSON code for the rule, choose the **Constraint Text Editor** tab. Several samples are provided on this tab to help you get started.

     To build the rules by using a rule builder interface, choose the **Rule Builder** tab. On this tab, you can choose any parameter that is specified in the template for the product, and you can specify the allowable values for that parameter. Depending on the type of parameter, you specify the allowable values by choosing items in a checklist, by specifying a number, or by specifying a set of values in a comma-separated list.

     When you have finished building a rule, choose **Add rule**. The rule appears in the table on the **Rule Builder** tab. To review and edit the JSON output, choose the **Constraint Text Editor** tab.

1. When you are done editing the rules for your constraint, choose **Submit**. To see the constraint, go to the portfolio details page and expand **Constraints**.

# Template Constraint Rules
<a name="reference-template_constraint_rules"></a>

The rules that define template constraints in an AWS Service Catalog portfolio describe when end users can use the template and which values they can specify for parameters that are declared in the CloudFormation template used to create the product they are attempting to use. Rules are useful for preventing end users from inadvertently specifying an incorrect value. For example, you can add a rule to verify whether end users specified a valid subnet in a given VPC or used `m1.small` instance types for test environments. CloudFormation uses rules to validate parameter values before it creates the resources for the product.

Each rule consists of two properties: a rule condition (optional) and assertions (required). The rule condition determines when a rule takes effect. The assertions describe what values users can specify for a particular parameter. If you don't define a rule condition, the rule's assertions always take effect. To define a rule condition and assertions, you use *rule-specific intrinsic functions*, which are functions that can only be used in the `Rules` section of a template. You can nest functions, but the final result of a rule condition or assertion must be either true or false.

As an example, assume that you declared a VPC and a subnet parameter in the `Parameters` section. You can create a rule that validates that a given subnet is in a particular VPC. So when a user specifies a VPC, CloudFormation evaluates the assertion to check whether the subnet parameter value is in that VPC before creating or updating the stack. If the parameter value is invalid, CloudFormation immediately fails to create or update the stack. If users don't specify a VPC, CloudFormation doesn't check the subnet parameter value.

## Syntax
<a name="template-constraint-rules-syntax"></a>

The `Rules` section of a template consists of the key name `Rules`, followed by a single colon. Braces enclose all rule declarations. If you declare multiple rules, they are delimited by commas. For each rule, you declare a logical name in quotation marks followed by a colon and braces that enclose the rule condition and assertions.

A rule can include a `RuleCondition` property and must include an `Assertions` property. For each rule, you can define only one rule condition; you can define one or more asserts within the `Assertions` property. You define a rule condition and assertions by using rule-specific intrinsic functions, as shown in the following pseudo template:

```
"Rules":{
   "Rule01":{
      "RuleCondition":{
         "Rule-specific intrinsic function"
      },
      "Assertions":[
         {
            "Assert":{
               "Rule-specific intrinsic function"
            },
            "AssertDescription":"Information about this assert"
         },
         {
            "Assert":{
               "Rule-specific intrinsic function"
            },
            "AssertDescription":"Information about this assert"
         }
      ]
   },
   "Rule02":{
      "Assertions":[
         {
            "Assert":{
               "Rule-specific intrinsic function"
            },
            "AssertDescription":"Information about this assert"
         }
      ]
   }
}
```

The pseudo template shows a `Rules` section containing two rules named `Rule01` and `Rule02`. `Rule01` includes a rule condition and two assertions. If the function in the rule condition evaluates to true, the functions in both asserts are evaluated and applied. If the rule condition is false, the rule doesn't take effect. `Rule02` always takes effect because it doesn't have a rule condition, which means the one assert is always evaluated and applied.

For information on rule-specific intrinsic functions to define rule conditions and assertions, see [AWS Rule Functions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-rules.html) in the *AWS CloudFormation User Guide*.

## Example: Conditionally Verify a Parameter Value
<a name="template-constraint-rules-example"></a>

The following two rules check the value of the `InstanceType` parameter. Depending on the value of the `Environment` parameter (`test` or `prod`), the user must specify `m1.small` or `m1.large` for the `InstanceType` parameter. The `InstanceType` and `Environment` parameters must be declared in the `Parameters` section of the same template.

```
"Rules" : {
  "testInstanceType" : {
    "RuleCondition" : {"Fn::Equals":[{"Ref":"Environment"}, "test"]},
    "Assertions" : [
      {
        "Assert" :  { "Fn::Contains" : [ ["m1.small"], {"Ref" : "InstanceType"} ] },
        "AssertDescription" : "For the test environment, the instance type must be m1.small"
      }
    ]
  },
  "prodInstanceType" : {
    "RuleCondition" : {"Fn::Equals":[{"Ref":"Environment"}, "prod"]},
    "Assertions" : [
      {
        "Assert" :  { "Fn::Contains" : [ ["m1.large"], {"Ref" : "InstanceType"} ] },
        "AssertDescription" : "For the prod environment, the instance type must be m1.large"
      }
    ]
  }
}
```
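The two rules above can be exercised locally before the constraint is submitted. The following is an added example, not AWS code: it evaluates a `Rules` section against candidate parameter values using a small subset of the rule-specific intrinsic functions (`Ref`, `Fn::Equals`, `Fn::Contains`, `Fn::And`, `Fn::Or`, `Fn::Not`), and the helper names `evaluate`, `as_bool` and `check_rules` are assumptions of this example.

```python
"""Local pre-flight evaluation of a template constraint Rules section.

Added illustration; this is not how CloudFormation itself is implemented.
"""
import json

# The Rules section from the example above.
RULES = json.loads("""
{
  "testInstanceType": {
    "RuleCondition": {"Fn::Equals": [{"Ref": "Environment"}, "test"]},
    "Assertions": [
      {
        "Assert": {"Fn::Contains": [["m1.small"], {"Ref": "InstanceType"}]},
        "AssertDescription": "For the test environment, the instance type must be m1.small"
      }
    ]
  },
  "prodInstanceType": {
    "RuleCondition": {"Fn::Equals": [{"Ref": "Environment"}, "prod"]},
    "Assertions": [
      {
        "Assert": {"Fn::Contains": [["m1.large"], {"Ref": "InstanceType"}]},
        "AssertDescription": "For the prod environment, the instance type must be m1.large"
      }
    ]
  }
}
""")


def evaluate(node, params):
    """Resolve a Ref or evaluate a supported function; literals pass through."""
    if isinstance(node, list):
        return [evaluate(item, params) for item in node]
    if not isinstance(node, dict):
        return node
    if len(node) != 1:
        raise ValueError(f"expected a single-key function object, got {sorted(node)}")
    name, arg = next(iter(node.items()))
    if name == "Ref":
        if arg not in params:
            raise KeyError(f"parameter {arg!r} is not declared")
        return params[arg]
    args = evaluate(arg, params)
    if name == "Fn::Equals":
        left, right = args
        return left == right
    if name == "Fn::Contains":
        allowed, value = args
        return value in allowed
    if name == "Fn::And":
        return all(args)
    if name == "Fn::Or":
        return any(args)
    if name == "Fn::Not":
        (operand,) = args
        return not operand
    raise ValueError(f"unsupported function {name!r}")


def as_bool(node, params):
    """A rule condition or assert must end in true or false."""
    result = evaluate(node, params)
    if not isinstance(result, bool):
        raise TypeError("a rule condition or assert must evaluate to true or false")
    return result


def check_rules(rules, params):
    """Return (rule name, AssertDescription) for every assert that fails."""
    failures = []
    for rule_name, rule in rules.items():
        condition = rule.get("RuleCondition")
        if condition is not None and not as_bool(condition, params):
            continue  # rule condition is false: the rule does not take effect
        for assertion in rule["Assertions"]:
            if not as_bool(assertion["Assert"], params):
                failures.append((rule_name, assertion.get("AssertDescription", "")))
    return failures


if __name__ == "__main__":
    for env, itype in [("test", "m1.small"), ("test", "m1.large"), ("dev", "c3.8xlarge")]:
        print(env, itype, check_rules(RULES, {"Environment": env, "InstanceType": itype}))
```

An `Environment` value other than `test` or `prod` makes both rule conditions false, so neither assert runs and any instance type passes. Restrict `Environment` with `AllowedValues` or add a rule without a condition if that case must be rejected.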

# AWS Service Catalog Service Actions
<a name="using-service-actions"></a>

**Note**  
AWS Service Catalog does not support service actions for Terraform Open Source or Terraform Cloud products.

AWS Service Catalog enables you to reduce administrative maintenance and end user training while adhering to compliance and security measures. With service actions, as the administrator you can enable end users to perform operational tasks, troubleshoot issues, run approved commands, or request permissions in AWS Service Catalog. You use [AWS Systems Manager documents](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html) to define service actions. The [AWS Systems Manager documents](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html) provide access to pre-defined actions that implement AWS best practices, such as Amazon EC2 stop and reboot, and you can define custom actions too.

In this tutorial, you provide end users with the ability to restart an Amazon EC2 instance. You add the necessary permissions, define the service action, associate the service action with a product, and test the end user experience using the action with a provisioned product.

## Prerequisites
<a name="service-actions-prerequisites"></a>

This tutorial assumes that you have full AWS administrator permissions, you are already familiar with AWS Service Catalog, and that you already have a base set of products, portfolios, and users. If you are not familiar with AWS Service Catalog, complete the [Setting Up](setup.md) and [Getting Started](getstarted.md) tasks before using this tutorial.

**Topics**
+ [Prerequisites](#service-actions-prerequisites)
+ [Step 1: Configure end user permissions](#service-actions-configure-end-user-permissions)
+ [Step 2: Create a service action](#service-actions-create-new-service-action)
+ [Step 3: Associate the service action with a product version](#service-actions-associate-with-product-version)
+ [Step 4: Test the end user experience](#service-actions-test-end-user-experience)
+ [Step 5: Managing service actions with AWS CloudFormation](#service-actions-cloudformation)
+ [Step 6: Troubleshooting](#service-actions-troubleshooting)

## Step 1: Configure end user permissions
<a name="service-actions-configure-end-user-permissions"></a>

End users must have the necessary permissions to view and perform specific service actions. In this example, the end user needs permission to access the AWS Service Catalog service actions feature and to perform an Amazon EC2 restart.

**To update permissions**

1. Open the AWS Identity and Access Management (IAM) console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. From the menu, locate user groups.

1. Choose the groups that end users will use to access AWS Service Catalog resources. In this example, we select the end user group. In your own implementation, choose the group that is used by the relevant end users.

1. On the **Permissions** tab of your group’s detail page, you either create a new policy or edit an existing policy. In this example, we add permissions to the existing policy by selecting the custom policy created for the group’s AWS Service Catalog Provision and Terminate permissions.

1. On the **Policy** page, choose **Edit Policy** to add the necessary permissions. You can use either the visual editor or the JSON editor to edit the policy. In this example, we use the JSON editor to add the permissions. For this tutorial, add the following permissions to the policy:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Stmt1536341175150",
               "Action": [
                   "servicecatalog:ListServiceActionsForProvisioningArtifact",
                   "servicecatalog:ExecuteProvisionedProductServiceAction",
                   "ssm:DescribeDocument",
                   "ssm:GetAutomationExecution",
                   "ssm:StartAutomationExecution",
                   "ssm:StopAutomationExecution",
                   "cloudformation:ListStackResources",
                   "ec2:DescribeInstanceStatus",
                   "ec2:StartInstances",
                   "ec2:StopInstances"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ]
   }
   ```


1. After you edit the policy, review and approve the change to the policy. Users in the end user group now have the necessary permissions to perform the Amazon EC2 restart action in AWS Service Catalog.

## Step 2: Create a service action
<a name="service-actions-create-new-service-action"></a>

Next, you create a service action to restart Amazon EC2 instances.

1. Open the AWS Service Catalog console at [https://console.aws.amazon.com/sc/](https://console.aws.amazon.com/servicecatalog/).

1. From the menu, choose **Service actions**.

1. On the **Service actions** page, choose **Create action**.

1. On the **Create action** page, choose an AWS Systems Manager document to define the service action. The Amazon EC2 Instance Restart action is defined by an AWS Systems Manager document, so we keep the default option on the drop-down menu, **Amazon documents**.

1. Search for and choose the **AWS-RestartEC2Instance** action.

1. Provide a name and description for the action that make sense for your environment and team. The end user will see this description, so choose something that helps them understand what the action does.

1. Under **Parameter and target configuration**, choose the SSM document parameter that will be the target of the action (for example, the **Instance ID**), and choose the target of the parameter. Choose **Add parameter** to add additional parameters. 

1. Under **Permissions**, choose a role. We are using default permissions for this example. Other permission configurations are possible and are defined on this page.

1. After you have reviewed the configuration, choose **Create action**.

1. On the next page, a confirmation appears when the action has been created and is ready to use.

## Step 3: Associate the service action with a product version
<a name="service-actions-associate-with-product-version"></a>

After you define an action, you must associate a product with that action.

1. On the **Service actions** page, choose **AWS-RestartEC2Instance**, and then choose **Associate action**.

1. On the **Associate action** page, choose the product that you want your end users to take the service action on. In this example, we choose **Linux Desktop**.

1. Select a product version. Note that you can use the topmost check box to select all versions.

1. Choose **Associate action**.

1. On the next page, a confirmation message appears.

You have now created the service action in AWS Service Catalog. The next step of this tutorial is to use the service action as an end user.

## Step 4: Test the end user experience
<a name="service-actions-test-end-user-experience"></a>

End users can perform service actions on provisioned products. For the purposes of this tutorial, the end user must have at least one provisioned product. The provisioned product should be launched from the product version that you associated with the service action in the previous step.

**To access the service action as an end user**

1. Log in to the AWS Service Catalog console as an end user. 

1. On the AWS Service Catalog dashboard, in the navigation pane, choose **Provisioned products list**. The list shows the products that are provisioned for the end user's account.

1. On the **Provisioned products list** page, choose the instance that is provisioned.

1. On the **Provisioned product details** page, choose **Actions** in the upper right side, and then choose the **AWS-RestartEC2Instance** action.

1. Confirm that you want to execute the custom action. You receive confirmation that the action has been sent.

## Step 5: Managing service actions with AWS CloudFormation
<a name="service-actions-cloudformation"></a>

 You can create service actions and their associations with AWS CloudFormation resources. For more information, see the following in the *AWS CloudFormation User Guide*: 
+  [AWS::ServiceCatalog::CloudFormationProduct ProvisioningArtifactProperties](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-servicecatalog-cloudformationproduct-provisioningartifactproperties.html) 
+  [AWS::ServiceCatalog::ServiceActionAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicecatalog-serviceactionassociation.html) 

**Note**  
If you manage service action associations with CloudFormation resources, don't add or remove service actions through the AWS Command Line Interface or AWS Management Console. When you perform a stack update, any changes to service actions that are made outside of CloudFormation are replaced.

## Step 6: Troubleshooting
<a name="service-actions-troubleshooting"></a>

If your service action execution fails, you can find the error message in the **Outputs** section of the service action execution event on the **Provisioned product** page. Below you can see explanations for common error messages you may find.

**Note**  
The exact text of the error message is subject to change, so you should avoid using these in any kind of automated process.

 **Internal failure**

AWS Service Catalog experienced an internal error. Try again later. If the issue persists, contact customer support. 

 **An error occurred (ThrottlingException) when calling the StartAutomationExecution operation**

The service action execution was throttled by the backend service, such as SSM. 

 **Access denied while assuming the role**

 AWS Service Catalog was unable to assume the role specified in the service action definition. Make sure that the *servicecatalog.amazonaws.com* principal, or a regional principal such as *servicecatalog.us-east-1.amazonaws.com*, is allowlisted in the role's trust policy. 

 **An error occurred (AccessDeniedException) when calling the StartAutomationExecution operation: User is not authorized to perform: ssm:StartAutomationExecution on the resource.**

The role specified in the service action definition does not have permissions to invoke ssm:StartAutomationExecution. Make sure the role has the appropriate SSM permissions. 

 **Cannot find any resources with type *TargetType* in provisioned product**

The provisioned product does not contain any resources that match the target type specified in the SSM document, such as AWS::EC2::Instance. Check your provisioned product for these resources or confirm the document is correct. 

 **Document with that name does not exist**

The document specified in the service action definition does not exist. 

 **Failed to describe SSM Automation document**

AWS Service Catalog encountered an unknown exception from SSM when trying to describe the specified document. 

 **Failed to retrieve credentials for role**

AWS Service Catalog encountered an unknown error when assuming the specified role. 

 **Parameter has value "*InvalidValue*" not found in *{ValidValue1}, {ValidValue2}***

 The parameter value passed to SSM is not in the allowed values list for the document. Confirm the parameters provided are valid, and try again. 

 **Parameter type error. The value supplied for *ParameterName* is not a valid string.**

The value of the parameter passed to SSM is not valid for the type on the document. 

 **Parameter is not defined in service action definition**

A parameter was passed to AWS Service Catalog that is not defined in the service action definition. You can only use parameters defined in the service action definition. 

 **Step fails when it is executing/canceling action. *Error message.* Please refer to Automation Service Troubleshooting Guide for more diagnosis details.**

 A step in the SSM automation document failed. See the error in the message to troubleshoot further. 

 **The following values for the parameter are not allowed because they are not in the provisioned product: *InvalidResourceId***

The user requested action on a resource that is not in the provisioned product. 

 **TargetType not defined for SSM Automation document**

Service actions require SSM automation documents to have a TargetType defined. Check your SSM automation document. 

# Adding AWS Marketplace Products to Your Portfolio
<a name="catalogs_marketplace-products"></a>

You can add AWS Marketplace products to your portfolios to make those products available to your AWS Service Catalog end users.

AWS Marketplace is an online store in which you can find, subscribe to, and immediately start using a large selection of software and services. The types of products in AWS Marketplace include databases, application servers, testing tools, monitoring tools, content management tools, and business intelligence software. AWS Marketplace is available at [https://aws.amazon.com/marketplace](https://aws.amazon.com/marketplace). Note that you can't add software as a service (SaaS) products from AWS Marketplace to AWS Service Catalog.

You distribute an AWS Marketplace product to AWS Service Catalog end users by copying the product with the CloudFormation template to AWS Service Catalog, and then adding the product to a portfolio.

**Note**  
AWS Service Catalog does not support distributing AWS Marketplace products to AWS Service Catalog end users using a Terraform Open Source or Terraform Cloud product template. 

You can add AWS Marketplace products through the functionality in AWS Marketplace that supports AWS Service Catalog directly, or you can subscribe and add products using the manual option. We recommend adding products using the functionality specifically designed for AWS Service Catalog.

## Managing AWS Marketplace Products Using AWS Service Catalog
<a name="catalogs_marketplace-sc"></a>

You can add your subscribed AWS Marketplace products directly to AWS Service Catalog using a custom interface. In [AWS Marketplace](https://aws.amazon.com/marketplace), choose **Service Catalog**. For more information, see [Copying Products to AWS Service Catalog](https://aws.amazon.com/marketplace/help/buyer-copy-product-to-SC?ref=help_ln_sibling) in the *AWS Marketplace Help and FAQ*.

## Managing and Adding AWS Marketplace Products Manually
<a name="catalogs_marketplace-manual"></a>

Complete the following steps to subscribe to an AWS Marketplace product, define that product in a CloudFormation template, and add the template to an AWS Service Catalog portfolio.

**To subscribe to an AWS Marketplace product**

1. Go to AWS Marketplace at [https://aws.amazon.com/marketplace](https://aws.amazon.com/marketplace).

1. Browse the products or search to find the product that you want to add to your AWS Service Catalog portfolio. Choose the product to view the product details page.

1. Choose **Continue** to view the fulfillment page, and then choose the **Manual Launch** tab.

   The information on the fulfillment page includes the supported Amazon Elastic Compute Cloud (Amazon EC2) instance types, the supported AWS Regions, and the Amazon Machine Image (AMI) ID that the product uses for each AWS region. Note that some choices will affect cost. You will use this information to customize the CloudFormation template in later steps.

1. Choose **Accept Terms** to subscribe to the product.

   After you subscribe to a product, you can access the information on the product fulfillment page in AWS Marketplace at any time by choosing **Your Software**, and then choosing the product.

**To define your AWS Marketplace product in a CloudFormation template**

To complete the following steps, you will use one of the CloudFormation sample templates as a starting point, and you will customize the template so that it represents your AWS Marketplace product. To access the sample templates, see [Sample Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-sample-templates.html) in the *AWS CloudFormation User Guide*.

1. On the Sample Templates page in the *CloudFormation User Guide*, choose an AWS Region for your product. The AWS Region must be supported by your AWS Marketplace product. You can view the supported regions on the product fulfillment page in AWS Marketplace.

1. To view a list of service sample templates that are appropriate for the Region, choose the **Services** link. 

1. You can use any of the samples that are appropriate for your needs as a starting point. The steps in this procedure use the **Amazon EC2 instance in a security group** template. To view the sample template, choose **View**, and then save a copy of the template locally so that you can edit it. Your local file must have the `.template` extension.

1. Open your template file in a text editor.

1. Customize the description at the top of the template. Your description might look like the following example:

   `"Description": "Launches a LAMP stack from AWS Marketplace",`

1. Customize the `InstanceType` parameter so that it includes only EC2 instance types that are supported by your product. If your template includes unsupported EC2 instance types, the product will fail to launch for your end users.

   1. On the product fulfillment page in AWS Marketplace, view the supported EC2 instance types in the **Pricing Details** section.  
![\[The pricing details section on the product fulfillment page in AWS Marketplace shows the supported EC2 instance types.\]](http://docs.aws.amazon.com/servicecatalog/latest/adminguide/images/ec2-ondemand.png)

   1. In your template, change the default instance type to a supported EC2 instance type of your choice.

   1. Edit the `AllowedValues` list so that it includes only EC2 instance types that are supported by your product.

   1. Remove any EC2 instance types that you do not want your end users to use when they launch the product from the `AllowedValues` list.

   When you are done editing the `InstanceType` parameter, it might look similar to the following example:

   ```
       "InstanceType" : {
         "Description" : "EC2 instance type",
         "Type" : "String",
         "Default" : "m1.small",
         "AllowedValues" : [ "t1.micro", "m1.small", "m1.medium", "m1.large", "m1.xlarge", "m2.xlarge", "m2.2xlarge", "m2.4xlarge", "c1.medium", "c1.xlarge", "c3.large", "c3.xlarge", "c3.2xlarge", "c3.4xlarge", "c3.8xlarge" ],
         "ConstraintDescription" : "Must be a valid EC2 instance type."
       },
   ```

1. In the `Mappings` section of your template, edit the `AWSInstanceType2Arch` mappings so that only supported EC2 instance types and architectures are included.

   1. Edit the list of mappings by removing all EC2 instance types that are not included in the `AllowedValues` list for the `InstanceType` parameter.

   1. Edit the `Arch` value for each EC2 instance type to be the architecture type that is supported by your product. Valid values are `PV64`, `HVM64`, and `HVMG2`. To learn which architecture your product supports, refer to the product details page in AWS Marketplace. To learn which architectures are supported by EC2 instance families, see [Amazon Linux AMI Instance Type Matrix](https://aws.amazon.com/amazon-linux-ami/instance-type-matrix/).

   When you have finished editing the `AWSInstanceType2Arch` mappings, it might look similar to the following example:

   ```
       "AWSInstanceType2Arch" : {
         "t1.micro"    : { "Arch" : "PV64"  },
         "m1.small"    : { "Arch" : "PV64"  },
         "m1.medium"   : { "Arch" : "PV64"  },
         "m1.large"    : { "Arch" : "PV64"  },
         "m1.xlarge"   : { "Arch" : "PV64"  },
         "m2.xlarge"   : { "Arch" : "PV64"  },
         "m2.2xlarge"  : { "Arch" : "PV64"  },
         "m2.4xlarge"  : { "Arch" : "PV64"  },
         "c1.medium"   : { "Arch" : "PV64"  },
         "c1.xlarge"   : { "Arch" : "PV64"  },
         "c3.large"    : { "Arch" : "PV64"  },
         "c3.xlarge"   : { "Arch" : "PV64"  },
         "c3.2xlarge"  : { "Arch" : "PV64"  },
         "c3.4xlarge"  : { "Arch" : "PV64"  },
         "c3.8xlarge"  : { "Arch" : "PV64"  }
       },
   ```

1. In the `Mappings` section of your template, edit the `AWSRegionArch2AMI` mappings to associate each AWS Region with the corresponding architecture and AMI ID for your product.

   1. On the product fulfillment page in AWS Marketplace, view the AMI ID that your product uses for each AWS Region, as in the following example:

         
![\[A table of regions and AMI IDs on the product fulfillment page in AWS Marketplace.\]](http://docs.aws.amazon.com/servicecatalog/latest/adminguide/images/sc-marketplace_ami_ids-console.png)

   1. In your template, remove the mappings for any AWS Regions that you do not support.

   1. Edit the mapping for each region to remove the unsupported architectures (`PV64`, `HVM64`, or `HVMG2`) and their associated AMI IDs.

   1. For each remaining AWS Region and architecture mapping, specify the corresponding AMI ID from the product details page in AWS Marketplace.

   When you have finished editing the `AWSRegionArch2AMI` mappings, your code might look similar to the following example:

   ```
       "AWSRegionArch2AMI" : {
         "us-east-1"        : {"PV64" : "ami-nnnnnnnn"},
         "us-west-2"        : {"PV64" : "ami-nnnnnnnn"},
         "us-west-1"        : {"PV64" : "ami-nnnnnnnn"},
         "eu-west-1"        : {"PV64" : "ami-nnnnnnnn"},
         "eu-central-1"     : {"PV64" : "ami-nnnnnnnn"},
         "ap-northeast-1"   : {"PV64" : "ami-nnnnnnnn"},
         "ap-southeast-1"   : {"PV64" : "ami-nnnnnnnn"},
         "ap-southeast-2"   : {"PV64" : "ami-nnnnnnnn"},
         "sa-east-1"        : {"PV64" : "ami-nnnnnnnn"}
       }
   ```

   You can now use the template to add the product to an AWS Service Catalog portfolio. If you want to make additional changes, see [Working with CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-guide.html) to learn more about templates.
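One way to check the edits from the preceding steps before uploading the template, as an added example that is not part of the AWS documentation: it cross-checks the `InstanceType` parameter against the `AWSInstanceType2Arch` and `AWSRegionArch2AMI` mappings. The `TEMPLATE` fragment is constructed with deliberate mistakes, and `lint_template` is a hypothetical helper name.

```python
"""Pre-upload consistency check for InstanceType and the two mappings.

Added illustration; TEMPLATE is a constructed fragment, not a real product.
"""
import re
from collections import Counter

VALID_ARCHS = {"PV64", "HVM64", "HVMG2"}          # valid Arch values per the steps above
AMI_ID = re.compile(r"^ami-([0-9a-f]{8}|[0-9a-f]{17})$")

# Constructed input: a duplicate, two one-sided entries, a missing AMI,
# and a placeholder AMI ID that was never filled in.
TEMPLATE = {
    "Parameters": {
        "InstanceType": {
            "Type": "String",
            "Default": "m1.small",
            "AllowedValues": ["m1.small", "c3.large", "c3.large", "c3.xlarge"],
        }
    },
    "Mappings": {
        "AWSInstanceType2Arch": {
            "m1.small": {"Arch": "PV64"},
            "c3.large": {"Arch": "HVM64"},
            "c3.2xlarge": {"Arch": "HVM64"},
        },
        "AWSRegionArch2AMI": {
            "us-east-1": {"PV64": "ami-0123abcd", "HVM64": "ami-89ab4567"},
            "us-west-2": {"PV64": "ami-nnnnnnnn"},
        },
    },
}


def lint_template(template):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    param = template["Parameters"]["InstanceType"]
    allowed = param["AllowedValues"]
    type2arch = template["Mappings"]["AWSInstanceType2Arch"]
    region2ami = template["Mappings"]["AWSRegionArch2AMI"]

    for itype, count in Counter(allowed).items():
        if count > 1:
            problems.append(f"AllowedValues lists {itype} {count} times")
    if param.get("Default") not in allowed:
        problems.append(f"Default {param.get('Default')!r} is not in AllowedValues")

    # Both directions matter: an allowed type with no mapping cannot resolve an
    # architecture, and a mapped type that is not allowed is leftover clutter.
    for itype in sorted(set(allowed) - set(type2arch)):
        problems.append(f"{itype} is allowed but has no AWSInstanceType2Arch entry")
    for itype in sorted(set(type2arch) - set(allowed)):
        problems.append(f"{itype} is mapped but not in AllowedValues")

    used_archs = set()
    for itype, entry in sorted(type2arch.items()):
        arch = entry.get("Arch")
        if arch not in VALID_ARCHS:
            problems.append(f"{itype} has invalid Arch {arch!r}")
        elif itype in allowed:
            used_archs.add(arch)

    # Every region must offer an AMI for each architecture a user can select.
    for region, amis in sorted(region2ami.items()):
        for arch in sorted(used_archs - set(amis)):
            problems.append(f"{region} has no AMI for {arch}")
        for arch, ami in sorted(amis.items()):
            if not AMI_ID.match(ami):
                problems.append(f"{region}/{arch} AMI ID {ami!r} is not a valid ID")
    return problems


if __name__ == "__main__":
    for problem in lint_template(TEMPLATE):
        print(problem)
```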

**To add your AWS Marketplace product to an AWS Service Catalog portfolio**

1. Sign in to the AWS Management Console and navigate to the AWS Service Catalog administrator console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. On the **Portfolios** page, choose the portfolio to which you want to add your AWS Marketplace product.

1. On the portfolio details page, choose **Upload new product**.

1. Type the requested product and support details.

1. On the **Version details** page, choose **Upload a template file**, choose **Browse**, and then choose your template file.

1. Type a version title and description.

1. Choose **Next**.

1. On the **Review** page, verify that the summary is accurate, and then choose **Confirm and upload**. The product is added to your portfolio. It is now available to end users who have access to the portfolio.

# Using CloudFormation StackSets
<a name="using-stacksets"></a>

**Note**  
AutoTags are not currently supported with CloudFormation StackSets. 

You can use CloudFormation StackSets to launch AWS Service Catalog products across multiple AWS Regions and accounts. You can specify the order in which products deploy sequentially within AWS Regions. Across accounts, products are deployed in parallel. When launching, users can specify failure tolerance and the maximum number of accounts in which to deploy in parallel. For more information, see [Working with CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html).

## Stack sets vs. stack instances
<a name="stacksets-vs-stack-instances"></a>

A *stack set* lets you create stacks in AWS accounts across AWS Regions by using a single CloudFormation template.

A *stack instance* refers to a stack in a target account within an AWS Region and is associated with only one stack set.

For more information, see [StackSets Concepts](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html).

## Stack set constraints
<a name="stackset-constraints"></a>

In AWS Service Catalog, you can use stack set constraints to configure product deployment options.

 AWS Service Catalog supports stack set constraints on products in two AWS GovCloud (US) Regions: AWS GovCloud (US-West) and AWS GovCloud (US-East).

For more information, see [AWS Service Catalog Stack Set Constraints](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-stackset.html).

# Managing Budgets
<a name="catalogs_budgets"></a>

You can use AWS Budgets to track your service costs and usage within AWS Service Catalog. You can associate budgets with AWS Service Catalog products and portfolios.

**Note**  
AWS Service Catalog does not support budgets for Terraform Open Source products. 

AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. Information about AWS Budgets is available at [https://aws.amazon.com/aws-cost-management/aws-budgets](https://aws.amazon.com/aws-cost-management/aws-budgets).

**Topics**
+ [Prerequisites](#budgets-setup)
+ [Creating a budget](#budgets-create)
+ [Associating a Budget](#budgets-associate)
+ [Viewing a Budget](#budgets-view)
+ [Disassociating a Budget](#budgets-disassociate)

## Prerequisites
<a name="budgets-setup"></a>

Before using AWS Budgets, you need to activate cost allocation tags in the AWS Billing and Cost Management console. For more information, see [Activating User-Defined Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/activating-tags.html) in the *AWS Billing and Cost Management User Guide*. 

**Note**  
Tags take up to 24 hours to activate.

You also need to enable user access to the AWS Billing and Cost Management console for any users or groups who will be using the Budgets feature. You can do this by creating a new policy for your users.

To allow users to create budgets, you must also allow users to view billing information. If you want to use Amazon SNS notifications, you can give users the ability to create Amazon SNS notifications, as shown in the policy example below.

**To create the budgets policy**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Policies**. 

1. In the content pane, choose **Create policy**. 

1. Choose the **JSON** tab and copy the text from the following JSON policy document. Paste this text into the **JSON** text box. 

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Stmt1435216493000",
               "Effect": "Allow",
               "Action": [
                   "aws-portal:ViewBilling",
                   "aws-portal:ModifyBilling",
                   "budgets:ViewBudget",
                   "budgets:ModifyBudget"
               ],
               "Resource": [
                   "*"
               ]
           },
           {
               "Sid": "Stmt1435216552000",
               "Effect": "Allow",
               "Action": [
                   "sns:*"
               ],
               "Resource": [
                   "arn:aws:sns:us-east-1:123456789012:*"
               ]
           }
       ]
   }
   ```


1. When you are finished, choose **Review policy**. The Policy Validator reports any syntax errors.

1. On the **Review** page, give your policy a name. Review the policy **Summary** to see the permissions granted by your policy, and then choose **Create policy** to save your work. 

   The new policy appears in the list of managed policies and is ready to attach to your users and groups. For more information, see [Create and Attach Customer Managed Policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_managed-policies.html#step2-attach-policy) in the *AWS Identity and Access Management User Guide*.
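A least-privilege review of the two tutorial policies on this page (the end user policy from Step 1 of the service actions tutorial and the budgets policy above), as an added example that is not part of the AWS documentation. The read-only prefix list and the `audit_policy` helper are assumptions of this example, and because some IAM actions accept only `*` as a resource, each finding is a prompt to review the grant rather than a confirmed defect.

```python
"""Flag broad grants in an IAM policy document before attaching it to a group.

Added illustration; the read-only prefixes are a heuristic chosen for this
example, not an IAM classification.
"""
import json

READ_ONLY_PREFIXES = ("Describe", "Get", "List", "View")

# End user policy from Step 1 of the service actions tutorial.
STEP1_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1536341175150",
    "Action": [
      "servicecatalog:ListServiceActionsForProvisioningArtifact",
      "servicecatalog:ExecuteProvisionedProductServiceAction",
      "ssm:DescribeDocument",
      "ssm:GetAutomationExecution",
      "ssm:StartAutomationExecution",
      "ssm:StopAutomationExecution",
      "cloudformation:ListStackResources",
      "ec2:DescribeInstanceStatus",
      "ec2:StartInstances",
      "ec2:StopInstances"
    ],
    "Effect": "Allow",
    "Resource": "*"
  }]
}
""")

# Budgets policy from the Managing Budgets prerequisites.
BUDGETS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1435216493000",
      "Effect": "Allow",
      "Action": ["aws-portal:ViewBilling", "aws-portal:ModifyBilling",
                 "budgets:ViewBudget", "budgets:ModifyBudget"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1435216552000",
      "Effect": "Allow",
      "Action": ["sns:*"],
      "Resource": ["arn:aws:sns:us-east-1:123456789012:*"]
    }
  ]
}
""")


def as_list(value):
    """IAM allows a single string where a list is expected; normalize to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (sid, action, reason) for each Allow grant worth a second look."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        any_resource = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            _, _, name = action.partition(":")
            if "*" in action:
                # Grants every current and future action matching the pattern.
                findings.append((sid, action, "wildcard action"))
            elif any_resource and not name.startswith(READ_ONLY_PREFIXES):
                # State-changing call that is not scoped to specific resources.
                findings.append((sid, action, "write action on Resource *"))
    return findings


if __name__ == "__main__":
    for label, policy in (("Step 1", STEP1_POLICY), ("Budgets", BUDGETS_POLICY)):
        for sid, action, reason in audit_policy(policy):
            print(f"{label}: {sid}: {action}: {reason}")
```

For the Step 1 policy, the flagged `ec2:StartInstances` and `ec2:StopInstances` grants apply to every instance the account can reach, not only instances inside provisioned products, so they are the first candidates for scoping.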

## Creating a budget
<a name="budgets-create"></a>

In the AWS Service Catalog administrator console, the **Product list** and **Portfolios** pages list information about existing products and portfolios and allow you to take actions on them. To create a budget, first decide which product or portfolio you want to associate the budget to.

**To create a budget**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1.  Choose **Product list** or **Portfolios**. 

1.  Select the product or portfolio that you want to add a budget to. 

1.  Open the **Actions** menu, and then choose **Create budget**. 

1.  On the **Budget creation** page, associate one tag type to your budget. 

    There are two types of tags: AutoTags and TagOptions. AutoTags identify the portfolio, product, and user that launched a product. AWS Service Catalog applies these tags automatically to provisioned resources. A TagOption is an administrator-defined key-value pair that's managed in AWS Service Catalog. 

    For spending that occurs on a portfolio or product to be reflected on the associated budget, the budget and the portfolio or product must have the same tag. Note that a tag key being used for the first time can take 24 hours to activate. For more information, see [Prerequisites](#budgets-setup).

1.  Choose **Create in AWS Budgets**. You're directed to the **Set your budget** page. Continue setting up your budget by following the steps in [Creating a Budget](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/budgets-create.html). 

**Note**  
 After you create a budget, you must associate it to the product or portfolio. 

## Associating a Budget
<a name="budgets-associate"></a>

 Each portfolio or product can have one budget associated to it. Each budget can be associated to multiple portfolios and products. 

 When you associate a budget to a portfolio or product, you're able to view information about the budget from that portfolio or product's details page. In order for spending that occurs on the portfolio or product to be reflected on the budget, you must associate the same tags on the budget and portfolio or product. 

**Note**  
 If you delete a budget from AWS Budgets, existing associations with AWS Service Catalog products and portfolios still exist. AWS Service Catalog won't be able to display any information about the deleted budget. 

**To associate a budget**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1.  Choose **Product list** or **Portfolios**. 

1.  Select the product or portfolio that you want to associate a budget to. 

1.  Open the **Actions** menu, and then choose **Associate budget**. 

1.  On the **Budget association** page, select an existing budget, and then choose **Continue**. 

1.  The **products** or **portfolios** table now includes data for the budget you just added. 

## Viewing a Budget
<a name="budgets-view"></a>

 If a budget is associated to a product, you can view information about the budget on the **Product details** and **Product list** pages. If a budget is associated to a portfolio, you can view information about the budget on the **Portfolios** and **Portfolio details** pages. 

 The **Portfolios** and **Product list** pages display budget information for existing resources. You can see columns displaying **Current vs. budget** and **Forecast vs. budget**. 

When you choose a product or portfolio, you're directed to a details page. The **Portfolio details** and **Product details** pages have sections with detailed information about the associated budgets. You can see the budgeted amount, current spend, and forecasted spend. You also have the option to view budget details and edit the budget.

## Disassociating a Budget
<a name="budgets-disassociate"></a>

 You can disassociate a budget from a portfolio or product. 

**Note**  
 If you delete a budget from AWS Budgets, existing associations with AWS Service Catalog products and portfolios still exist. AWS Service Catalog won't be able to display any information about the deleted budget. 

**To disassociate a budget**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1.  Choose **Product list** or **Portfolios**. 

1.  Select the product or portfolio that you want to disassociate a budget from. 

1.  Choose **Actions**. From the dropdown, choose **Disassociate budget**. A confirmation alert appears. 

1.  After you confirm that you want to disassociate the budget from the product or portfolio, choose **Confirm**.