AWS CloudFormation and boto3: The ultimate guide to enrolling in CAS and checking permissions

AWS CloudFormation is a service that enables you to use templates to provision and manage AWS resources. You can use CloudFormation to create a stack that contains all the resources needed to enroll in the CAS.

Here is an example AWS CloudFormation template written in YAML that can be used to enroll in the Commerce Analytics service:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CommerceAnalytics:
    Type: AWS::ServiceCatalog::CloudFormationProvisionedProduct
    Properties:
      ProductId: <Product ID of Commerce Analytics Service>
      ProvisioningArtifactId: <Provisioning Artifact ID of Commerce Analytics Service>
      # Each entry uses Key/Value. ParameterKey/ParameterValue belong to stack
      # parameters and are rejected here.
      ProvisioningParameters:
        - Key: <Key of the first parameter>
          Value: <Value of the first parameter>
        - Key: <Key of the second parameter>
          Value: <Value of the second parameter>
      # Launch path: the portfolio through which the caller may launch the product.
      # Optional when only one path exists, required when there are several.
      PathId: <AWS Service Catalog path ID>

To use CAS you also need an S3 bucket, an SNS topic and an IAM role, and the product must be reachable through a Service Catalog launch path: it has to sit in a portfolio that your account can see (created locally, or shared to the account through AWS Organizations) and that grants your IAM principal access. The path is a Service Catalog identifier, not an AWS Organizations one. All of these resources can be created from one CloudFormation template written in YAML.

The template should include the AWS::ServiceCatalog::CloudFormationProvisionedProduct resource, which provisions a product from Service Catalog as part of the stack.

The template should also include the AWS::S3::Bucket, AWS::SNS::Topic and AWS::IAM::Role resources, which create the S3 bucket, SNS topic and IAM role that are handed to the product as provisioning parameters.

Create an S3 bucket and an SNS topic.

In order to use the Commerce Analytics Service (CAS), you will also need to create an S3 bucket and an SNS topic.

Here’s an example of how you can add those resources to your CloudFormation template:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: <Name of the S3 bucket>

  SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: <Name of the SNS topic>

  CommerceAnalytics:
    Type: AWS::ServiceCatalog::CloudFormationProvisionedProduct
    Properties:
      ProductId: <Product ID of Commerce Analytics Service>
      ProvisioningArtifactId: <Provisioning Artifact ID of Commerce Analytics Service>
      ProvisioningParameters:
        # Keys must match the parameters declared by the product's own template.
        - Key: S3Bucket
          Value: !Ref S3Bucket      # !Ref on a bucket returns its name
        - Key: SNSTopic
          Value: !Ref SNSTopic      # !Ref on a topic returns its ARN
      PathId: <AWS Service Catalog path ID>

This creates the S3 bucket and the SNS topic in the same CloudFormation stack and passes references to them to the Commerce Analytics product. Note what !Ref returns: for an AWS::S3::Bucket it is the bucket name, for an AWS::SNS::Topic it is the topic ARN. If the product expects a bucket ARN instead, pass !GetAtt S3Bucket.Arn.

You will need to replace the placeholders <Name of the S3 bucket> and <Name of the SNS topic> with the desired names for those resources. Bucket names are global across all AWS accounts, so a hard-coded BucketName can collide with someone else's bucket; omitting the property lets CloudFormation generate a unique name. Because this bucket will hold analytics data, set PublicAccessBlockConfiguration and BucketEncryption on it rather than relying on account-level defaults.

Also, you can use the Outputs section to export the ARNs of the created resources, so they can be referenced from other parts of your infrastructure or from other stacks.

What is ProvisioningArtifactId?

The ProvisioningArtifactId is a unique identifier that is associated with a specific version of a product in AWS Service Catalog. This ID is used to specify which version of a product should be provisioned when creating a CloudFormation stack.

Where you can find ProvisioningArtifactId?

You can find the ProvisioningArtifactId for a product in the AWS Service Catalog console.

Here are the steps to find the ProvisioningArtifactId for a product:

  1. Open the AWS Service Catalog console at https://console.aws.amazon.com/servicecatalog/
  2. In the navigation pane, under Products, choose the product that you want to provision.
  3. On the product details page, look for the Provisioning artifact section.
  4. The Provisioning artifact section lists all available versions of the product and their corresponding ProvisioningArtifactIds.

Alternatively, you can use the AWS Command Line Interface (CLI) or the AWS SDKs to get the ProvisioningArtifactId.

Running aws servicecatalog describe-product-as-admin --id <product id> returns the product's versions under ProvisioningArtifactSummaries, each with its Id. aws servicecatalog list-provisioning-artifacts --product-id <product id> returns the same versions together with an Active flag and a Guidance value (DEFAULT or DEPRECATED), which is what you should check before pinning a version in a template: an inactive version cannot be launched, and a deprecated one should not be pinned in new stacks.

Also note that before you can provision a product with the CloudFormationProvisionedProduct resource, the product must be associated with a portfolio, the portfolio must be in (or shared with) the account that runs the stack, and the IAM principal that runs the stack must be granted access to that portfolio.

Attach IamRole with Commerce Analytics Service (CAS)

In order to use the Commerce Analytics Service (CAS), an IAM role with the appropriate permissions is also required.

Here’s an example of how you can add an IAM role to your CloudFormation template:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: <Name of the S3 bucket>

  SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: <Name of the SNS topic>

  IAMRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: who may assume the role. Principal and Action are the
      # required keys. This example trusts the EC2 service so that instances
      # carrying this role's instance profile can use it; replace the principal
      # with whatever will actually assume the role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: <Name of the policy>
          PolicyDocument:
            Version: "2012-10-17"
            # A single Statement list; each statement carries its own Effect,
            # Action, Resource and optional Condition. A YAML mapping cannot
            # repeat the Statement key.
            Statement:
              - Effect: Allow
                Action: <Policy permissions>
                Resource: <ARNs of the bucket and topic the role may use>
                Condition: <Policy conditions>

  CommerceAnalytics:
    Type: AWS::ServiceCatalog::CloudFormationProvisionedProduct
    Properties:
      ProductId: <Product ID of Commerce Analytics Service>
      ProvisioningArtifactId: <Provisioning Artifact ID of Commerce Analytics Service>
      ProvisioningParameters:
        - Key: S3Bucket
          Value: !Ref S3Bucket
        - Key: SNSTopic
          Value: !Ref SNSTopic
        - Key: IAMRole
          Value: !GetAtt IAMRole.Arn   # !Ref would return the role name, not the ARN
      PathId: <AWS Service Catalog path ID>

This creates the IAM role in the same CloudFormation stack, with its inline policy attached, and passes the role's ARN to the Commerce Analytics product (!Ref on an AWS::IAM::Role returns the role name; !GetAtt IAMRole.Arn returns the ARN).

You will need to replace the placeholders <Name of the policy>, <Policy conditions> and <Policy permissions> with the appropriate values for your environment, and scope each statement's Resource to the ARNs of the bucket and topic created in the stack rather than "*". The Condition key is optional and can be removed if you have no conditions to apply.

The permissions the role needs depend on the exact configuration of your CAS environment and the resources you use with it; check the CAS documentation for the required permissions and grant only those. The trust policy deserves the same care: only the principal that will actually assume the role (here the EC2 service, for instances with this role's instance profile) should appear in it. If a different AWS service will assume it, use that service's principal and add an aws:SourceAccount or aws:SourceArn condition when the service documents one, so the role cannot be used as a confused deputy from another account.

Also, you can use the role's ARN in other resources of the stack, such as Lambda functions or EC2 instance profiles.
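Before deploying a template that creates a role, it is worth linting the role definition for the two mistakes the section above warns about: an over-broad trust policy and a wildcard permission policy. The following is an added example, not code from the original post. It walks the same structure the YAML produces (AssumeRolePolicyDocument plus inline Policies) as Python dicts; the two role definitions at the bottom are constructed for the demonstration (the bucket, topic and account ID are made up), and REQUIRED_ACTIONS is an assumption to be replaced by the action list in the CAS documentation.

```python
"""Lint the IAM role a CAS stack declares before deploying it.

Added example, not code from the original post. The two role definitions at
the bottom are constructed for the demo, and REQUIRED_ACTIONS is an assumed
minimum to be replaced by the list in the CAS documentation.
"""
import fnmatch

# Assumed actions the role needs for the bucket and topic; take the real list
# from the CAS documentation.
REQUIRED_ACTIONS = ["s3:PutObject", "s3:GetObject", "sns:Publish"]


def _as_list(value):
    """IAM lets Statement, Action, Resource and Principal members be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust_doc, expected_services):
    """Findings for the AssumeRolePolicyDocument.

    Flags a wildcard principal (any AWS account could assume the role), any
    service principal the role is not meant for, and a statement that grants
    no sts:AssumeRole* action at all.
    """
    findings = []
    for st in _as_list(trust_doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append("trust policy allows any principal (*)")
            continue
        if not isinstance(principal, dict):
            continue
        if "*" in _as_list(principal.get("AWS", [])):
            findings.append("trust policy allows any AWS account (AWS: *)")
        for svc in _as_list(principal.get("Service", [])):
            if svc not in expected_services:
                findings.append(f"unexpected service principal {svc}")
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(a.startswith("sts:assumerole") for a in actions):
            findings.append("trust statement grants no sts:AssumeRole* action")
    return findings


def permission_findings(policy_doc, required_actions):
    """Findings for an inline policy: wildcard actions or resources, plus any
    required action that no Allow statement covers. IAM action names are
    case-insensitive and may contain * wildcards, which fnmatch reproduces."""
    findings, granted = [], []
    for st in _as_list(policy_doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if "*" in actions:
            findings.append("statement allows every action (*)")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement uses Resource * for {actions}")
        granted.extend(actions)
    for needed in required_actions:
        if not any(fnmatch.fnmatchcase(needed.lower(), g) for g in granted):
            findings.append(f"required action not granted: {needed}")
    return findings


def lint_role(role, expected_services=("ec2.amazonaws.com",), required_actions=None):
    """Return every finding for one AWS::IAM::Role Properties block; [] means clean."""
    required = REQUIRED_ACTIONS if required_actions is None else required_actions
    findings = trust_policy_findings(role["AssumeRolePolicyDocument"], expected_services)
    for pol in role.get("Policies", []):
        findings += [f"{pol['PolicyName']}: {f}"
                     for f in permission_findings(pol["PolicyDocument"], required)]
    return findings


# Constructed role definitions (ARNs, account ID and names are made up).
WEAK_ROLE = {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
    "Policies": [{"PolicyName": "cas-access", "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
}
HARDENED_ROLE = {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
    "Policies": [{"PolicyName": "cas-access", "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": "arn:aws:s3:::example-cas-bucket/*"},
            {"Effect": "Allow", "Action": "sns:Publish",
             "Resource": "arn:aws:sns:us-east-1:123456789012:example-cas-topic"},
        ]}}],
}

if __name__ == "__main__":
    print("weak:", lint_role(WEAK_ROLE))
    print("hardened:", lint_role(HARDENED_ROLE))
```

Run it in CI against the role block parsed out of the template (a YAML loader that understands the CloudFormation tags is needed for the real file) and fail the pipeline on any finding; the hardened definition above produces none.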

What is AWS Service Catalog path ID?

The AWS Service Catalog path ID (also called the launch path) identifies the portfolio through which a principal is allowed to launch a product. A product can be associated with several portfolios, and each portfolio that grants the caller access yields one launch path; the path also determines which launch constraints (for example a launch role) apply. The PathId property of AWS::ServiceCatalog::CloudFormationProvisionedProduct is optional when the product is reachable through only one path and required when there are several.

Path IDs are Service Catalog identifiers, not AWS Organizations identifiers, and they do not appear in the Organizations console. AWS Organizations root IDs start with r- and organizational unit IDs start with ou-; neither is a valid PathId.

AWS Organizations only plays a part in sharing: the administrator account can share a portfolio with the whole organization, an OU or individual accounts, and the administrator of each receiving account then associates local IAM users, groups or roles with the imported portfolio. Only after that association does the product expose a launch path for those principals.

You can list the paths available to your principal with the CLI:

aws servicecatalog list-launch-paths --product-id <product id>

Each entry in LaunchPathSummaries carries the Id to use as PathId and the Name of the portfolio it comes from; the same call is available as list_launch_paths in the SDKs. If the list is empty, the calling principal has no access to the product and the stack will fail at provisioning time regardless of what the template says.
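The two lookups described above, the provisioning artifact (version) and the launch path, are the inputs most often wrong in a CloudFormationProvisionedProduct template. The following is an added example, not code from the original post, that resolves both with boto3 for a given ProductId. It uses the real Service Catalog calls list_provisioning_artifacts and list_launch_paths and assumes the caller may invoke them for the product; boto3 is imported only inside fetch_provisioning_inputs, so the selection helpers can be exercised offline against the constructed responses at the bottom (all IDs in them are made up).

```python
"""Resolve the ProvisioningArtifactId and PathId a template needs.

Added example, not code from the original post. The live lookup uses the
real Service Catalog APIs list_provisioning_artifacts and list_launch_paths
and assumes the caller's credentials may call them for the product.
"""
from datetime import datetime, timezone


def pick_provisioning_artifact(details, version_name=None):
    """Choose the artifact (version) Id to pin in the template.

    `details` is the ProvisioningArtifactDetails list returned by
    list_provisioning_artifacts(). Inactive versions cannot be launched and
    DEPRECATED ones should not be pinned in new stacks, so both are skipped.
    Without a version_name the newest remaining version wins.
    """
    usable = [
        d for d in details
        if d.get("Active", False) and d.get("Guidance", "DEFAULT") != "DEPRECATED"
    ]
    if version_name is not None:
        for d in usable:
            if d["Name"] == version_name:
                return d["Id"]
        raise LookupError(f"no active, non-deprecated version named {version_name!r}")
    if not usable:
        raise LookupError("product has no active, non-deprecated version")
    return max(usable, key=lambda d: d["CreatedTime"])["Id"]


def pick_launch_path(summaries, portfolio_name=None):
    """Choose the PathId for the template.

    `summaries` is the LaunchPathSummaries list from list_launch_paths(): one
    entry per portfolio that grants the caller access to the product. A single
    path is used as-is; with several, the caller must name the portfolio,
    because each path can carry different launch constraints.
    """
    if not summaries:
        raise LookupError("no launch path: the caller is not granted access through any portfolio")
    if portfolio_name is None:
        if len(summaries) == 1:
            return summaries[0]["Id"]
        names = sorted(s.get("Name", s["Id"]) for s in summaries)
        raise LookupError(f"several launch paths; choose one by portfolio name: {names}")
    for s in summaries:
        if s.get("Name") == portfolio_name:
            return s["Id"]
    raise LookupError(f"no launch path named {portfolio_name!r}")


def fetch_provisioning_inputs(product_id, version_name=None, portfolio_name=None):
    """Live lookup of the three IDs the CloudFormationProvisionedProduct resource needs."""
    import boto3  # imported here so the helpers above run without boto3 installed

    sc = boto3.client("servicecatalog")
    artifacts = sc.list_provisioning_artifacts(ProductId=product_id)["ProvisioningArtifactDetails"]
    paths = sc.list_launch_paths(ProductId=product_id)["LaunchPathSummaries"]
    return {
        "ProductId": product_id,
        "ProvisioningArtifactId": pick_provisioning_artifact(artifacts, version_name),
        "PathId": pick_launch_path(paths, portfolio_name),
    }


# Constructed responses in the shape the two APIs return; every ID is made up.
SAMPLE_ARTIFACTS = [
    {"Id": "pa-example0001", "Name": "v1", "Active": True, "Guidance": "DEPRECATED",
     "CreatedTime": datetime(2023, 1, 1, tzinfo=timezone.utc)},
    {"Id": "pa-example0002", "Name": "v2", "Active": True, "Guidance": "DEFAULT",
     "CreatedTime": datetime(2023, 6, 1, tzinfo=timezone.utc)},
    {"Id": "pa-example0003", "Name": "v3", "Active": False, "Guidance": "DEFAULT",
     "CreatedTime": datetime(2023, 9, 1, tzinfo=timezone.utc)},
]
SAMPLE_PATHS = [{"Id": "lp-example0001", "Name": "Commerce Analytics Portfolio"}]

if __name__ == "__main__":
    print(pick_provisioning_artifact(SAMPLE_ARTIFACTS), pick_launch_path(SAMPLE_PATHS))
```

Feeding the returned dict into the template as stack parameters keeps the version pinned explicitly; the alternative of naming a version with ProvisioningArtifactName works too, but an explicit Id makes drift between what was reviewed and what was launched visible in the stack definition.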

NOTE:
Once the template is ready, you can use the AWS CloudFormation console or the AWS CLI to create a stack and provision the resources needed for CAS. Because the template creates an IAM role, the stack must be created with --capabilities CAPABILITY_IAM (or CAPABILITY_NAMED_IAM if you set RoleName on the role); CloudFormation refuses to create IAM resources without that acknowledgement.

It's important to note that the code examples above should be tested before they are used in a production environment, and you should check the CAS documentation for the required permissions.

By using AWS CloudFormation and the CAS, you can create and manage the resources the service needs and automate the process of provisioning and scaling them.

Checking Access Permissions for Commerce Analytics Service (CAS) using Boto3

The boto3 Service Catalog client has no describe_principal_permissions method. Whether a user or role can launch the product is decided in two places, and both can be checked with real APIs: on the Service Catalog side the principal must be associated with a portfolio that contains the product (list_portfolios_for_product and list_principals_for_portfolio show this), and on the IAM side the principal's own policies must allow the launch actions (iam.simulate_principal_policy evaluates them without changing anything).

Here's an example of how you can use boto3 to check both for a user or role:

import boto3

sc = boto3.client('servicecatalog')
iam = boto3.client('iam')

product_id = '<Product ID of Commerce Analytics Service>'
principal = '<IAM user or role ARN>'

# 1. Service Catalog side: collect every principal granted a portfolio that
#    contains the product. list_principals_for_portfolio is paginated.
granted = []
for portfolio in sc.list_portfolios_for_product(ProductId=product_id)['PortfolioDetails']:
    token = None
    while True:
        kwargs = {'PortfolioId': portfolio['Id']}
        if token:
            kwargs['PageToken'] = token
        page = sc.list_principals_for_portfolio(**kwargs)
        granted += [p['PrincipalARN'] for p in page['Principals']]
        token = page.get('NextPageToken')
        if not token:
            break

# 2. IAM side: ask the policy simulator whether the principal may launch.
sim = iam.simulate_principal_policy(
    PolicySourceArn=principal,
    ActionNames=['servicecatalog:DescribeProduct', 'servicecatalog:ProvisionProduct'],
)
denied = [r['EvalActionName'] for r in sim['EvaluationResults'] if r['EvalDecision'] != 'allowed']

if principal in granted and not denied:
    print(f'{principal} can launch {product_id}')
else:
    print(f'{principal} cannot launch {product_id}: '
          f'portfolio access={principal in granted}, denied actions={denied}')

You will need to replace the placeholders <Product ID of Commerce Analytics Service> and <IAM user or role ARN> with the appropriate values for your environment. The caller needs servicecatalog:ListPortfoliosForProduct, servicecatalog:ListPrincipalsForPortfolio and iam:SimulatePrincipalPolicy, and the check must run in the account the principal belongs to, since principal associations are made per account even for portfolios shared through AWS Organizations.

Note that list_principals_for_portfolio can also return IAM_PATTERN entries, which contain * and ? wildcards; the exact-string comparison above does not match those, so a principal covered only by a pattern will be reported as lacking portfolio access. Also, simulate_principal_policy evaluates the principal's identity-based policies and permissions boundary, not the launch role that a Service Catalog launch constraint may apply; where the portfolio uses a launch constraint, the end user needs far fewer permissions than a direct CloudFormation call would.

Also, check the documentation of list_principals_for_portfolio and simulate_principal_policy in the boto3 documentation for more information on their parameters and paging.
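The script above stops at an exact ARN comparison and a yes/no print. The following is an added example, not code from the original post, that turns both halves of the check into functions that work on the raw API responses, so the decision logic can be unit-tested offline on constructed samples (the account ID and role names below are made up) while check_live does the real calls. REQUIRED_ACTIONS is an assumption about the minimum a launch needs, and IAM_PATTERN wildcards are approximated with shell-style matching rather than Service Catalog's exact rules.

```python
"""Decide whether a principal can launch the CAS product.

Added example, not code from the original post. Inputs are the raw lists
returned by servicecatalog.list_principals_for_portfolio and
iam.simulate_principal_policy; REQUIRED_ACTIONS is an assumption and the
IAM_PATTERN wildcard semantics are approximated with fnmatch.
"""
import fnmatch

# Assumed minimum action set for launching a product with ProvisionProduct.
REQUIRED_ACTIONS = [
    "servicecatalog:DescribeProduct",
    "servicecatalog:ListLaunchPaths",
    "servicecatalog:DescribeProvisioningParameters",
    "servicecatalog:ProvisionProduct",
]


def principal_has_portfolio_access(principals, principal_arn):
    """True if the principal is associated with the portfolio.

    `principals` is the Principals list from list_principals_for_portfolio().
    IAM entries must equal the ARN; IAM_PATTERN entries carry * and ? wildcards
    (approximated here with fnmatch, which additionally honours [..] sets).
    """
    for p in principals:
        entry, kind = p["PrincipalARN"], p.get("PrincipalType", "IAM")
        if kind == "IAM" and entry == principal_arn:
            return True
        if kind == "IAM_PATTERN" and fnmatch.fnmatchcase(principal_arn, entry):
            return True
    return False


def denied_actions(evaluation_results):
    """Map action -> decision for every simulation result that is not 'allowed'.

    EvalDecision is allowed, explicitDeny or implicitDeny; an implicit deny
    usually means no policy grants the action at all.
    """
    return {
        r["EvalActionName"]: r["EvalDecision"]
        for r in evaluation_results
        if r["EvalDecision"] != "allowed"
    }


def access_report(principal_arn, portfolio_principals, evaluation_results):
    """Combine both checks: a launch needs portfolio access AND IAM permission."""
    in_portfolio = principal_has_portfolio_access(portfolio_principals, principal_arn)
    denied = denied_actions(evaluation_results)
    return {
        "principal": principal_arn,
        "portfolio_access": in_portfolio,
        "denied_actions": denied,
        "can_provision": in_portfolio and not denied,
    }


def check_live(product_id, principal_arn):
    """Live check; needs servicecatalog:List* on the product and its portfolios
    plus iam:SimulatePrincipalPolicy. boto3 is imported here so the helpers
    above run without it."""
    import boto3

    sc = boto3.client("servicecatalog")
    iam = boto3.client("iam")
    principals = []
    for pf in sc.list_portfolios_for_product(ProductId=product_id)["PortfolioDetails"]:
        token = None
        while True:  # list_principals_for_portfolio is paginated
            kwargs = {"PortfolioId": pf["Id"]}
            if token:
                kwargs["PageToken"] = token
            page = sc.list_principals_for_portfolio(**kwargs)
            principals.extend(page["Principals"])
            token = page.get("NextPageToken")
            if not token:
                break
    sim = iam.simulate_principal_policy(PolicySourceArn=principal_arn, ActionNames=REQUIRED_ACTIONS)
    return access_report(principal_arn, principals, sim["EvaluationResults"])


# Constructed samples (account ID and role names are made up).
SAMPLE_PRINCIPALS = [
    {"PrincipalARN": "arn:aws:iam::123456789012:role/CasOperator", "PrincipalType": "IAM"},
    {"PrincipalARN": "arn:aws:iam::123456789012:role/Analytics-*", "PrincipalType": "IAM_PATTERN"},
]
SAMPLE_EVAL_ALLOWED = [{"EvalActionName": a, "EvalDecision": "allowed"} for a in REQUIRED_ACTIONS]
SAMPLE_EVAL_DENIED = [
    {"EvalActionName": a,
     "EvalDecision": "implicitDeny" if a == "servicecatalog:ProvisionProduct" else "allowed"}
    for a in REQUIRED_ACTIONS
]

if __name__ == "__main__":
    print(access_report("arn:aws:iam::123456789012:role/CasOperator",
                        SAMPLE_PRINCIPALS, SAMPLE_EVAL_DENIED))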

Explore More AWS Posts

  • AWS
  • 3 min read
Mastering Boto3: The AWS SDK for Python - Tips and Tricks

Learn how to use Boto3, the AWS SDK for Python, to interact with AWS services. From clients to resources to wrappers, tips and examples to boost your…

Read More
  • AWS
  • 11 min read
Optimizing Boto3: Wrapping AWS SDK for Python for Better Performance

Learn how to wrap Boto3, the AWS SDK for Python, to optimize performance and add custom functionality. Tips, examples and best practices to boost you…

Read More
  • AWS
  • 6 min read
Streamline CAS Enrollment with CloudFormation and boto3: A Comprehensive Guide

Get a comprehensive guide on how to streamline CAS enrollment with AWS CloudFormation & boto3, automate resource provisioning and manage permissions …

Read More
  • AWS
  • 3 min read
How to delete AWS S3 bucket?

You can delete an empty Amazon S3 bucket.

Read More
  • AWS
  • 2 min read
View the S3 Bucket Object

A newly created bucket is always private by default and all objects belonging to the bucket is private.

Read More
  • AWS
  • 1 min read
How to upload an object on AWS S3 Bucket?

Click on the bucket name link to navigate inside the bucket. Once inside, you can upload your file.

Read More