Copyright | (c) 2013-2023 Brendan Hay |
---|---|
License | Mozilla Public License, v. 2.0. |
Maintainer | Brendan Hay |
Stability | auto-generated |
Portability | non-portable (GHC extensions) |
Safe Haskell | Safe-Inferred |
Language | Haskell2010 |
Shares the specified portfolio with the specified account or organization node. Shares to an organization node can only be created by the management account of an organization or by a delegated administrator. You can share portfolios to an organization, an organizational unit, or a specific account.
Note that if a delegated admin is de-registered, they can no longer create portfolio shares.
AWSOrganizationsAccess must be enabled in order to create a portfolio share to an organization node.
You can't share a shared resource, including portfolios that contain a shared product.
If the portfolio share with the specified account or organization node already exists, this action will have no effect and will not return an error. To update an existing share, you must use the UpdatePortfolioShare API instead.
When you associate a principal with a portfolio, a potential privilege escalation path may occur when that portfolio is then shared with other accounts. For a user in a recipient account who is not a Service Catalog Admin, but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal name association for the portfolio. Although this user may not know which principal names are associated through Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then Service Catalog recommends using PrincipalType as IAM. With this configuration, the PrincipalARN must already exist in the recipient account before it can be associated.
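The request described above, built with principal sharing explicitly off and passed through a local pre-send review, as an added example that is not part of the generated amazonka documentation. It assumes the module name Amazonka.ServiceCatalog.CreatePortfolioShare, the microlens operators from Lens.Micro (any van Laarhoven lens library works), and a placeholder portfolio ID; accountShare and reviewShare are hypothetical helpers.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example; not part of the generated amazonka documentation.
module Main (main) where

import qualified Amazonka
-- Assumed module name for the request type and lenses on this page.
import Amazonka.ServiceCatalog.CreatePortfolioShare
import Data.Maybe (isJust)
import Data.Text (Text)
import Lens.Micro ((&), (?~), (^.))

-- | Hypothetical helper: share a portfolio with a single account, with
-- principal and TagOptions sharing switched off explicitly instead of
-- relying on the "flag not provided" default.
accountShare :: Text -> Text -> CreatePortfolioShare
accountShare portfolioId accountId =
  newCreatePortfolioShare portfolioId
    & createPortfolioShare_accountId ?~ accountId
    & createPortfolioShare_sharePrincipals ?~ False
    & createPortfolioShare_shareTagOptions ?~ False

-- | Hypothetical local review: findings someone should acknowledge
-- before the request is sent. An empty list means nothing was flagged.
reviewShare :: CreatePortfolioShare -> [Text]
reviewShare req =
  [ "sharePrincipals enabled: recipient principals matching an associated \
    \IAM pattern can provision products from this portfolio"
  | req ^. createPortfolioShare_sharePrincipals == Just True
  ]
    ++ [ "organization node target: AWSOrganizationsAccess must be enabled"
       | isJust (req ^. createPortfolioShare_organizationNode)
       ]

main :: IO ()
main = do
  -- "port-EXAMPLE" is a placeholder; 123456789012 is the page's sample ID.
  let req = accountShare "port-EXAMPLE" "123456789012"
  case reviewShare req of
    [] -> do
      env <- Amazonka.newEnv Amazonka.discover
      resp <- Amazonka.runResourceT (Amazonka.send env req)
      print (resp ^. createPortfolioShareResponse_httpStatus)
      -- The token is only returned for organization-node shares.
      print (resp ^. createPortfolioShareResponse_portfolioShareToken)
    findings -> mapM_ print findings
```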
Synopsis
- data CreatePortfolioShare = CreatePortfolioShare' {}
- newCreatePortfolioShare :: Text -> CreatePortfolioShare
- createPortfolioShare_acceptLanguage :: Lens' CreatePortfolioShare (Maybe Text)
- createPortfolioShare_accountId :: Lens' CreatePortfolioShare (Maybe Text)
- createPortfolioShare_organizationNode :: Lens' CreatePortfolioShare (Maybe OrganizationNode)
- createPortfolioShare_sharePrincipals :: Lens' CreatePortfolioShare (Maybe Bool)
- createPortfolioShare_shareTagOptions :: Lens' CreatePortfolioShare (Maybe Bool)
- createPortfolioShare_portfolioId :: Lens' CreatePortfolioShare Text
- data CreatePortfolioShareResponse = CreatePortfolioShareResponse' {}
- newCreatePortfolioShareResponse :: Int -> CreatePortfolioShareResponse
- createPortfolioShareResponse_portfolioShareToken :: Lens' CreatePortfolioShareResponse (Maybe Text)
- createPortfolioShareResponse_httpStatus :: Lens' CreatePortfolioShareResponse Int
Creating a Request
data CreatePortfolioShare
See: newCreatePortfolioShare smart constructor.
newCreatePortfolioShare
Create a value of CreatePortfolioShare with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:acceptLanguage:CreatePortfolioShare', createPortfolioShare_acceptLanguage - The language code.
- en - English (default)
- jp - Japanese
- zh - Chinese
$sel:accountId:CreatePortfolioShare', createPortfolioShare_accountId - The Amazon Web Services account ID. For example, 123456789012.
$sel:organizationNode:CreatePortfolioShare', createPortfolioShare_organizationNode - The organization node to whom you are going to share. When you pass OrganizationNode, it creates PortfolioShare for all of the Amazon Web Services accounts that are associated to the OrganizationNode. The output returns a PortfolioShareToken, which enables the administrator to monitor the status of the PortfolioShare creation process.
CreatePortfolioShare, createPortfolioShare_sharePrincipals - Enables or disables Principal sharing when creating the portfolio share. If this flag is not provided, principal sharing is disabled.
When you enable Principal Name Sharing for a portfolio share, end users in the share recipient account with a principal that matches any of the associated IAM patterns can provision products from the portfolio. Once shared, the share recipient can view associations of PrincipalType: IAM_PATTERN on their portfolio. You can create the principals in the recipient account before or after creating the share.
CreatePortfolioShare, createPortfolioShare_shareTagOptions - Enables or disables TagOptions sharing when creating the portfolio share. If this flag is not provided, TagOptions sharing is disabled.
CreatePortfolioShare, createPortfolioShare_portfolioId - The portfolio identifier.
Request Lenses
createPortfolioShare_acceptLanguage :: Lens' CreatePortfolioShare (Maybe Text)
The language code.
- en - English (default)
- jp - Japanese
- zh - Chinese
createPortfolioShare_accountId :: Lens' CreatePortfolioShare (Maybe Text)
The Amazon Web Services account ID. For example, 123456789012.
createPortfolioShare_organizationNode :: Lens' CreatePortfolioShare (Maybe OrganizationNode)
The organization node to whom you are going to share. When you pass OrganizationNode, it creates PortfolioShare for all of the Amazon Web Services accounts that are associated to the OrganizationNode. The output returns a PortfolioShareToken, which enables the administrator to monitor the status of the PortfolioShare creation process.
createPortfolioShare_sharePrincipals :: Lens' CreatePortfolioShare (Maybe Bool)
Enables or disables Principal sharing when creating the portfolio share. If this flag is not provided, principal sharing is disabled.
When you enable Principal Name Sharing for a portfolio share, end users in the share recipient account with a principal that matches any of the associated IAM patterns can provision products from the portfolio. Once shared, the share recipient can view associations of PrincipalType: IAM_PATTERN on their portfolio. You can create the principals in the recipient account before or after creating the share.
createPortfolioShare_shareTagOptions :: Lens' CreatePortfolioShare (Maybe Bool)
Enables or disables TagOptions sharing when creating the portfolio share. If this flag is not provided, TagOptions sharing is disabled.
createPortfolioShare_portfolioId :: Lens' CreatePortfolioShare Text
The portfolio identifier.
Destructuring the Response
data CreatePortfolioShareResponse
See: newCreatePortfolioShareResponse smart constructor.
newCreatePortfolioShareResponse
Create a value of CreatePortfolioShareResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:portfolioShareToken:CreatePortfolioShareResponse', createPortfolioShareResponse_portfolioShareToken - The portfolio share's unique identifier, which is returned only if the portfolio is shared to an organization node.
$sel:httpStatus:CreatePortfolioShareResponse', createPortfolioShareResponse_httpStatus - The response's HTTP status code.
Response Lenses
createPortfolioShareResponse_portfolioShareToken :: Lens' CreatePortfolioShareResponse (Maybe Text)
The portfolio share's unique identifier, which is returned only if the portfolio is shared to an organization node.
createPortfolioShareResponse_httpStatus :: Lens' CreatePortfolioShareResponse Int
The response's HTTP status code.