top of page
  • Mahesh Rayas

Using AWS Service Catalog with cloudformation-seed

AWS Service Catalog is a managed service by AWS to create and manage products (AWS service) centrally. Many case studies on managing infrastructure can be found in But this blog will introduce how AWS Service Catalog can be used to create, update and terminate AWS Services. How I see AWS Service Catalog is, It’s a nice-looking GUI for AWS Cloudformation. S3 Url of AWS Cloudformation template can be passed as a parameter to AWS Service Catalog Product and when the product is ready, the AWS Cloudformation will be rendered into UI. The parameters in Cloudformation can be rendered as Textbox, Dropdown with proper HTML labels. Once the values are entered on the screen, the product can be created/updated/terminated.

Core Components of AWS Service catalog

  • Products : Each imported cloudformation template can be termed as a product, and the cloudformation template can have as many numbers of valid AWS Resources. Multiple version of the same product is created by importing the updated cloudformation template. The cloudformation template can be stored in AWS S3 and can be imported into AWS Service Catalog by passing the S3 URL. Below is the cloudformation template of the product

    Type: AWS::ServiceCatalog::CloudFormationProduct
        Owner: !Ref ProductOwner
        SupportDescription: !Ref ProductSupportDescription
        SupportEmail: !Ref ProductSupportEmail
        SupportUrl: !Ref ProductSupportUrl
        Description: Product to create IAM Roles for a Account
        Name: Provision IAM Roles
    -   Description: Create Stacket Roles
        LoadTemplateFromURL: !Ref ProductTemplateUrlV1
        Name: Create Roles V1
    -   Description: Create Stacket Roles and Kinesis role
        LoadTemplateFromURL: !Ref ProductTemplateUrlV2
        Name: Create Roles V2
  • Portfolio : Multiple products can be assigned to a Portfolio. Portfolios help manage product configuration, and who can use specific products and how they can use them. Users, Roles, and Groups can be added in Portfolio for granting access to the products added in Portfolio. A portfolio can be shared with member accounts by referencing an existing organizational unit or organization ID without leaving the AWS Service Catalog. In the below cfn template, “AWS::ServiceCatalog::PortfolioPrincipalAssociation” this portfolio is been granted access to arn:aws:iam::${AWS::AccountId}:role/role-name. So any IAM Users associated with the attached roles will have access to the product.

    Type: AWS::ServiceCatalog::Portfolio
        ProviderName: !Ref ProductOwner
        DisplayName: Create Roles
    - ProvisionPortfolio
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
        PortfolioId: !Ref ProvisionPortfolio
        ProductId: !Ref CreateRoles
    - ProvisionPortfolio
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
        PrincipalARN: !Sub arn:aws:iam::${AWS::AccountId}:role/role-name
        PortfolioId: !Ref ProvisionPortfolio
        PrincipalType: IAM

Provisioning the AWS Service Catalog using cloudformation-seed

cloudformation-seed can be used as a submodule in your project or can be installed as a binary using

$ pip3 install cloudformation-seed 

The purpose of using cloudformation-seed is that it can create an AWS Service catalog from the cloudformation template as well as it can create a product and portfolio for you and ready to use recipe. Below is the example repo on how to structure your project for using cloudformation-seed.

Once the project structure is ready, you can run

$ make root 

Launching the product

Login to AWS Console with the IAM role which has access to the AWS Service catalog product. Search for AWS Service Catalog in the search bar. After landing in AWS Service Catalog, Click on the product list in the left panel. In the product list, “Provision IAM Roles” created by cloudformation-seed will be visible. Select the dropdown and click on the product. Select the “Create Roles V1”, enter the mandatory values and Launch product. This would create an IAM role and policy with the policy name entered on the UI.

Updating the product

Similar to AWS Cloudformation update functionality, AWS Service catalog allows updating the provisioned product. As seen in the project structure under servicecatalog, a new folder can be added and create the updated cloudformation template. Accordingly, should be updated so that the product has a new version. Post updating of template, run bash make root cloudformation-seed would update the AWS Service catalog with the new version and lets the users update the previously launched product with the updated one. Users can select the “Provisioned products list” and click ‘Update’. It will allow users to select a version that needs to be updated.

Terminating the product

AWS Service Catalog lets the user terminate the products/services created. Select the “Provisioned products list”, it would display the list of provisioned product. Select the product and Terminate it. Adding your banner AWS Service Catalog also provides a feature to update the banner with the personal logo. Select the preference and select the logo to update the banner.


The blog gives a very basic use case of using AWS Service Catalog with cloudformation-seed. Using this framework, AWS Service Catalog can be used to build complex catalogs in the area of Multi-account setup, its configuration and also creating and updating AWS Services. AWS Service Catalog also gives the flexibility of governing and organizing the multiple accounts from a central (root) account.


bottom of page