ServiceCatalogClient

Service Catalog

Service Catalog  enables organizations to create and manage catalogs of IT services that are approved for Amazon Web Services. To get the most out of this documentation, you should be familiar with the terminology discussed in Service Catalog Concepts .

Installation

NPM
npm install @aws-sdk/client-service-catalog
Yarn
yarn add @aws-sdk/client-service-catalog
pnpm
pnpm add @aws-sdk/client-service-catalog

ServiceCatalogClient Operations

Command
Summary
AcceptPortfolioShareCommand

Accepts an offer to share the specified portfolio.

AssociateBudgetWithResourceCommand

Associates the specified budget with the specified resource.

AssociatePrincipalWithPortfolioCommand

Associates the specified principal ARN with the specified portfolio.

If you share the portfolio with principal name sharing enabled, the PrincipalARN association is included in the share.

The PortfolioID, PrincipalARN, and PrincipalType parameters are required.

You can associate a maximum of 10 Principals with a portfolio using PrincipalType as IAM_PATTERN.

When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is then shared with other accounts. For a user in a recipient account who is not an Service Catalog Admin, but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal name association for the portfolio. Although this user may not know which principal names are associated through Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then Service Catalog recommends using PrincipalType as IAM. With this configuration, the PrincipalARN must already exist in the recipient account before it can be associated.

AssociateProductWithPortfolioCommand

Associates the specified product with the specified portfolio.

A delegated admin is authorized to invoke this command.

AssociateServiceActionWithProvisioningArtifactCommand

Associates a self-service action with a provisioning artifact.

AssociateTagOptionWithResourceCommand

Associate the specified TagOption with the specified portfolio or product.

BatchAssociateServiceActionWithProvisioningArtifactCommand

Associates multiple self-service actions with provisioning artifacts.

BatchDisassociateServiceActionFromProvisioningArtifactCommand

Disassociates a batch of self-service actions from the specified provisioning artifact.

CopyProductCommand

Copies the specified source product to the specified target product or a new product.

You can copy a product to the same account or another account. You can copy a product to the same Region or another Region. If you copy a product to another account, you must first share the product in a portfolio using CreatePortfolioShare.

This operation is performed asynchronously. To track the progress of the operation, use DescribeCopyProductStatus.

CreateConstraintCommand

Creates a constraint.

A delegated admin is authorized to invoke this command.

CreatePortfolioCommand

Creates a portfolio.

A delegated admin is authorized to invoke this command.

CreatePortfolioShareCommand

Shares the specified portfolio with the specified account or organization node. Shares to an organization node can only be created by the management account of an organization or by a delegated administrator. You can share portfolios to an organization, an organizational unit, or a specific account.

Note that if a delegated admin is de-registered, they can no longer create portfolio shares.

AWSOrganizationsAccess must be enabled in order to create a portfolio share to an organization node.

You can't share a shared resource, including portfolios that contain a shared product.

If the portfolio share with the specified account or organization node already exists, this action will have no effect and will not return an error. To update an existing share, you must use the UpdatePortfolioShare API instead.

When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is then shared with other accounts. For a user in a recipient account who is not an Service Catalog Admin, but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal name association for the portfolio. Although this user may not know which principal names are associated through Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then Service Catalog recommends using PrincipalType as IAM. With this configuration, the PrincipalARN must already exist in the recipient account before it can be associated.

CreateProductCommand

Creates a product.

A delegated admin is authorized to invoke this command.

The user or role that performs this operation must have the cloudformation:GetTemplate IAM policy permission. This policy permission is required when using the ImportFromPhysicalId template source in the information data section.

CreateProvisionedProductPlanCommand

Creates a plan.

A plan includes the list of resources to be created (when provisioning a new product) or modified (when updating a provisioned product) when the plan is executed.

You can create one plan for each provisioned product. To create a plan for an existing provisioned product, the product status must be AVAILABLE or TAINTED.

To view the resource changes in the change set, use DescribeProvisionedProductPlan. To create or modify the provisioned product, use ExecuteProvisionedProductPlan.

CreateProvisioningArtifactCommand

Creates a provisioning artifact (also known as a version) for the specified product.

You cannot create a provisioning artifact for a product that was shared with you.

The user or role that performs this operation must have the cloudformation:GetTemplate IAM policy permission. This policy permission is required when using the ImportFromPhysicalId template source in the information data section.

CreateServiceActionCommand

Creates a self-service action.

CreateTagOptionCommand

Creates a TagOption.

DeleteConstraintCommand

Deletes the specified constraint.

A delegated admin is authorized to invoke this command.

DeletePortfolioCommand

Deletes the specified portfolio.

You cannot delete a portfolio if it was shared with you or if it has associated products, users, constraints, or shared accounts.

A delegated admin is authorized to invoke this command.

DeletePortfolioShareCommand

Stops sharing the specified portfolio with the specified account or organization node. Shares to an organization node can only be deleted by the management account of an organization or by a delegated administrator.

Note that if a delegated admin is de-registered, portfolio shares created from that account are removed.

DeleteProductCommand

Deletes the specified product.

You cannot delete a product if it was shared with you or is associated with a portfolio.

A delegated admin is authorized to invoke this command.

DeleteProvisionedProductPlanCommand

Deletes the specified plan.

DeleteProvisioningArtifactCommand

Deletes the specified provisioning artifact (also known as a version) for the specified product.

You cannot delete a provisioning artifact associated with a product that was shared with you. You cannot delete the last provisioning artifact for a product, because a product must have at least one provisioning artifact.

DeleteServiceActionCommand

Deletes a self-service action.

DeleteTagOptionCommand

Deletes the specified TagOption.

You cannot delete a TagOption if it is associated with a product or portfolio.

DescribeConstraintCommand

Gets information about the specified constraint.

DescribeCopyProductStatusCommand

Gets the status of the specified copy product operation.

DescribePortfolioCommand

Gets information about the specified portfolio.

A delegated admin is authorized to invoke this command.

DescribePortfolioShareStatusCommand

Gets the status of the specified portfolio share operation. This API can only be called by the management account in the organization or by a delegated admin.

DescribePortfolioSharesCommand

Returns a summary of each of the portfolio shares that were created for the specified portfolio.

You can use this API to determine which accounts or organizational nodes this portfolio have been shared, whether the recipient entity has imported the share, and whether TagOptions are included with the share.

The PortfolioId and Type parameters are both required.

DescribeProductAsAdminCommand

Gets information about the specified product. This operation is run with administrator access.

DescribeProductCommand

Gets information about the specified product.

Running this operation with administrator access results in a failure. DescribeProductAsAdmin should be used instead.

DescribeProductViewCommand

Gets information about the specified product.

DescribeProvisionedProductCommand

Gets information about the specified provisioned product.

DescribeProvisionedProductPlanCommand

Gets information about the resource changes for the specified plan.

DescribeProvisioningArtifactCommand

Gets information about the specified provisioning artifact (also known as a version) for the specified product.

DescribeProvisioningParametersCommand

Gets information about the configuration required to provision the specified product using the specified provisioning artifact.

If the output contains a TagOption key with an empty list of values, there is a TagOption conflict for that key. The end user cannot take action to fix the conflict, and launch is not blocked. In subsequent calls to ProvisionProduct, do not include conflicted TagOption keys as tags, or this causes the error "Parameter validation failed: Missing required parameter in Tags[N]:Value". Tag the provisioned product with the value sc-tagoption-conflict-portfolioId-productId.

DescribeRecordCommand

Gets information about the specified request operation.

Use this operation after calling a request operation (for example, ProvisionProduct, TerminateProvisionedProduct, or UpdateProvisionedProduct).

If a provisioned product was transferred to a new owner using UpdateProvisionedProductProperties, the new owner will be able to describe all past records for that product. The previous owner will no longer be able to describe the records, but will be able to use ListRecordHistory to see the product's history from when he was the owner.

DescribeServiceActionCommand

Describes a self-service action.

DescribeServiceActionExecutionParametersCommand

Finds the default parameters for a specific self-service action on a specific provisioned product and returns a map of the results to the user.

DescribeTagOptionCommand

Gets information about the specified TagOption.

DisableAWSOrganizationsAccessCommand

Disable portfolio sharing through the Organizations service. This command will not delete your current shares, but prevents you from creating new shares throughout your organization. Current shares are not kept in sync with your organization structure if the structure changes after calling this API. Only the management account in the organization can call this API.

You cannot call this API if there are active delegated administrators in the organization.

Note that a delegated administrator is not authorized to invoke DisableAWSOrganizationsAccess.

If you share an Service Catalog portfolio in an organization within Organizations, and then disable Organizations access for Service Catalog, the portfolio access permissions will not sync with the latest changes to the organization structure. Specifically, accounts that you removed from the organization after disabling Service Catalog access will retain access to the previously shared portfolio.

DisassociateBudgetFromResourceCommand

Disassociates the specified budget from the specified resource.

DisassociatePrincipalFromPortfolioCommand

Disassociates a previously associated principal ARN from a specified portfolio.

The PrincipalType and PrincipalARN must match the AssociatePrincipalWithPortfolio call request details. For example, to disassociate an association created with a PrincipalARN of PrincipalType IAM you must use the PrincipalType IAM when calling DisassociatePrincipalFromPortfolio.

For portfolios that have been shared with principal name sharing enabled: after disassociating a principal, share recipient accounts will no longer be able to provision products in this portfolio using a role matching the name of the associated principal.

For more information, review associate-principal-with-portfolio  in the Amazon Web Services CLI Command Reference.

If you disassociate a principal from a portfolio, with PrincipalType as IAM, the same principal will still have access to the portfolio if it matches one of the associated principals of type IAM_PATTERN. To fully remove access for a principal, verify all the associated Principals of type IAM_PATTERN, and then ensure you disassociate any IAM_PATTERN principals that match the principal whose access you are removing.

DisassociateProductFromPortfolioCommand

Disassociates the specified product from the specified portfolio.

A delegated admin is authorized to invoke this command.

DisassociateServiceActionFromProvisioningArtifactCommand

Disassociates the specified self-service action association from the specified provisioning artifact.

DisassociateTagOptionFromResourceCommand

Disassociates the specified TagOption from the specified resource.

EnableAWSOrganizationsAccessCommand

Enable portfolio sharing feature through Organizations. This API will allow Service Catalog to receive updates on your organization in order to sync your shares with the current structure. This API can only be called by the management account in the organization.

When you call this API, Service Catalog calls organizations:EnableAWSServiceAccess on your behalf so that your shares stay in sync with any changes in your Organizations structure.

Note that a delegated administrator is not authorized to invoke EnableAWSOrganizationsAccess.

If you have previously disabled Organizations access for Service Catalog, and then enable access again, the portfolio access permissions might not sync with the latest changes to the organization structure. Specifically, accounts that you removed from the organization after disabling Service Catalog access, and before you enabled access again, can retain access to the previously shared portfolio. As a result, an account that has been removed from the organization might still be able to create or manage Amazon Web Services resources when it is no longer authorized to do so. Amazon Web Services is working to resolve this issue.

ExecuteProvisionedProductPlanCommand

Provisions or modifies a product based on the resource changes for the specified plan.

ExecuteProvisionedProductServiceActionCommand

Executes a self-service action against a provisioned product.

GetAWSOrganizationsAccessStatusCommand

Get the Access Status for Organizations portfolio share feature. This API can only be called by the management account in the organization or by a delegated admin.

GetProvisionedProductOutputsCommand

This API takes either a ProvisonedProductId or a ProvisionedProductName, along with a list of one or more output keys, and responds with the key/value pairs of those outputs.

ImportAsProvisionedProductCommand

Requests the import of a resource as an Service Catalog provisioned product that is associated to an Service Catalog product and provisioning artifact. Once imported, all supported governance actions are supported on the provisioned product.

Resource import only supports CloudFormation stack ARNs. CloudFormation StackSets, and non-root nested stacks, are not supported.

The CloudFormation stack must have one of the following statuses to be imported: CREATE_COMPLETE, UPDATE_COMPLETE, UPDATE_ROLLBACK_COMPLETE, IMPORT_COMPLETE, and IMPORT_ROLLBACK_COMPLETE.

Import of the resource requires that the CloudFormation stack template matches the associated Service Catalog product provisioning artifact.

When you import an existing CloudFormation stack into a portfolio, Service Catalog does not apply the product's associated constraints during the import process. Service Catalog applies the constraints after you call UpdateProvisionedProduct for the provisioned product.

The user or role that performs this operation must have the cloudformation:GetTemplate and cloudformation:DescribeStacks IAM policy permissions.

You can only import one provisioned product at a time. The product's CloudFormation stack must have the IMPORT_COMPLETE status before you import another.

ListAcceptedPortfolioSharesCommand

Lists all imported portfolios for which account-to-account shares were accepted by this account. By specifying the PortfolioShareType, you can list portfolios for which organizational shares were accepted by this account.

ListBudgetsForResourceCommand

Lists all the budgets associated to the specified resource.

ListConstraintsForPortfolioCommand

Lists the constraints for the specified portfolio and product.

ListLaunchPathsCommand

Lists the paths to the specified product. A path describes how the user gets access to a specified product and is necessary when provisioning a product. A path also determines the constraints that are put on a product. A path is dependent on a specific product, porfolio, and principal.

When provisioning a product that's been added to a portfolio, you must grant your user, group, or role access to the portfolio. For more information, see Granting users access  in the Service Catalog User Guide.

ListOrganizationPortfolioAccessCommand

Lists the organization nodes that have access to the specified portfolio. This API can only be called by the management account in the organization or by a delegated admin.

If a delegated admin is de-registered, they can no longer perform this operation.

ListPortfolioAccessCommand

Lists the account IDs that have access to the specified portfolio.

A delegated admin can list the accounts that have access to the shared portfolio. Note that if a delegated admin is de-registered, they can no longer perform this operation.

ListPortfoliosCommand

Lists all portfolios in the catalog.

ListPortfoliosForProductCommand

Lists all portfolios that the specified product is associated with.

ListPrincipalsForPortfolioCommand

Lists all PrincipalARNs and corresponding PrincipalTypes associated with the specified portfolio.

ListProvisionedProductPlansCommand

Lists the plans for the specified provisioned product or all plans to which the user has access.

ListProvisioningArtifactsCommand

Lists all provisioning artifacts (also known as versions) for the specified product.

ListProvisioningArtifactsForServiceActionCommand

Lists all provisioning artifacts (also known as versions) for the specified self-service action.

ListRecordHistoryCommand

Lists the specified requests or all performed requests.

ListResourcesForTagOptionCommand

Lists the resources associated with the specified TagOption.

ListServiceActionsCommand

Lists all self-service actions.

ListServiceActionsForProvisioningArtifactCommand

Returns a paginated list of self-service actions associated with the specified Product ID and Provisioning Artifact ID.

ListStackInstancesForProvisionedProductCommand

Returns summary information about stack instances that are associated with the specified CFN_STACKSET type provisioned product. You can filter for stack instances that are associated with a specific Amazon Web Services account name or Region.

ListTagOptionsCommand

Lists the specified TagOptions or all TagOptions.

NotifyProvisionProductEngineWorkflowResultCommand

Notifies the result of the provisioning engine execution.

NotifyTerminateProvisionedProductEngineWorkflowResultCommand

Notifies the result of the terminate engine execution.

NotifyUpdateProvisionedProductEngineWorkflowResultCommand

Notifies the result of the update engine execution.

ProvisionProductCommand

Provisions the specified product.

A provisioned product is a resourced instance of a product. For example, provisioning a product that's based on an CloudFormation template launches an CloudFormation stack and its underlying resources. You can check the status of this request using DescribeRecord.

If the request contains a tag key with an empty list of values, there's a tag conflict for that key. Don't include conflicted keys as tags, or this will cause the error "Parameter validation failed: Missing required parameter in Tags[N]:Value".

When provisioning a product that's been added to a portfolio, you must grant your user, group, or role access to the portfolio. For more information, see Granting users access  in the Service Catalog User Guide.

RejectPortfolioShareCommand

Rejects an offer to share the specified portfolio.

ScanProvisionedProductsCommand

Lists the provisioned products that are available (not terminated).

To use additional filtering, see SearchProvisionedProducts.

SearchProductsAsAdminCommand

Gets information about the products for the specified portfolio or all products.

SearchProductsCommand

Gets information about the products to which the caller has access.

SearchProvisionedProductsCommand

Gets information about the provisioned products that meet the specified criteria.

TerminateProvisionedProductCommand

Terminates the specified provisioned product.

This operation does not delete any records associated with the provisioned product.

You can check the status of this request using DescribeRecord.

UpdateConstraintCommand

Updates the specified constraint.

UpdatePortfolioCommand

Updates the specified portfolio.

You cannot update a product that was shared with you.

UpdatePortfolioShareCommand

Updates the specified portfolio share. You can use this API to enable or disable TagOptions sharing or Principal sharing for an existing portfolio share.

The portfolio share cannot be updated if the CreatePortfolioShare operation is IN_PROGRESS, as the share is not available to recipient entities. In this case, you must wait for the portfolio share to be completed.

You must provide the accountId or organization node in the input, but not both.

If the portfolio is shared to both an external account and an organization node, and both shares need to be updated, you must invoke UpdatePortfolioShare separately for each share type.

This API cannot be used for removing the portfolio share. You must use DeletePortfolioShare API for that action.

When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is then shared with other accounts. For a user in a recipient account who is not an Service Catalog Admin, but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal name association for the portfolio. Although this user may not know which principal names are associated through Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then Service Catalog recommends using PrincipalType as IAM. With this configuration, the PrincipalARN must already exist in the recipient account before it can be associated.

UpdateProductCommand

Updates the specified product.

UpdateProvisionedProductCommand

Requests updates to the configuration of the specified provisioned product.

If there are tags associated with the object, they cannot be updated or added. Depending on the specific updates requested, this operation can update with no interruption, with some interruption, or replace the provisioned product entirely.

You can check the status of this request using DescribeRecord.

UpdateProvisionedProductPropertiesCommand

Requests updates to the properties of the specified provisioned product.

UpdateProvisioningArtifactCommand

Updates the specified provisioning artifact (also known as a version) for the specified product.

You cannot update a provisioning artifact for a product that was shared with you.

UpdateServiceActionCommand

Updates a self-service action.

UpdateTagOptionCommand

Updates the specified TagOption.

ServiceCatalogClient Configuration

Parameter
Type
Description
defaultsMode
Optional
DefaultsMode | Provider<DefaultsMode>
The @smithy/smithy-client#DefaultsMode that will be used to determine how certain default configuration options are resolved in the SDK.
disableHostPrefix
Optional
boolean
Disable dynamically changing the endpoint of the client based on the hostPrefix trait of an operation.
extensions
Optional
RuntimeExtension[]
Optional extensions
logger
Optional
Logger
Optional logger for logging debug/info/warn/error.
maxAttempts
Optional
number | Provider<number>
Value for how many times a request will be made at most in case of retry.
profile
Optional
string
Setting a client profile is similar to setting a value for the AWS_PROFILE environment variable. Setting a profile on a client in code only affects the single client instance, unlike AWS_PROFILE.When set, and only for environments where an AWS configuration file exists, fields configurable by this file will be retrieved from the specified profile within that file. Conflicting code configuration and environment variables will still have higher priority.For client credential resolution that involves checking the AWS configuration file, the client's profile (this value) will be used unless a different profile is set in the credential provider options.
region
Optional
string | Provider<string>
The AWS region to which this client will send requests
requestHandler
Optional
__HttpHandlerUserInput
The HTTP handler to use or its constructor options. Fetch in browser and Https in Nodejs.
retryMode
Optional
string | Provider<string>
Specifies which retry algorithm to use.
useDualstackEndpoint
Optional
boolean | Provider<boolean>
Enables IPv6/IPv4 dualstack endpoint.
useFipsEndpoint
Optional
boolean | Provider<boolean>
Enables FIPS compatible endpoints.
Additional config fields are described in the full configuration type: ServiceCatalogClientConfig