This documentation supports the 20.02 version of BMC Digital Workplace Advanced.


AWS Service Catalog connector

AWS Service Catalog allows IT administrators to create and manage product portfolios, and distribute products from these portfolios to end users. The end users use a personalized portal to access the products. Typical products include servers, databases, websites, or applications that are deployed by using the Amazon Web Services resources (for example, an Amazon EC2 instance or an Amazon RDS database).

The AWS Service Catalog connector enables catalog administrators and internal service suppliers to import services from AWS Service Catalog available in the Amazon Cloud, and provision these services to end users via the BMC Digital Workplace end user console.

The AWS Service Catalog connector is connected to BMC Digital Workplace Catalog through integration with the BMC Integration Service. For more details about this integration type, see Service connector overview.

Related topics

AWS Service Catalog documentation

Service connector overview

Service connector capabilities

Workflows for service fulfillment

Setting up the My Stuff page

Before you begin

  • Register an account in the AWS Cloud. For information about the AWS Service Catalog account creation, see Create and activate the AWS Service Catalog account in the Amazon documentation.
  • Configure a connection to BMC Integration Service in the Application Settings of BMC Digital Workplace Catalog. For details about how to configure the connection, see Integrating BMC Digital Workplace Catalog with BMC Helix Integration Service.

To configure AWS Service Catalog connector

You must configure AWS Service Catalog connector before you can use its capabilities. 

  1. In the AWS Management Console, an AWS administrator must create an AWS authentication user role and IAM user for BMC Digital Workplace Catalog. 
  2. In the BMC Integration Studio, a tenant administrator must configure the AWS Service Catalog connector.
  3. In BMC Digital Workplace Catalog, a catalog administrator must configure a connection with AWS Service Catalog.
  4. In the AWS Management Console, the AWS administrator must add permissions for end users to use services imported from AWS Service Catalog.  

Step 1: Create an AWS authentication user role and IAM user for BMC Digital Workplace Catalog

As an administrator of AWS Service Catalog, perform the following steps:

  1. Create an IAM user. See IAM users for details.
  2. Generate an Access Key ID and a Secret Access Key for the added user. See Access keys in the AWS console for details.
  3. Create an authentication role for the AWS service. See Creating a role to delegate permissions to an IAM user for details.
    Use the following values to create this role:
    • Policy—AWSServiceCatalogEndUserFullAccess
    • Type of trusted entity—AWS service
  4. After you have created the role, update the trust policy by adding the following rows to the JSON:
    "Service":"servicecatalog.amazonaws.com",
    "AWS": "arn:aws:iam::<Your AWS account Id>:user/<your IAM user name>"


    From the Summary page of your role, select Trust Relationships > Edit Trust Relationship, and modify the JSON as shown in the following image:

The following image shows the Summary page of the added role. Review the value of the Role ARN field, and copy it to the clipboard or save it to a local file.
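A check for the trust policy edited in step 4, as an added example that is not part of the BMC or AWS documentation. It confirms that both rows are present in an sts:AssumeRole statement and that no AWS principal other than the connector's IAM user is trusted; the account ID, user name, and function names are placeholders chosen for illustration.

```python
import json

# Constructed sample: a complete trust policy holding the two Principal rows from
# step 4. The account ID and user name are placeholders, not values from the page.
EXPECTED_USER = "arn:aws:iam::111122223333:user/dwp-connector"
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "servicecatalog.amazonaws.com",
                      "AWS": EXPECTED_USER},
        "Action": "sts:AssumeRole",
    }],
})

def _as_list(value):
    """IAM accepts either a single value or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, expected_user_arn):
    """Return findings; an empty list means both step 4 principals are present
    and no other AWS principal is allowed to assume the role."""
    findings, services, aws_principals = [], set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # for example "Principal": "*"
            findings.append("Principal is %r, not a Service/AWS mapping" % principal)
            continue
        services.update(_as_list(principal.get("Service")))
        aws_principals.update(_as_list(principal.get("AWS")))
    if "servicecatalog.amazonaws.com" not in services:
        findings.append("missing Service principal servicecatalog.amazonaws.com")
    if expected_user_arn not in aws_principals:
        findings.append("missing IAM user principal " + expected_user_arn)
    for arn in sorted(aws_principals - {expected_user_arn}):
        findings.append("unexpected AWS principal: " + arn)
    return findings

if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_TRUST_POLICY, EXPECTED_USER) or "trust policy OK")
```

The JSON copied from the Edit Trust Relationship editor can be passed to check_trust_policy in place of the constructed sample.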

Step 2: Configure a connection between BMC Integration Service and AWS Service Catalog

As a tenant administrator of the BMC Integration Service, perform the following steps to configure a connection between BMC Integration Service and AWS Service Catalog:

To create a configuration for the AWS Service Catalog connector

Follow the Adding or updating a configuration instructions in the BMC Integration Service documentation to create the configuration for the AWS Service Catalog connector.

Additionally, configure the following fields: 

  • Region—The value of the AWS region.
  • DWP Role—The value corresponds to the value of the Role ARN field.

The following example shows an added configuration:

To add an account for the AWS Service Catalog connector

Follow the Adding accounts instructions in the BMC Integration Service documentation to create an account.

Complete the Access Key ID and the Secret Access Key fields with the values of your IAM user.


The following example shows an added account:

Step 3: Add and configure the AWS Service Catalog connector in BMC Digital Workplace Catalog

Follow the instructions in Configuring service connectors to create a connection with AWS Service Catalog connector.

The following table describes the parameters required to create a connection:

| Parameter | Examples | Description | Reference topics |
| --- | --- | --- | --- |
| Configuration | Configuration for us-east | Configuration of the connector added in the BMC Integration Service. | Adding or updating a configuration |
| Profile | IT admin | Account name created in the BMC Integration Service. It corresponds to the access key ID for the AWS Service Catalog. | Adding accounts |

Step 4: Add permissions for end users to use services imported from the AWS Service Catalog

Complete the following procedures to grant access for services to BMC Digital Workplace end users: 

  1. Create a product portfolio in the AWS Service Catalog. See Create an AWS Service Catalog portfolio.
  2. Add AWS Service Catalog products to your portfolio. See Adding AWS Marketplace products to your portfolio.
  3. Add your IAM role to the product portfolio. See Grant end users access to the portfolio.
  4. Add constraints to the products in your portfolio. See Using AWS Service Catalog Constraints.

    Note

    You must add the Launch constraint for each product that you add to your portfolio. Without this constraint, end users will be able to find a service in the BMC Digital Workplace end user console, but the service request will fail.

The following image shows an example of a portfolio created for BMC Digital Workplace Catalog.

When an end user uses the BMC Digital Workplace end user console to request a product specified in the Constraints section, the product is launched in the AWS console. A tag that identifies the user who requested the product is recorded in the AWS Console for all created resources and provisioned products.

The following screenshot shows the aws:servicecatalog:provisioningPrincipalArn tag with the value that contains the login ID of the user who requested the service:


Catalog import capabilities

After you configure the AWS Service Catalog connector, you can import services from AWS Service Catalog to BMC Digital Workplace Catalog. For information about how to import services, see Importing service catalog items from external systems.

Import only those services that are specified in the product portfolio created for BMC Digital Workplace Catalog. After you import a service, you can modify the service as required; for example, you can add an SLA or a service price. When the service is ready, make it available to end users, and publish it. For more details about these tasks, see Adding and updating services.

You can import the following details from the AWS Service Catalog:

Note

Products in the AWS Service Catalog can have multiple versions. Each AWS Product version for BMC Digital Workplace Catalog is imported as a separate service.

For example, a DynamoDB product with three versions in AWS Service Catalog is imported to BMC Digital Workplace Catalog as three services:

  • DynamoDB - 1
  • DynamoDB - 2
  • DynamoDB - 3

Profile details

The following details are imported from a product in AWS Service Catalog:

  • Product - Version Description—Is mapped to the service excerpt
  • Product Description—Is mapped to the service description

Note

When a service is imported from AWS Service Catalog, it has the AWS default logo. This logo is the same for all services imported from AWS Service Catalog.

Workflow

A service workflow imported from AWS Service Catalog can be viewed in the UI and JSON.

An imported workflow includes specific workflow actions available through AWS Service Catalog connector, and the common workflow actions such as Send Email, Track External Activity, Build Input Set, and Receive Task. For more information about these workflow elements, see Workflow designer elements overview.

An imported workflow can contain one or more Build Input Set elements that contain Parameters and TagOptions, and each element can have a maximum of 10 of them.

If an imported service includes the Send Email workflow element, an email is sent to end users who request this service from the AWS Service Catalog. End users receive emails when services are successfully provisioned, and when services are not provisioned (failed in the AWS Console).

Note

Emails are sent to service requesters only if the SMTP settings are configured on the BMC Digital Workplace Catalog server. For more information, see Configuring SMTP for BMC Digital Workplace Catalog.

Questionnaire

All questions and data sets associated with the questions are imported from the AWS Service Catalog connector.

Best Practice

For the imported questionnaire, we recommend that you set all questions to Required.

A questionnaire attached to an imported service can include process questions built on the following information from the AWS Console:

AWS template

Process questions available in a questionnaire are built on a default AWS Dynamo DB template. The questionnaire can have process questions with default values (such as ReadCapacityUnits, WriteCapacityUnits, HashKeyElementType) and without default values (requiring user input).

The following table describes some questions without default answers:

| Imported questions | Description |
| --- | --- |
| ProvisionedProductName | Name of a product provisioned in AWS. Note: This value must be unique in the AWS Service Catalog console, and must not contain spaces. |
| Public key of the key pair to enable SSH access | A value of the public key required to connect to an AWS instance. End users who request an AWS service need to generate a key pair (private and public key) by using any third-party tool. The end users must keep the private key safe, and enter the public key value into a text area (as shown in an example of a questionnaire with a public key question). |
| HashKeyElementName | Name of a key pair saved in the AWS Service Catalog console. This value is required to launch an AWS instance. During the launch of a product, a unique key pair name is created inside the EC2 Console, in the Parameters > KeyPairName section. Each time an end user requests a product by using the public key, the same public key name is reused. |

AWS specific parameters

An imported questionnaire can include AWS specific parameters. For details about these parameters, see AWS specific parameters.

Note

A questionnaire in BMC Digital Workplace with a selection question that should retrieve the Security Group IDs data set from the AWS Console displays the Group Names data set. When an end user selects any security group name value from the list, the value of the group ID is displayed.

A questionnaire in BMC Digital Workplace with a selection question that should retrieve the Route 53 Hosted IDs data set from the AWS Console displays the Route 53 Hosted Names data set. When an end user selects any hosted name value from the list, the value of the hosted ID is displayed.

TagOptions

TagOptions are imported from a portfolio and a product. TagOptions are imported as questions. The TagOptions questions can have default values or a few values to select.

Workflow actions available through AWS Service Catalog connector 

The AWS Service Catalog connector provides the Launch Service Catalog Product action available from the Connector workflow element. This action launches a service in the AWS Service Catalog.

This action cannot be edited, and the parameters of this action are not displayed in the UI view, but they can be viewed in the JSON view. 

Default service actions 

The AWS Service Catalog connector provides a predefined service action: Terminate. It is available for end users who have requested AWS services. By using this action, end users can terminate the provisioned service. When the provisioned service is terminated, it is not available to them on their My Stuff page. For more details about predefined service actions, see Setting up the My Stuff page.

Example of an imported service from the AWS Service Catalog

When a service is imported, both workflows and questionnaires are successfully imported from the AWS Service Catalog. 

The following example shows an imported workflow:

The following example shows an imported questionnaire:

The following example shows a service request questionnaire displayed to an end user:
