Cross-account Amazon Cloud Map namespace sharing
Cross-account Amazon Cloud Map namespace sharing allows namespace owners to share their namespaces with other Amazon Web Services accounts or within an organization in Amazon Organizations for simplified cross-account service discovery and service registry. This allows for easier use of namespaces managed by other Amazon Web Services accounts or teams within an Amazon Organization.
Amazon Cloud Map integrates with Amazon Resource Access Manager (Amazon RAM) to enable resource sharing. Amazon RAM is a service that enables you to share some Amazon Cloud Map resources with other Amazon Web Services accounts or through Amazon Organizations. With Amazon RAM, you share resources that you own by creating a resource share. A resource share specifies the resources to share, and the consumers with whom to share them. Consumers can include:
- Specific Amazon Web Services accounts inside its organization in Amazon Organizations
- An organizational unit inside its organization in Amazon Organizations
- Its entire organization in Amazon Organizations
For more information about Amazon RAM, see the Amazon RAM User Guide.
This topic explains how to share resources that you own, and how to use resources that are shared with you.
Considerations for sharing namespaces
- To share a namespace, you must own it in your Amazon Web Services account. This means that the resource must be allocated or provisioned in your account. You can't share a namespace that has been shared with you.
- To share a namespace with your organization or an organizational unit in Amazon Organizations, you must enable sharing with Amazon Organizations. For more information, see Enable Sharing with Amazon Organizations in the Amazon RAM User Guide.
- For service discovery using DNS queries in a shared private DNS namespace, the namespace owner will need to call CreateVPCAssociationAuthorization with the Id of the private hosted zone associated with the namespace. The namespace consumers will need to call AssociateVPCWithHostedZone with the Id of the private hosted zone. For more information, see CreateVPCAssociationAuthorization and AssociateVPCWithHostedZone in the Route 53 API Reference.
- After discovering up-to-date network locations of services associated with a shared DNS namespace, it may be necessary to configure inter-VPC connectivity to communicate with the services if they are in different VPCs. This can be achieved using a VPC Peering connection. For more information, see Create or delete a VPC Peering connection in the Amazon Virtual Private Cloud VPC Peering guide.
- You can't use ListOperations to list operations on shared namespaces that are performed by other accounts.
- Tagging isn't supported for shared namespaces.
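The owner/consumer exchange for DNS-based discovery described above, written out as an added example (not code from the Cloud Map documentation). The operations are the real Route 53, Cloud Map and RAM API calls in boto3 naming; the namespace id, hosted zone id, account id, Region and VPC id are constructed placeholders, and RecordingClient is a constructed stand-in for a boto3 client that only records the calls so the sequence can be inspected offline. Passing real boto3 clients (`boto3.client("ram")`, `boto3.client("servicediscovery")`, and one `boto3.client("route53")` per account) runs it against AWS. It also shows the step the list does not mention: once the consumer has associated its VPC, the owner removes the standing authorization so the same VPC cannot be re-associated later without the owner's consent.

```python
"""Owner and consumer sides of sharing a private DNS namespace for DNS discovery."""


class RecordingClient:
    """Constructed stand-in for a boto3 client: appends (operation, kwargs) to a
    shared log and returns canned responses in the shape of the real API."""

    def __init__(self, log, hosted_zone_id="Z-EXAMPLE-HOSTED-ZONE"):
        self.log = log
        self.hosted_zone_id = hosted_zone_id

    def __getattr__(self, operation):
        def call(**kwargs):
            self.log.append((operation, kwargs))
            if operation == "get_namespace":
                # Shape of servicediscovery.get_namespace for a private DNS namespace.
                arn = "arn:aws:servicediscovery:us-east-1:111122223333:namespace/" + kwargs["Id"]
                return {"Namespace": {"Arn": arn, "Properties": {
                    "DnsProperties": {"HostedZoneId": self.hosted_zone_id}}}}
            return {}
        return call


def share_namespace(ram, servicediscovery, namespace_id, principals):
    """Owner side: create the RAM resource share for the namespace.

    Returns the hosted zone id backing the namespace; the consumer needs it for
    the DNS association step.
    """
    namespace = servicediscovery.get_namespace(Id=namespace_id)["Namespace"]
    ram.create_resource_share(
        name="cloudmap-" + namespace_id,
        resourceArns=[namespace["Arn"]],
        principals=principals,            # account ids, OU ARNs or the org ARN
        allowExternalPrincipals=False,    # stay inside the organization
    )
    return namespace["Properties"]["DnsProperties"]["HostedZoneId"]


def authorize_consumer_vpc(owner_route53, hosted_zone_id, vpc_region, vpc_id):
    """Owner side: CreateVPCAssociationAuthorization for one consumer VPC."""
    owner_route53.create_vpc_association_authorization(
        HostedZoneId=hosted_zone_id, VPC={"VPCRegion": vpc_region, "VPCId": vpc_id})


def associate_consumer_vpc(consumer_route53, hosted_zone_id, vpc_region, vpc_id):
    """Consumer side: AssociateVPCWithHostedZone so queries resolve in its VPC."""
    consumer_route53.associate_vpc_with_hosted_zone(
        HostedZoneId=hosted_zone_id, VPC={"VPCRegion": vpc_region, "VPCId": vpc_id},
        Comment="Cloud Map shared namespace")


def revoke_vpc_authorization(owner_route53, hosted_zone_id, vpc_region, vpc_id):
    """Owner side: delete the authorization once the association exists.

    The existing association is kept; only the ability to re-associate that VPC
    without a fresh authorization goes away.
    """
    owner_route53.delete_vpc_association_authorization(
        HostedZoneId=hosted_zone_id, VPC={"VPCRegion": vpc_region, "VPCId": vpc_id})


def run_exchange(owner_ram, owner_sd, owner_r53, consumer_r53,
                 namespace_id, consumer_account_id, vpc_region, vpc_id):
    """Run the whole exchange in order and return the hosted zone id used."""
    zone = share_namespace(owner_ram, owner_sd, namespace_id, [consumer_account_id])
    authorize_consumer_vpc(owner_r53, zone, vpc_region, vpc_id)
    associate_consumer_vpc(consumer_r53, zone, vpc_region, vpc_id)
    revoke_vpc_authorization(owner_r53, zone, vpc_region, vpc_id)
    return zone


if __name__ == "__main__":
    # Offline dry run with constructed ids; swap in boto3 clients for a real run.
    log = []
    run_exchange(RecordingClient(log), RecordingClient(log), RecordingClient(log),
                 RecordingClient(log), "ns-example0000000000", "222233334444",
                 "us-east-1", "vpc-0123456789abcdef0")
    for operation, kwargs in log:
        print(operation, kwargs)
```

The owner performs four of the five calls; only AssociateVPCWithHostedZone runs with the consumer's credentials, which is the point of the authorization step: the owner names exactly which VPC may attach, and the consumer cannot attach any other.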
Granting permissions to share a namespace
A minimum set of permissions is required for an IAM principal to share a namespace. We recommend using the AWSCloudMapFullAccess and AWSResourceAccessManagerFullAccess managed policies to ensure your IAM principals have the required permissions to share and use shared namespaces.
If you use a custom IAM policy, the servicediscovery:PutResourcePolicy, servicediscovery:GetResourcePolicy, and servicediscovery:DeleteResourcePolicy actions are required for sharing namespaces. These are permission-only IAM actions. If an IAM principal doesn't have these permissions granted, an error will occur when attempting to share the namespace using Amazon RAM.
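A check for the custom-policy case above, added here as an example (not code from the Cloud Map or Amazon RAM documentation): given an IAM policy document, it reports which of the three permission-only actions the policy does not effectively allow, so the gap surfaces before the Amazon RAM error does. It follows IAM's action-matching rules as far as Allow and Deny effects, Action and NotAction, and case-insensitive `*` and `?` wildcards; resource and condition scoping are deliberately ignored, on the assumption that they do not affect these permission-only actions. The two policy documents are constructed samples.

```python
"""Report which Cloud Map sharing actions a custom IAM policy fails to grant."""
import fnmatch
import json

# The three permission-only actions the documentation requires for sharing.
REQUIRED_SHARING_ACTIONS = (
    "servicediscovery:PutResourcePolicy",
    "servicediscovery:GetResourcePolicy",
    "servicediscovery:DeleteResourcePolicy",
)


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(statement, action):
    """True if the statement's Action/NotAction clause applies to `action`."""
    if "NotAction" in statement:
        return not any(_action_matches(p, action)
                       for p in _as_list(statement["NotAction"]))
    return any(_action_matches(p, action) for p in _as_list(statement.get("Action")))


def missing_sharing_actions(policy_document):
    """Return the required actions this policy does not effectively allow.

    An action counts as allowed when some Allow statement covers it and no Deny
    statement covers it; an explicit Deny always wins, as in IAM evaluation.
    """
    statements = _as_list(policy_document.get("Statement"))
    missing = []
    for action in REQUIRED_SHARING_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _statement_covers(s, action)
                      for s in statements)
        denied = any(s.get("Effect") == "Deny" and _statement_covers(s, action)
                     for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing


# Constructed sample: a custom policy that forgot DeleteResourcePolicy.
INCOMPLETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "servicediscovery:PutResourcePolicy",
        "servicediscovery:GetResourcePolicy"
      ],
      "Resource": "*"
    }
  ]
}""")

# Constructed sample: a wildcard grant with one action carved out by Deny.
WILDCARD_WITH_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "servicediscovery:*ResourcePolicy", "Resource": "*"},
        {"Effect": "Deny", "Action": "servicediscovery:DeleteResourcePolicy", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("incomplete", INCOMPLETE_POLICY),
                      ("wildcard with deny", WILDCARD_WITH_DENY_POLICY)):
        print(name, "->", missing_sharing_actions(doc) or "all sharing actions granted")
```

Both samples come back missing servicediscovery:DeleteResourcePolicy, for different reasons: the first never grants it, the second grants it through the wildcard and then denies it explicitly. A policy that allows servicediscovery:* passes, as does a NotAction statement that excludes only unrelated services.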
For more information about how Amazon RAM uses IAM, see How Amazon RAM uses IAM in the Amazon RAM User Guide.
Responsibilities and permissions for shared namespaces
The namespace owner and consumer can perform different actions on a shared namespace.
Permissions for owners
A namespace owner can perform the following actions on a shared namespace:
- Access services associated with the namespace, including services created by consumer accounts and instances registered to these services.
- Revoke access to the namespace, including access to services created by consumer accounts and instances registered to these services.
- Configure permissions for other accounts to register and deregister instances in services created in the shared namespace by consumers or the namespace owner.
- Delete services and deregister instances, including services created and instances registered by consumer accounts.
- Update or delete a shared namespace.
Permissions for consumers
A namespace consumer can perform the following actions on a shared namespace:
- Create and delete services in the namespace.
- Register and deregister instances in services created in the namespace.
- Discover instances that are registered to services created in the namespace.
A consumer can't update or delete a shared namespace. After losing access to the shared namespace, the consumer accounts will also lose access to services that they created in the namespace.
Billing and metering
Owners are billed for any instances that they register in the shared namespace and any Route 53 health checks that are created when they register these instances. Consumers are billed for any instances that they register in the namespace and any Route 53 health checks that are created when they register these instances. If the shared namespace is a DNS namespace, the namespace owner is billed for the Route 53 DNS records that are created when services are created in the namespace. Owners are billed for any DiscoverInstances and DiscoverInstancesRevision calls they make. Consumers are billed for any DiscoverInstances and DiscoverInstancesRevision calls they make.
Quotas
Shared namespaces count towards only the namespace owner's namespaces per Region quota. Instances registered by a consumer in the shared namespace count towards the owner's instances per namespace quota. If a consumer creates a service in a shared namespace, any instances registered in the service count towards the consumer's instances per service quota. If an owner creates a service in a shared namespace, any instances registered in the service count towards the owner's instances per service quota.