# Shared Amazon Cloud Map namespaces
<a name="sharing-namespaces"></a>

Amazon Cloud Map allows namespace owners to share their namespaces with other Amazon Web Services accounts, or with an organization or organizational unit in Amazon Organizations, so that several accounts can register and discover services in one namespace. The owning account keeps control of the namespace; consumer accounts use it without each having to create and operate a copy of their own.

Amazon Cloud Map integrates with Amazon Resource Access Manager (Amazon RAM) to enable resource sharing. Amazon RAM is a service that enables you to share some Amazon Cloud Map resources with other Amazon Web Services accounts or through Amazon Organizations. With Amazon RAM, you share resources that you own by creating a *resource share*. A resource share specifies the resources to share, and the consumers with whom to share them. Consumers can include:
+ Specific Amazon Web Services accounts inside your organization in Amazon Organizations
+ An organizational unit inside your organization in Amazon Organizations
+ Your entire organization in Amazon Organizations

For more information about Amazon RAM, see the *[Amazon RAM User Guide](https://docs.amazonaws.cn/ram/latest/userguide/)*.

This topic explains how to share resources that you own, and how to use resources that are shared with you.

**Topics**
+ [Considerations for sharing namespaces](#sharing-considerations)
+ [Sharing an Amazon Cloud Map namespace](sharing-share.md)
+ [Stop sharing an Amazon Cloud Map namespace](sharing-unshare.md)
+ [Identifying a shared Amazon Cloud Map namespace](sharing-identify.md)
+ [Granting permissions to share a namespace](#granting-perms-to-share)
+ [Responsibilities and permissions for shared namespaces](#sharing-perms)
+ [Billing and metering](#sharing-billing)
+ [Quotas](#sharing-quotas)

## Considerations for sharing namespaces
<a name="sharing-considerations"></a>
+ To share a namespace, you must own it in your Amazon Web Services account. This means that the resource must be allocated or provisioned in your account. You can't share a namespace that has been shared with you.
+ To share a namespace with your organization or an organizational unit in Amazon Organizations, you must enable sharing with Amazon Organizations. For more information, see [ Enable Sharing with Amazon Organizations](https://docs.amazonaws.cn/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *Amazon RAM User Guide*.
+ For service discovery using DNS queries in a shared private DNS namespace, the consumer's VPC must be associated with the private hosted zone that backs the namespace. The hosted zone belongs to the owner's account (its ID is returned by `aws servicediscovery get-namespace` as `Namespace.Properties.DnsProperties.HostedZoneId`), so the owner first authorizes the association by calling `create-vpc-association-authorization` with the hosted zone ID and the consumer's VPC. One authorization is needed per consumer VPC.

  ```
  # Run with the namespace owner's credentials
  aws route53 create-vpc-association-authorization --hosted-zone-id {{Z1234567890ABC}} --vpc VPCRegion={{us-east-1}},VPCId={{vpc-12345678}}
  ```

  The namespace consumer then calls `associate-vpc-with-hosted-zone` with the same hosted zone ID and VPC.

  ```
  # Run with the consumer's credentials
  aws route53 associate-vpc-with-hosted-zone --hosted-zone-id {{Z1234567890ABC}} --vpc VPCRegion={{us-east-1}},VPCId={{vpc-12345678}}
  ```

  Once the association exists, the owner should remove the authorization with `delete-vpc-association-authorization`. The association is unaffected, but an authorization that is left in place lets the VPC be associated with the hosted zone again later without a fresh approval from the owner. For more information, see [Associating an Amazon VPC and a private hosted zone that you created with different Amazon Web Services accounts](https://docs.amazonaws.cn/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html) in the *Amazon Route 53 Developer Guide*.
+ Discovering a service, whether by DNS query or by `DiscoverInstances`, only returns the network location of its instances; it does not make them reachable. If the instances are in a different VPC from the caller, you must also configure inter-VPC connectivity, for example a VPC peering connection. For more information, see [Create or delete a VPC Peering connection](https://docs.amazonaws.cn/vpc/latest/peering/create-vpc-peering-connection.html) in the *Amazon Virtual Private Cloud VPC Peering guide*.
+ You can't use `ListOperations` to list operations on shared namespaces that are performed by other accounts.
+ Tagging isn't supported for shared namespaces.
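The Route 53 steps above, as an added example that is not part of the original page or of Amazon's own documentation: a small POSIX shell script that wraps the owner's authorize step, the consumer's associate step, and the owner's clean-up of the authorization. The hosted zone ID, Region, and VPC ID are constructed placeholders, the hosted-zone lookup via `get-namespace` assumes a DNS namespace, and the script expects you to run the owner and consumer functions under the matching account's credentials (for example by setting `AWS_PROFILE`). By default it only prints the `aws` commands it would run; set `DRY_RUN=0` to execute them.

```shell
#!/bin/sh
# Added example, not from the Amazon Cloud Map documentation: the Route 53 side
# of DNS discovery for a consumer VPC in a shared private DNS namespace.
# Assumptions: ZONE_ID, REGION and CONSUMER_VPC are placeholders; owner_* functions
# run with the namespace owner's credentials, consumer_* with the consumer's.
# DRY_RUN=1 (default) prints each aws command instead of executing it.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Reject malformed IDs before they reach the API: an authorization for the
# wrong hosted zone or VPC is a silent mistake, not an error.
valid_zone_id() { case "$1" in Z[A-Z0-9]*) return 0 ;; *) return 1 ;; esac; }
valid_vpc_id()  { case "$1" in vpc-[0-9a-f]*) return 0 ;; *) return 1 ;; esac; }

# Owner account: look up the private hosted zone that backs a DNS namespace.
owner_hosted_zone_id() {
  run aws servicediscovery get-namespace --id "$1" \
    --query 'Namespace.Properties.DnsProperties.HostedZoneId' --output text
}

# Owner account: authorize one consumer VPC to associate with the hosted zone.
# Arguments: hosted-zone-id region vpc-id
owner_authorize() {
  valid_zone_id "$1" && valid_vpc_id "$3" || { echo "bad hosted zone or VPC id" >&2; return 1; }
  run aws route53 create-vpc-association-authorization \
    --hosted-zone-id "$1" --vpc "VPCRegion=$2,VPCId=$3"
}

# Consumer account: associate its VPC with the owner's hosted zone.
consumer_associate() {
  valid_zone_id "$1" && valid_vpc_id "$3" || { echo "bad hosted zone or VPC id" >&2; return 1; }
  run aws route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$1" --vpc "VPCRegion=$2,VPCId=$3"
}

# Owner account: remove the authorization once the association exists. The
# association survives; a standing authorization would let the VPC be
# re-associated later without a new approval from the owner.
owner_revoke_authorization() {
  run aws route53 delete-vpc-association-authorization \
    --hosted-zone-id "$1" --vpc "VPCRegion=$2,VPCId=$3"
}

# Constructed placeholder values for the walkthrough.
ZONE_ID="Z1234567890ABC"
REGION="us-east-1"
CONSUMER_VPC="vpc-12345678"

owner_authorize "$ZONE_ID" "$REGION" "$CONSUMER_VPC"          # owner credentials
consumer_associate "$ZONE_ID" "$REGION" "$CONSUMER_VPC"       # consumer credentials
owner_revoke_authorization "$ZONE_ID" "$REGION" "$CONSUMER_VPC"  # owner credentials
```

Run the three calls in order, switching credentials between them; the authorize and revoke steps both need Route 53 permissions on the owner's hosted zone, the associate step needs `ec2:DescribeVpcs` and `route53:AssociateVPCWithHostedZone` in the consumer account.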

## Granting permissions to share a namespace
<a name="granting-perms-to-share"></a>

A minimum set of permissions is required for an IAM principal to share a namespace. The `AWSCloudMapFullAccess` and `AWSResourceAccessManagerFullAccess` managed policies are the quickest way to give IAM principals everything they need to share and use shared namespaces. Both grant far more than sharing requires, so for production principals prefer a custom policy scoped to the namespaces that are actually being shared.

If you use a custom IAM policy, the `servicediscovery:PutResourcePolicy`, `servicediscovery:GetResourcePolicy`, and `servicediscovery:DeleteResourcePolicy` actions are required for sharing namespaces. These are permission-only IAM actions: there is no API operation of the same name for you to call, but Amazon RAM invokes them on your behalf when it creates, reads, or removes the resource policy that implements the share. If an IAM principal doesn't have these permissions granted, an error will occur when attempting to share the namespace using Amazon RAM.
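A custom policy of the kind described above, as an added example that is not part of the original page. The first statement holds the three permission-only actions the page names; the account ID and namespace ID in its ARN are placeholders, and scoping that statement to a single namespace ARN is an assumption (widen `Resource` to `"*"` if the actions do not accept resource-level permissions in your Region). The second statement's RAM actions are the ones a principal typically needs to create and manage the resource share; they are taken from the Amazon RAM action list, not from this page, and can be narrowed further with RAM condition keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudMapNamespaceSharePolicy",
      "Effect": "Allow",
      "Action": [
        "servicediscovery:PutResourcePolicy",
        "servicediscovery:GetResourcePolicy",
        "servicediscovery:DeleteResourcePolicy"
      ],
      "Resource": "arn:aws:servicediscovery:us-east-1:111122223333:namespace/ns-EXAMPLE11111111"
    },
    {
      "Sid": "RamResourceShareManagement",
      "Effect": "Allow",
      "Action": [
        "ram:CreateResourceShare",
        "ram:AssociateResourceShare",
        "ram:DisassociateResourceShare",
        "ram:DeleteResourceShare",
        "ram:GetResourceShares",
        "ram:GetResourceShareAssociations"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach the policy to the principal that will create the resource share in the owner account; consumer principals do not need the `servicediscovery:*ResourcePolicy` actions, only the regular Cloud Map permissions for the service and instance operations they perform.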

For more information about how Amazon RAM uses IAM, see [How Amazon RAM uses IAM](https://docs.amazonaws.cn/ram/latest/userguide/security-iam-policies.html) in the *Amazon RAM User Guide*.

## Responsibilities and permissions for shared namespaces
<a name="sharing-perms"></a>

The namespace owner and consumer can perform different actions on a shared namespace.

### Permissions for owners
<a name="perms-owner"></a>

A namespace owner can perform the following actions on a shared namespace:
+ Access services associated with the namespace, including services created by consumer accounts and instances registered to these services.
+ Revoke access to the namespace, including access to services created by consumer accounts and instances registered to these services.
+ Configure permissions for other accounts to register and deregister instances in services created in the shared namespace by consumers or the namespace owner.
+ Delete services and deregister instances, including services created and instances registered by consumer accounts.
+ Update or delete a shared namespace.

### Permissions for consumers
<a name="perms-consumer"></a>

A namespace consumer can perform the following actions on a shared namespace:
+ Create and delete services in the namespace.
+ Register and deregister instances in services created in the namespace.
+ Discover instances that are registered to services created in the namespace.

A consumer can't update or delete a shared namespace. If the share is revoked, or the consumer is removed from it, the consumer account also loses access to the services it created in the namespace and the instances it registered there; those services and instances remain in the namespace under the owner's control, and only the owner can then clean them up.

## Billing and metering
<a name="sharing-billing"></a>

Each account, owner or consumer, is billed for the instances it registers in the shared namespace, for any Route 53 health checks that are created when it registers those instances, and for any `DiscoverInstances` and `DiscoverInstancesRevision` calls it makes. If the shared namespace is a DNS namespace, the namespace owner is additionally billed for the Route 53 DNS records that are created when services are created in the namespace, whichever account creates them.

## Quotas
<a name="sharing-quotas"></a>

Shared namespaces count towards quotas as follows:
+ A shared namespace counts only towards the namespace owner's namespaces per Region quota.
+ Instances registered by a consumer in the shared namespace count towards the owner's instances per namespace quota.
+ If a consumer creates a service in a shared namespace, any instances registered in the service count towards the consumer's instances per service quota.
+ If an owner creates a service in a shared namespace, any instances registered in the service count towards the owner's instances per service quota.