Seller issued licenses in License Manager - Amazon License Manager
EntitlementsLicense usageRequirementsCreating seller issued licensesGranting licenses to customersGetting temporary credentials for customers without an Amazon accountConsuming licensesDeleting seller issued licenses
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Seller issued licenses in License Manager

Independent software vendors (ISVs) can use Amazon License Manager to manage and distribute software licenses to end-users. As an issuer, you can track the usage of your seller issued licenses centrally using the License Manager dashboard.

License Manager uses open, secure, industry standards for representing licenses and allows customers to cryptographically verify their authenticity. License Manager associates each license with an asymmetric key. As the ISV, you own the asymmetric Amazon KMS keys and store them in your account.

Seller issued licenses require cross-Region replication of license metadata. License Manager automatically replicates each seller issued license and its associated information to other Regions.

License Manager supports a variety of different licensing models including the following:

  • Perpetual – Lifetime licenses with no expiration date that authorize users to use the software indefinitely.

  • Floating – Shareable licenses with multiple instances of the application. Licenses can be prepaid and a fixed set of entitlements added to them.

  • Subscription – Licenses with expiration dates that can be automatically renewed unless specifically deactivated.

  • Usage-based – Licenses with specific terms based on usage, such as the number of API requests, transactions, or storage capabilities.

You can create licenses in License Manager and distribute them to customers using an Amazon IAM identity or through bearer tokens generated by License Manager. Customers with an Amazon account can re-distribute the license entitlements to Amazon identities in their respective organizations. Customers with distributed entitlements can check out and check in the required entitlements from that license through your software integration with License Manager.

Entitlements

License Manager captures license capabilities as entitlements in the license. Entitlements can be characterized with a limited or unlimited quantity. An example of a limited entitlement is ‘40 GB of data transfer’. An example of an unlimited quantity entitlement is ‘Platinum Tier’.

A license captures all the granted entitlements, the activation and expiration dates, and the issuer details. A license is a versioned entity and each version is immutable. License versions are updated whenever the license is changed.

To check out or check in limited entitlements, ISV applications must specify the amount of each limited capacity. For unlimited entitlements, ISV applications can simply specify the relevant entitlement to check out or check in again. Finally, limited capabilities also support an “overage” flag, which indicates if end-users can exceed their usage of the initial entitlements. License Manager tracks and reports usage, along with any overages, to the ISV.

License usage

License Manager allows you to centrally track licenses across multiple Regions, by maintaining a count of all the checked out entitlements. License Manager also tracks the identity of the user and the underlying resource identifier, if available, associated with each check out, along with when it was checked out. You can track this time-series data through CloudWatch Events.

Licenses may be in one of the following states:

  • Created – The license is created.

  • Updated – The license is updated.

  • Deactivated – The license is deactivated.

  • Deleted – The license is deleted.

Requirements

To get started with this feature, you need permission to call the following License Manager API actions.

{ 
    "Version": "2012-10-17",     
    "Statement": [ 
      { 
        "Effect": "Allow",
        "Action": [
            "license-manager:CreateLicense",
            "license-manager:CreateLicenseVersion",
            "license-manager:ListLicenses",
            "license-manager:ListLicenseVersions",
            "license-manager:GetLicense",
            "license-manager:DeleteLicense",
            "license-manager:CheckoutLicense",
            "license-manager:CheckInLicense",
            "license-manager:ExtendLicenseConsumption",
            "license-manager:GetLicenseUsage",
            "license-manager:CreateGrant",
            "license-manager:CreateGrantVersion",
            "license-manager:DeleteGrant",
            "license-manager:GetGrant",
            "license-manager:ListDistributedGrants"
        ], 
        "Resource": "*"
      } 
    ] 
}

If you will integrate with License Manager so customers without an Amazon account can consume licenses sold outside of Amazon Web Services Marketplace, you must create a role that enables your software application to call the License Manager API. For example, you can use the Amazon CLI. First, use the create-role command to create a role named AWSLicenseManagerConsumptionRole.

aws iam create-role 
    --role-name AWSLicenseManagerConsumptionRole 
    --description "Role used to consume licenses using Amazon License Manager" 
    --max-session-duration 3600 
    --assume-role-policy-document file://trust-policy-document.json

The following is trust-policy-document.json.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "Federated": "openid-license-manager.amazonaws.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringLike": {
                "openid-license-manager.amazonaws.com:sub": "66a9bbf5-0896-460f-a1a9-de535dcc175b" 
            }
        }
    }
}

Next, use the attach-role-policy command to add the AWSLicenseManagerConsumptionPolicy Amazon managed policy to the AWSLicenseManagerConsumptionRole role.

aws iam attach-role-policy 
    --policy-arn arn:aws-cn:iam::aws:policy/service-role/AWSLicenseManagerConsumptionPolicy
    --role-name AWSLicenseManagerConsumptionRole

Creating seller issued licenses

Use the following procedure to create a block of licenses to grant to customers using the Amazon Web Services Management Console. Alternatively, you can create the license using the CreateLicense API action.

To create a license using the console

  1. Open the License Manager console at https://console.amazonaws.cn/license-manager/.

  2. Choose Seller Issued Licenses from the left menu.

  3. Choose Create license.

  4. For License metadata, provide the following information:

    • License name – The name, up to 150 characters, to display to buyers.

    • License description – An optional description, up to 400 characters, that differentiates this license from other licenses.

    • Product SKU – The product SKU.

    • Recipient – The recipient's name (company or individual).

    • Home Region – The Amazon Region for the license. Although licenses can be consumed globally, you can only change the license in the home region. You cannot change the home region for a license after you create it.

    • License start date – The date of activation.

    • License end date – The end date of the license, if applicable.

  5. For Consumption configuration, provide the following information:

    • Renewal frequency – Whether to renew weekly, monthly, or not at all.

    • Consumption configuration – Choose Provisional Consumption Configuration Options if the license is to be used for continuous connectivity or Borrow if the license is to be used offline. Enter Max time to live (minutes) to set the length of availability of the license.

  6. For Issuer, provide the following information:

    • Enter an Amazon KMS key – License Manager uses this key to sign and verify the issuer. For more information, see Cryptographic Signing of Licenses.

    • Issuer name – The business name for the seller.

    • Seller of record – An optional business name.

    • Agreement URL – The URL to the license agreement.

  7. For Entitlement, provide the following information about the capabilities that the license grants to recipients:

    • Name – The name of the recipient.

    • Unit type – Select the unit type, then provide the maximum count.

    • Check Allow check in if recipients must check in licenses before renewal.

    • Check Overages allowed if recipients can use the resource beyond the maximum count. This option might incur additional charges for the recipient.

  8. Choose Create license.

Granting licenses to customers

After you add the new license, you can grant the license to a customer with an Amazon account using the Amazon Web Services Management Console. The recipient must accept the grant before using the license. For more information, see Granted licenses in License Manager.

Alternatively, if the customer does not have an Amazon account, you can use the License Manager API to enable customers to consume licenses.

To grant a license to a customer using the console

  1. Open the License Manager console at https://console.amazonaws.cn/license-manager/.

  2. Choose Seller Issued Licenses from the left menu.

  3. Choose the ID of the license to open its details page.

  4. For Grants, choose Create grant.

  5. For Grant details, provide the following information:

    • Grant name – The grant name. This is used to enable search capabilities.

    • Amazon account ID – The Amazon account number of the license recipient.

    • License rights

      • Select Consumption if the recipient can consume granted entitlements.

      • Select Distribution if the recipient can distribute granted entitlements to other Amazon accounts.

      • Select Allow on-premise token generation to authenticate shared licenses without using Amazon identities or credentials.

      • Select Allow submission of usage records to permit license recipients to emit usage records for usage types.

    • Home Region – The Amazon Web Services Region for the license.

  6. Choose Create grant.

Getting temporary credentials for customers without an Amazon account

For customers without an Amazon account, you can use entitlements in the same manner that you do for your customers with an Amazon account. Use the following procedure to get temporary Amazon credentials for your customers without an Amazon account. The API calls must be made in the home Region.

To get temporary credentials to use in calling the License Manager API

  1. Call the CreateToken API action to get a refresh token encoded as a JWT token.

  2. Call the GetAccessToken API action, specifying the refresh token that you received from CreateToken in the previous step, to receive a temporary access token.

  3. Call the AssumeRoleWithWebIdentity API action, specifying the access token that you received from GetAccessToken in the previous step, and the AWSLicenseManagerConsumptionRole role that you created, to get temporary Amazon credentials.

To create a token from the Amazon License Manager console

  1. From the License Manager console, navigate to the License details page for the specific license entitlement you want to use without an Amazon account.

  2. Choose Create token to generate a temporary access token.

    Note

    The first time you generate a temporary access token, you will be asked to create a service role so that License Manager can access services on your behalf. The following service role is created: AWSLicenseManagerConsumptionRole.

  3. Download the token.csv file, or copy the token string when it is generated.

    Important

    This is the only time you can view or download this token. We recommend that you download the token and store the file in a secure location. You can create new tokens at any time, up to the service limit.

Consuming licenses

License Manager allows multiple users to concurrently consume entitlements, with limited capabilities, from a single license. Call the CheckoutLicense API action. The following is a description of the parameters.

  • Key fingerprint – Trusted license issuer.

    Example: aws:123456789012:issuer:issuer-fingerprint

  • Product SKU – Product identifier for this license, as defined by the license issuer when creating the license. The same product SKU might exist across multiple ISVs. Therefore, trusted key fingerprints play an important role.

    Example: 1a2b3c4d2f5e69f440bae30eaec9570bb1fb7358824f9ddfa1aa5a0daEXAMPLE

  • Entitlements – Capabilities to check out. If you specify an unlimited capability, the quantity is zero. Example:

    "Entitlements": [
    {
        "Name": "DataTransfer",
        "Unit": "Gigabytes",
        "Value": 10
    },
    {
        "Name": "DataStorage",
        "Unit": "Gigabytes",
        "Value": 5
    }
]

  • Beneficiary – Software as a Service (SaaS) ISVs can check out licenses on behalf of a customer by including the customer identifier. License Manager limits the call to the repository of licenses created in the SaaS ISV account.

    Example: user@domain.com

  • Node ID – An identifier used to node-lock the license to a single instance of the application.

    Example: 10.0.21.57

Deleting seller issued licenses

After you delete a license, you can recreate it. The license and its data are retained and available to the license issuer and license grantees in read-only mode for six months.

Use the following procedure to delete a license that you have created using the Amazon Web Services Management Console. Alternatively, you can delete the license using the DeleteLicense API action.

To delete a license using the console

  1. Open the License Manager console at https://console.amazonaws.cn/license-manager/.

  2. Choose Seller issued licenses from the left menu.

  3. Choose the radio button next to the license to select it for deletion.

  4. Choose Delete. When prompted for confirmation, enter delete and choose Delete.