Tutorial: Identifying User Resource Allocation
You can identify the user who provisioned a product and the resources associated with the product using the Amazon Service Catalog console. Use the example in this tutorial as a guide for your own provisioned products.
To manage all provisioned products for the account, you need AWSServiceCatalogAdminFullAccess or equivalent access to the provisioned product write operations. For more information, see Identity and Access Management in the Amazon Service Catalog Administrator Guide.
To identify the user who provisioned a product and the associated resources

1. In the left navigation menu, choose Provisioned product.
2. In the Access Filter dropdown menu, choose Account.
3. In the Account view, choose and open a provisioned product to display its details. You can see the details of the provisioned product.
4. Scroll down to expand the Events section. Note the Provisioned product ID and CloudformationStackARN values.
5. Use the provisioned product ID to identify the Amazon CloudTrail record that corresponds to this launch and identify the requesting user (typically, you enter an email address during federation). In this example, it is "steve".

    {
      "eventVersion":"1.03",
      "userIdentity": {
        "type":"AssumedRole",
        "principalId":"[id]:steve",
        "arn":"arn:aws:sts::[account number]:assumed-role/SC-usertest/steve",
        "accountId":[account number],
        "accessKeyId":[access key],
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated":[boolean],
            "creationDate":[timestamp]
          },
          "sessionIssuer": {
            "type":"Role",
            "principalId":"AROAJEXAMPLELH3QXY",
            "arn":"arn:aws:iam::[account number]:role/[name]",
            "accountId":[account number],
            "userName":[username]
          }
        }
      },
      "eventTime":"2016-08-17T19:20:58Z",
      "eventSource":"servicecatalog.amazonaws.com",
      "eventName":"ProvisionProduct",
      "awsRegion":"us-west-2",
      "sourceIPAddress":[ip address],
      "userAgent":"Coral/Netty",
      "requestParameters": {
        "provisioningArtifactId":[id],
        "productId":[id],
        "provisioningParameters":[Shows all the parameters that the end user entered],
        "provisionToken":[token],
        "pathId":[id],
        "provisionedProductName":[name],
        "tags":[],
        "notificationArns":[]
      },
      "responseElements": {
        "recordDetail": {
          "provisioningArtifactId":[id],
          "status":"IN_PROGRESS",
          "recordId":[id],
          "createdTime":"Aug 17, 2016 7:20:58 PM",
          "recordTags":[],
          "recordType":"PROVISION_PRODUCT",
          "provisionedProductType":"CFN_STACK",
          "pathId":[id],
          "productId":[id],
          "provisionedProductName":"testSCproduct",
          "recordErrors":[],
          "provisionedProductId":[id]
        }
      },
      "requestID":[id],
      "eventID":[id],
      "eventType":"AwsApiCall",
      "recipientAccountId":[account number]
    }

6. Use the CloudformationStackARN value to identify Amazon CloudFormation events to find information about the created resources. You can also use the Amazon CloudFormation API to obtain this information. For more information, see Amazon CloudFormation API Reference.
You can perform steps 1 through 4 using the Amazon Service Catalog API. For more information, see Amazon Service Catalog Developer Guide.
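The CloudTrail lookup described in the procedure above can be scripted once the records are exported. The following is an added example, not code from the Amazon Service Catalog documentation: it matches a provisioned product ID against ProvisionProduct records and returns the requesting user. The function names, the sample IDs and the sample records are constructed for illustration.

```python
# Constructed sample records (not real CloudTrail data), reduced to the fields read below.
def _sample(session, pp_id, error=None):
    detail = {"provisionedProductId": pp_id, "provisionedProductName": "testSCproduct"}
    rec = {
        "eventSource": "servicecatalog.amazonaws.com",
        "eventName": "ProvisionProduct",
        "eventTime": "2016-08-17T19:20:58Z",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEID:" + session,
            "sessionContext": {
                "attributes": {"mfaAuthenticated": "false"},
                "sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/SC-usertest"}}},
        # Failed calls carry an errorCode and no responseElements.
        "responseElements": None if error else {"recordDetail": detail},
    }
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_RECORDS = [_sample("alice", "pp-constructed-0001", error="AccessDenied"),
                  _sample("bob", "pp-constructed-0002"),
                  _sample("steve", "pp-constructed-0001")]

def requester(identity):
    """Return the caller name from a CloudTrail userIdentity block."""
    if identity.get("type") == "AssumedRole":
        # principalId is "<role id>:<session name>"; the session name identifies the user.
        return identity.get("principalId", "").partition(":")[2]
    if identity.get("type") == "IAMUser":
        return identity.get("userName", "")
    return identity.get("arn", "")

def find_provisioner(records, provisioned_product_id):
    """Return who launched the given provisioned product, or None if no record matches."""
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "servicecatalog.amazonaws.com", "ProvisionProduct") or rec.get("errorCode"):
            continue  # other services, other API calls, and failed launches
        detail = (rec.get("responseElements") or {}).get("recordDetail") or {}
        if detail.get("provisionedProductId") != provisioned_product_id:
            continue
        ident = rec.get("userIdentity") or {}
        ctx = ident.get("sessionContext") or {}
        return {"user": requester(ident),
                "role_arn": (ctx.get("sessionIssuer") or {}).get("arn"),
                # CloudTrail writes this flag as the string "true" or "false".
                "mfa": (ctx.get("attributes") or {}).get("mfaAuthenticated") == "true",
                "event_time": rec.get("eventTime")}
    return None
```

Recording the role ARN and MFA flag alongside the session name helps when several federated users share one role.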