AWS Cloud Operations Blog
License management using Delegated Administrator feature of AWS License Manager
Many enterprises use AWS Organizations to link their AWS accounts and manage them using a single management account. Earlier, customers managed license administration using the management account. However, the management account has a number of administrative privileges for the organization, and it’s a best practice to reduce the amount of users in the management account where possible. Then, AWS License Manager announced support for Delegated Administrator, a feature that allows license administrators to manage and distribute licenses across all of their AWS accounts from a delegated member account in the organization. Refer AWS License Manager now supports Delegated Administrator announcement to learn more. This helped organizations achieve the flexibility of reducing users in the management account, and administering license management activities using the delegated member account.
Once the delegated administrator account is configured, you can perform central license administration tasks, such as managing licenses and Amazon Elastic Compute Cloud (Amazon EC2) Dedicated Hosts, sharing license configuration with other accounts, and setting up cross-account discovery.
In this post, you’ll learn how to create a basic organization set up, with one management and two member accounts. Then, you’ll learn how to register the delegated administrator and perform central license administration tasks in the organization, such as setting up cross-account discovery, sharing a simple license configuration with other member accounts, and managing licenses. Finally, you’ll learn how to set up an AWS Identity and Access Management (IAM) user in the Delegated Administrator account to manage licenses from different license vendors. Creating IAM user(s) under the Delegated Administrator account will help you assign different license management tasks for the specific vendor(s).
Let’s get started.
Prerequisites
You’ll need the following prerequisites to implement the solution discussed in this post:
- An organization with at least three accounts. Refer the following Setting up your organization section for instructions if you’re looking to set up an organization and create or invite member accounts into the organization.
Setting up your organization
-
- Create your organization by selecting an account that doesn’t run existing workloads. This will be the management account for your organization. Refer to the Create an organization documentation to learn about how to create an organization by using the AWS Management Console. Once you’ve created the organization, follow Step b to create or invite two other accounts as member accounts into the organization.
- For this post, invite accounts to join the organization. Refer to the Sending invitations to AWS accounts documentation to learn about how to create or invite an account to be part of your organization.
- The invited account should accept the invitation to join the organization as a member account. Refer to the Accepting or declining an invitation from an organization documentation to learn about how to accept or decline the invitation from an organization.
- If you choose to create a member account to be part of the organization, then AWS automatically creates a role in the account that grants administrator permissions to IAM users in the management account who can assume the role. Refer to the Accessing a member account that has a management account access role documentation to learn about how to grant permissions to user(s) in the management account to access the role.
Note that member accounts that you invite to join your organization do not automatically get an administrator role created. You must do this manually, and this essentially duplicates the role automatically set up for created accounts. Refer to the Creating the OrganizationAccountAccessRole in an invited member account documentation to learn about how to create a role in a member account that grants administrator permissions to IAM users in the management account who can assume the role. - Repeat Steps b – d for the remaining member account.
- A software license bought from a vendor for which vCPU is the counting model. The other supported values are physical core, socket, and instance.
Solution walkthrough
Enabling the Delegated Administrator feature
- From the License Manager console of the organization’s management account, enable the option to distribute managed entitlements or license configurations with your organization. Refer to the Settings in License Manager documentation to learn how to enable the options to distribute managed entitlements or license configurations with your organization.
As an alternate, once you set up the organization, you can choose not to enable the option to distribute managed entitlements or license configurations with your organization in the management account and still enable a delegated administrator. Specifically, service access for the License Manager service must be enabled in the organization settings to enable the delegated administrator. This way of enabling the delegated administrator doesn’t create a resource share in the management account, since the cross-account resource discovery mode is off. - From the License Manager console of the organization’s management account, refer to the Enabling a delegated administrator account for License Manager documentation to learn how to register a delegated administrator account for License Manager. Additionally, you may call the list-delegated-administrator AWS Command Line Interface (AWS CLI) command to verify whether or not the specified member account has been successfully registered as a delegated administrator.
- From the License Manager console of the delegated administrator account, enable the cross-account resource discovery setting in the delegated administrator account. Refer to the Settings in License Manager documentation to learn how to enable cross-account resource discovery in the delegated administrator account. This will create a new AWS Resource Access Manager (AWS RAM) Resource share to share license configurations with the organization and Amazon Simple Storage Service (Amazon S3) creates an S3 bucket in the delegated administrator account to which all other accounts will sync their data. The setting also enables the option to distribute managed entitlements or license configurations with your organization.
Choose your management account to be in single account mode and have the delegated administrator account in the cross-account mode. This means that you’re decoupling license management responsibilities to the delegated administrator account.
Delegate your license management on AWS
- Procure a software license and bake into your Amazon Machine Image (AMI). Make sure that the AMI has permissions enabled to be shared with your organization. Refer to the Share an AMI (console) documentation to learn about how to share an AMI with an organization.
- From the License Manager console of the delegated administrator account, create a license configuration and associate it to the AMI. From the license configuration console, you can see how many licenses were used when you launch instances using the AMI. The license configuration specifies how your licenses are counted (for example, by vCPUs, or the number of instances). See the Create a license configuration and Manually associating license configurations with AMI documentation to learn how to create the license configuration and associate it with the AMI.
The following screenshot shows a license configuration created in the delegated administrator account from the console:
Once the license configuration is associated with an AMI, License Manager reports license usage when you launch instances using the AMI. For existing Amazon EC2 instances or Amazon Relational Database Service (Amazon RDS) or on-premises servers, License Manager uses AWS Systems Manager Agent for discovery. Refer to setting up AWS Systems Manager documentation to get started. Then, you can associate the discovered instances to the license configuration so that License Manager can track and report the license usage. To learn how to set up auto discovery of resources, refer to Automated discovery of resource inventory in the documentation.
- Once you’ve created a license configuration, you can share it from the License Manager console of the delegated administrator account to other accounts in the organization, as shown in figure 2.
The shared license configuration will be available across all accounts in the organization. It will track resources across accounts launched using the AMI associated with the license configuration.
Delegate your seller issued license management on AWS
As an issuer, from the delegated administrator account, create a license representing the entitlements of a seller-issued license, and grant it to the delegated administrator account. Once the delegated administrator accepts the grant, they can distribute the license to specific member accounts or all accounts in the organization. The delegated administrator account can view the license consumption from the License Manager Console. Note that if you’re granting to an organization, then the grants to member accounts will be auto-accepted. Refer to the Ensure license compliance in AWS for ISVs using ISV seller-issued licenses AWS post to learn how to implement license tracking and consumption of Independent Software Vendors (ISVs) issued licenses.
Use IAM and designate sub-administrators to licenses in the delegated administrator account
In the earlier section, you learned how to create a license configuration and share it across your organization from the delegated administrator account. In this section, you’ll learn how to set up IAM-based permissions to restrict a license administrator to view specific licenses. You can either choose to perform central license administration tasks in the organization from the delegated administrator account, or set up an IAM user in the delegated administrator account with sufficient permissions for specific license configuration(s) among other IAM permissions. Likewise, you can choose to offload license tracking (say, for multiple vendors) to multiple users, as well as think of them like sub-administrators.
In this final section of the post, you’ll learn how to do the following:
- From the IAM console of the delegated administrator account, create an IAM user with no assigned permissions. Refer to the Creating IAM users (console) documentation to learn how to create an IAM user from the console.
- From the IAM console of the delegated administrator account, create a custom policy with the visual editor, as shown in the following figure. Note that the actions in the policy allow sufficient permissions only for the respective license and the license configuration. You can customize what actions to be added per your description of the policy for the IAM user.
- After you create the custom policy, you can attach it to the user created in Step 1. For more information, see Adding and removing IAM identity permissions.
You can use https://[AWS-account-ID or alias].
signin.thinkwithwp.com/console URL to sign in to the account sign-in page by substituting the correct AWS account ID number or account alias. This user in the delegated administrator account will now have sufficient permissions only for the specified license and the license configuration and your organization’s delegated administrator can offload license tracking activities to them.
Cleanup
Enabling License Manager cross-account discovery mode a host of resources, such as Amazon S3 buckets, AWS RAM Resource shares, AWS Glue jobs, and Amazon Athena. Refer to Deleting a bucket, Deleting a resource share in AWS RAM, Delete jobs, and Working with Databases on the AWS Glue Console to learn how to clean up the aforementioned respective resources. Additionally, you may call the deregister-delegated-administrator AWS CLI command to deregister a delegated administrator.
Conclusion
In this post, you learned how to set up delegated administrator and perform central license administration tasks in the organization, such as setting up cross-account discovery, sharing license configuration with other member accounts, and managing licenses. Delegated administrator is offered at no additional charge and is available in all AWS Regions where AWS Organizations is supported. License Manager supports one delegated administrator account at any time. I encourage you to use what you have learned here and consider using the delegated administrator feature in your own organization. If you have questions or feedback, then open an AWS Support Case.
Additional references
Tracking software usage across multiple AWS accounts using AWS License Manager
AWS CLI Command Reference for License Manager
AWS CLI Command Reference for Organizations
About the author: