By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS Marketplace: Grant distribution is not supported for this offer at this time.

0

Hello,

We've purchased a container image from the AWS Marketplace and were hoping to utilize it across-the-board for one of our services – i.e. in production, in our staging environment, and for local development.

However, this is proving difficult because we use an AWS Organization containing several AWS accounts – an account per environment, and an account per developer.

I made the Marketplace purchase from our "root" account, but now I'm unable to share it properly with the other accounts. When trying to activate it in one of the other accounts, we are getting: "Grant distribution is not supported for this offer at this time."

Questions:

  • Who should I ask RE: changing that configuration? AWS or the seller?
  • Is there a better way to solve this problem? (The issue is that only a user for the AWS account that purchased the image can pull it from ECR. I'm guessing, worst-case, we could have shared credentials for an IAM user in this account, but that seems hacky)

Thanks for any help provided!

Topics
Security, Identity, & ComplianceManagement & GovernanceContainersAWS Marketplace
Tags
AWS Identity and Access ManagementAWS License ManagerAmazon Elastic Container Registry (ECR)AWS OrganizationsAWS Marketplace - Buyer
Language
English
AWS-User-0186497
asked 2 years ago594 views
1 Answer
0
  1. You seem to have subscribed to and created a grant in the AWS Organizations "management" account, and then trying to activate the license in a member account, and seeing the error. Can you also try to active the grant within the management account?
  2. If this does not work, you might want to reach out to the seller / vendor support regarding granting licenses across AWS organizations accounts through AWS License Manager. This should be the best way you manage licensees.
  3. Even if you need to store some credentials, maybe for some other usecases, you can store them in secret manager and share accordingly (not recommended for license distribution).
  4. Is there a particular reason why each developer need to have one AWS account? Is it possible that you use IAM policies, IAM users or federated identities and share accounts among developers?
Jason_S
answered 2 years ago
  • AWS-User-0186497
    2 years ago

    Thanks for the suggestions, Jason! Responses / results:

    1. Yep, that's exactly what I tried. Just now I tried activating from within the management account, same result :(
    2. Gotcha, yeah, we've reached out to the seller.
    3. Makes sense. Another option: Since this is just a container image we could just regularly pull from the Marketplace ECR repo + push it to one of ours that is accessible from all accounts.
    4. It's still a bit of an experiment at this point. (We only have 6 developers). Might abandon as we grow, heh. But this blog post does a good job outlining some of the reasons it was an attractive idea to us: https://serverlessfirst.com/give-developers-own-aws-account/

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content