Multi-Account Service Catalog



In this lab you will deploy a Service Catalog pipeline for managing and deploying CloudFormation templates using the AWS Service Catalog Reference Architectures repository.


Launch a Cloud9 instance and run everything via Cloud9 IDE.

  • To create a new instance for environment (EC2), go to Cloud9 Console, and select Create environment
  • Type in appropriate Name and Description to choose on Next step
  • Pick following options in Environment settings and choose Next step
    • Create a new instance for environment (EC2)
    • t2.micro (1 Gib RAM + 1 vCPU)
    • Amazon Linux
  • Choose Create environment
  • Once the environment is ready, make sure to intall git and jq packages
  • sudo yum install git jq -y

Solution Overview

This reference architecture creates an AWS CodeCommit Repo, CodePipeline, and CodeBuild. This pipeline will allow infrastructure engineers to use Infrastructure as Code (IaC) to manage the Portfolios and Products across multiple accounts and regions in ServiceCatalog. The pipeline includes sample template validation and cfn_nag stages. Updating a ServiceCatalog becomes as easy as git push

Solution Overview

Modify the install script and execute in your Management account

We use README for the AWS Service Catalog Reference Architectures CodePipeline under multi-account setup. In this case, we will use the Control Tower Management account to be the hub, and an account factory account as a child.

  1. The AWS Service Catalog Reference Architectures CodePipeline assumes that you can run bash and that you have jq, git, AWS credentials, and the AWS CLI installed (Steps to deploy Cloud9 environment is listed in Prerequisites section)

    PS: If you are on Mac, please install a t2.micro instance on the Management account or use cloud9 on Management account [instructions in Prerequisites section] for this lab. Make sure to install git and jq packages on the new instance.

  2. Clone the repository:

    # Clone the Service Catalog Reference Architecture repository to your local desktop
    cd ~
    git clone

  3. Decide which accounts to use as child accounts and regions to deploy. You can use the Management account to host the code and also as a child account. If you have created an Account Factory account, you can also specify it as a child account.
    • If you are using Cloud9 environment in Management account, you could use following command to list all accounts in your organization
    • # To List all the accounts in the organizations - Runs only of Org. Root account
      aws organizations list-accounts  --query 'Accounts[*].{email:Email,ID:Id}' --output table
      # Capture the current region of operation
      aws configure get region
      cd ~/aws-service-catalog-reference-architectures/codepipeline/
    • Change the childAcc="" parameter in to a space delimited list for the spoke accounts (DO NOT include the hub account here) such as: childAcc="1234567890 0987654321"
    • If your account already contains the Cloudformation stackset roles [NOT COMMON], run ./ No. Otherwise run below command.
    • # Install the required IAM Roles, Code Pipeline, and setup Service Catalog

  4. WAIT!! for the above script TO COMPLETE before moving to the next step.

    Using the Automated CodePipeline

    In this part of the lab, we are going to continue with the AWS Service Catalog Reference Architectures CodePipeline under multi-account guide. Again, we are using the Management account to host the local copy of the repository in CodeCommit. We are also going to use temporary credentials from SSO rather than creating IAM users and using SSH.

  5. Use the management console for the Management account, navigate to CodeCommit->Repositories->SCPortfoliosRepo and select the clone URL for HTTPS.
  6. If you haven’t already done so, set up the git credential helper:

    # Setup the git credential helper
    git config --global credential.helper '!aws codecommit credential-helper $@'
    git config --global credential.UseHttpPath true
  7. Clone the empty repository:

    # Clone the empty repo
    git clone
  8. Copy the contents of the repository into your local CodeCommit repository:

    # Add content to the new repo
    cd SCPortfoliosRepo
    cp -r ../aws-service-catalog-reference-architectures/* .
  9. Commit the changes the push them to CodeCommit:

    git add *
    git commit -a -m 'Initial clone of the aws-service-catalog-reference-architectures repository'
    git push
  10. Watch the pipeline ServiceCatalog-ProductPipeline in the Management account and wait for it to complete.
  11. Optional -- make a change to a template

    In this section, we will make a very simple change to one of the templates and push the change to the pipeline. We should be able to see that the change was propagated to all of the accounts.

  12. Navigate to the ec2 folder in your SCPortfoliosRepo and modify the line in sc-ec2-linux-apache-nokey.json that says “Congratulations, you have successfully — “
  13. Modify sc-product-ec2-demowebserver.json to change the name of the product to “Apache v2.0 – alias@” (search for sc-ec2-linux-apache-nokey.json)
  14. Push the change to the repo:

    git commit -a -m 'silly modification to sc-ec2-linux-apache-nokey.json'
    git push
  15. Navigate to the Management account CodePipeline console and watch SCPortfoliosRepo execute to completion
  16. Navigate to the Service Catalog product and verify the changes you have made (extra credit – look in all of the accounts)
  17. Remove the pipeline and IAM roles StackSets and Stack Instances

  18. Execute the script ``
    # ./