[ aws . ram ]

create-resource-share

Description

Creates a resource share. You can provide a list of the Amazon Resource Names (ARNs) for the resources that you want to share, a list of principals you want to share the resources with, and the permissions to grant those principals.

Note

Sharing a resource makes it available for use by principals outside of the Amazon Web Services account that created the resource. Sharing doesn’t change any permissions or quotas that apply to the resource in the account that created it.

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  create-resource-share
--name <value>
[--resource-arns <value>]
[--principals <value>]
[--tags <value>]
[--allow-external-principals | --no-allow-external-principals]
[--client-token <value>]
[--permission-arns <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options

--name (string)

Specifies the name of the resource share.

--resource-arns (list)

Specifies a list of one or more ARNs of the resources to associate with the resource share.

(string)

Syntax:

"string" "string" ...

--principals (list)

Specifies a list of one or more principals to associate with the resource share.

You can include the following values:

  • An Amazon Web Services account ID, for example: 123456789012

  • An Amazon Resoure Name (ARN) of an organization in Organizations, for example: organizations::123456789012:organization/o-exampleorgid

  • An ARN of an organizational unit (OU) in Organizations, for example: organizations::123456789012:ou/o-exampleorgid/ou-examplerootid-exampleouid123

  • An ARN of an IAM role, for example: iam::123456789012:role/rolename

  • An ARN of an IAM user, for example: iam::123456789012user/username

Note

Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the Resource Access Manager User Guide .

(string)

Syntax:

"string" "string" ...

--tags (list)

Specifies one or more tags to attach to the resource share itself. It doesn’t attach the tags to the resources associated with the resource share.

(structure)

A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags .

For more information about tags, see Tagging Amazon Web Services resources in the Amazon Web Services General Reference Guide .

key -> (string)

The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive.

value -> (string)

The string value attached to the tag. The value can be an empty string. Key values are case sensitive.

Shorthand Syntax:

key=string,value=string ...

JSON Syntax:

[
  {
    "key": "string",
    "value": "string"
  }
  ...
]

--allow-external-principals | --no-allow-external-principals (boolean)

Specifies whether principals outside your organization in Organizations can be associated with a resource share. A value of true lets you share with individual Amazon Web Services accounts that are not in your organization. A value of false only has meaning if your account is a member of an Amazon Web Services Organization. The default value is true .

--client-token (string)

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value. .

If you don’t provide this value, then Amazon Web Services generates a random one for you.

--permission-arns (list)

Specifies the Amazon Resource Names (ARNs) of the RAM permission to associate with the resource share. If you do not specify an ARN for the permission, RAM automatically attaches the default version of the permission for each resource type. You can associate only one permission with each resource type included in the resource share.

(string)

Syntax:

"string" "string" ...

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.

Examples

Example 1: To create a resource share

The following create-resource-share example creates an empty resource share with the specified name. You must separately add resources, principals, and permissions to the share.

aws ram create-resource-share \
    --name MyNewResourceShare

Output:

{
    "resourceShare": {
        "resourceShareArn": "arn:aws:ram:us-west-2:123456789012:resource-share/4476c27d-8feb-4b21-afe9-7de23EXAMPLE",
        "name": "MyNewResourceShare",
        "owningAccountId": "123456789012",
        "allowExternalPrincipals": true,
        "status": "ACTIVE",
        "creationTime": 1634586271.302,
        "lastUpdatedTime": 1634586271.302
    }
}

Example 2: To create a resource share with AWS accounts as principals

The following create-resource-share example creates a resource share and grants access to the specified AWS account (222222222222). If the specified principals are not part of the same AWS Organization, then invitations are sent and must be accepted before access is granted.

aws ram create-resource-share \
    --name MyNewResourceShare \
    --principals 222222222222

Example 3: To create a resource share restricted to your AWS Organization

The following create-resource-share example creates a resource share that is restricted to accounts in the AWS Organization that your account is a member of, and adds the specified OU as a principal. All accounts in that OU can use the resources in the resource share.

aws ram create-resource-share \
    --name MyNewResourceShare \
    --no-allow-external-principals \
    --principals arn:aws:organizations::123456789012:ou/o-63bEXAMPLE/ou-46xi-rEXAMPLE

Output:

{
    "resourceShare": {
        "resourceShareArn": "arn:aws:ram:us-west-2:123456789012:resource-share/7be8694e-095c-41ca-9ce8-7be4aEXAMPLE",
        "name": "MyNewResourceShare",
        "owningAccountId": "123456789012",
        "allowExternalPrincipals": false,
        "status": "ACTIVE",
        "creationTime": 1634587042.49,
        "lastUpdatedTime": 1634587042.49
    }
}

Output

resourceShare -> (structure)

An object with information about the new resource share.

resourceShareArn -> (string)

The Amazon Resoure Name (ARN) of the resource share

name -> (string)

The name of the resource share.

owningAccountId -> (string)

The ID of the Amazon Web Services account that owns the resource share.

allowExternalPrincipals -> (boolean)

Indicates whether principals outside your organization in Organizations can be associated with a resource share.

status -> (string)

The current status of the resource share.

statusMessage -> (string)

A message about the status of the resource share.

tags -> (list)

The tag key and value pairs attached to the resource share.

(structure)

A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags .

For more information about tags, see Tagging Amazon Web Services resources in the Amazon Web Services General Reference Guide .

key -> (string)

The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive.

value -> (string)

The string value attached to the tag. The value can be an empty string. Key values are case sensitive.

creationTime -> (timestamp)

The date and time when the resource share was created.

lastUpdatedTime -> (timestamp)

The date and time when the resource share was last updated.

featureSet -> (string)

Indicates how the resource share was created. Possible values include:

  • CREATED_FROM_POLICY - Indicates that the resource share was created from an Identity and Access Management (IAM) resource-based permission policy attached to the resource. This type of resource share is visible only to the Amazon Web Services account that created it. You can’t modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy .

  • PROMOTING_TO_STANDARD - The resource share is in the process of being promoted. For more information, see PromoteResourceShareCreatedFromPolicy .

  • STANDARD - Indicates that the resource share was created in RAM using the console or APIs. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs.

clientToken -> (string)

The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the clientToken request parameter of that later call. All other parameters must also have the same values that you used in the first call.