# Sharing resources with accounts in your organization You can share applications and attribute groups to an account, organizational unit, or organization. AppRegistry integrates with AWS Resource Access Manager (AWS RAM), so you can view a list of resource shares associated with applications and attribute groups. For more information, see [What is AWS Resource Access Manager?](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) in the *AWS Resource Access Manager User Guide*. When you create a resource share for an account, organization, or organizational unit, you can access the application or attribute group with the permission type that you select. For more information, see [Sharing your AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS Resource Access Manager User Guide*. This section describes how to create and manage resource shares for applications and attribute groups. **Note** When you create an application, AppRegistry vends a user tag called *the `awsApplication` tag*. You can add this tag to resources to identify which resources are associated with an application. The `awsApplication` tag is included in all shared applications. For more information, see [The `awsApplication` tag](https://docs.aws.amazon.com/servicecatalog/latest/arguide/overview-appreg.html#ar-user-tags). **Topics** + [ # Creating and managing resource shares in applications ](share-apps.md) + [ # Creating and managing resource shares in attribute groups ](share-attr-groups.md) + [ # Using AWS Resource Access Manager to share resources ](share-ram.md) # Creating and managing resource shares in applications This topic describes how to create and manage resource shares for AppRegistry applications. For information about creating applications, see [Creating applications](https://docs.aws.amazon.com/servicecatalog/latest/arguide/create-apps.html). **Note** Before a member account can enable cross-account sharing, the management account in the organization must enable sharing. For more information, see [Sharing your AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS Resource Access Manager User Guide*. **To create a resource shares for a new application** 1. Open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/) 1. From the navigation pane, choose **AppRegistry**, and then choose **Applications**. You're directed to the **Applications** screen. 1. On **Applications**, choose **Create application**. 1. Under **Application name and description**, enter a name for your application. You can optionally enter a description for your application. 1. To enable sharing for a management account, under **Application share configuration**, choose **Enable**. 1. On **Settings**, select **Enable sharing with AWS Organizations**, and then choose **Save settings**. 1. To enable sharing for a member account, under **Application share configuration**, choose **Turn on cross-account sharing**. 1. For **Select Organization entity**, select your preferred organization entity (**AWS Organization Account**, **AWS Organization Unit**, or **AWS Organization**). 1. For **ID**, enter the ID for your preferred organization entity. 1. For **Share permission**, select **Allow associations** or **Read only**. + **Allow associations** when the selected account can associate resource collections and attribute groups to the application. + **Read only** when the selected account can view the application only. **Note** When you select **Turn on cross-account sharing**, you can display the organizational structure in a heirarchy or list view by choosing **Display organizational structure**. You can add an organization entity by choosing **Add new**. You can delete an organization entity by choosing **Remove** next to the organization entity that you're deleting. 1. Complete your application configuration, and then choose **Create application**. **To create a resource share for an existing application** 1. Open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/) 1. From the navigation pane, choose **AppRegistry**, and then choose **Applications**. You're directed to the **Applications** screen. 1. On **Applications**, choose the name of the application that you want to create a resource share for. Or select the application that you want to create a resource share for, and then choose **View**. You're directed to the **Application details** screen. 1. On **Application details**, choose **Share**, and then choose **Create new share**. **Tip** The **Share** tab displays resource shares associated to the application. You can manage these resource shares by choosing **Manage in RAM console**. For more information, see [What is AWS Resource Access Manager?](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) in the *AWS Resource Access Manager User Guide*. 1. To enable sharing for a management account, under **Application share configuration**, choose **Enable**. 1. On **Settings**, select **Enable sharing with AWS Organizations**, and then choose **Save settings**. 1. To enable sharing for a member account, under **Application share configuration**, choose **Turn on cross-account sharing**. 1. For **Select Organization entity**, select your preferred organization entity (**AWS Organization Account**, **AWS Organization Unit**, or **AWS Organization**). 1. For **ID**, enter the ID for your preferred organization entity. 1. For **Share permission**, select **Allow associations** or **Read only**. + **Allow associations** when the selected account can associate resource collections and attribute groups to the application. + **Read only** when the selected account can view the application only. **Note** When you select **Turn on cross-account sharing**, you can display the organizational structure in a heirarchy or list view by choosing **Display organizational structure**. You can add an organization entity by choosing **Add new**. You can delete an organization entity by choosing **Remove** next to the organization entity that you're deleting. 1. Confirm your resource share configuration, and then choose **Create share**. # Creating and managing resource shares in attribute groups This topic describes how to create and manage resource shares for new and existing AppRegistry attribute groups. For information about creating attribute groups, see [Creating attribute groups](https://docs.aws.amazon.com/servicecatalog/latest/arguide/create-attr-groups.html). **Note** Before a member account can enable cross-account sharing, the management account in the organization must enable sharing. For more information, see [Sharing your AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS Resource Access Manager User Guide*. **To create a resource shares in new attribute group** 1. Open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/) 1. From the navigation pane, choose **AppRegistry**, and then choose **Attribute groups**. You're directed to the **Attribute groups** screen. 1. On **Attribute groups**, choose **Create attribute groups**. 1. Under **Create attribute group**, enter a name and description for your attribute group, and provide the JSON schema that captures your metadata taxonomy. 1. To enable sharing for a management account, under **Attribute group share configuration**, choose **Enable**. 1. On **Settings**, select **Enable sharing with AWS Organizations**, and then choose **Save settings**. 1. To enable sharing for a member account, under **Attribute group share configuration**, choose **Turn on cross-account sharing**. 1. For **Select Organization entity**, select your preferred organization entity (**AWS Organization Account**, **AWS Organization Unit**, or **AWS Organization**). 1. For **ID**, enter the ID for your preferred organization entity. 1. For **Share permission**, select **Allow associations** or **Read only**. + **Allow associations** when the selected account can associate resource collections and attribute groups to the application. + **Read only** when the selected account can view the application only. **Note** When you select **Turn on cross-account sharing**, you can display the organizational structure in a heirarchy or list view by choosing **Display organizational structure**. You can add an organization entity by choosing **Add new**. You can delete an organization entity by choosing **Remove** next to the organization entity that you're deleting. 1. Complete your attribute group configuration, and then choose **Create attribute group**. **To create a resource share in an existing attribute group** 1. Open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/) 1. From the navigation pane, choose **AppRegistry**, and then choose **Attribute groups**. You're directed to the **Attribute groups** screen. 1. On **Attribute groups**, choose the name of the attribute group that you want to create a resource share for. Or select the attribute group that you want to create a resource share for, and then choose **View**. You're directed to the **Attribute group details** screen. 1. On **Attribute group details**, choose **Share**, and then choose **Create new share**. **Tip** The **Share** tab displays resource shares associated to the application. You can manage these resource shares by choosing **Manage in RAM console**. For more information, see [What is AWS Resource Access Manager?](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) in the *AWS Resource Access Manager User Guide*. 1. To enable sharing for a management account, under **Attribute group share configuration**, choose **Enable**. 1. On **Settings**, select **Enable sharing with AWS Organizations**, and then choose **Save settings**. 1. To enable sharing for a member account, under **Attribute group share configuration**, choose **Turn on cross-account sharing**. 1. For **Select Organization entity**, select your preferred organization entity (**AWS Organization Account**, **AWS Organization Unit**, or **AWS Organization**). 1. For **ID**, enter the ID for your preferred organization entity. 1. For **Share permission**, select **Allow associations** or **Read only**. + **Allow associations** when the selected account can associate resource collections and applications to the application. + **Read only** when the selected account can view the attribute group only. **Note** When you select **Turn on cross-account sharing**, you can display the organizational structure in a heirarchy or list view by choosing **Display organizational structure**. You can add an organization entity by choosing **Add new**. You can delete an organization entity by choosing **Remove** next to the organization entity that you're deleting. 1. Confirm your resource share configuration, and then choose **Create share**. # Using AWS Resource Access Manager to share resources AppRegistry integrates with AWS Resource Access Manager (AWS RAM) to enable resource sharing. AWS RAM is a service that enables you to share AppRegistry applications and attribute groups with other AWS accounts or through AWS Organizations. With AWS RAM you share resources that you own by creating a resource share. A resource share specifies the resources to share, and the consumers with whom to share them. Consumers can include: + Specific AWS accounts inside or outside of its organization in AWS Organizations + An organizational unit inside its organization in AWS Organizations + Its entire organization in AWS Organizations For more information about AWS RAM, see the [AWS RAM User Guide](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html). **Topics** + [ ## Prerequisites for sharing applications and attributes ](#preq-sharing-ram) + [ ## Sharing and unsharing applications or attribute groups ](#share-unshare-ram) ## Prerequisites for sharing applications and attributes These are the prerequisites to share applications and attributes: + You must own the application or attribute group in your AWS account. This means that the resource must be provisioned in your account. You cannot share an application or attribute group that has been shared with you. + You must have access to [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_available-policies.html) and [AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/security-iam-managed-policies.html). + You must enable sharing with AWS Organizations. For more information, see [Enable Sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS RAM User Guide*. ## Sharing and unsharing applications or attribute groups This section describes how to share or unshare an AppRegistry application or attribute group with AWS RAM. When you share an application or attribute group using the AppRegistry console, you create a resource share. A resource share is an AWS RAM resource that lets you share your resources across AWS accounts. It specifies the resources to share, and the consumers with whom they are shared. You can share an application or attribute group that you own using the AppRegistry console, AWS RAM console, or the AWS CLI. + To share an application or attribute group that you own using the AppRegistry console, you can either share an application or attribute group when you create it in the AppRegistry console, or you can access **Shares** for the specific application or attribute group you want to share. + To share an application or attribute group that you own using the AWS RAM console, see [Creating a Resource Share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-create) in the *AWS RAM User Guide*. + To share an application or attribute group that you own using the AWS CLI, use the [https://docs.aws.amazon.com/cli/latest/reference/ram/create-resource-share.html](https://docs.aws.amazon.com/cli/latest/reference/ram/create-resource-share.html) command. For more information, see [AWS Resource Access Manager API Reference](https://docs.aws.amazon.com/cli/latest/reference/ram/index.html). To unshare a shared application or attribute group that you own, you must remove it from the resource share. You can do unshare using the AppRegistry console, AWS RAM console, or AWS CLI. + To unshare a shared application or attribute group using the AppRegistry console, choose the application or attribute group from **Applications** or **Attribute Groups**. Then select **Shares**, and choose **Delete** for that application or attribute group. + To unshare a shared an application or attribute group that you own using the AWS RAM console, see [Updating a Resource Share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-update) in the *AWS RAM User Guide*. + To unshare a shared an application or attribute group that you own using the AWS CLI, use the [https://docs.aws.amazon.com/cli/latest/reference/ram/disassociate-resource-share.html](https://docs.aws.amazon.com/cli/latest/reference/ram/disassociate-resource-share.html) command. For more information, see [AWS Resource Access Manager API Reference](https://docs.aws.amazon.com/cli/latest/reference/ram/index.html).