Pilih preferensi cookie Anda

Kami menggunakan cookie penting serta alat serupa yang diperlukan untuk menyediakan situs dan layanan. Kami menggunakan cookie performa untuk mengumpulkan statistik anonim sehingga kami dapat memahami cara pelanggan menggunakan situs dan melakukan perbaikan. Cookie penting tidak dapat dinonaktifkan, tetapi Anda dapat mengklik “Kustom” atau “Tolak” untuk menolak cookie performa.

Jika Anda setuju, AWS dan pihak ketiga yang disetujui juga akan menggunakan cookie untuk menyediakan fitur situs yang berguna, mengingat preferensi Anda, dan menampilkan konten yang relevan, termasuk iklan yang relevan. Untuk menerima atau menolak semua cookie yang tidak penting, klik “Terima” atau “Tolak”. Untuk membuat pilihan yang lebih detail, klik “Kustomisasi”.

Preferensi
Hubungi Kami
Umpan Balik
AWS Documentation
Buat Akun AWS

Creating the SCConnectLaunch role

PDF
RSS
Mode fokus
Creating the SCConnectLaunch role - AWS Service Management Connector
Halaman ini belum diterjemahkan ke dalam bahasa Anda. Minta terjemahan

The SCConnectLaunch role is an IAM role that places baseline AWS service permissions into the AWS Service Catalog launch constraints. Configuring this role enables segregation of duty through provisioning product resources for ServiceNow end users.

The SCConnectLaunch role baseline contains permissions to Amazon EC2 and Amazon S3 services. If your products contain more AWS services, you must either include those services in the SCConnectLaunch role or create new launch roles.

This section describes how to create the SCConnectLaunch role. This role places baseline AWS service permissions in the Service Catalog launch constraints. For more information, see Service Catalog Launch Constraints.

To create SCConnectLaunch role

  1. Create this policy: AWSCloudFormationFullAccess policy. Choose create policy and add this code in the JSON editor:

    
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "cloudformation:DescribeStackResource",
            "cloudformation:DescribeStackResources",
            "cloudformation:GetTemplate",
            "cloudformation:List*",
            "cloudformation:DescribeStackEvents",
            "cloudformation:DescribeStacks",
            "cloudformation:CreateStack",
            "cloudformation:DeleteStack",
            "cloudformation:DescribeStackEvents",
            "cloudformation:DescribeStacks",
            "cloudformation:GetTemplateSummary",
            "cloudformation:SetStackPolicy",
            "cloudformation:ValidateTemplate",
            "cloudformation:UpdateStack",
            "cloudformation:CreateChangeSet",
            "cloudformation:DescribeChangeSet",
            "cloudformation:ExecuteChangeSet",
            "cloudformation:DeleteChangeSet",
            "s3:GetObject"
         ],
         "Resource":"*"
      }
   ]
}
    Note

    AWSCloudFormationFullAccess includes additional permissions for ChangeSets.

  2. Create this policy: ServicecodeCatalogSSMActionsBaseline. Follow the instructions in Creating IAM policies, and add this code in the JSON editor: 

    {
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"Stmt1536341175150",
         "Action":[
            "servicecatalog:AssociateResource",
            "servicecatalog:DisassociateResource",
            "servicecatalog:ListServiceActionsForProvisioningArtifact",
            "servicecatalog:ExecuteprovisionedProductServiceAction",
            "ssm:DescribeDocument",
            "ssm:GetAutomationExecution",
            "ssm:StartAutomationExecution",
            "ssm:StopAutomationExecution",
            "ssm:StartChangeRequestExecution",
            "cloudformation:ListStackResources",
            "ec2:DescribeInstanceStatus",
            "ec2:StartInstances",
            "ec2:StopInstances"
         ],
         "Effect":"Allow",
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":"iam:PassRole",
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "iam:PassedToService":"ssm.amazonaws.com"
            }
         }
      }
   ]
}

  3. Create the SCConnectLaunch role. Then assign the trust relationship to Service Catalog.

    
                            {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                "Service": "servicecatalog.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        }

  4. Attach the relevant policies to the SCConnectLaunch role.

    We recommend you customize and scope your launch policies to the specific AWS Services, which are in the associated CloudFormation template for the given Service Catalog product.

    For example, to provision EC2 and S3 products, your role policies are as follows:

    • AmazonEC2FullAccess AWS managed policy)

    • AmazonS3FullAccess AWS managed policy)

    • AWSCloudFormationFullAccess (custom managed policy)

    • ServiceCatalogSSMActionsBaseline (custom managed policy)

PrivasiSyarat situsPreferensi cookie
© 2025, Amazon Web Services, Inc. atau afiliasinya. Semua hak dilindungi undang-undang.