Step 6: Add a launch constraint to assign an IAM role
A launch constraint designates an IAM role that AWS Service Catalog assumes when an end user launches a product.
For this step, you add a launch constraint to the Linux Desktop product, so AWS Service Catalog can use the IAM resources that make up the product's AWS CloudFormation template.
The IAM role that you assign to a product as a launch constraint must have the following permissions:
- AWS CloudFormation
- Services in the AWS CloudFormation template for the product
- Read access to the AWS CloudFormation template in a service-owned Amazon S3 bucket.
This launch constraint enables the end user to launch the product and, after launch, manage it as a provisioned product. For more information, see AWS Service Catalog Launch Constraints.
Without a launch constraint, you need to grant additional IAM permissions to your end users before they can use the Linux Desktop product. For example, the ServiceCatalogEndUserAccess policy grants the minimum IAM permissions required to access the AWS Service Catalog end user console view.
Using a launch constraint allows you to follow the IAM best practice of keeping end user IAM permissions to a minimum. For more information, see Grant least privilege in the IAM User Guide.
To add a launch constraint
- Follow the instructions to Create new policies on the JSON tab in the IAM User Guide.
- Paste the following JSON policy document:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "cloudformation:CreateStack",
          "cloudformation:DeleteStack",
          "cloudformation:DescribeStackEvents",
          "cloudformation:DescribeStacks",
          "cloudformation:GetTemplateSummary",
          "cloudformation:SetStackPolicy",
          "cloudformation:ValidateTemplate",
          "cloudformation:UpdateStack",
          "ec2:*",
          "servicecatalog:*",
          "sns:*"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
          }
        }
      }
    ]
  }

  - cloudformation – Allows AWS Service Catalog full permissions to create, read, update, delete, list, and tag AWS CloudFormation stacks.
  - ec2 – Allows AWS Service Catalog full permissions to list, read, write, provision, and tag Amazon Elastic Compute Cloud (Amazon EC2) resources that are part of the AWS Service Catalog product. Depending on the AWS resource that you want to deploy, this permission might change.
  - ec2 – Creates a new managed policy for your AWS account and attaches the specified managed policy to the specified IAM role.
  - s3 – Allows access to Amazon S3 buckets owned by AWS Service Catalog. To deploy the product, AWS Service Catalog requires access to provisioning artifacts.
  - servicecatalog – Allows AWS Service Catalog permissions to list, read, write, tag, and launch resources on behalf of the end user.
  - sns – Allows AWS Service Catalog permissions to list, read, write, and tag Amazon SNS topics for the launch constraint.

  Note
  Depending on the underlying resources that you want to deploy, you might need to modify the example JSON policy.
- Choose Next, Tags.
- Choose Next, Review.
- On the Review policy page, for Name, enter linuxDesktopPolicy.
- Choose Create policy.
- In the navigation pane, choose Roles. Then choose Create role and do the following:
  - For Select trusted entity, choose AWS service, and then under Use case for other AWS services, choose Service Catalog. Select the Service Catalog use case and then choose Next.
  - Search for the linuxDesktopPolicy policy and then select the check box.
  - Choose Next.
  - For Role name, type linuxDesktopLaunchRole.
  - Choose Create role.
- Open the AWS Service Catalog console at https://console.aws.amazon.com/servicecatalog.
- Choose the Engineering Tools portfolio.
- On the Portfolio details page, choose the Constraints tab, and then choose Create constraint.
- For Product, choose Linux Desktop, and for Constraint type, choose Launch.
- Choose Select IAM role. Next, choose linuxDesktopLaunchRole, and then choose Create.
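As an added example (not from the AWS documentation or tooling), the following Python audits the launch-role policy from this step against the least-privilege guidance above: it flags wildcard actions and any Resource of "*" that is not narrowed by a Condition, and checks that every service a CloudFormation template uses is covered by the policy, which is the first requirement listed for the launch role. TEMPLATE_RESOURCE_TYPES is a constructed stand-in for the Linux Desktop template's Resources section, and the type-to-service mapping is a heuristic assumed for this example.

```python
"""Audit the launch-role policy from this step (example code added for this page, not AWS tooling)."""
import json

# The JSON policy document from this step, embedded so the audit runs offline.
LAUNCH_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:DeleteStack",
                    "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks",
                    "cloudformation:GetTemplateSummary", "cloudformation:SetStackPolicy",
                    "cloudformation:ValidateTemplate", "cloudformation:UpdateStack",
                    "ec2:*", "servicecatalog:*", "sns:*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*",
         "Condition": {"StringEquals": {
             "s3:ExistingObjectTag/servicecatalog:provisioning": "true"}}},
    ],
})

# Constructed resource types standing in for the Linux Desktop template's Resources section.
TEMPLATE_RESOURCE_TYPES = ["AWS::EC2::Instance", "AWS::EC2::SecurityGroup", "AWS::SNS::Topic"]


def _as_list(value):
    # IAM accepts a string or a list for Action and Resource; normalise to a list.
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy_json):
    """Flag wildcard actions and a Resource of '*' that is not narrowed by a Condition."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"):
            findings.append(f"statement {i}: Resource '*' without a Condition")
    return findings


def uncovered_services(policy_json, resource_types):
    """Service prefixes the template needs (heuristic: AWS::EC2::Instance -> ec2) that no Allow grants."""
    granted = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") == "Allow":
            granted.update(a.split(":")[0] for a in _as_list(stmt.get("Action")))
    if "*" in granted:  # "Action": "*" already covers every service
        return []
    needed = {rt.split("::")[1].lower() for rt in resource_types}
    return sorted(needed - granted)
```

Running audit_policy on the page's policy reports the three service-wide wildcards and the unconditioned Resource "*" in the first statement; the s3:GetObject statement passes because its Condition limits it to objects tagged servicecatalog:provisioning.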