Step 6: Add a launch constraint to assign an IAM role - Amazon Service Catalog
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 6: Add a launch constraint to assign an IAM role

A launch constraint designates an IAM role that Amazon Service Catalog assumes when an end user launches a product.

For this step, you add a launch constraint to the Linux Desktop product, so Amazon Service Catalog can use the IAM resources that make up the product's Amazon CloudFormation template.

The IAM role that you assign to a product as a launch constraint must have the following permissions

  1. Amazon CloudFormation

  2. Services in the Amazon CloudFormation template for the product

  3. Read access to the Amazon CloudFormation template in a service-owned Amazon S3 bucket.

This launch constraint enables the end user to launch the product and, after launch, manage it as a provisioned product. For more information, see Amazon Service Catalog Launch Constraints.

Without a launch constraint, you need to grant additional IAM permissions to your end users before they can use the Linux Desktop product. For example, the ServiceCatalogEndUserAccess policy grants the minimum IAM permissions required to access the Amazon Service Catalog end user console view.

Using a launch constraint allows you follow the IAM best practice of keeping end user IAM permissions to a minimum. For more information, see Grant least privilege in the IAM User Guide.

To add a launch constraint
  1. Follow the instructions to Create new policies on the JSON tab in the IAM User guide.

  2. Paste the following JSON policy document:

    • cloudformation– Allows Amazon Service Catalog full permissions to create, read, update, delete, list, and tag Amazon CloudFormation stacks.

    • ec2— Allows Amazon Service Catalog full permissions to list, read, write, provision, and tag Amazon Elastic Compute Cloud (Amazon EC2) resources that are part of the Amazon Service Catalog product. Depending on the Amazon resource that you want to deploy, this permission might change.

    • ec2– Creates a new managed policy for you Amazon account and attaches the specified managed policy to the specified IAM role.

    • s3— Allows access to Amazon S3 buckets owned by Amazon Service Catalog. To deploy the product, Amazon Service Catalog requires access to provisioning artifacts.

    • servicecatalog— Allows Amazon Service Catalog permissions to list, read, write, tag, and launch resources on behalf of the end-user.

    • sns— Allows Amazon Service Catalog permissions to list, read, write, and tag Amazon SNS topics for the launch constraint.


    Depending on the underlying resources that you want to deploy, you might need to modify the example JSON policy.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:GetTemplateSummary", "cloudformation:SetStackPolicy", "cloudformation:ValidateTemplate", "cloudformation:UpdateStack", "ec2:*", "servicecatalog:*", "sns:*" ], "Resource": "*" }, { "Effect":"Allow", "Action":[ "s3:GetObject" ], "Resource":"*", "Condition":{ "StringEquals":{ "s3:ExistingObjectTag/servicecatalog:provisioning":"true" } } } ] }
  3. Choose Next, Tags.

  4. Choose Next, Review.

  5. In the Review policy page, for the Name, enter linuxDesktopPolicy.

  6. Choose Create policy.

  7. In the navigation pane, choose Roles. Then choose Create role and do the following:

    1. For Select trusted entity, choose Amazon service and then under Use case for other Amazon services choose Service Catalog. Select the Service Catalog use case and then choose Next.

    2. Search for the linuxDesktopPolicy policy and then select the checkbox.

    3. Choose Next.

    4. For Role name, type linuxDesktopLaunchRole.

    5. Choose Create role.

  8. Open the Amazon Service Catalog console at

  9. Choose the Engineering Tools portfolio.

  10. On the Portfolio details page, choose the Constraints tab, and then choose Create constraint.

  11. For Product, choose Linux Desktop, and for Constraint type, choose Launch.

  12. Choose Select IAM role. Next choose linuxDesktopLaunchRole, and then choose Create.