Step 5: Create launch roles - Amazon Service Catalog

Step 5: Create launch roles

In this step, you will create an IAM role (launch role) specifying the permissions that the Terraform provisioning engine and Amazon Service Catalog can assume when an end user launches a HashiCorp Terraform product.

The IAM role (launch role) that you later assign to your simple Amazon S3 bucket Terraform product as a launch constraint must have the following permissions:

  • Access to the underlying Amazon resources for your Terraform product. In this tutorial, this includes access to the s3:CreateBucket*, s3:DeleteBucket*, s3:Get*, s3:List*, and s3:PutBucketTagging Amazon S3 operations.

  • Read access to the Amazon S3 template in an Amazon Service Catalog-owned Amazon S3 bucket.

  • Access to the CreateGroup, ListGroupResources, DeleteGroup, and Tag resource group operations. These operations enable Amazon Service Catalog to manage resource groups and tags.

To create a launch role in the Amazon Service Catalog administrator account
  1. While logged in to the Amazon Service Catalog administrator account, follow the instructions to Create new policies on the JSON tab in the IAM User guide.

  2. Create a policy for your simple Amazon S3 bucket Terraform product. This policy must be created before you create the launch role, and consists of the following permissions:

    • s3— Allows Amazon Service Catalog full permissions to list, read, write, provision, and tag the Amazon S3 product.

    • s3— Allows access to Amazon S3 buckets owned by Amazon Service Catalog. To deploy the product, Amazon Service Catalog requires access to provisioning artifacts.

    • resourcegroups— Allows Amazon Service Catalog to create, list, delete, and tag Amazon Resource Groups.

    • tag— Allows Amazon Service Catalog tagging permissions.

    Note

    Depending on the underlying resources that you want to deploy, you may need to modify the example JSON policy.

    Paste the following JSON policy document:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
            }
          }
        },
        {
          "Action": [
            "s3:CreateBucket*",
            "s3:DeleteBucket*",
            "s3:Get*",
            "s3:List*",
            "s3:PutBucketTagging"
          ],
          "Resource": "arn:aws:s3:::*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "resource-groups:CreateGroup",
            "resource-groups:ListGroupResources",
            "resource-groups:DeleteGroup",
            "resource-groups:Tag"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "tag:GetResources",
            "tag:GetTagKeys",
            "tag:GetTagValues",
            "tag:TagResources",
            "tag:UntagResources"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

    1. Choose Next, Tags.

    2. Choose Next, Review.

    3. In the Review policy page, for the Name, enter S3ResourceCreationAndArtifactAccessPolicy.

    4. Choose Create policy.

  3. In the navigation pane, choose Roles, and then choose Create role.

  4. For Select trusted entity, choose Custom trust policy and then enter the following JSON policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "GivePermissionsToServiceCatalog",
          "Effect": "Allow",
          "Principal": {
            "Service": "servicecatalog.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::account_id:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringLike": {
              "aws:PrincipalArn": [
                "arn:aws:iam::account_id:role/TerraformEngine/TerraformExecutionRole*",
                "arn:aws:iam::account_id:role/TerraformEngine/ServiceCatalogExternalParameterParserRole*",
                "arn:aws:iam::account_id:role/TerraformEngine/ServiceCatalogTerraformOSParameterParserRole*"
              ]
            }
          }
        }
      ]
    }

    Replace account_id with the Amazon Service Catalog administrator account ID in every ARN.

  5. Choose Next.

  6. In the Policies list, select the S3ResourceCreationAndArtifactAccessPolicy you just created.

  7. Choose Next.

  8. For Role name, enter SCLaunch-S3product.

    Important

    Launch role names must begin with "SCLaunch" followed by the desired role name.

  9. Choose Create role.

    Important

    After creating the launch role in your Amazon Service Catalog administrator account, you must also create an identical launch role in the Amazon Service Catalog end user account. The role in the end user account must have the same name and include the same policy as the role in the administrator account.

To create a launch role in the Amazon Service Catalog end user account
  1. Log in as the administrator to the end user account, and then follow the instructions to Create new policies on the JSON tab in the IAM User guide.

  2. Repeat steps 2-10 from To create a launch role in the Amazon Service Catalog administrator account above.

Note

When creating a launch role in the Amazon Service Catalog end user account, ensure you use the same administrator AccountId in the custom trust policy.

Now that you have created a launch role in both the administrator and end user accounts, you can add a launch constraint to the product.
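Before attaching the role as a launch constraint, it is worth checking the two policy documents above for the properties that make a launch role safe to trust: the name convention, that only Amazon Service Catalog and the Terraform engine roles in the administrator account can assume it, that no account_id placeholder was left unfilled (the same check applies to the copy created in the end user account), and that the permissions policy stays within the s3, resource-groups and tag actions this tutorial needs. The following script is an added example written for this page, not code from the Amazon Service Catalog documentation or the Terraform provisioning engine; it embeds both policies from this page, uses a constructed administrator account ID (111122223333), and implements its own checks rather than any Service Catalog API.

```python
"""Local least-privilege checks for a Service Catalog Terraform launch role.

Added example for this tutorial (not Amazon's code). Both policy documents
are the ones shown on this page; the account id is a constructed sample.
"""
import re

# Constructed sample administrator account id; substitute your own.
ADMIN_ACCOUNT_ID = "111122223333"
ENGINE_ROLE_PREFIX = "role/TerraformEngine/"
# Services the simple S3 bucket product on this page actually needs.
EXPECTED_SERVICES = {"s3", "resource-groups", "tag"}


def render_trust_policy(account_id):
    """The custom trust policy from this page with account_id filled in."""
    engine = f"arn:aws:iam::{account_id}:{ENGINE_ROLE_PREFIX}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "GivePermissionsToServiceCatalog", "Effect": "Allow",
             "Principal": {"Service": "servicecatalog.amazonaws.com"},
             "Action": "sts:AssumeRole"},
            {"Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "sts:AssumeRole",
             "Condition": {"StringLike": {"aws:PrincipalArn": [
                 engine + "TerraformExecutionRole*",
                 engine + "ServiceCatalogExternalParameterParserRole*",
                 engine + "ServiceCatalogTerraformOSParameterParserRole*"]}}},
        ],
    }


TRUST_POLICY = render_trust_policy(ADMIN_ACCOUNT_ID)

# S3ResourceCreationAndArtifactAccessPolicy from this page.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "*", "Condition": {"StringEquals": {
             "s3:ExistingObjectTag/servicecatalog:provisioning": "true"}}},
        {"Action": ["s3:CreateBucket*", "s3:DeleteBucket*", "s3:Get*",
                    "s3:List*", "s3:PutBucketTagging"],
         "Resource": "arn:aws:s3:::*", "Effect": "Allow"},
        {"Action": ["resource-groups:CreateGroup", "resource-groups:ListGroupResources",
                    "resource-groups:DeleteGroup", "resource-groups:Tag"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues",
                    "tag:TagResources", "tag:UntagResources"],
         "Resource": "*", "Effect": "Allow"},
    ],
}


def _as_list(value):
    """IAM allows most fields to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def role_name_is_valid(name):
    """Launch role names must begin with 'SCLaunch' (rule stated on this page)."""
    return name.startswith("SCLaunch")


def trust_policy_findings(policy, admin_account_id):
    """Return problems found in a launch role trust policy (empty list = OK)."""
    findings = []
    services = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or "*" in _as_list(principal.get("AWS")):
            findings.append("trust policy lets any principal assume the role")
            continue
        services.update(_as_list(principal.get("Service")))
        if not principal.get("AWS"):
            continue
        # The account-root principal must be narrowed to the engine roles.
        patterns = _as_list(stmt.get("Condition", {}).get("StringLike", {})
                            .get("aws:PrincipalArn"))
        if not patterns:
            findings.append("AWS principal trusted without an aws:PrincipalArn condition")
        for arn in _as_list(principal.get("AWS")) + patterns:
            account = arn.split(":")[4] if arn.count(":") >= 5 else ""
            if not re.fullmatch(r"\d{12}", account):
                findings.append(f"unfilled or malformed account id in {arn}")
            elif account != admin_account_id:
                findings.append(f"{arn} is not in the administrator account")
        for pattern in patterns:
            if ENGINE_ROLE_PREFIX not in pattern or pattern.endswith(ENGINE_ROLE_PREFIX + "*"):
                findings.append(f"aws:PrincipalArn pattern too broad: {pattern}")
    if "servicecatalog.amazonaws.com" not in services:
        findings.append("servicecatalog.amazonaws.com is not a trusted service")
    return findings


def permissions_policy_findings(policy):
    """Return least-privilege problems in the permissions policy (empty = OK)."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append("statement allows every action")
                continue
            service, _, verb = action.partition(":")
            if service not in EXPECTED_SERVICES:
                findings.append(f"action outside the services this product needs: {action}")
            if verb == "*":
                findings.append(f"wildcard verb grants the whole service: {action}")
            # Reading artifacts from any bucket is only acceptable when scoped
            # by the servicecatalog:provisioning object tag condition.
            if (action == "s3:GetObject" and "*" in _as_list(stmt.get("Resource"))
                    and not stmt.get("Condition")):
                findings.append("s3:GetObject on Resource * without a tag condition")
    return findings


if __name__ == "__main__":
    name_ok = role_name_is_valid("SCLaunch-S3product")
    print("role name:", "OK" if name_ok else "must begin with SCLaunch")
    print("trust policy:", trust_policy_findings(TRUST_POLICY, ADMIN_ACCOUNT_ID) or "OK")
    print("permissions policy:", permissions_policy_findings(PERMISSIONS_POLICY) or "OK")
```

Run it against the trust policy of the role in the end user account as well, passing the administrator account ID: a role whose ARNs were filled with the end user account, or still contain a placeholder, is reported rather than silently trusted.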