

# Step 5: Create launch roles
<a name="getstarted-launchrole-Terraform"></a>

In this step, you create an IAM role (the launch role) that the Terraform provisioning engine and Amazon Service Catalog assume when an end user launches a HashiCorp Terraform product. The role's permissions, not the end user's, are what the provisioning runs with.

The IAM role (launch role) that you later assign to your simple Amazon S3 bucket Terraform product as a launch constraint must have the following permissions:
+ Access to the underlying Amazon resources for your Terraform product. In this tutorial, this includes access to the `s3:CreateBucket*`, `s3:DeleteBucket*`, `s3:Get*`, `s3:List*`, and `s3:PutBucketTagging` Amazon S3 operations.
+ Read access to the product's provisioning artifact (the Terraform configuration) in an Amazon Service Catalog-owned Amazon S3 bucket.
+ Access to the `CreateGroup`, `ListGroupResources`, `DeleteGroup`, and `Tag` resource group operations, and to the tagging operations. These operations enable Amazon Service Catalog to manage resource groups and tags.

**To create a launch role in the Amazon Service Catalog administrator account**

1. While logged in to the Amazon Service Catalog administrator account, follow the instructions to [Create new policies on the JSON tab](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create-console.html) in the *IAM User Guide*.

1. Create a **policy** for your simple Amazon S3 bucket Terraform product. This policy must exist before you create the launch role, and it grants the following permissions:
   + `s3` (product resources): allows Amazon Service Catalog to list, read, create, delete, and tag the Amazon S3 buckets of the product.
   + `s3` (provisioning artifacts): allows read access to objects in Amazon S3 buckets owned by Amazon Service Catalog that carry the tag `servicecatalog:provisioning=true`. To deploy the product, Amazon Service Catalog requires access to the provisioning artifact.
   + `resourcegroups`: allows Amazon Service Catalog to create, list, delete, and tag Amazon Resource Groups.
   + `tag`: allows Amazon Service Catalog tagging permissions.
**Note**  
Depending on the underlying resources that you want to deploy, you may need to modify the example JSON policy. Note also that the bucket statement's `"Resource": "arn:aws-cn:s3:::*"` covers every bucket in the account, not only the ones the product creates; once you know the bucket naming your Terraform configuration uses, scope that resource to a matching prefix (for example `arn:aws-cn:s3:::sc-tutorial-*`) and retest the product.

   Paste the following JSON policy document: 

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": "s3:GetObject",
               "Resource": "*",
               "Condition": {
                   "StringEquals": {
                       "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
                   }
               }
           },
           {
               "Action": [
                   "s3:CreateBucket*",
                   "s3:DeleteBucket*",
                   "s3:Get*",
                   "s3:List*",
                   "s3:PutBucketTagging"
               ],
               "Resource": "arn:aws-cn:s3:::*",
               "Effect": "Allow"
           },
           {
               "Action": [
                   "resource-groups:CreateGroup",
                   "resource-groups:ListGroupResources",
                   "resource-groups:DeleteGroup",
                   "resource-groups:Tag"
               ],
               "Resource": "*",
               "Effect": "Allow"
           },
           {
               "Action": [
                   "tag:GetResources",
                   "tag:GetTagKeys",
                   "tag:GetTagValues",
                   "tag:TagResources",
                   "tag:UntagResources"
               ],
               "Resource": "*",
               "Effect": "Allow"
           }
       ]
   }
   ```


1. Finish creating the policy:

   1. Choose **Next**, **Tags**.

   1. Choose **Next**, **Review**.

   1. In the **Review policy** page, for the **Name**, enter **S3ResourceCreationAndArtifactAccessPolicy**.

   1. Choose **Create policy**.

1. In the navigation pane, choose **Roles**, and then choose **Create role**. 

1. For **Select trusted entity**, choose **Custom trust policy** and then enter the following JSON policy:

1. Choose **Next**. 

1. In the **Policies** list, select the `S3ResourceCreationAndArtifactAccessPolicy` you just created. 

1. Choose **Next**. 

1. For **Role name**, enter **SCLaunch-S3product**.
**Important**  
Launch role names **must** begin with "SCLaunch" followed by the desired role name. 

1. Choose **Create role**.
**Important**  
After creating the launch role in your Amazon Service Catalog administrator account, you must also create an identical launch role in the Amazon Service Catalog end user account. The role in the end user account must have the same name and include the same policy as the role in the administrator account.

**To create a launch role in the Amazon Service Catalog end user account**

1. Log in as the administrator to the end user account, and then follow the instructions to [Create new policies on the JSON tab](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create-console.html) in the *IAM User Guide*.

1. Repeat steps 2-10 from *To create a launch role in the Amazon Service Catalog administrator account* above. 

**Note**  
When creating a launch role in the Amazon Service Catalog end user account, use the administrator account's **AccountId** (not the end user account's) in the custom trust policy, so that both roles trust the same administrator account.
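The two procedures above require the launch role in the end user account to match the one in the administrator account exactly (same `SCLaunch`-prefixed name, same permission policy, same administrator **AccountId** in the trust policy), and the trust policy itself is not reproduced on this page. The following Python is an added example, not code from the Amazon Service Catalog documentation: it builds the permission policy shown above (optionally scoped to a bucket-name prefix), builds a trust policy of an assumed shape (the `servicecatalog.amazonaws.com` service principal plus the administrator account's root ARN; the exact trust policy the tutorial intends is not given here), and checks a pair of role records for the rules the page states. The role-record layout and all sample values are constructed for the example; with `boto3` you would fill the records from `iam.get_role()` and the default version of the attached policy.

```python
"""Added example (not from the Service Catalog documentation): build the launch
role's IAM documents and check that the administrator-account and end-user
account copies satisfy the page's rules. The trust-policy shape, the service
principal name and the role-record layout are assumptions, not page content."""
import json

PARTITION = "aws-cn"            # matches the ARN partition in the page's policy
ROLE_NAME = "SCLaunch-S3product"


def trust_policy(admin_account_id: str) -> dict:
    """Custom trust policy (assumed shape): Service Catalog's service principal
    and the administrator account, which runs the Terraform engine, may assume
    the role. The same administrator AccountId is used in both accounts."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"Service": "servicecatalog.amazonaws.com"},  # assumed
             "Action": "sts:AssumeRole"},
            {"Effect": "Allow",
             "Principal": {"AWS": f"arn:{PARTITION}:iam::{admin_account_id}:root"},
             "Action": "sts:AssumeRole"},
        ],
    }


def permission_policy(bucket_prefix: str = "") -> dict:
    """The page's permission policy. A non-empty bucket_prefix scopes the bucket
    statement to buckets named '<prefix>*'; an empty prefix reproduces the
    page's 'arn:aws-cn:s3:::*' (every bucket in the account)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ProvisioningArtifactRead", "Effect": "Allow",
             "Action": "s3:GetObject", "Resource": "*",
             "Condition": {"StringEquals": {
                 "s3:ExistingObjectTag/servicecatalog:provisioning": "true"}}},
            {"Sid": "ProductBuckets", "Effect": "Allow",
             "Action": ["s3:CreateBucket*", "s3:DeleteBucket*", "s3:Get*",
                        "s3:List*", "s3:PutBucketTagging"],
             "Resource": f"arn:{PARTITION}:s3:::{bucket_prefix}*"},
            {"Sid": "ResourceGroups", "Effect": "Allow",
             "Action": ["resource-groups:CreateGroup", "resource-groups:ListGroupResources",
                        "resource-groups:DeleteGroup", "resource-groups:Tag"],
             "Resource": "*"},
            {"Sid": "Tagging", "Effect": "Allow",
             "Action": ["tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues",
                        "tag:TagResources", "tag:UntagResources"],
             "Resource": "*"},
        ],
    }


def _aws_principals(trust: dict) -> set:
    """Collect the AWS (account/role ARN) principals of a trust policy."""
    out = set()
    for stmt in trust.get("Statement", []):
        aws = stmt.get("Principal", {}).get("AWS")
        if isinstance(aws, str):
            out.add(aws)
        elif isinstance(aws, list):
            out.update(aws)
    return out


def canonical(doc: dict) -> str:
    """Key-order-independent JSON, so two documents compare by content."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def check_launch_role_pair(admin_role: dict, end_user_role: dict, admin_account_id: str) -> list:
    """Return findings; an empty list means the pair satisfies the page's rules.
    Each role is a constructed record: {"RoleName", "AssumeRolePolicyDocument",
    "PolicyDocument"}."""
    findings = []
    admin_root = f"arn:{PARTITION}:iam::{admin_account_id}:root"
    for label, role in (("admin", admin_role), ("end-user", end_user_role)):
        if not role["RoleName"].startswith("SCLaunch"):
            findings.append(f"{label}: role name '{role['RoleName']}' must begin with 'SCLaunch'")
        if admin_root not in _aws_principals(role["AssumeRolePolicyDocument"]):
            findings.append(f"{label}: trust policy does not trust administrator account {admin_account_id}")
    if admin_role["RoleName"] != end_user_role["RoleName"]:
        findings.append("role names differ between the accounts")
    if canonical(admin_role["PolicyDocument"]) != canonical(end_user_role["PolicyDocument"]):
        findings.append("permission policies differ between the accounts")
    if canonical(admin_role["AssumeRolePolicyDocument"]) != canonical(end_user_role["AssumeRolePolicyDocument"]):
        findings.append("trust policies differ between the accounts")
    return findings


def sample_role(name: str, admin_account_id: str, bucket_prefix: str = "") -> dict:
    """Constructed role record in the shape check_launch_role_pair expects."""
    return {"RoleName": name,
            "AssumeRolePolicyDocument": trust_policy(admin_account_id),
            "PolicyDocument": permission_policy(bucket_prefix)}


if __name__ == "__main__":
    admin = sample_role(ROLE_NAME, "111122223333", "sc-tutorial-")   # constructed AccountId
    print(json.dumps(admin["AssumeRolePolicyDocument"], indent=4))
    print(check_launch_role_pair(admin, sample_role(ROLE_NAME, "111122223333", "sc-tutorial-"), "111122223333"))
    print(check_launch_role_pair(admin, sample_role("Launch-S3product", "999988887777"), "111122223333"))
```

The second check in the `__main__` block shows the drift the Important note warns about: a role created in the end user account with a name that lacks the `SCLaunch` prefix, the end user account's own ID in the trust policy, and the unscoped permission policy produces one finding per violated rule, while an identical pair produces none.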

Now that you have created a launch role in both the administrator and end user accounts, you can add a launch constraint to the product. 