Amazon managed policies for Amazon Service Catalog AppRegistry
Amazon managed policy: AWSServiceCatalogAdminFullAccess
You can attach AWSServiceCatalogAdminFullAccess
to your IAM entities. AppRegistry also attaches this policy to
a service role that allows AppRegistry to perform actions on your behalf.
This policy grants administrative
permissions that allow full access to the
administrator console view and grants permission to create and manage products and portfolios.
Permissions details
This policy includes the following permissions.
- servicecatalog – Allows principals full permissions to the administrator console view and the ability to create and manage portfolios and products, manage constraints, grant access to end users, and perform other administrative tasks within Amazon Service Catalog.
- cloudformation – Allows Amazon Service Catalog full permissions to list, read, write, and tag Amazon CloudFormation stacks.
- config – Allows Amazon Service Catalog limited permissions to portfolios, products, and provisioned products via Amazon Config.
- iam – Allows principals full permissions to view and create service users, groups, or roles that are required for creating and managing products and portfolios.
- ssm – Allows Amazon Service Catalog to use Amazon Systems Manager to list and read Systems Manager documents in the current Amazon account and Amazon Region.
View the policy: AWSServiceCatalogAdminFullAccess.
Amazon managed policy: AWSServiceCatalogAdminReadOnlyAccess
You can attach AWSServiceCatalogAdminReadOnlyAccess
to your IAM entities. AppRegistry also attaches this policy to
a service role that allows AppRegistry to perform actions on your behalf.
This policy grants read-only
permissions that allow full access to the administrator
console view. This policy does not grant access to create or manage products and portfolios.
Permissions details
This policy includes the following permissions.
- servicecatalog – Allows principals read-only permissions to the administrator console view.
- cloudformation – Allows Amazon Service Catalog limited permissions to list and read Amazon CloudFormation stacks.
- config – Allows Amazon Service Catalog limited permissions to portfolios, products, and provisioned products via Amazon Config.
- iam – Allows principals limited permissions to view service users, groups, or roles that are required for creating and managing products and portfolios.
- ssm – Allows Amazon Service Catalog to use Amazon Systems Manager to list and read Systems Manager documents in the current Amazon account and Amazon Region.
View the policy: AWSServiceCatalogAdminReadOnlyAccess.
Amazon managed policy: AWSServiceCatalogEndUserFullAccess
You can attach AWSServiceCatalogEndUserFullAccess
to your IAM entities. AppRegistry also attaches this policy to
a service role that allows AppRegistry to perform actions on your behalf.
This policy grants contributor
permissions that allow full access to the end user console view and
grants permission to launch products and manage provisioned products.
Permissions details
This policy includes the following permissions.
- servicecatalog – Allows principals full permissions to the end user console view and the ability to launch products and manage provisioned products.
- cloudformation – Allows Amazon Service Catalog full permissions to list, read, write, and tag Amazon CloudFormation stacks.
- config – Allows Amazon Service Catalog limited permissions to list and read details about portfolios, products, and provisioned products via Amazon Config.
- ssm – Allows Amazon Service Catalog to use Amazon Systems Manager to read Systems Manager documents in the current Amazon account and Amazon Region.
View the policy: AWSServiceCatalogEndUserFullAccess.
Amazon managed policy: AWSServiceCatalogEndUserReadOnlyAccess
You can attach AWSServiceCatalogEndUserReadOnlyAccess
to your IAM entities. AppRegistry also attaches this policy to
a service role that allows AppRegistry to perform actions on your behalf.
This policy grants read-only
permissions that allow read-only access to the end user
console view. This policy does not grant permission to launch products or manage provisioned products.
Permissions details
This policy includes the following permissions.
- servicecatalog – Allows principals read-only permissions to the end user console view.
- cloudformation – Allows Amazon Service Catalog limited permissions to list and read Amazon CloudFormation stacks.
- config – Allows Amazon Service Catalog limited permissions to list and read details about portfolios, products, and provisioned products via Amazon Config.
- ssm – Allows Amazon Service Catalog to use Amazon Systems Manager to read Systems Manager documents in the current Amazon account and Amazon Region.
View the policy: AWSServiceCatalogEndUserReadOnlyAccess.
Amazon managed policy: AWSServiceCatalogSyncServiceRolePolicy
Amazon Service Catalog attaches this policy to the AWSServiceRoleForServiceCatalogSync
service-linked role (SLR),
allowing Amazon Service Catalog to sync templates in an external repository to Amazon Service Catalog products.
This policy grants limited access to Amazon Service Catalog actions (for example, API calls) and to the actions of other Amazon services that Amazon Service Catalog depends on.
Permissions details
This policy includes the following permissions.
- servicecatalog – Allows the Amazon Service Catalog artifact sync role limited access to Amazon Service Catalog public APIs.
- codeconnections – Allows the Amazon Service Catalog artifact sync role limited access to CodeConnections public APIs.
- cloudformation – Allows the Amazon Service Catalog artifact sync role limited access to Amazon CloudFormation public APIs.
View the policy: AWSServiceCatalogSyncServiceRolePolicy.
Service-linked role details
Amazon Service Catalog uses the permission details above for the AWSServiceRoleForServiceCatalogSync
service-linked role
that is created when a user creates or updates an Amazon Service Catalog product that uses CodeConnections. You can modify this policy using the
Amazon CLI, Amazon API, or through the Amazon Service Catalog console. For more information on how to create, edit, and delete service-linked
roles, refer to Using service-linked roles (SLRs) for Amazon Service Catalog.
The permissions included in the AWSServiceRoleForServiceCatalogSync
service-linked role
allow Amazon Service Catalog to perform the following actions on behalf of the customer.
- servicecatalog:ListProvisioningArtifacts — Allows the Amazon Service Catalog artifact sync role to list the provisioning artifacts for a given Amazon Service Catalog product that is synced to a template file in a repository.
- servicecatalog:DescribeProductAsAdmin — Allows the Amazon Service Catalog artifact sync role to use the DescribeProductAsAdmin API to get details for an Amazon Service Catalog product and its associated provisioning artifacts that are synced to a template file in a repository. The artifact sync role uses the output from this call to verify the product's service quota limit for provisioning artifacts.
- servicecatalog:DeleteProvisioningArtifact — Allows the Amazon Service Catalog artifact sync role to delete a provisioning artifact.
- servicecatalog:ListServiceActionsForProvisioningArtifact — Allows the Amazon Service Catalog artifact sync role to determine whether Service Actions are associated with a provisioning artifact, and to ensure that the provisioning artifact is not deleted if a Service Action is associated.
- servicecatalog:DescribeProvisioningArtifact — Allows the Amazon Service Catalog artifact sync role to retrieve details from the DescribeProvisioningArtifact API, including the commit ID, which is provided in the SourceRevisionInfo output.
- servicecatalog:CreateProvisioningArtifact — Allows the Amazon Service Catalog artifact sync role to create a new provisioning artifact when a change to the source template file in the external repository is detected (for example, a new commit is pushed).
- servicecatalog:UpdateProvisioningArtifact — Allows the Amazon Service Catalog artifact sync role to update the provisioning artifact for a connected or synced product.
- codeconnections:UseConnection — Allows the Amazon Service Catalog artifact sync role to use the existing connection to update and sync a product.
- cloudformation:ValidateTemplate — Allows the Amazon Service Catalog artifact sync role limited access to Amazon CloudFormation to validate the format of the template used in the external repository and to verify that Amazon CloudFormation can support the template.
Amazon managed policy: AWSServiceCatalogOrgsDataSyncServiceRolePolicy
Amazon Service Catalog attaches this policy to the AWSServiceRoleForServiceCatalogOrgsDataSync
service-linked role (SLR),
allowing Amazon Service Catalog to sync with Amazon Organizations.
This policy grants limited access to Amazon Service Catalog actions (for example, API calls) and to the actions of other Amazon services that Amazon Service Catalog depends on.
Permissions details
This policy includes the following permissions.
- organizations — Allows the Amazon Service Catalog data sync role limited access to Amazon Organizations public APIs.
View the policy: AWSServiceCatalogOrgsDataSyncServiceRolePolicy.
Service-linked role details
Amazon Service Catalog uses the permission details above for the AWSServiceRoleForServiceCatalogOrgsDataSync
service-linked role
that is created when a user enables Amazon Organizations shared portfolio access or creates a portfolio share. You can modify this policy using the
Amazon CLI, Amazon API, or through the Amazon Service Catalog console. For more information on how to create, edit, and delete service-linked
roles, refer to Using service-linked roles (SLRs) for Amazon Service Catalog.
The permissions included in the AWSServiceRoleForServiceCatalogOrgsDataSync
service-linked role
allow Amazon Service Catalog to perform the following actions on behalf of the customer.
- organizations:DescribeAccount — Allows the Amazon Service Catalog Organizations Data Sync role to retrieve Amazon Organizations-related information about the specified account.
- organizations:DescribeOrganization — Allows the Amazon Service Catalog Organizations Data Sync role to retrieve information about the organization that the user's account belongs to.
- organizations:ListAccounts — Allows the Amazon Service Catalog Organizations Data Sync role to list the accounts in the user's organization.
- organizations:ListChildren — Allows the Amazon Service Catalog Organizations Data Sync role to list all of the organizational units (OUs) or accounts that are contained in the specified parent OU or root.
- organizations:ListParents — Allows the Amazon Service Catalog Organizations Data Sync role to list the root or OUs that serve as the immediate parent of the specified child OU or account.
- organizations:ListAWSServiceAccessForOrganization — Allows the Amazon Service Catalog Organizations Data Sync role to retrieve a list of the Amazon services that the user enabled to integrate with their organization.
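The two service-linked-role policies above are enumerated action by action, and the change history on this page shows that these managed policies do get updated. The following added example (written for this page, not code from Amazon Service Catalog or the IAM documentation) compares a policy document against the action lists given here for AWSServiceCatalogSyncServiceRolePolicy and AWSServiceCatalogOrgsDataSyncServiceRolePolicy and reports anything the policy grants beyond them, or anything documented that it no longer grants. The sample policy document embedded in it is constructed for the example and is not the published document; the `fetch_default_version` helper, the `aws-service-role/` policy path and the `aws` partition are assumptions you should check against your own account before use.

```python
"""Check a Service Catalog service-linked-role policy document against the actions documented on this page."""
import fnmatch
from typing import Dict, List, Set

# Actions this page lists for the two service-linked-role policies.
DOCUMENTED_ACTIONS: Dict[str, Set[str]] = {
    "AWSServiceCatalogSyncServiceRolePolicy": {
        "servicecatalog:ListProvisioningArtifacts",
        "servicecatalog:DescribeProductAsAdmin",
        "servicecatalog:DeleteProvisioningArtifact",
        "servicecatalog:ListServiceActionsForProvisioningArtifact",
        "servicecatalog:DescribeProvisioningArtifact",
        "servicecatalog:CreateProvisioningArtifact",
        "servicecatalog:UpdateProvisioningArtifact",
        "codeconnections:UseConnection",
        "cloudformation:ValidateTemplate",
    },
    "AWSServiceCatalogOrgsDataSyncServiceRolePolicy": {
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListChildren",
        "organizations:ListParents",
        "organizations:ListAWSServiceAccessForOrganization",
    },
}


def _as_list(value) -> list:
    """IAM lets 'Statement' and 'Action' be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def granted_actions(policy_document: dict) -> Set[str]:
    """Collect every action pattern that an Allow statement grants.

    A NotAction statement allows everything except the listed actions, so it is
    recorded as the unbounded pattern '*' rather than silently ignored.
    """
    granted: Set[str] = set()
    for statement in _as_list(policy_document.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:
            granted.add("*")
        granted.update(_as_list(statement.get("Action")))
    return granted


def policy_drift(policy_name: str, policy_document: dict) -> Dict[str, List[str]]:
    """Compare the policy with this page's action list.

    'extra'   - granted entries that are not exactly one of the documented actions
                (wildcards such as 'servicecatalog:*' land here: they are broader
                than anything documented)
    'missing' - documented actions that no granted entry matches, wildcards included
    IAM matches action names case-insensitively, so the comparison does too.
    """
    documented = DOCUMENTED_ACTIONS[policy_name]
    documented_lower = {a.lower() for a in documented}
    granted = granted_actions(policy_document)
    extra = sorted(a for a in granted if a.lower() not in documented_lower)
    missing = sorted(
        a for a in documented
        if not any(fnmatch.fnmatchcase(a.lower(), g.lower()) for g in granted)
    )
    return {"extra": extra, "missing": missing}


# Constructed sample for this example; it is NOT the published policy document.
SAMPLE_SYNC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicecatalog:ListProvisioningArtifacts",
                "servicecatalog:DescribeProductAsAdmin",
                "servicecatalog:DeleteProvisioningArtifact",
                "servicecatalog:ListServiceActionsForProvisioningArtifact",
                "servicecatalog:DescribeProvisioningArtifact",
                "servicecatalog:CreateProvisioningArtifact",
                "servicecatalog:UpdateProvisioningArtifact",
            ],
            "Resource": "*",
        },
        {"Effect": "Allow", "Action": "codeconnections:UseConnection", "Resource": "*"},
        # CreateStack is planted deliberately so the check has something to flag.
        {
            "Effect": "Allow",
            "Action": ["cloudformation:ValidateTemplate", "cloudformation:CreateStack"],
            "Resource": "*",
        },
    ],
}


def fetch_default_version(policy_name: str, partition: str = "aws") -> dict:
    """Pull the live default version of the managed policy with boto3 (network call; the offline check does not use it).

    Assumptions: the policy lives under the 'aws-service-role/' path and the
    partition ('aws', 'aws-cn', ...) is the one your account is in.
    """
    import boto3  # imported here so the offline comparison runs without boto3 installed
    iam = boto3.client("iam")
    arn = f"arn:{partition}:iam::aws:policy/aws-service-role/{policy_name}"
    version_id = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
    return iam.get_policy_version(PolicyArn=arn, VersionId=version_id)["PolicyVersion"]["Document"]


if __name__ == "__main__":
    # Against the constructed sample this reports CreateStack as extra and nothing missing.
    print(policy_drift("AWSServiceCatalogSyncServiceRolePolicy", SAMPLE_SYNC_POLICY))
```

Run it against the live document by replacing `SAMPLE_SYNC_POLICY` with `fetch_default_version("AWSServiceCatalogSyncServiceRolePolicy")`; a non-empty `extra` list means the policy has moved past what this page documents and the change history below should be consulted.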
Deprecated policies
The following managed policies are deprecated:
- ServiceCatalogAdminFullAccess — Use AWSServiceCatalogAdminFullAccess instead.
- ServiceCatalogAdminReadOnlyAccess — Use AWSServiceCatalogAdminReadOnlyAccess instead.
- ServiceCatalogEndUserFullAccess — Use AWSServiceCatalogEndUserFullAccess instead.
- ServiceCatalogEndUserAccess — Use AWSServiceCatalogEndUserReadOnlyAccess instead.
To ensure that your administrators and end users are granted permissions using the current policies, migrate them from the deprecated policies to the current ones. For the attach and detach steps, see Adding and removing IAM identity permissions.
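The migration described above is a per-principal attach-then-detach. The following added example (written for this page, not code from Amazon Service Catalog) computes that plan for one principal from its attached policy ARNs, and then uses boto3 to find every user, group and role still carrying a deprecated policy and apply the plan. Attaching the replacement before detaching the deprecated policy is the order chosen so that a principal never loses its Service Catalog permissions mid-change. The `plan_migration` and `migrate_entities` names, the `--apply` flag and the `aws` partition default are this example's own assumptions; in the China regions the partition is `aws-cn`.

```python
"""Move IAM users, groups and roles off the deprecated Service Catalog policies onto the current ones."""
import sys
from typing import Dict, List, Tuple

# Deprecated managed policy -> replacement, as listed on this page.
POLICY_REPLACEMENTS: Dict[str, str] = {
    "ServiceCatalogAdminFullAccess": "AWSServiceCatalogAdminFullAccess",
    "ServiceCatalogAdminReadOnlyAccess": "AWSServiceCatalogAdminReadOnlyAccess",
    "ServiceCatalogEndUserFullAccess": "AWSServiceCatalogEndUserFullAccess",
    "ServiceCatalogEndUserAccess": "AWSServiceCatalogEndUserReadOnlyAccess",
}

# Per entity type: the key ListEntitiesForPolicy returns, and the boto3 client method names.
ENTITY_KINDS = {
    "PolicyUsers": ("UserName", "attach_user_policy", "detach_user_policy", "list_attached_user_policies"),
    "PolicyGroups": ("GroupName", "attach_group_policy", "detach_group_policy", "list_attached_group_policies"),
    "PolicyRoles": ("RoleName", "attach_role_policy", "detach_role_policy", "list_attached_role_policies"),
}


def managed_policy_arn(name: str, partition: str = "aws") -> str:
    """ARN of an AWS managed policy; the partition ('aws', 'aws-cn', ...) is an assumption to set for your account."""
    return f"arn:{partition}:iam::aws:policy/{name}"


def policy_name(arn: str) -> str:
    return arn.rsplit("/", 1)[-1]


def plan_migration(attached_policy_arns: List[str], partition: str = "aws") -> List[Tuple[str, str]]:
    """Return ('attach'|'detach', policy_arn) steps for one principal.

    The replacement is attached before the deprecated policy is detached. If the
    replacement is already attached only the detach step is emitted; policies that
    are not deprecated produce no step.
    """
    attached_names = {policy_name(a) for a in attached_policy_arns}
    steps: List[Tuple[str, str]] = []
    for arn in attached_policy_arns:
        replacement = POLICY_REPLACEMENTS.get(policy_name(arn))
        if replacement is None:
            continue
        if replacement not in attached_names:
            steps.append(("attach", managed_policy_arn(replacement, partition)))
            attached_names.add(replacement)
        steps.append(("detach", arn))
    return steps


def migrate_entities(iam, partition: str = "aws", apply: bool = False) -> List[Tuple[str, str, str]]:
    """Find every principal carrying a deprecated policy; execute its plan when apply=True.

    Returns (entity_name, verb, policy_arn) for every step found, applied or not.
    Each principal is planned once, even if it carries several deprecated policies.
    """
    performed: List[Tuple[str, str, str]] = []
    seen = set()
    for deprecated in POLICY_REPLACEMENTS:
        old_arn = managed_policy_arn(deprecated, partition)
        try:
            pages = iam.get_paginator("list_entities_for_policy").paginate(PolicyArn=old_arn)
            for page in pages:
                for field, (name_key, attach, detach, list_attached) in ENTITY_KINDS.items():
                    for entity in page.get(field, []):
                        name = entity[name_key]
                        if (field, name) in seen:
                            continue
                        seen.add((field, name))
                        attached = [p["PolicyArn"] for p in getattr(iam, list_attached)(**{name_key: name})["AttachedPolicies"]]
                        for verb, arn in plan_migration(attached, partition):
                            performed.append((name, verb, arn))
                            if apply:
                                getattr(iam, attach if verb == "attach" else detach)(**{name_key: name, "PolicyArn": arn})
        except iam.exceptions.NoSuchEntityException:
            continue  # the deprecated policy does not exist in this partition; nothing to migrate
    return performed


if __name__ == "__main__":
    import boto3  # imported here so plan_migration can be exercised without boto3 installed
    client = boto3.client("iam")
    # Dry run by default; pass --apply to perform the attach/detach calls.
    for entity, verb, arn in migrate_entities(client, apply="--apply" in sys.argv):
        print(f"{entity}: {verb} {arn}")
```

The dry run prints the plan so it can be reviewed (and diffed against CloudTrail afterwards) before `--apply` makes any IAM change.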
AppRegistry updates to Amazon managed policies
View details about updates to Amazon managed policies for AppRegistry since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AppRegistry Document history page.
Change | Description | Date |
---|---|---|
AWSServiceCatalogSyncServiceRolePolicy – Update managed policy | Amazon Service Catalog updated the | May 7, 2024 |
AWSServiceCatalogAdminFullAccess – Update managed policy | Amazon Service Catalog updated the | April 14, 2023 |
AWSServiceCatalogOrgsDataSyncServiceRolePolicy – New managed policy | Amazon Service Catalog added the | April 14, 2023 |
AWSServiceCatalogAdminFullAccess – Update managed policy | Amazon Service Catalog updated the | January 12, 2023 |
AWSServiceCatalogSyncServiceRolePolicy – New managed policy | Amazon Service Catalog added the | November 18, 2022 |
AWSServiceRoleForServiceCatalogSync – New service-linked role | Amazon Service Catalog added the | November 18, 2022 |
AWSServiceCatalogAdminFullAccess – Updated managed policy | Amazon Service Catalog updated the | September 30, 2022 |
AppRegistry started tracking changes | AppRegistry started tracking changes for its Amazon managed policies. | September 15, 2022 |