AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Service Catalog

AWS Service Catalog (service prefix: servicecatalog) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by AWS Service Catalog

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions Description Access Level Resource Types (*required) Condition Keys Dependent Actions
AcceptPortfolioShare Accepts a portfolio that has been shared with you Write
AssociateBudgetWithResource Associates a budget with a resource. Write
AssociatePrincipalWithPortfolio Associates an IAM principal with a portfolio, giving the specified principal access to any products associated with the specified portfolio Write
AssociateProductWithPortfolio Associates a product with a portfolio Write
AssociateServiceActionWithProvisioningArtifact Associates an action with a provisioning artifact Write
AssociateTagOptionWithResource Associate the specified TagOption with the specified portfolio or product Write
BatchAssociateServiceActionWithProvisioningArtifact Associates multiple self-service actions with provisioning artifacts. Write
BatchDisassociateServiceActionFromProvisioningArtifact Disassociates a batch of self-service actions from the specified provisioning artifact. Write
CopyProduct Copies the specified source product to the specified target product or a new product. Write
CreateConstraint Creates a constraint on an associated product and portfolio Write
CreatePortfolio Creates a portfolio Write
CreatePortfolioShare Shares a portfolio you own with another AWS account Permissions management
CreateProduct Creates a product and that product's first provisioning artifact Write
CreateProvisionedProductPlan Adds a new provisioned product plan Write
CreateProvisioningArtifact Adds a new provisioning artifact to an existing product Write
CreateServiceAction Creates a self-service action. Write
CreateTagOption Creates a TagOption. Write
DeleteConstraint Removes and deletes an existing constraint from an associated product and portfolio Write
DeletePortfolio Deletes a portfolio if all associations and shares have been removed from the portfolio Write
DeletePortfolioShare Unshares a portfolio you own from an AWS account you previously shared the portfolio with Permissions management
DeleteProduct Deletes a product if all associations have been removed from the product Write
DeleteProvisionedProductPlan Deletes a provisioned product plan Write
DeleteProvisioningArtifact Deletes a provisioning artifact from a product Write
DeleteServiceAction Deletes a self-service action. Write
DeleteTagOption Deletes the specified TagOption. Write
DescribeConstraint Describes a constraint Read
DescribeCopyProductStatus Gets the status of the specified copy product operation. Read
DescribePortfolio Describes a portfolio Read
DescribePortfolioShareStatus Gets the status of the specified portfolio share operation. Read
DescribeProduct Describes a product as an end-user Read
DescribeProductAsAdmin Describes a product as an admin Read
DescribeProductView Describes a product as an end-user Read
DescribeProvisionedProduct Describes a provisioned product Read
DescribeProvisionedProductPlan Describes a provisioned product plan Read
DescribeProvisioningArtifact Describes a provisioning artifact Read
DescribeProvisioningParameters Describes the parameters that you need to specify to successfully provision a specified provisioning artifact Read
DescribeRecord Describes a record and lists any outputs Read

servicecatalog:accountLevel

servicecatalog:roleLevel

servicecatalog:userLevel

DescribeServiceAction Describes a self-service action. Read
DescribeServiceActionExecutionParameters Gets the default parameters if you executed the specified Service Action on the specified Provisioned Product. Read
DescribeTagOption Gets information about the specified TagOption. Read
DisableAWSOrganizationsAccess Disable portfolio sharing through AWS Organizations feature. Write
DisassociateBudgetFromResource Disassociates a budget from a resource. Write
DisassociatePrincipalFromPortfolio Disassociates an IAM principal from a portfolio. Write
DisassociateProductFromPortfolio Disassociates a product from a portfolio Write
DisassociateServiceActionFromProvisioningArtifact Disassociates the specified self-service action association from the specified provisioning artifact. Write
DisassociateTagOptionFromResource Disassociates the specified TagOption from the specified resource. Write
EnableAWSOrganizationsAccess Enable portfolio sharing feature through AWS Organizations. Write
ExecuteProvisionedProductPlan Executes a provisioned product plan Write
ExecuteProvisionedProductServiceAction Executes a provisioned product plan Write
GetAWSOrganizationsAccessStatus Get the Access Status for AWS Organization portfolio share feature. Read
ListAcceptedPortfolioShares Lists the portfolios that have been shared with you and you have accepted List
ListBudgetsForResource Lists all the budgets associated to a resource. List
ListConstraintsForPortfolio Lists constraints associated with a given portfolio List
ListLaunchPaths Lists the different ways to launch a given product as an end-user List
ListOrganizationPortfolioAccess Lists the organization nodes that have access to the specified portfolio. List
ListPortfolioAccess Lists the AWS accounts you have shared a given portfolio with List
ListPortfolios Lists the portfolios in your account List
ListPortfoliosForProduct Lists the portfolios associated with a given product List
ListPrincipalsForPortfolio Lists the IAM principals associated with a given portfolio List
ListProvisionedProductPlans Lists the provisioned product plans List
ListProvisioningArtifacts Lists the provisioning artifacts associated with a given product List
ListProvisioningArtifactsForServiceAction Lists all provisioning artifacts for the specified self-service action. List
ListRecordHistory Lists all the records in your account or all the records related to a given provisioned product List

servicecatalog:accountLevel

servicecatalog:roleLevel

servicecatalog:userLevel

ListResourcesForTagOption Lists the resources associated with the specified TagOption. List
ListServiceActions Lists all self-service actions. List
ListServiceActionsForProvisioningArtifact Lists all the service actions in your account List
ListStackInstancesForProvisionedProduct Lists account, region and status of each stack instances that are associated with a CFN_STACKSET type provisioned product List
ListTagOptions Lists the specified TagOptions or all TagOptions. List
ProvisionProduct Provisions a product with a specified provisioning artifact and launch parameters Write
RejectPortfolioShare Rejects a portfolio that has been shared with you that you previously accepted Write
ScanProvisionedProducts Lists all the provisioned products in your account List

servicecatalog:accountLevel

servicecatalog:roleLevel

servicecatalog:userLevel

SearchProducts Lists the products available to you as an end-user List
SearchProductsAsAdmin Lists all the products in your account or all the products associated with a given portfolio List
SearchProvisionedProducts Lists all the provisioned products in your account List

servicecatalog:accountLevel

servicecatalog:roleLevel

servicecatalog:userLevel

TerminateProvisionedProduct Terminates an existing provisioned product Write

servicecatalog:accountLevel

servicecatalog:roleLevel

servicecatalog:userLevel

UpdateConstraint Updates the metadata fields of an existing constraint Write
UpdatePortfolio Updates the metadata fields and/or tags of an existing portfolio Write
UpdateProduct Updates the metadata fields and/or tags of an existing product Write
UpdateProvisionedProduct Updates an existing provisioned product Write

servicecatalog:accountLevel

servicecatalog:roleLevel

servicecatalog:userLevel

UpdateProvisionedProductProperties Updates the properties of an existing provisioned product Write
UpdateProvisioningArtifact Updates the metadata fields of an existing provisioning artifact Write
UpdateServiceAction Updates a self-service action. Write
UpdateTagOption Updates the specified TagOption. Write

Resources Defined by AWS Service Catalog

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys
Portfolio arn:${Partition}:servicecatalog:${Region}:${Account}:portfolio/${PortfolioId}
Product arn:${Partition}:servicecatalog:${Region}:${Account}:product/${ProductId}
ProvisionedProduct arn:${Partition}:servicecatalog:${Region}:${Account}:stack/${ProvisionedProductName}/${ProvisionedProductId}

Condition Keys for AWS Service Catalog

AWS Service Catalog defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

For example policies that show how these condition keys can be used in an IAM policy, see Example Access Policies for Provisioned Product Management in the AWS Service Catalog Administrator Guide.

Condition Keys Description Type
servicecatalog:accountLevel Allows users to see and perform actions on resources created by anyone in the account. String
servicecatalog:roleLevel Allows users to see and perform actions on resources created either by them or by anyone federating into the same role as them. String
servicecatalog:userLevel Allows users to see and perform actions on only resources that they created. String