AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Service Catalog

AWS Service Catalog (service prefix: servicecatalog) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Service Catalog

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

The Resource Types and Dependent Actions columns are empty for every Service Catalog action (the service defines no resource types), so they are omitted below. Condition keys are listed under the actions that accept them.

Action                              Access level            Description
AcceptPortfolioShare                Write                   Accepts a portfolio that has been shared with you
AssociatePrincipalWithPortfolio     Write                   Associates an IAM principal with a portfolio, giving the specified principal access to any products associated with the specified portfolio
AssociateProductWithPortfolio       Write                   Associates a product with a portfolio
CreateConstraint                    Write                   Creates a constraint on an associated product and portfolio
CreatePortfolio                     Tagging                 Creates a portfolio
CreatePortfolioShare                Permissions management  Shares a portfolio you own with another AWS account
CreateProduct                       Tagging                 Creates a product and that product's first provisioning artifact
CreateProvisioningArtifact          Write                   Adds a new provisioning artifact to an existing product
DeleteConstraint                    Write                   Removes and deletes an existing constraint from an associated product and portfolio
DeletePortfolio                     Write                   Deletes a portfolio if all associations and shares have been removed from the portfolio
DeletePortfolioShare                Permissions management  Unshares a portfolio you own from an AWS account you previously shared the portfolio with
DeleteProduct                       Write                   Deletes a product if all associations have been removed from the product
DeleteProvisioningArtifact          Write                   Deletes a provisioning artifact from a product
DescribeConstraint                  Read                    Describes a constraint
DescribePortfolio                   Read                    Describes a portfolio
DescribeProduct                     Read                    Describes a product as an end-user
DescribeProductAsAdmin              Read                    Describes a product as an admin
DescribeProductView                 Read                    Describes a product as an end-user
DescribeProvisioningArtifact        Read                    Describes a provisioning artifact
DescribeProvisioningParameters      Read                    Describes the parameters that you need to specify to successfully provision a specified provisioning artifact
DescribeRecord                      Read                    Describes a record and lists any outputs
    Condition keys: servicecatalog:accountLevel, servicecatalog:roleLevel, servicecatalog:userLevel
DisassociatePrincipalFromPortfolio  Write                   Disassociates an IAM principal from a portfolio
DisassociateProductFromPortfolio    Write                   Disassociates a product from a portfolio
ListAcceptedPortfolioShares         List                    Lists the portfolios that have been shared with you and that you have accepted
ListConstraintsForPortfolio         List                    Lists constraints associated with a given portfolio
ListLaunchPaths                     List                    Lists the different ways to launch a given product as an end-user
ListPortfolioAccess                 List                    Lists the AWS accounts you have shared a given portfolio with
ListPortfolios                      List                    Lists the portfolios in your account
ListPortfoliosForProduct            List                    Lists the portfolios associated with a given product
ListPrincipalsForPortfolio          List                    Lists the IAM principals associated with a given portfolio
ListProvisioningArtifacts           List                    Lists the provisioning artifacts associated with a given product
ListRecordHistory                   List                    Lists all the records in your account or all the records related to a given provisioned product
    Condition keys: servicecatalog:accountLevel, servicecatalog:roleLevel, servicecatalog:userLevel
ProvisionProduct                    Tagging                 Provisions a product with a specified provisioning artifact and launch parameters
RejectPortfolioShare                Write                   Rejects a portfolio that has been shared with you, including one you previously accepted
ScanProvisionedProducts             List                    Lists all the provisioned products in your account
    Condition keys: servicecatalog:accountLevel, servicecatalog:roleLevel, servicecatalog:userLevel
SearchProducts                      List                    Lists the products available to you as an end-user
SearchProductsAsAdmin               List                    Lists all the products in your account or all the products associated with a given portfolio
TerminateProvisionedProduct         Write                   Terminates an existing provisioned product
    Condition keys: servicecatalog:accountLevel, servicecatalog:roleLevel, servicecatalog:userLevel
UpdateConstraint                    Write                   Updates the metadata fields of an existing constraint
UpdatePortfolio                     Tagging                 Updates the metadata fields and/or tags of an existing portfolio
UpdateProduct                       Tagging                 Updates the metadata fields and/or tags of an existing product
UpdateProvisionedProduct            Write                   Updates an existing provisioned product
    Condition keys: servicecatalog:accountLevel, servicecatalog:roleLevel, servicecatalog:userLevel
UpdateProvisioningArtifact          Write                   Updates the metadata fields of an existing provisioning artifact

Resources Defined by Service Catalog

Service Catalog has no service-defined resources that can be used as the Resource element of an IAM policy statement. A statement that grants Service Catalog actions must therefore use "*" as its Resource; you cannot narrow a grant to a particular portfolio, product or provisioned product by ARN. For the provisioned-product actions, the condition keys in the next section are the only way to narrow the grant.

Condition Keys for AWS Service Catalog

AWS Service Catalog defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

For example policies that show how these condition keys can be used in an IAM policy, see Example Access Policies for Provisioned Product Management in the AWS Service Catalog Administrator Guide.

Condition key                  Type     Description
servicecatalog:accountLevel    String   Allows users to see and perform actions on resources created by anyone in the account.
servicecatalog:roleLevel       String   Allows users to see and perform actions on resources created either by them or by anyone federating into the same role as them.
servicecatalog:userLevel       String   Allows users to see and perform actions on only resources that they created.

These keys are evaluated only for the actions that list them in the actions table above (DescribeRecord, ListRecordHistory, ScanProvisionedProducts, TerminateProvisionedProduct and UpdateProvisionedProduct). Attaching one of them to a statement that grants other Service Catalog actions has no effect on those actions.
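The policy shape these keys imply, and a check for the mistake they exist to prevent, as an added example (this is not code from the AWS documentation or from the Service Catalog service). Because Service Catalog defines no resource types, the Resource element is "*" and the scope key carries the whole restriction; the value "self" follows the example policies in the Service Catalog Administrator Guide referenced above. The lint function, the finding labels "unscoped" and "share", and the sample policies are this example's own constructions. It scans Allow statements for the five scoped actions granted without any servicecatalog:*Level condition (typically through a wildcard such as servicecatalog:*) and for the two Permissions-management share actions, which can expose a portfolio to another AWS account.

```python
"""Build and lint IAM policies for AWS Service Catalog provisioned-product access.

Added example, not code from the AWS documentation.
"""
import fnmatch
import json

# The five actions that honour the servicecatalog:*Level scope keys (actions table above).
SCOPED_ACTIONS = {
    "servicecatalog:DescribeRecord",
    "servicecatalog:ListRecordHistory",
    "servicecatalog:ScanProvisionedProducts",
    "servicecatalog:TerminateProvisionedProduct",
    "servicecatalog:UpdateProvisionedProduct",
}

# Access level "Permissions management": these share or unshare a portfolio across accounts.
SHARE_ACTIONS = {
    "servicecatalog:CreatePortfolioShare",
    "servicecatalog:DeletePortfolioShare",
}

SCOPE_KEYS = {
    "user": "servicecatalog:userLevel",
    "role": "servicecatalog:roleLevel",
    "account": "servicecatalog:accountLevel",
}


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports the * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def provisioned_product_policy(scope):
    """Return a policy dict granting provisioned-product management at 'user', 'role' or 'account' scope.

    Resource is "*" because Service Catalog defines no resource types; the
    condition key is what narrows the grant. "self" is the value the Service
    Catalog Administrator Guide uses in its example policies (assumption of this example).
    """
    key = SCOPE_KEYS[scope]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"ProvisionedProduct{scope.capitalize()}Scope",
            "Effect": "Allow",
            "Action": sorted(SCOPED_ACTIONS),
            "Resource": "*",
            "Condition": {"StringEquals": {key: "self"}},
        }],
    }


def lint_policy(policy):
    """Return (sid, action, issue) findings for Allow statements in a policy document.

    'unscoped': a scoped action is granted with no servicecatalog:*Level condition,
                so the principal can act on every provisioned product in the account.
    'share':    a Permissions-management share action is granted (often via a wildcard),
                letting the principal expose a portfolio to other AWS accounts.
    Only Action is inspected; NotAction statements are not expanded (hypothetical simplification).
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        # Condition is {operator: {key: value}}; condition key names are case-insensitive.
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        scoped = any(k.lower() in cond_keys for k in SCOPE_KEYS.values())
        patterns = _as_list(stmt.get("Action"))
        for action in sorted(SCOPED_ACTIONS | SHARE_ACTIONS):
            if not any(_matches(p, action) for p in patterns):
                continue
            if action in SHARE_ACTIONS:
                findings.append((sid, action, "share"))
            elif not scoped:
                findings.append((sid, action, "unscoped"))
    return findings


if __name__ == "__main__":
    print(json.dumps(provisioned_product_policy("role"), indent=2))
    # Constructed sample: a wildcard grant with no scope key.
    broad = {"Version": "2012-10-17", "Statement": [
        {"Sid": "Broad", "Effect": "Allow", "Action": "servicecatalog:*", "Resource": "*"}]}
    for finding in lint_policy(broad):
        print(finding)
```

Run the lint over policies pulled with the IAM API or checked into infrastructure code; a finding of "unscoped" on TerminateProvisionedProduct or UpdateProvisionedProduct means any principal holding the policy can terminate or change provisioned products created by anyone in the account, which is the account-level behaviour described for servicecatalog:accountLevel but granted without anyone having chosen it.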