Actions, resources, and condition keys for AWS Service Catalog - Service Authorization Reference

Actions, resources, and condition keys for AWS Service Catalog

AWS Service Catalog (service prefix: servicecatalog) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Service Catalog

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AcceptPortfolioShare Grants permission to accept a portfolio that has been shared with you Write

Portfolio*

AssociateAttributeGroup Grants permission to associate an attribute group with an application. Write

Application*

AttributeGroup*

AssociateBudgetWithResource Grants permission to associate a budget with a resource Write
AssociatePrincipalWithPortfolio Grants permission to associate an IAM principal with a portfolio, giving the specified principal access to any products associated with the specified portfolio Write

Portfolio*

AssociateProductWithPortfolio Grants permission to associate a product with a portfolio Write
AssociateResource Grants permission to associate a resource with an application. Write

Application*

AssociateServiceActionWithProvisioningArtifact Grants permission to associate an action with a provisioning artifact Write

Product*

AssociateTagOptionWithResource Grants permission to associate the specified TagOption with the specified portfolio or product Write

Portfolio

Product

BatchAssociateServiceActionWithProvisioningArtifact Grants permission to associate multiple self-service actions with provisioning artifacts Write
BatchDisassociateServiceActionFromProvisioningArtifact Grants permission to disassociate a batch of self-service actions from the specified provisioning artifact Write
CopyProduct Grants permission to copy the specified source product to the specified target product or a new product Write
CreateApplication Grants permission to create an application. Write

Application*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAttributeGroup Grants permission to create an attribute group. Write

AttributeGroup*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateConstraint Grants permission to create a constraint on an associated product and portfolio Write

Product*

CreatePortfolio Grants permission to create a portfolio Write

Portfolio*

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePortfolioShare Grants permission to share a portfolio you own with another AWS account Permissions management

Portfolio*

CreateProduct Grants permission to create a product and that product's first provisioning artifact Write

Product*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateProvisionedProductPlan Grants permission to add a new provisioned product plan Write
CreateProvisioningArtifact Grants permission to add a new provisioning artifact to an existing product Write

Product*

CreateServiceAction Grants permission to create a self-service action Write
CreateTagOption Grants permission to create a TagOption Write
DeleteApplication Grants permission to delete an application if all associations have been removed from the application. Write

Application*

DeleteAttributeGroup Grants permission to delete an attribute group if all associations have been removed from the attribute group. Write

AttributeGroup*

DeleteConstraint Grants permission to remove and delete an existing constraint from an associated product and portfolio Write
DeletePortfolio Grants permission to delete a portfolio if all associations and shares have been removed from the portfolio Write

Portfolio*

DeletePortfolioShare Grants permission to unshare a portfolio you own from an AWS account you previously shared the portfolio with Permissions management

Portfolio*

DeleteProduct Grants permission to delete a product if all associations have been removed from the product Write

Product*

DeleteProvisionedProductPlan Grants permission to delete a provisioned product plan Write
DeleteProvisioningArtifact Grants permission to delete a provisioning artifact from a product Write

Product*

DeleteServiceAction Grants permission to delete a self-service action Write
DeleteTagOption Grants permission to delete the specified TagOption Write
DescribeConstraint Grants permission to describe a constraint Read
DescribeCopyProductStatus Grants permission to get the status of the specified copy product operation Read
DescribePortfolio Grants permission to describe a portfolio Read

Portfolio*

DescribePortfolioShareStatus Grants permission to get the status of the specified portfolio share operation Read
DescribeProduct Grants permission to describe a product as an end-user Read

Product*

DescribeProductAsAdmin Grants permission to describe a product as an admin Read

Product*

DescribeProductView Grants permission to describe a product as an end-user Read
DescribeProvisionedProduct Grants permission to describe a provisioned product Read
DescribeProvisionedProductPlan Grants permission to describe a provisioned product plan Read
DescribeProvisioningArtifact Grants permission to describe a provisioning artifact Read

Product*

DescribeProvisioningParameters Grants permission to describe the parameters that you need to specify to successfully provision a specified provisioning artifact Read

Product*

DescribeRecord Grants permission to describe a record and lists any outputs Read

servicecatalog:accountLevel

servicecatalog:roleLevel

servicecatalog:userLevel

DescribeServiceAction Grants permission to describe a self-service action Read
DescribeServiceActionExecutionParameters Grants permission to get the default parameters if you executed the specified Service Action on the specified Provisioned Product Read
DescribeTagOption Grants permission to get information about the specified TagOption Read
DisableAWSOrganizationsAccess Grants permission to disable portfolio sharing through AWS Organizations feature Write
DisassociateAttributeGroup Grants permission to disassociate an attribute group from an application. Write

Application*

AttributeGroup*

DisassociateBudgetFromResource Grants permission to disassociate a budget from a resource Write
DisassociatePrincipalFromPortfolio Grants permission to disassociate an IAM principal from a portfolio Write

Portfolio*

DisassociateProductFromPortfolio Grants permission to disassociate a product from a portfolio Write
DisassociateResource Grants permission to disassociate a resource from an application. Write

Application*

DisassociateServiceActionFromProvisioningArtifact Grants permission to disassociate the specified self-service action association from the specified provisioning artifact Write

Product*

DisassociateTagOptionFromResource Grants permission to disassociate the specified TagOption from the specified resource Write

Portfolio

Product

EnableAWSOrganizationsAccess Grants permission to enable portfolio sharing feature through AWS Organizations Write
ExecuteProvisionedProductPlan Grants permission to execute a provisioned product plan Write
ExecuteProvisionedProductServiceAction Grants permission to executes a provisioned product plan Write
GetAWSOrganizationsAccessStatus Grants permission to get the access status of AWS Organization portfolio share feature Read
GetApplication Grants permission to get an application. Read

Application*

GetAttributeGroup Grants permission to get an attribute group. Read

AttributeGroup*

ImportAsProvisionedProduct Grants permission to import a resource into a provisioned product. Write

Product*

ListAcceptedPortfolioShares Grants permission to list the portfolios that have been shared with you and you have accepted List
ListApplications Grants permission to list the applications in your account. List
ListAssociatedAttributeGroups Grants permission to list the attribute groups associated with an application. List

Application*

ListAssociatedResources Grants permission to list the resources associated with an application. List

Application*

ListAttributeGroups Grants permission to list the attribute groups in your account. List
ListBudgetsForResource Grants permission to list all the budgets associated to a resource List
ListConstraintsForPortfolio Grants permission to list constraints associated with a given portfolio List
ListLaunchPaths Grants permission to list the different ways to launch a given product as an end-user List

Product*

ListOrganizationPortfolioAccess Grants permission to list the organization nodes that have access to the specified portfolio List
ListPortfolioAccess Grants permission to list the AWS accounts you have shared a given portfolio with List

Portfolio*

ListPortfolios Grants permission to list the portfolios in your account List
ListPortfoliosForProduct Grants permission to list the portfolios associated with a given product List

Product*

ListPrincipalsForPortfolio Grants permission to list the IAM principals associated with a given portfolio List

Portfolio*

ListProvisionedProductPlans Grants permission to list the provisioned product plans List
ListProvisioningArtifacts Grants permission to list the provisioning artifacts associated with a given product List

Product*

ListProvisioningArtifactsForServiceAction Grants permission to list all provisioning artifacts for the specified self-service action List
ListRecordHistory Grants permission to list all the records in your account or all the records related to a given provisioned product List

servicecatalog:accountLevel

servicecatalog:roleLevel

servicecatalog:userLevel

ListResourcesForTagOption Grants permission to list the resources associated with the specified TagOption List
ListServiceActions Grants permission to list all self-service actions List
ListServiceActionsForProvisioningArtifact Grants permission to list all the service actions associated with the specified provisioning artifact in your account List

Product*

ListStackInstancesForProvisionedProduct Grants permission to list account, region and status of each stack instances that are associated with a CFN_STACKSET type provisioned product List
ListTagOptions Grants permission to list the specified TagOptions or all TagOptions List
ProvisionProduct Grants permission to provision a product with a specified provisioning artifact and launch parameters Write

Product*

RejectPortfolioShare Grants permission to reject a portfolio that has been shared with you that you previously accepted Write

Portfolio*

ScanProvisionedProducts Grants permission to list all the provisioned products in your account List

servicecatalog:accountLevel

servicecatalog:roleLevel

servicecatalog:userLevel

SearchProducts Grants permission to list the products available to you as an end-user List
SearchProductsAsAdmin Grants permission to list all the products in your account or all the products associated with a given portfolio List
SearchProvisionedProducts Grants permission to list all the provisioned products in your account List

servicecatalog:accountLevel

servicecatalog:roleLevel

servicecatalog:userLevel

TerminateProvisionedProduct Grants permission to terminate an existing provisioned product Write

servicecatalog:accountLevel

servicecatalog:roleLevel

servicecatalog:userLevel

UpdateApplication Grants permission to update the attributes of an existing application. Write

Application*

UpdateAttributeGroup Grants permission to update the attributes of an existing attribute group. Write

AttributeGroup*

UpdateConstraint Grants permission to update the metadata fields of an existing constraint Write
UpdatePortfolio Grants permission to update the metadata fields and/or tags of an existing portfolio Write

Portfolio*

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateProduct Grants permission to update the metadata fields and/or tags of an existing product Write

Product*

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateProvisionedProduct Grants permission to update an existing provisioned product Write

servicecatalog:accountLevel

servicecatalog:roleLevel

servicecatalog:userLevel

UpdateProvisionedProductProperties Grants permission to update the properties of an existing provisioned product Write
UpdateProvisioningArtifact Grants permission to update the metadata fields of an existing provisioning artifact Write

Product*

UpdateServiceAction Grants permission to update a self-service action Write
UpdateTagOption Grants permission to update the specified TagOption Write

Resource types defined by AWS Service Catalog

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource types ARN Condition keys
Application arn:${Partition}:servicecatalog:${Region}:${Account}:/applications/${ApplicationId}

aws:ResourceTag/${TagKey}

AttributeGroup arn:${Partition}:servicecatalog:${Region}:${Account}:/attribute-groups/${AttributeGroupId}

aws:ResourceTag/${TagKey}

Portfolio arn:${Partition}:catalog:${Region}:${Account}:portfolio/${PortfolioId}

aws:ResourceTag/${TagKey}

Product arn:${Partition}:catalog:${Region}:${Account}:product/${ProductId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Service Catalog

AWS Service Catalog defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Note

For example policies that show how these condition keys can be used in an IAM policy, see Example Access Policies for Provisioned Product Management in the AWS Service Catalog Administrator Guide.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access based on the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access based on tag key-value pairs attached to the resource String
aws:TagKeys Filters access based on the presence of tag keys in the request String
servicecatalog:accountLevel Filters users to see and perform actions on resources created by anyone in the account String
servicecatalog:roleLevel Filters users to see and perform actions on resources created either by them or by anyone federating into the same role as them String
servicecatalog:userLevel Filters users to see and perform actions on only resources that they created String