AWS Service Catalog
Administrator Guide

AWS Service Catalog Launch Constraints

A launch constraint specifies the AWS Identity and Access Management (IAM) role that AWS Service Catalog assumes when an end user launches a product. An IAM role is a collection of permissions that an IAM user or AWS service can assume temporarily to use AWS services. For an introductory example, see Step 6: Add a Launch Constraint to Assign an IAM Role.

Launch constraints are associated with a product within the portfolio (product-portfolio association), not at the portfolio level or to a product across all portfolios. To associate a launch constraint with all products in a portfolio, you must apply the launch constraint to each product individually.

Without a launch constraint, end users must launch and manage products using their own IAM credentials. To do so, they must have permissions for AWS CloudFormation, the AWS services used by the products, and AWS Service Catalog. By using a launch role, you can instead limit the end users' permissions to the minimum that they require for that product. For more information about end user permissions, see Authentication and Access Control for AWS Service Catalog.

To create and assign IAM roles, you must have the following IAM administrative permissions:

  • iam:CreateRole

  • iam:PutRolePolicy

  • iam:PassRole

  • iam:Get*

  • iam:List*

Configuring a Launch Role

The IAM role that you assign to a product as a launch constraint must have permissions to use the following:

  • AWS CloudFormation

  • Services used in the AWS CloudFormation template for the product

  • Read access to the AWS CloudFormation template in Amazon S3

The IAM role also must have a trust relationship with AWS Service Catalog, which you assign by selecting AWS Service Catalog as the role type in the following procedure. The trust relationship allows AWS Service Catalog to assume the role during the launch process to create resources.


The servicecatalog:ProvisionProduct, servicecatalog:TerminateProduct, and servicecatalog:UpdateProduct permissions cannot be assigned in a launch role. You must use IAM roles, as shown in the inline policy steps in the section Grant Permissions to AWS Service Catalog End Users.

To create a launch role

  1. Open the IAM console at

  2. Choose Roles.

  3. Choose Create New Role.

  4. Enter a role name and choose Next Step.

  5. Under AWS Service Roles next to AWS Service Catalog, choose Select.

  6. On the Attach Policy page, Choose Next Step.

  7. To create the role, choose Create Role.

To attach a policy to the new role

  1. Choose the role that you created to view the role details page.

  2. Choose the Permissions tab, and expand the Inline Policies section. Then, choose click here.

  3. Choose Custom Policy, and then choose Select.

  4. Enter a name for the policy, and then paste the following into the Policy Document editor:

    { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "catalog-user:*", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:GetTemplateSummary", "cloudformation:SetStackPolicy", "cloudformation:ValidateTemplate", "cloudformation:UpdateStack", "s3:GetObject" ], "Resource":"*" } ] }
  5. Add a line to the policy for each additional service that the product uses. For example, to add permission for Amazon Relational Database Service (Amazon RDS), type a comma at the end of the last line in the "Action" list, and then add the following line:

  6. Choose Apply Policy.

Applying a Launch Constraint

Next, assign the role to the product as a launch constraint. This tells AWS Service Catalog to assume the role when an end user launches the product.

To assign the role to a product

  1. Open the AWS Service Catalog console at

  2. Choose the portfolio that contains the product.

  3. Expand Constraints and choose Add constraints.

  4. Choose the product from Product and set Constraint type to Launch. Choose Continue.

  5. For IAM role, choose the launch role. Choose Submit.

Verify That the Launch Constraint Is Applied

Verify that AWS Service Catalog uses the role to launch the product and that the provisioned product is created successfully by launching the product from the AWS Service Catalog console. To test a constraint prior to releasing it to users, create a test portfolio that contains the same products and test the constraints with that portfolio.

To launch the product

  1. In the menu for the AWS Service Catalog console, choose Service Catalog, End user.

  2. Choose the product to open the Product details page. In the Launch options table, verify that the Amazon Resource Name (ARN) of the role appears.

  3. Choose Launch product.

  4. Proceed through the launch steps, filling in any required information.

  5. Verify that the product starts successfully.