AWS Service Catalog
Administrator Guide

Authentication and Access Control for AWS Service Catalog

AWS Service Catalog integrates with AWS Identity and Access Management (IAM) to enable you to grant AWS Service Catalog administrators the permissions they need to create and manage products, and to grant end users the permissions they need to launch products and manage provisioned products. These policies are either created and managed by AWS or individually by administrators and end users. To control access, you attach these policies to the IAM users, groups, and roles that you use with AWS Service Catalog.

Predefined AWS Managed Policies

The managed policies created by AWS grant the required permissions for common use cases. You can attach these policies to your IAM users and roles. For more information, see AWS Managed Policies in the IAM User Guide.

The following are the AWS managed policies for AWS Service Catalog.

Administrators
  • AWSServiceCatalogAdminFullAccess — Grants full access to the administrator console view and permission to create and manage products and portfolios.

  • ServiceCatalogAdminReadOnlyAccess — Grants full access to the administrator console view. Does not grant access to create or manage products and portfolios.

End users
  • AWSServiceCatalogEndUserFullAccess — Grants full access to the end user console view. Grants permission to launch products and manage provisioned products.

  • ServiceCatalogEndUserAccess — Grants read-only access to the end user console view. Does not grant permission to launch products or manage provisioned products.

To attach a policy to an IAM user

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name (not the check box) of the IAM user.

  4. On the Permissions tab, choose Attach Policy.

  5. On the Attach Policy page, select the check box next to the managed policy for AWS Service Catalog, and then choose Attach Policy.

  6. (Optional) You must grant administrators additional permissions for Amazon S3 if they need to use a private CloudFormation template. For more information, see User Policy Examples in the Amazon Simple Storage Service Developer Guide

Deprecated Policies

The following managed policies are deprecated:

  • ServiceCatalogAdminFullAccess — Use AWSServiceCatalogAdminFullAccess instead.

  • ServiceCatalogEndUserFullAccess — Use AWSServiceCatalogEndUserFullAccess instead.

Use the following procedure to ensure that your administrators and end users are granted permissions using the current policies.

To migrate from the deprecated policies to the current policies

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the search field, type ServiceCatalog to filter the policy list. Choose the name (not the check box) for ServiceCatalogAdminFullAccess.

  4. For each attached entity (user, group, or role), do the following:

    1. Open the summary page for the entity.

    2. Add one of the current policies, as described in the procedure To attach a policy to an IAM user.

    3. On the Permissions tab, next to ServiceCatalogAdminFullAccess, choose Detach Policy. When prompted for confirmation, choose Detach.

  5. Repeat the process for ServiceCatalogEndUserFullAccess.

Console Access for End Users

Before end users can use a product to which you give access, you must provide them additional IAM permissions to allow them to use each of the underlying AWS resources in a product's AWS CloudFormation template. For example, if a product template includes Amazon Relational Database Service (Amazon RDS), you must grant the users Amazon RDS permissions to launch the product.

The ServiceCatalogEndUserFullAccess and ServiceCatalogEndUserAccess policies grant access to the AWS Service Catalog end user console view. When a user who has either of these policies chooses Service Catalog in the AWS Management Console, the end user console view displays.

If you apply the ServiceCatalogEndUserAccess policy, your users have access to the end user console, but they won't have the permissions that they need to launch products and manage provisioned products. You can grant these permissions directly to an end user using IAM, but if you want to limit the access that end users have to AWS resources, you should attach the policy to a launch role. You then use AWS Service Catalog to apply the launch role to a launch constraint for the product. For more information about applying a launch role, launch role limitations, and a sample launch role, see AWS Service Catalog Launch Constraints.

If you grant users the following IAM permissions, which are meant for AWS Service Catalog administrators, the administrator console view displays instead:

  • catalog-admin:ListPortfolios

  • catalog-admin:SearchListings

Don't grant end users these permissions unless you want them to have access to the administrator console view.

Product Access for End Users

Before end users can use a product to which you give access, you must provide them additional IAM permissions to allow them to use each of the underlying AWS resources in a product's AWS CloudFormation template. For example, if a product template includes Amazon Relational Database Service (Amazon RDS), you must grant the users Amazon RDS permissions to launch the product.

If you apply the ServiceCatalogEndUserAccess policy, your users have access to the end user console view, but they won't have the permissions that they need to launch products and manage provisioned products. You can grant these permissions directly to an end user in IAM, but if you want to limit the access that end users have to AWS resources, you should attach the policy to a launch role. You then use AWS Service Catalog to apply the launch role to a launch constraint for the product. For more information about applying a launch role, launch role limitations, and a sample launch role, see AWS Service Catalog Launch Constraints.