AWS Service Catalog
Administrator Guide

Grant Permissions to AWS Service Catalog Administrators

As a catalog administrator, you require access to the AWS Service Catalog administrator console view and IAM permissions that allow you to perform tasks such as the following:

  • Creating and managing portfolios

  • Creating and managing products

  • Adding template constraints to control the options that are available to end users when launching a product

  • Adding launch constraints to define the IAM roles that AWS Service Catalog assumes when end users launch products

  • Granting end users access to your products

You, or an administrator who manages your IAM permissions, must attach the policies that are required to complete this tutorial to your IAM user, group, or role.

To grant permissions to a catalog administrator

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users. If you have already created an IAM user that you would like to use as the catalog administrator, choose the user name and choose Add permissions. Otherwise, create a user as follows:

    1. Choose Add user.

    2. For User name, type ServiceCatalogAdmin.

    3. Select Programmatic access and AWS Management Console access.

    4. Choose Next: Permissions.

  3. Choose Attach existing policies directly.

  4. Choose Create policy and do the following:

    1. For Create Your Own Policy, choose Select.

    2. For Policy Name, type ServiceCatalogAdmin-AdditionalPermissions.

    3. Copy the following example policy and paste it in Policy Document:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ec2:CreateKeyPair",
                      "iam:AddRoleToInstanceProfile",
                      "iam:AddUserToGroup",
                      "iam:AttachGroupPolicy",
                      "iam:CreateAccessKey",
                      "iam:CreateGroup",
                      "iam:CreateInstanceProfile",
                      "iam:CreateLoginProfile",
                      "iam:CreateRole",
                      "iam:CreateUser",
                      "iam:Get*",
                      "iam:List*",
                      "iam:PutRolePolicy",
                      "iam:UpdateAssumeRolePolicy"
                  ],
                  "Resource": [
                      "*"
                  ]
              }
          ]
      }

    4. (Optional) If administrators need to use a private CloudFormation template, you must grant them additional permissions for Amazon S3. For more information, see User Policy Examples in the Amazon Simple Storage Service Developer Guide.

    5. Choose Create Policy.

  5. Return to the browser window with the permissions page and choose Refresh.

  6. In the search field, type ServiceCatalog to filter the policy list.

  7. Select the checkboxes for the AWSServiceCatalogAdminFullAccess and ServiceCatalogAdmin-AdditionalPermissions policies, and then choose Next: Review.

  8. If you are updating a user, choose Add permissions.

    If you are creating a user, choose Create user. You can download or copy the credentials and then choose Close.

  9. To sign in as the catalog administrator, use your account-specific URL. To find this URL, choose Dashboard in the navigation pane and choose Copy Link. Paste the link in your browser, and use the name and password of the IAM user you created or updated in this procedure.
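
The example policy in step 4 allows several IAM write actions with "Resource": "*". The following check is an added example, not part of the AWS guide: it lists which actions on a watch list a policy document grants on all resources, so they can be reviewed or scoped before the policy is attached. The WATCHED list and the function names are assumptions chosen for this example.

```python
import json
from fnmatch import fnmatchcase

# The example policy from step 4 of the procedure (copied from this page).
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
  "ec2:CreateKeyPair", "iam:AddRoleToInstanceProfile", "iam:AddUserToGroup",
  "iam:AttachGroupPolicy", "iam:CreateAccessKey", "iam:CreateGroup",
  "iam:CreateInstanceProfile", "iam:CreateLoginProfile", "iam:CreateRole",
  "iam:CreateUser", "iam:Get*", "iam:List*", "iam:PutRolePolicy",
  "iam:UpdateAssumeRolePolicy"], "Resource": ["*"]}]}
""")

# Assumption: a reviewer-chosen watch list of IAM write actions; adjust to your own policy.
WATCHED = [
    "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:CreateAccessKey",
    "iam:CreateLoginProfile", "iam:CreateRole", "iam:CreateUser",
    "iam:PassRole", "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy",
]

def as_list(value):
    """Policy elements may be a single value or a list of values."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def unscoped_watched_actions(policy, watched=WATCHED):
    """Return the watched actions that an Allow statement grants on Resource "*".

    Conservative: Condition blocks are ignored, NotAction/NotResource are not evaluated.
    """
    hits = set()
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource")):
            continue
        # Action names are case-insensitive and may contain * and ? wildcards.
        patterns = [p.lower() for p in as_list(stmt.get("Action"))]
        hits.update(a for a in watched
                    if any(fnmatchcase(a.lower(), p) for p in patterns))
    return sorted(hits)

if __name__ == "__main__":
    for action in unscoped_watched_actions(POLICY):
        print("granted on all resources:", action)
```

An empty result means no watched action is allowed on "*"; statements scoped to specific ARNs are not reported.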