Step 6: Add a Launch Constraint to Assign an IAM Role - AWS Service Catalog

Step 6: Add a Launch Constraint to Assign an IAM Role

A launch constraint designates an IAM role that AWS Service Catalog assumes when an end user launches a product. For this step, you will add a launch constraint to the Linux Desktop product so that AWS Service Catalog can use the AWS resources that are part of the product's AWS CloudFormation template. This launch constraint will enable the end user to launch the product and, after it is launched, manage it as a provisioned product. For more information, see AWS Service Catalog Launch Constraints.

Without a launch constraint, you would need to grant additional IAM permissions to your end users before they could use the Linux Desktop product. For example, the ServiceCatalogEndUserAccess policy grants the minimum IAM permissions required to access the AWS Service Catalog end user console view. By using a launch constraint, you can keep your end users' IAM permissions to a minimum, which is an IAM best practice. For more information, see Grant least privilege in the IAM User Guide.

To add a launch constraint

  1. Open the IAM console at

  2. In the navigation pane, choose Policies. Choose Create policy and do the following:

    1. On the Create policy page, choose the JSON tab.

    2. Copy the following example policy and paste it in Policy Document, replacing the placeholder JSON in the text field:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "cloudformation:CreateStack",
                      "cloudformation:DeleteStack",
                      "cloudformation:DescribeStackEvents",
                      "cloudformation:DescribeStacks",
                      "cloudformation:GetTemplateSummary",
                      "cloudformation:SetStackPolicy",
                      "cloudformation:ValidateTemplate",
                      "cloudformation:UpdateStack",
                      "ec2:*",
                      "s3:GetObject",
                      "servicecatalog:*",
                      "sns:*"
                  ],
                  "Resource": "*"
              }
          ]
      }

    3. Choose Review policy.

    4. For Policy Name, type linuxDesktopPolicy.

    5. Choose Create policy.

  3. In the navigation pane, choose Roles. Choose Create role and do the following:

    1. For Select role type, choose AWS service and then choose Service Catalog. Select the Service Catalog use case and then choose Next: Permissions.

    2. Search for the linuxDesktopPolicy policy and then select the checkbox.

    3. Choose Next: Tags, and then Next: Review.

    4. For Role name, type linuxDesktopLaunchRole.

    5. Choose Create role.

  4. Open the AWS Service Catalog console at

  5. Choose the All engineering tools portfolio.

  6. On the portfolio details page, choose the Constraints tab, and then choose Create constraint.

  7. For Product, choose Linux Desktop, and for Constraint type, choose Launch. Choose Continue.

  8. On the Launch constraint page, choose Search IAM roles, choose linuxDesktopLaunchRole, and then choose Submit.
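
A review check for the launch role, added here as an example and not part of the AWS documentation: it lists the wildcard actions that linuxDesktopPolicy allows on Resource "*" and reports any principal other than Service Catalog that could assume the role. The function names and the sample trust policy are assumptions constructed for illustration.

```python
import json

# Policy document from the procedure above, embedded so the check runs offline.
LINUX_DESKTOP_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
  "cloudformation:CreateStack", "cloudformation:DeleteStack",
  "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks",
  "cloudformation:GetTemplateSummary", "cloudformation:SetStackPolicy",
  "cloudformation:ValidateTemplate", "cloudformation:UpdateStack",
  "ec2:*", "s3:GetObject", "servicecatalog:*", "sns:*"], "Resource": "*"}]}
""")

# Constructed sample (assumption): trust policy naming only Service Catalog.
LAUNCH_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "servicecatalog.amazonaws.com"}}]}


def as_list(value):
    """Statement, Action, Resource and principals may be one value or a list."""
    return value if isinstance(value, list) else [value]


def allow_statements(doc):
    """Yield the Allow statements of a policy document."""
    for stmt in as_list(doc["Statement"]):
        if stmt.get("Effect") == "Allow":
            yield stmt


def broad_grants(policy):
    """Return wildcard actions that are allowed on Resource "*"."""
    return [action for stmt in allow_statements(policy)
            if "*" in as_list(stmt.get("Resource", []))
            for action in as_list(stmt.get("Action", [])) if "*" in action]


def unexpected_principals(trust, expected="servicecatalog.amazonaws.com"):
    """Return (kind, name) for each trusted principal other than `expected`."""
    extra = []
    for stmt in allow_statements(trust):
        principal = stmt.get("Principal", {})
        if principal == "*":  # a bare "*" trusts any principal
            principal = {"*": "*"}
        extra += [(kind, name) for kind, names in principal.items()
                  for name in as_list(names) if (kind, name) != ("Service", expected)]
    return extra


print(broad_grants(LINUX_DESKTOP_POLICY), unexpected_principals(LAUNCH_ROLE_TRUST))
```

The three service-wide grants it reports are the ones to narrow to the actions and resources the product's AWS CloudFormation template actually uses.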