AWS Service Catalog
Administrator Guide

Step 6: Add a Launch Constraint to Assign an IAM Role

A launch constraint designates an IAM role that AWS Service Catalog assumes when an end user launches a product. For this step, you will add a launch constraint to the Linux Desktop product so that AWS Service Catalog can use the AWS resources that are part of the product's AWS CloudFormation template. This launch constraint will enable the end user to launch the product and, after it is launched, manage it as a provisioned product. For more information, see AWS Service Catalog Launch Constraints.

Without a launch constraint, you would need to grant additional IAM permissions to your end users before they could use the Linux Desktop product. For example, the ServiceCatalogEndUserAccess policy grants the minimum IAM permissions required to access the AWS Service Catalog end user console view. By using a launch constraint, you can keep your end users' IAM permissions to a minimum, which is an IAM best practice. For more information, see Grant least privilege in the IAM User Guide.

To add a launch constraint

  1. Open the IAM console at

  2. In the navigation pane, choose Policies. Choose Create policy and do the following:

    1. For Create Your Own Policy, choose Select.

    2. For Policy Name, type linuxDesktopPolicy.

    3. Copy the following example policy and paste it in Policy Document:

      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "catalog-user:*", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:GetTemplateSummary", "cloudformation:SetStackPolicy", "cloudformation:ValidateTemplate", "cloudformation:UpdateStack", "ec2:*", "s3:GetObject", "sns:*" ], "Resource": "*" } ] }
    4. Choose Create Policy.

  3. In the navigation pane, choose Roles. Choose Create role and do the following:

    1. For Select role type, choose AWS service and then choose Service Catalog. Select the Service Catalog use case and then choose Next: Permissions.

    2. Select the checkbox for the linuxDesktopPolicy policy, and then choose Next: Review.

    3. For Role name, type linuxDesktopLaunchRole.

    4. Choose Create role.

  4. Open the AWS Service Catalog console at

  5. Choose the Engineering Tools portfolio.

  6. On the portfolio details page, expand the Constraints section, and then choose Add constraints.

  7. For Product, choose Linux Desktop, and for Constraint type, choose Launch. Choose Continue.

  8. On the Launch constraint page, for IAM role, choose linuxDesktopLaunchRole, and then choose Submit.