AWS Service Catalog
Administrator Guide


Step 6: Add a Launch Constraint to Assign an IAM Role

A launch constraint designates an IAM role that AWS Service Catalog assumes when an end user launches a product. For this step, you will add a launch constraint to the Linux Desktop product so that AWS Service Catalog has the permissions it needs to create and manage the AWS resources defined in the product's AWS CloudFormation template. With the constraint in place, the end user can launch the product and, after it is launched, manage it as a provisioned product, even though the user's own IAM identity never holds the permissions that create those resources. For more information, see AWS Service Catalog Launch Constraints.

Without a launch constraint, you would need to grant additional IAM permissions to your end users before they could use the Linux Desktop product. For example, the ServiceCatalogEndUserAccess policy grants only the minimum IAM permissions required to access the AWS Service Catalog end user console view; it does not grant ec2, cloudformation, or other service permissions. By using a launch constraint, you keep the broad permissions on the launch role, which only the Service Catalog service principal can assume, and keep your end users' IAM permissions to a minimum, which is an IAM best practice. For more information, see Grant least privilege in the IAM User Guide.

To add a launch constraint

  1. Open the IAM console at

  2. In the navigation pane, choose Policies. Choose Create policy and do the following:

    1. On the Create policy page, choose the JSON tab.

    2. Copy the following example policy and paste it in Policy Document:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "cloudformation:CreateStack",
              "cloudformation:DeleteStack",
              "cloudformation:DescribeStackEvents",
              "cloudformation:DescribeStacks",
              "cloudformation:GetTemplateSummary",
              "cloudformation:SetStackPolicy",
              "cloudformation:ValidateTemplate",
              "cloudformation:UpdateStack",
              "ec2:*",
              "s3:GetObject",
              "servicecatalog:*",
              "sns:*"
            ],
            "Resource": "*"
          }
        ]
      }

      This tutorial policy is deliberately broad: ec2:*, servicecatalog:*, and sns:* on a Resource of "*" let the launch role do far more than the Linux Desktop template requires. Because the launch role, not the end user, holds these permissions, scope them down to the actions and resources the template actually creates before you reuse this pattern outside the tutorial.
    3. Choose Review policy.

    4. For Policy Name, type linuxDesktopPolicy.

    5. Choose Create policy.

  3. In the navigation pane, choose Roles. Choose Create role and do the following:

    1. For Select role type, choose AWS service and then choose Service Catalog. Select the Service Catalog use case and then choose Next: Permissions. This sets the role's trust policy so that only the servicecatalog.amazonaws.com service principal can assume it; end users cannot assume the launch role directly.

    2. Search for the linuxDesktopPolicy policy and then select the checkbox.

    3. Choose Next: Tags, and then Next: Review.

    4. For Role name, type linuxDesktopLaunchRole.

    5. Choose Create role.

  4. Open the AWS Service Catalog console at

  5. Choose the Engineering Tools portfolio.

  6. On the portfolio details page, expand the Constraints section, and then choose Add constraints.

  7. For Product, choose Linux Desktop, and for Constraint type, choose Launch. Choose Continue.

  8. On the Launch constraint page, for IAM role, choose linuxDesktopLaunchRole, and then choose Submit.
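The following script is an added example, not part of the AWS guide, showing the same three objects (permissions policy, launch role with a Service Catalog trust policy, and LAUNCH constraint) created with the AWS CLI instead of the console. It assumes the CLI is configured with administrator credentials, reuses the guide's policy and role names, and takes the portfolio ID and product ID as arguments because those values are account-specific and not given on the page. The trust policy naming servicecatalog.amazonaws.com and the {"RoleArn": ...} constraint parameter are the documented shapes for a Service Catalog launch role and launch constraint.

```shell
#!/usr/bin/env bash
# Added example (not the AWS guide's own code): create the linuxDesktopPolicy,
# the linuxDesktopLaunchRole trusted by AWS Service Catalog, and a LAUNCH
# constraint on a portfolio/product pair, using the AWS CLI.
# Usage: ./launch_constraint.sh apply <portfolio-id> <product-id>
set -eu

POLICY_NAME="linuxDesktopPolicy"
ROLE_NAME="linuxDesktopLaunchRole"

# Trust policy for the launch role: only the Service Catalog service principal
# may assume it, so end users never hold the role's permissions themselves.
trust_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "servicecatalog.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permissions policy from step 2 of the guide (broad; trim before production use).
permissions_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack", "cloudformation:DeleteStack",
        "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks",
        "cloudformation:GetTemplateSummary", "cloudformation:SetStackPolicy",
        "cloudformation:ValidateTemplate", "cloudformation:UpdateStack",
        "ec2:*",
        "s3:GetObject",
        "servicecatalog:*",
        "sns:*"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Quick least-privilege check: how many service-wide wildcard actions
# (e.g. "ec2:*") does the permissions policy grant? Each such action is on its own line above.
wildcard_action_count() {
  permissions_policy_json | grep -c ':\*"' || true
}

# The LAUNCH constraint parameter is a JSON object naming the launch role ARN.
# $1 = AWS account ID, $2 = role name
launch_constraint_params() {
  printf '{"RoleArn":"arn:aws:iam::%s:role/%s"}' "$1" "$2"
}

# Steps 2 and 3 of the guide: policy, role, attachment. Prints the account ID.
create_launch_role() {
  local account_id policy_arn
  account_id=$(aws sts get-caller-identity --query Account --output text)
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "$(permissions_policy_json)" \
      --query Policy.Arn --output text)
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy_json)" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  echo "$account_id"
}

# Steps 5 to 8 of the guide: attach the LAUNCH constraint to the product in the portfolio.
# $1 = portfolio ID, $2 = product ID, $3 = account ID
add_launch_constraint() {
  aws servicecatalog create-constraint \
      --portfolio-id "$1" --product-id "$2" --type LAUNCH \
      --description "Launch Linux Desktop as $ROLE_NAME" \
      --parameters "$(launch_constraint_params "$3" "$ROLE_NAME")"
}

# Verification: list the principals allowed to assume the role; expect only
# servicecatalog.amazonaws.com.
verify_trust() {
  aws iam get-role --role-name "$ROLE_NAME" \
      --query 'Role.AssumeRolePolicyDocument.Statement[].Principal.Service' --output text
}

# Only talk to AWS when explicitly asked, so the functions can be sourced and checked offline.
if [ "${1:-}" = "apply" ]; then
  echo "Wildcard actions in $POLICY_NAME: $(wildcard_action_count)"
  account=$(create_launch_role)
  add_launch_constraint "$2" "$3" "$account"
  verify_trust
fi
```

Run it with the apply argument once you have the portfolio and product IDs (aws servicecatalog list-portfolios and search-products-as-admin return them). The wildcard count is the point at which to stop and narrow the policy: the three service-wide grants in the tutorial policy are acceptable for a walkthrough but not for a role that Service Catalog will assume on behalf of every end user of the portfolio.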