Actions, resources, and condition keys for AWS Service Catalog
AWS Service Catalog (service prefix: servicecatalog) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by AWS Service Catalog
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptPortfolioShare | Grants permission to accept a portfolio that has been shared with you | Write | |||
| AssociateAttributeGroup | Grants permission to associate an attribute group with an application | Write | |||
| AssociateBudgetWithResource | Grants permission to associate a budget with a resource | Write | |||
| AssociatePrincipalWithPortfolio | Grants permission to associate an IAM principal with a portfolio, giving the specified principal access to any products associated with the specified portfolio | Write | |||
| AssociateProductWithPortfolio | Grants permission to associate a product with a portfolio | Write | |||
| AssociateResource | Grants permission to associate a resource with an application | Write |
cloudformation:DescribeStacks resource-groups:CreateGroup resource-groups:GetGroup resource-groups:Tag |
||
| AssociateServiceActionWithProvisioningArtifact | Grants permission to associate an action with a provisioning artifact | Write | |||
| AssociateTagOptionWithResource | Grants permission to associate the specified TagOption with the specified portfolio or product | Write | |||
| BatchAssociateServiceActionWithProvisioningArtifact | Grants permission to associate multiple self-service actions with provisioning artifacts | Write | |||
| BatchDisassociateServiceActionFromProvisioningArtifact | Grants permission to disassociate a batch of self-service actions from the specified provisioning artifact | Write | |||
| CopyProduct | Grants permission to copy the specified source product to the specified target product or a new product | Write | |||
| CreateApplication | Grants permission to create an application | Write |
iam:CreateServiceLinkedRole |
||
| CreateAttributeGroup | Grants permission to create an attribute group | Write | |||
| CreateConstraint | Grants permission to create a constraint on an associated product and portfolio | Write | |||
| CreatePortfolio | Grants permission to create a portfolio | Write | |||
| CreatePortfolioShare | Grants permission to share a portfolio you own with another AWS account | Permissions management | |||
| CreateProduct | Grants permission to create a product and that product's first provisioning artifact | Write | |||
| CreateProvisionedProductPlan | Grants permission to add a new provisioned product plan | Write | |||
| CreateProvisioningArtifact | Grants permission to add a new provisioning artifact to an existing product | Write | |||
| CreateServiceAction | Grants permission to create a self-service action | Write | |||
| CreateTagOption | Grants permission to create a TagOption | Write | |||
| DeleteApplication | Grants permission to delete an application if all associations have been removed from the application | Write | |||
| DeleteAttributeGroup | Grants permission to delete an attribute group if all associations have been removed from the attribute group | Write | |||
| DeleteConstraint | Grants permission to remove and delete an existing constraint from an associated product and portfolio | Write | |||
| DeletePortfolio | Grants permission to delete a portfolio if all associations and shares have been removed from the portfolio | Write | |||
| DeletePortfolioShare | Grants permission to unshare a portfolio you own from an AWS account you previously shared the portfolio with | Permissions management | |||
| DeleteProduct | Grants permission to delete a product if all associations have been removed from the product | Write | |||
| DeleteProvisionedProductPlan | Grants permission to delete a provisioned product plan | Write | |||
| DeleteProvisioningArtifact | Grants permission to delete a provisioning artifact from a product | Write | |||
| DeleteServiceAction | Grants permission to delete a self-service action | Write | |||
| DeleteTagOption | Grants permission to delete the specified TagOption | Write | |||
| DescribeConstraint | Grants permission to describe a constraint | Read | |||
| DescribeCopyProductStatus | Grants permission to get the status of the specified copy product operation | Read | |||
| DescribePortfolio | Grants permission to describe a portfolio | Read | |||
| DescribePortfolioShareStatus | Grants permission to get the status of the specified portfolio share operation | Read | |||
| DescribePortfolioShares | Grants permission to view a summary of each of the portfolio shares that were created for the specified portfolio | List | |||
| DescribeProduct | Grants permission to describe a product as an end-user | Read | |||
| DescribeProductAsAdmin | Grants permission to describe a product as an admin | Read | |||
| DescribeProductView | Grants permission to describe a product as an end-user | Read | |||
| DescribeProvisionedProduct | Grants permission to describe a provisioned product | Read | |||
| DescribeProvisionedProductPlan | Grants permission to describe a provisioned product plan | Read | |||
| DescribeProvisioningArtifact | Grants permission to describe a provisioning artifact | Read | |||
| DescribeProvisioningParameters | Grants permission to describe the parameters that you need to specify to successfully provision a specified provisioning artifact | Read | |||
| DescribeRecord | Grants permission to describe a record and lists any outputs | Read | |||
| DescribeServiceAction | Grants permission to describe a self-service action | Read | |||
| DescribeServiceActionExecutionParameters | Grants permission to get the default parameters if you executed the specified Service Action on the specified Provisioned Product | Read | |||
| DescribeTagOption | Grants permission to get information about the specified TagOption | Read | |||
| DisableAWSOrganizationsAccess | Grants permission to disable portfolio sharing through AWS Organizations feature | Write | |||
| DisassociateAttributeGroup | Grants permission to disassociate an attribute group from an application | Write | |||
| DisassociateBudgetFromResource | Grants permission to disassociate a budget from a resource | Write | |||
| DisassociatePrincipalFromPortfolio | Grants permission to disassociate an IAM principal from a portfolio | Write | |||
| DisassociateProductFromPortfolio | Grants permission to disassociate a product from a portfolio | Write | |||
| DisassociateResource | Grants permission to disassociate a resource from an application | Write |
resource-groups:DeleteGroup |
||
| DisassociateServiceActionFromProvisioningArtifact | Grants permission to disassociate the specified self-service action association from the specified provisioning artifact | Write | |||
| DisassociateTagOptionFromResource | Grants permission to disassociate the specified TagOption from the specified resource | Write | |||
| EnableAWSOrganizationsAccess | Grants permission to enable portfolio sharing feature through AWS Organizations | Write | |||
| ExecuteProvisionedProductPlan | Grants permission to execute a provisioned product plan | Write | |||
| ExecuteProvisionedProductServiceAction | Grants permission to executes a provisioned product plan | Write | |||
| GetAWSOrganizationsAccessStatus | Grants permission to get the access status of AWS Organization portfolio share feature | Read | |||
| GetApplication | Grants permission to get an application | Read | |||
| GetAssociatedResource | Grants permission to get information about a resource associated to an application | Read | |||
| GetAttributeGroup | Grants permission to get an attribute group | Read | |||
| GetConfiguration | Grants permission to read AppRegistry configurations | Read | |||
| GetProvisionedProductOutputs | Grants permission to get the provisioned product output with either provisioned product id or name | Read | |||
| ImportAsProvisionedProduct | Grants permission to import a resource into a provisioned product | Write | |||
| ListAcceptedPortfolioShares | Grants permission to list the portfolios that have been shared with you and you have accepted | List | |||
| ListApplications | Grants permission to list your applications | List | |||
| ListAssociatedAttributeGroups | Grants permission to list the attribute groups associated with an application | List | |||
| ListAssociatedResources | Grants permission to list the resources associated with an application | List | |||
| ListAttributeGroups | Grants permission to list your attribute groups | List | |||
| ListAttributeGroupsForApplication | Grants permission to list the associated attribute groups for a given application | List | |||
| ListBudgetsForResource | Grants permission to list all the budgets associated to a resource | List | |||
| ListConstraintsForPortfolio | Grants permission to list constraints associated with a given portfolio | List | |||
| ListLaunchPaths | Grants permission to list the different ways to launch a given product as an end-user | List | |||
| ListOrganizationPortfolioAccess | Grants permission to list the organization nodes that have access to the specified portfolio | List | |||
| ListPortfolioAccess | Grants permission to list the AWS accounts you have shared a given portfolio with | List | |||
| ListPortfolios | Grants permission to list the portfolios in your account | List | |||
| ListPortfoliosForProduct | Grants permission to list the portfolios associated with a given product | List | |||
| ListPrincipalsForPortfolio | Grants permission to list the IAM principals associated with a given portfolio | List | |||
| ListProvisionedProductPlans | Grants permission to list the provisioned product plans | List | |||
| ListProvisioningArtifacts | Grants permission to list the provisioning artifacts associated with a given product | List | |||
| ListProvisioningArtifactsForServiceAction | Grants permission to list all provisioning artifacts for the specified self-service action | List | |||
| ListRecordHistory | Grants permission to list all the records in your account or all the records related to a given provisioned product | List | |||
| ListResourcesForTagOption | Grants permission to list the resources associated with the specified TagOption | List | |||
| ListServiceActions | Grants permission to list all self-service actions | List | |||
| ListServiceActionsForProvisioningArtifact | Grants permission to list all the service actions associated with the specified provisioning artifact in your account | List | |||
| ListStackInstancesForProvisionedProduct | Grants permission to list account, region and status of each stack instances that are associated with a CFN_STACKSET type provisioned product | List | |||
| ListTagOptions | Grants permission to list the specified TagOptions or all TagOptions | List | |||
| ListTagsForResource | Grants permission to list the tags for a service catalog appregistry resource | Read | |||
| NotifyProvisionProductEngineWorkflowResult | Grants permission to notify the result of the provisioning engine execution | Write | |||
| NotifyTerminateProvisionedProductEngineWorkflowResult | Grants permission to notify the result of the terminate engine execution | Write | |||
| NotifyUpdateProvisionedProductEngineWorkflowResult | Grants permission to notify the result of the update engine execution | Write | |||
| ProvisionProduct | Grants permission to provision a product with a specified provisioning artifact and launch parameters | Write | |||
| PutConfiguration | Grants permission to assign AppRegistry configurations | Write | |||
| RejectPortfolioShare | Grants permission to reject a portfolio that has been shared with you that you previously accepted | Write | |||
| ScanProvisionedProducts | Grants permission to list all the provisioned products in your account | List | |||
| SearchProducts | Grants permission to list the products available to you as an end-user | List | |||
| SearchProductsAsAdmin | Grants permission to list all the products in your account or all the products associated with a given portfolio | List | |||
| SearchProvisionedProducts | Grants permission to list all the provisioned products in your account | List | |||
| SyncResource | Grants permission to sync a resource with its current state in AppRegistry | Write |
cloudformation:UpdateStack |
||
| TagResource | Grants permission to tag a service catalog appregistry resource | Tagging | |||
| TerminateProvisionedProduct | Grants permission to terminate an existing provisioned product | Write | |||
| UntagResource | Grants permission to remove a tag from a service catalog appregistry resource | Tagging | |||
| UpdateApplication | Grants permission to update the attributes of an existing application | Write |
iam:CreateServiceLinkedRole |
||
| UpdateAttributeGroup | Grants permission to update the attributes of an existing attribute group | Write | |||
| UpdateConstraint | Grants permission to update the metadata fields of an existing constraint | Write | |||
| UpdatePortfolio | Grants permission to update the metadata fields and/or tags of an existing portfolio | Write | |||
| UpdatePortfolioShare | Grants permission to enable or disable resource sharing for an existing portfolio share | Permissions management | |||
| UpdateProduct | Grants permission to update the metadata fields and/or tags of an existing product | Write | |||
| UpdateProvisionedProduct | Grants permission to update an existing provisioned product | Write | |||
| UpdateProvisionedProductProperties | Grants permission to update the properties of an existing provisioned product | Write | |||
| UpdateProvisioningArtifact | Grants permission to update the metadata fields of an existing provisioning artifact | Write | |||
| UpdateServiceAction | Grants permission to update a self-service action | Write | |||
| UpdateTagOption | Grants permission to update the specified TagOption | Write |
Resource types defined by AWS Service Catalog
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| Application |
arn:${Partition}:servicecatalog:${Region}:${Account}:/applications/${ApplicationId}
|
|
| AttributeGroup |
arn:${Partition}:servicecatalog:${Region}:${Account}:/attribute-groups/${AttributeGroupId}
|
|
| Portfolio |
arn:${Partition}:catalog:${Region}:${Account}:portfolio/${PortfolioId}
|
|
| Product |
arn:${Partition}:catalog:${Region}:${Account}:product/${ProductId}
|
Condition keys for AWS Service Catalog
AWS Service Catalog defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Note
For example policies that show how these condition keys can be used in an IAM policy, see Example Access Policies for Provisioned Product Management in the Service Catalog Administrator Guide.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by the presence of tag keys in the request | ArrayOfString |
| servicecatalog:Resource | Filters access by controlling what value can be specified as the Resource parameter in an AppRegistry associate resource API | String |
| servicecatalog:ResourceType | Filters access by controlling what value can be specified as the ResourceType parameter in an AppRegistry associate resource API | String |
| servicecatalog:accountLevel | Filters access by user to see and perform actions on resources created by anyone in the account | String |
| servicecatalog:roleLevel | Filters access by user to see and perform actions on resources created either by them or by anyone federating into the same role as them | String |
| servicecatalog:userLevel | Filters access by user to see and perform actions on only resources that they created | String |
