

# Setting Up AWS Service Catalog
<a name="setup"></a>

Before you get started with AWS Service Catalog, complete the following tasks.

**Topics**
+ [Sign up for an AWS account](#sign-up-for-aws)
+ [Create a user with administrative access](#create-an-admin)
+ [Grant permissions to AWS Service Catalog administrators](getstarted-iamadmin.md)
+ [Grant permissions to AWS Service Catalog end users](getstarted-iamenduser.md)
+ [Install and configure the Terraform provisioning engine](install-config-engine.md)

## Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using the root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

# Grant permissions to AWS Service Catalog administrators
<a name="getstarted-iamadmin"></a>

As a catalog administrator, you require access to the AWS Service Catalog administrator console view and IAM permissions that allow you to perform tasks such as the following:
+ Creating and managing portfolios
+ Creating and managing products
+ Adding template constraints to control the options that are available to end users when launching a product
+ Adding launch constraints to define the IAM roles that AWS Service Catalog assumes when end users launch products
+ Granting end users access to your products

You, or an administrator who manages your IAM permissions, must attach policies to your IAM user, group, or role that are required to complete this tutorial.

**To grant permissions to a catalog administrator**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Access management**, and then choose **Users**. If you already created an IAM user that you would like to use as the catalog administrator, choose the user name, and then choose **Add permissions**. Otherwise, create a user as follows:

   1. Choose **Add user**.

   1. For **User name**, type **ServiceCatalogAdmin**.

   1. Select **Programmatic access** and **AWS Management Console access**.

   1. Choose **Next: Permissions**.

1. Choose **Attach existing policies directly**.

1. Choose **Create policy**, and then do the following:

   1. Choose the **JSON** tab.

   1. Copy the following example policy, and paste it in **Policy Document**:

      ```
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ec2:CreateKeyPair",
                      "iam:AddRoleToInstanceProfile",
                      "iam:AddUserToGroup",
                      "iam:AttachGroupPolicy",
                      "iam:CreateAccessKey",
                      "iam:CreateGroup",
                      "iam:CreateInstanceProfile",
                      "iam:CreateLoginProfile",
                      "iam:CreateRole",
                      "iam:CreateUser",
                      "iam:Get*",
                      "iam:List*",
                      "iam:PutRolePolicy",
                      "iam:UpdateAssumeRolePolicy"
                  ],
                  "Resource": [
                      "*"
                  ]
              }
          ]
      }
      ```

   1. Choose **Next: Tags**.

   1. (Optional) Choose **Add tag** to associate a key-value pair with the resource. You can add a maximum of 50 tags.

      **Note**  
      Tags are key-value pairs that you can add to resources. They help you identify, organize, and search for resources. For more information, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference*.

   1. Choose **Next: Review**.

   1. For **Policy Name**, type **ServiceCatalogAdmin-AdditionalPermissions**.

      **Important**  
      You must grant administrators Amazon S3 permissions to access templates that AWS Service Catalog stores in Amazon S3. For more information, see [User Policy Examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-policies-s3.html) in the *Amazon Simple Storage Service User Guide*.

   1. Choose **Create Policy**.

1. Return to the browser window with the permissions page and choose **Refresh**.

1. In the search field, type **ServiceCatalog** to filter the policy list.

1. Select the checkboxes for the **`AWSServiceCatalogAdminFullAccess`** and **`ServiceCatalogAdmin-AdditionalPermissions`** policies, and then choose **Next: Review**.

1. If you are updating a user, choose **Add permissions**.

   If you are creating a user, choose **Create user**. You can download or copy the credentials and then choose **Close**.

1. To sign in as the catalog administrator, use your account-specific URL. To find this URL, choose **Dashboard** in the navigation pane and choose **Copy Link**. Paste the link in your browser, and use the name and password of the IAM user you created or updated in this procedure.

# Grant permissions to AWS Service Catalog end users
<a name="getstarted-iamenduser"></a>

Before the end user can use AWS Service Catalog, you must grant access to the AWS Service Catalog end user console view. To grant access, you attach policies to the IAM user, group, or role that is used by the end user. In the following procedure, we attach the **`AWSServiceCatalogEndUserFullAccess`** policy to an IAM group.

**To grant permissions to an end user group**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **User groups**.

1. Choose **Create group** and do the following:

   1. For **User group name**, type **Endusers**.

   1. In the search field, type **AWSServiceCatalog** to filter the policy list.

   1. Select the checkbox for the **`AWSServiceCatalogEndUserFullAccess`** policy. You also have the option to choose **`AWSServiceCatalogEndUserReadOnlyAccess`** instead.

   1. Choose **Create Group**.

1. In the navigation pane, choose **Users**.

1. Choose **Add users** and do the following:

   1. For **User name**, type a name for the user.

   1. Select **Password - AWS Management Console access**.

   1. Choose **Next: Permissions**.

   1. Choose **Add user to group**.

   1. Select the checkbox for the **Endusers** group and choose **Next: Tags** and then **Next: Review**.

   1. On the **Review** page, choose **Create user**. Download or copy the credentials and then choose **Close**.

# Install and configure the Terraform provisioning engine
<a name="install-config-engine"></a>

To successfully use Terraform products with AWS Service Catalog, you must install and configure a Terraform provisioning engine in the same account where you will be administering Terraform products. To get started, you can use the Terraform provisioning engine provided by AWS, which installs and configures the code and infrastructure required for the Terraform provisioning engine to work with AWS Service Catalog. This one-time setup takes approximately 30 minutes. AWS Service Catalog provides a GitHub repository with instructions on [installing and configuring the Terraform provisioning engine](https://github.com/aws-samples/service-catalog-engine-for-terraform-os).

## Queue determination
<a name="queue-determination"></a>

When you call a provisioning operation, AWS Service Catalog prepares a payload message to send to the relevant queue in the provisioning engine. To build the ARN for the queue, AWS Service Catalog makes the following assumptions:
+ The provisioning engine is located in the account of the product owner.
+ The provisioning engine is located in the same region in which the call to AWS Service Catalog was made.
+ The provisioning engine queues follow the naming schema documented below.

For example, if ProvisionProduct is called in `us-east-1` from account 1111111111 using a product created by account 0000000000000, AWS Service Catalog assumes the correct SQS ARN is `arn:aws:sqs:us-east-1:0000000000000:ServiceCatalogTerraformOSProvisionOperationQueue`. 

The same logic applies for the Lambda function called by `DescribeProvisioningParameters`. 

# Adding Confused Deputy to your Terraform provisioning engine
<a name="confused-deputy-TRFM-engine"></a>

## Confused Deputy context keys on the endpoints to restrict access for `lambda:Invoke` operations
<a name="confused-deputy-TRFM-lambda"></a>

The parameter parser Lambda function created by AWS Service Catalog-provided engines has an access policy that grants cross-account `lambda:Invoke` permission only to the AWS Service Catalog service principal:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ServiceCatalogTerraformOSParameterParser"
        }
    ]
}
```

This should be the only permission necessary for the integration with AWS Service Catalog to function properly. However, you can constrain it further using the `aws:SourceAccount` [Confused Deputy](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy) context key. When AWS Service Catalog invokes this function, it populates the key with the provisioning account's ID. This is helpful when you intend to distribute products via portfolio sharing and want to ensure that only specific accounts use your engine.

For example, you can restrict your engine to only allow requests that originate from 000000000000 and 111111111111 using the condition shown below:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ServiceCatalogTerraformOSParameterParser",
            "Condition": {
                "StringLike": {
                    "aws:SourceAccount": [
                        "000000000000",
                        "111111111111"
                    ]
                }
            }
        }
    ]
}
```

## Confused Deputy context keys on the endpoints to restrict access for `sqs:SendMessage` operations
<a name="confused-deputy-TRFM-sqs"></a>

The provisioning operation intake Amazon SQS queues created by AWS Service Catalog-provided engines have an access policy that grants cross-account `sqs:SendMessage` (and associated KMS) permissions only to the AWS Service Catalog service principal:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable AWS Service Catalog to send messages to the queue",
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": "sqs:SendMessage",
            "Resource": [
                "arn:aws:sqs:us-east-1:111122223333:ServiceCatalogTerraformOSProvisionOperationQueue"
            ]
        },
        {
            "Sid": "Enable AWS Service Catalog encryption/decryption permissions when sending message to queue",
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": [
                "kms:DescribeKey",
                "kms:Decrypt",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/key_id"
        }
    ]
}
```

This should be the only permission necessary for the integration with AWS Service Catalog to function properly. However, you can constrain it further using the `aws:SourceAccount` [Confused Deputy](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy) context key. When AWS Service Catalog sends messages to these queues, it populates the key with the provisioning account's ID. This is helpful when you intend to distribute products via portfolio sharing and want to ensure that only specific accounts use your engine.

For example, you can restrict your engine to only allow requests that originate from 000000000000 and 111111111111 using the condition shown below:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable AWS Service Catalog to send messages to the queue",
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": "sqs:SendMessage",
            "Resource": [
                "arn:aws:sqs:us-east-1:111122223333:ServiceCatalogTerraformOSProvisionOperationQueue"
            ],
            "Condition": {
                "StringLike": {
                    "aws:SourceAccount": [
                        "000000000000",
                        "111111111111"
                    ]
                }
            }
        },
        {
            "Sid": "Enable AWS Service Catalog encryption/decryption permissions when sending message to queue",
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": [
                "kms:DescribeKey",
                "kms:Decrypt",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/key_id"
        }
    ]
}
```
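To make the effect of the `aws:SourceAccount` condition in the two sections above concrete, and to tie it to the ARN derivation described under Queue determination, the following added example (not code from the AWS documentation or from the engine repository) evaluates a resource policy of the shape shown on this page with a small, simplified evaluator: it reports whether a call from the AWS Service Catalog service principal on behalf of a given provisioning account would be admitted, and it produces the hardened variant by adding the allow-list. The evaluator, its function names and the embedded sample policy are constructed for this example; it handles only the `Principal`/`Action`/`Resource`/`StringLike` fields used here and does not reproduce full IAM evaluation (no `Deny`, no other condition operators).

```python
import fnmatch
import json

# Service principal that the engine policies on this page trust.
SC_PRINCIPAL = "servicecatalog.amazonaws.com"

# Constructed sample: the unrestricted parameter-parser policy shown on the page.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SC_PRINCIPAL},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ServiceCatalogTerraformOSParameterParser",
    }],
})


def expected_queue_arn(region, owner_account):
    """Intake-queue ARN that AWS Service Catalog derives (see 'Queue determination')."""
    return f"arn:aws:sqs:{region}:{owner_account}:ServiceCatalogTerraformOSProvisionOperationQueue"


def _matches(pattern, value):
    # IAM-style '*' and '?' wildcards; the pattern may be a string or a list (simplified matcher).
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def statement_allows(stmt, action, resource, source_account):
    """True if this statement admits a Service Catalog call made on behalf of source_account."""
    principal = stmt.get("Principal")
    if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
        return False
    if principal.get("Service") != SC_PRINCIPAL:
        return False
    if not _matches(stmt.get("Action", []), action) or not _matches(stmt.get("Resource", []), resource):
        return False
    allowed = stmt.get("Condition", {}).get("StringLike", {}).get("aws:SourceAccount")
    if allowed is None:
        return True  # no confused-deputy key: any provisioning account is admitted
    return _matches(allowed, source_account)


def policy_allows(policy_json, action, resource, source_account):
    """Evaluate every statement; one matching Allow admits the request (no Deny handling here)."""
    statements = json.loads(policy_json)["Statement"]
    return any(statement_allows(s, action, resource, source_account) for s in statements)


def add_source_account_condition(policy_json, action, accounts):
    """Hardened copy: every statement granting `action` gets an aws:SourceAccount allow-list."""
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        if _matches(stmt.get("Action", []), action):
            cond = stmt.setdefault("Condition", {}).setdefault("StringLike", {})
            cond["aws:SourceAccount"] = list(accounts)
    return json.dumps(policy, indent=4)
```

Running `policy_allows` against the unrestricted sample with an arbitrary account id shows why the condition matters: without it, any account the product is shared to can drive the engine, while the hardened copy admits only the listed provisioning accounts.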