

# Access control for the AWS Marketplace Compliance API
<a name="compliance-api-access-control"></a>

You can use the AWS Marketplace Compliance API to manage seller compliance in AWS Marketplace. However, first make sure your user or role can access the API functionality that you want to call.

Use AWS Identity and Access Management (IAM) to create users and roles and assign policies that grant limited permissions to end users. The policies define the actions that the user or role can take on your resources through the AWS Marketplace Compliance API.

**Note**  
To sell products on AWS Marketplace, your AWS account must be set up as a seller account. For more details about becoming an AWS Marketplace seller, see [Getting started as a seller](https://docs.aws.amazon.com/marketplace/latest/userguide/user-guide-for-sellers.html) in the *AWS Marketplace Seller Guide*.

**Topics**
+ [Allowing actions with AWS managed policies](#compliance-allowing-actions-with-managed-policies)
+ [Allowing actions on all resources](#compliance-allowing-actions-on-all-resources)
+ [Allowing actions on specific resources](#compliance-allowing-actions-on-specific-resources)
+ [Allowing actions with specific aws:ResourceTag condition key](#compliance-allowing-actions-with-resource-tag)
+ [Managing tags on resources](#compliance-managing-tags-on-resources)
+ [Granting permission to manage tags on resources](#compliance-grant-permission-manage-tags)
+ [Granting permission to manage tags on resources only when those resources have specific tags](#compliance-grant-permission-manage-tags-specific-tags)
+ [Requiring tags when starting invoice submission tasks](#compliance-requiring-tags-when-starting-tasks)

## Allowing actions with AWS managed policies
<a name="compliance-allowing-actions-with-managed-policies"></a>

You can use policies that are managed by AWS to grant permissions to your user or role.

To work with invoice submissions on AWS Marketplace, you can use the `AWSMarketplaceSellerFullAccess` IAM managed policy, which includes full access to the AWS Marketplace Compliance API actions in addition to its other permissions. For more information, see [Policies and permissions for AWS Marketplace sellers](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html) and [AWS managed policies for AWS Marketplace sellers](https://docs.aws.amazon.com/marketplace/latest/userguide/security-iam-awsmanpol.html) in the *AWS Marketplace Seller Guide*.

Alternatively, you can create your own IAM policies to have more granular control than is available in AWS managed policies. Use the following topics to create your own IAM policies.

## Allowing actions on all resources
<a name="compliance-allowing-actions-on-all-resources"></a>

Resources are objects that the actions can act upon. There is one resource type in the Compliance API:
+ **InvoiceSubmissionTask** – An invoice submission task tracks the processing of a seller-submitted invoice in AWS Marketplace.

To allow a user or role full access to invoice submission task operations, you can add the following IAM policy. With this policy, the user or role can use all invoice submission task actions on all resources (`"*"`).

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartInvoiceSubmissionTask",
        "aws-marketplace:GetInvoiceSubmissionTask",
        "aws-marketplace:ListInvoiceSubmissionTasks",
        "aws-marketplace:ListPayables"
      ],
      "Resource": "*"
    }
  ]
}
```

For information about all actions available for the Compliance API, see [Actions, resources, and condition keys for AWS Marketplace Compliance](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacecompliance.html) in the *Service Authorization Reference*.

## Allowing actions on specific resources
<a name="compliance-allowing-actions-on-specific-resources"></a>

You can use resource-level permissions to allow actions on a specific invoice submission task instead of all invoice submission tasks. You do this by specifying the Amazon Resource Name (ARN) of the invoice submission task in the `Resource` of the IAM policy.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:GetInvoiceSubmissionTask"
      ],
      "Resource": [
        "arn:aws:aws-marketplace:us-east-1:123456789012:catalog/example-catalog/invoice-submission-task/example-task-id"
      ]
    }
  ]
}
```

## Allowing actions with specific aws:ResourceTag condition key
<a name="compliance-allowing-actions-with-resource-tag"></a>

You can allow actions on invoice submission tasks based on their tags without having to specify individual ARNs. Adding tags to resources allows you to control access to those resources based on their tags.

For example, the following IAM policy allows the `GetInvoiceSubmissionTask` action on any invoice submission task resource (`"*"`) that has a tag key of `product-team` and tag value of `team-xyz`.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:GetInvoiceSubmissionTask"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
```

## Managing tags on resources
<a name="compliance-managing-tags-on-resources"></a>

You can add, list, and remove tags from existing invoice submission tasks.

### Add tags to resources
<a name="compliance-add-tags-to-resources"></a>

To add tags to an invoice submission task, use the `TagResource` API action.

**Request**

```
POST /TagResource HTTP/1.1
Content-type: application/json

{
  "ResourceArn": "string",
  "Tags": [
    {
      "Key": "string",
      "Value": "string"
    }
  ]
}
```

Request parameters include:
+ ResourceArn (String) – (Required) ARN of the invoice submission task.
+ Tags (Array of objects) – (Required) A list of objects specifying each tag key and value. Number of objects allowed: 1–50.
  + Key (String) – (Required) Name of the tag. Regex pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`. Character length: 1–128.
  + Value (String) – (Required) Value of the tag. Regex pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`. Character length: 0–256.
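The limits listed above can be checked on the client before a `TagResource` call is sent. The following is an added example, not AWS code: `validate_tag_request` and its helpers are hypothetical names, and Python's `unicodedata` categories stand in for the `\p{L}`, `\p{Z}`, and `\p{N}` classes because the standard `re` module does not support them.

```python
import unicodedata

# Limits and character classes taken from the TagResource parameter list above.
MAX_TAGS = 50
KEY_LEN = (1, 128)
VALUE_LEN = (0, 256)
EXTRA_CHARS = set("_.:/=+-@")


def _allowed(ch):
    """True if ch matches [\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]."""
    return unicodedata.category(ch)[0] in "LZN" or ch in EXTRA_CHARS


def _check(field, text, bounds):
    """Return a list of problems for one key or value string."""
    if not isinstance(text, str):
        return [f"{field}: must be a string"]
    problems = []
    if not bounds[0] <= len(text) <= bounds[1]:
        problems.append(f"{field}: length {len(text)} outside {bounds[0]}-{bounds[1]}")
    bad = sorted({ch for ch in text if not _allowed(ch)})
    if bad:
        problems.append(f"{field}: disallowed characters {bad!r}")
    return problems


def validate_tag_request(body):
    """Validate a TagResource request body; return a list of problems (empty if valid)."""
    problems = []
    if not isinstance(body.get("ResourceArn"), str) or not body["ResourceArn"]:
        problems.append("ResourceArn: required string")
    tags = body.get("Tags")
    if not isinstance(tags, list) or not 1 <= len(tags) <= MAX_TAGS:
        return problems + [f"Tags: required list of 1-{MAX_TAGS} objects"]
    for i, tag in enumerate(tags):
        if not isinstance(tag, dict) or "Key" not in tag or "Value" not in tag:
            problems.append(f"Tags[{i}]: Key and Value are required")
            continue
        problems += _check(f"Tags[{i}].Key", tag["Key"], KEY_LEN)
        problems += _check(f"Tags[{i}].Value", tag["Value"], VALUE_LEN)
    return problems
```

An empty value is valid (length 0–256), but an empty key is not, and control characters such as tabs or newlines are rejected because they fall outside the letter, separator, and number categories.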

### Remove tags from resources
<a name="compliance-remove-tags-from-resources"></a>

To remove a tag or list of tags from an invoice submission task, use the `UntagResource` API action.

**Request**

```
POST /UntagResource HTTP/1.1
Content-type: application/json

{
  "ResourceArn": "string",
  "TagKeys": [
    "string"
  ]
}
```

Request parameters include:
+ ResourceArn (String) – (Required) ARN of the invoice submission task.
+ TagKeys (Array of strings) – (Required) A list of key names of tags to be removed.

### List all tags on a resource
<a name="compliance-list-all-tags-on-resource"></a>

To list all tags on an invoice submission task, use the `ListTagsForResource` API action.

**Request**

```
POST /ListTagsForResource HTTP/1.1
Content-type: application/json

{
  "ResourceArn": "string"
}
```

**Response**

```
{
  "ResourceArn": "string",
  "Tags": [
    {
      "Key": "string",
      "Value": "string"
    }
  ]
}
```

## Granting permission to manage tags on resources
<a name="compliance-grant-permission-manage-tags"></a>

To allow a user or role to add, remove, and list tags on all invoice submission tasks, attach the following IAM policy.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:TagResource",
        "aws-marketplace:UntagResource",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
```

## Granting permission to manage tags on resources only when those resources have specific tags
<a name="compliance-grant-permission-manage-tags-specific-tags"></a>

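You can allow a user or role to add, remove, and list tags on invoice submission tasks that have specific tags. The following IAM policy allows those actions on any invoice submission task resource (`"*"`) that has a tag key of `product-team` and tag value of `team-xyz`. The policy does not restrict which tag keys can be changed, so a principal it applies to can also modify or remove the `product-team` tag itself.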

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:TagResource",
        "aws-marketplace:UntagResource",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
```

## Requiring tags when starting invoice submission tasks
<a name="compliance-requiring-tags-when-starting-tasks"></a>

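You can enforce tagging when invoice submission tasks are created by using the `aws:RequestTag` and `aws:TagKeys` condition keys with the `StartInvoiceSubmissionTask` action. The following IAM policy allows `StartInvoiceSubmissionTask` only when the request includes the tag key `product-team` with the value `team-xyz` and no other tag keys.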

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartInvoiceSubmissionTask"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/product-team": "team-xyz"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "product-team"
          ]
        }
      }
    }
  ]
}
```
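
The two condition operators in this policy behave differently when a request carries no tags, which is why both are needed. The following added example (a simplified model written for this page, not AWS's policy engine; `request_context`, `condition_matches`, and `start_task_allowed` are hypothetical names) evaluates the `Condition` block above against constructed tag sets.

```python
# The Condition block from the policy above.
CONDITION = {
    "StringEquals": {"aws:RequestTag/product-team": "team-xyz"},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["product-team"]},
}


def request_context(tags):
    """Build the tag-related context keys for a request (constructed model)."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    if tags:
        ctx["aws:TagKeys"] = list(tags)
    return ctx


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """Evaluate StringEquals and ForAllValues:StringEquals; every operator must match."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            allowed = _as_list(expected)
            if operator == "StringEquals":
                # A key absent from the request context does not match.
                if key not in ctx or ctx[key] not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Every value in the request must be in the allowed set;
                # an absent or empty key matches vacuously.
                if any(v not in allowed for v in _as_list(ctx.get(key, []))):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def start_task_allowed(tags):
    """True if the Allow statement applies to a request carrying these tags."""
    return condition_matches(CONDITION, request_context(tags))
```

On its own, `ForAllValues:StringEquals` matches a request with no tags at all, so the `aws:RequestTag` check is what makes the `product-team` tag mandatory, while the `aws:TagKeys` check is what rejects additional tag keys.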