

# Permissions for the AWS Marketplace API
<a name="permissions"></a>

The following sections provide information about permissions.

**Topics**
+ [Access control for the AWS Marketplace Catalog API](catalog-api-access-control.md)
+ [Access control for the AWS Marketplace Agreement API](agreement-api-access-control.md)
+ [Access control for the AWS Marketplace Metering API](metering-api-access-control.md)
+ [Access control for the AWS Marketplace Entitlement API](entitlement-api-access-control.md)
+ [Access control for the AWS Marketplace Deployment API](deployment-api-access-control.md)
+ [Access control for the AWS Marketplace Compliance API](compliance-api-access-control.md)
+ [Access control for the AWS Marketplace Discovery API](discovery-api-access-control.md)
+ [Access control for the AWS Marketplace Reporting API](reporting-api-access-control.md)

# Access control for the AWS Marketplace Catalog API
<a name="catalog-api-access-control"></a>

You can use the AWS Marketplace Catalog API to manage [a seller product in AWS Marketplace](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/seller-products.html) or an [experience in a private marketplace](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/private-marketplace.html). However, first make sure your user or role can access the API functionality that you want to call.

Use AWS Identity and Access Management (IAM) to create users and roles and assign policies that grant limited permissions to end users. The policies define the actions that the user or role can take on your resources through the AWS Marketplace Catalog API.

For example, you can define roles such as engineering, marketing, and pricing. Then, you can add a user in your organization to the engineering role. In that role, they might be granted permissions to initiate a change request to publish a new version of your seller product. However, the engineering role doesn't allow the user to list all change sets.

**Note**  
To sell products on AWS Marketplace, your AWS account must be set up as a seller account. For more details about becoming an AWS Marketplace seller, see [Getting started as a seller](https://docs.aws.amazon.com/marketplace/latest/userguide/user-guide-for-sellers.html) in the *AWS Marketplace Seller Guide*.

You can use AWS managed policies, or you can create your own IAM policies to have more granular control than what's available in AWS managed policies. For details about these approaches, see the following topics.

**Topics**
+ [Allowing actions with AWS managed policies](#allowing-actions-with-managed-policies)
+ [Allowing actions on all resources](#allowing-actions-on-all-resources)
+ [Allowing actions on specific resources](#allowing-actions-on-specific-resources)
+ [Allowing actions with specific ChangeType condition key](#allowing-actions-with-specific-changetype-condition-key)
+ [Allowing actions with specific aws:ResourceTag condition key](#allowing-actions-with-specific-resource-tag-condition-key)
+ [Creating a custom IAM role](#create-custom-role)
+ [Managing tags on resources](#managing-tags-on-resources)
+ [Managing tags when requesting changes to resources](#managing-tags-when-requesting-changes-to-resources)
+ [Granting permission to manage tags on resources](#grant-permission-to-mange-tags-on-resources)
+ [Granting permission to manage tags on resources only when those resources have specific tags](#grant-permission-to-manage-tags-resources-specific-tags)
+ [Granting permission to create entities and change sets only with tags](#grant-permission-create-entities-change-sets-tags)

## Allowing actions with AWS managed policies
<a name="allowing-actions-with-managed-policies"></a>

You can use policies that are managed by AWS to grant permissions to your user or role.

To work with products that you sell on AWS Marketplace, you can use the `AWSMarketplaceSellerFullAccess` IAM managed policy, which has full access to the AWS Marketplace Catalog API in addition to its other permissions. You can grant read-only access for the Catalog API with the `AWSMarketplaceSellerProductsReadOnly` policy. For more information, see [Controlling access to AWS Marketplace Management Portal](https://docs.aws.amazon.com/marketplace/latest/userguide/marketplace-management-portal-user-access.html), [Policies and permissions for AWS Marketplace sellers](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html), and [AWS managed policies for AWS Marketplace sellers](https://docs.aws.amazon.com/marketplace/latest/userguide/security-iam-awsmanpol.html) in the *AWS Marketplace Seller Guide.*

To manage a private marketplace, you can use the `AWSPrivateMarketplaceAdminFullAccess` IAM managed policy, which has full access to create and edit the private marketplace for your account or AWS organization. For more information, see [Controlling access to AWS Marketplace subscriptions](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html), [Creating a private marketplace administrator](https://docs.aws.amazon.com/marketplace/latest/buyerguide/it-administrator.html), and [AWS managed policies for AWS Marketplace buyers](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-security-iam-awsmanpol.html) in the *AWS Marketplace Buyer Guide.*

Alternatively, you can create your own IAM policies to have more granular control than is available in AWS managed policies. Use the following topics to create your own IAM policies.

## Allowing actions on all resources
<a name="allowing-actions-on-all-resources"></a>

Resources are objects that the actions can act upon. Not every resource type can be specified with every action. Some resource types work with only certain actions. For more information, see [Actions, resources, and condition keys for the AWS Marketplace Catalog](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacecatalog.html) in the *Service Authorization Reference*.

There are two resource types in the Catalog API:
+ **Entity** – An entity is a [seller product in AWS Marketplace](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/seller-products.html) or an [experience in a private marketplace](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/private-marketplace.html).
+ **ChangeSet** – A change set is returned each time you use Catalog API to make changes to an entity. The change set describes the requested changes and its status. A change set can be canceled if the status is in the `PREPARING` state.

To allow a user or role the permission to make changes to all entities in an AWS account, you can add the following IAM policy. With this policy, the user or role can use the `StartChangeSet` action on all resources (`"*"`).

```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartChangeSet"
      ],
      "Resource": "*"
    }
  ]
}
```

For information about all actions available for the Catalog API, see [Actions, resources, and condition keys for AWS Marketplace Catalog](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacecatalog.html) in the *Service Authorization Reference*.

## Allowing actions on specific resources
<a name="allowing-actions-on-specific-resources"></a>

**Note**  
Resource-level permissions and condition context keys for the `StartChangeSet` action are supported only when used with Catalog API. They are not supported when used with the [AWS Marketplace Management Portal](https://aws.amazon.com/marketplace/management).

Instead of allowing changes to all resources, you can use resource-level permissions to allow changes to specific resources.

For example, you can allow changes to a specific seller product in the AWS account instead of to all seller products. You do this by specifying the Amazon Resource Name (ARN) of the seller product in the `Resource` of the IAM policy.

**Note**  
To specify granular, resource-level permissions for actions that create new change sets, you must also include a `ChangeSet` ARN in the list of resources. The `ChangeSet` ARN must end with the wildcard (`/*`) so that it matches the ID of any newly created change set, as shown in the following policy.

```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartChangeSet"
      ],
      "Resource": [
        "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/AmiProduct/example1-abcd-1234-5ef6-7890abcdef12",
        "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/ChangeSet/*"
      ]
    }
  ]
}
```

For another example, you can allow changes to a specific experience in a private marketplace instead of to all experiences. You do this by specifying the ARN of the experience in the `Resource` of the IAM policy.

**Note**  
To specify granular, resource-level permissions for actions that create new change sets, you must also include a `ChangeSet` ARN in the list of resources. The `ChangeSet` ARN must end with the wildcard (`/*`) so that it matches the ID of any newly created change set, as shown in the following policy.

```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartChangeSet"
      ],
      "Resource": [
        "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/Experience/exp-example12345",
        "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/ChangeSet/*"
      ]
    }
  ]
}
```

## Allowing actions with specific ChangeType condition key
<a name="allowing-actions-with-specific-changetype-condition-key"></a>

**Note**  
Resource-level permissions and condition context keys for the `StartChangeSet` action are supported only when used with Catalog API. They are not supported when used with the [AWS Marketplace Management Portal](https://aws.amazon.com/marketplace/management).

The Catalog API action `StartChangeSet` has several different change types. You can allow access to only specific change types.

For example, you might only want to allow changes to the metadata of the seller product, such as the product title, and not allow adding new product versions. In this example, the change type `UpdateInformation` allows changing the metadata of a seller product, including the title. For more information about the different change types, see [Working with seller products](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/seller-products.html) and [Working with a private marketplace](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/private-marketplace.html) in the *AWS Marketplace Catalog API Reference*.

To limit the action to one or multiple change types, specify the `ChangeType` in the condition keys. In the following example IAM policy, the condition operator `StringEquals` specifies that the action is only allowed if the `ChangeType` matches `UpdateInformation`. For more information about condition keys, see [Condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) in the *AWS Identity and Access Management User Guide*.

**Note**  
To specify granular, resource-level permissions for actions that create new change sets, you must also include a `ChangeSet` ARN in the list of resources. The `ChangeSet` ARN must end with the wildcard (`/*`) so that it matches the ID of any newly created change set, as shown in the following policy.

```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartChangeSet"
      ],
      "Resource": [
        "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/AmiProduct/example1-abcd-1234-5ef6-7890abcdef12",
        "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/ChangeSet/*"
      ],
      "Condition": {
        "StringEquals": {
          "catalog:ChangeType": "UpdateInformation"
        }
      }
    }
  ]
}
```

## Allowing actions with specific aws:ResourceTag condition key
<a name="allowing-actions-with-specific-resource-tag-condition-key"></a>

**Note**  
Resource-level permissions and condition context keys for the `StartChangeSet` action are supported only when used with Catalog API. They are not supported when used with the [AWS Marketplace Management Portal](https://aws.amazon.com/marketplace/management).

You can allow actions on a group of entities without having to keep updating the policy and specifying a possibly growing list of entity ARNs. You can do this with resource tagging. Adding tags to resources allows you to control access to those resources based on their tags. For example, you might want to allow describing a group of seller products without specifying individual ARNs for each seller product.

For example, the following IAM policy allows the `DescribeEntity` action on any entity resource (`"*"`) that has a tag key of `product-team` and tag value of `team-xyz`.

```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:DescribeEntity"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
```

You can also allow describing and canceling change sets that were created with specific tags.

For example, the following IAM policy allows the `DescribeChangeSet` and `CancelChangeSet` actions on any change set resource (`"*"`) that has a tag key of `product-team` and tag value of `team-xyz`.

```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:DescribeChangeSet",
        "aws-marketplace:CancelChangeSet"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
```

Also, you can allow starting change sets on entities only when those entities have specific tags. For example, you can allow changes to seller products with specific tags.

For example, the following IAM policy allows the `StartChangeSet` action on any entity resource (`"*"`) that has a tag key of `product-team` and tag value of `team-xyz`. In addition, the `TagResource` action is required so that when the change set is created, it’s tagged with the same tag key and value.

**Note**  
If your policy to allow the `StartChangeSet` action includes a condition to match against specific tags, the same policy must also include the `TagResource` action. This is because the policy condition must match both the tag on the entity and the tag on the newly created change set resulting from the change request. Thus, it requires the user or role to also have the permission to tag the newly created change set. For an example of starting a change set and tagging the change set, see [Example: Adding tags to an entity and change set during creation](#example-adding-tags-entity-creation).

```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartChangeSet",
        "aws-marketplace:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
```
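As an added example (not from the AWS documentation or from the Catalog API itself), the following Python models how the policies in this section, in "Allowing actions on specific resources", and in "Allowing actions with specific ChangeType condition key" are evaluated against a change request; the same policy reappears under "Granting permission to create entities and change sets only with tags". It reduces IAM to Allow statements, `*` wildcards in `Resource`, and the `StringEquals` operator, and encodes the note above as a modelling assumption: a `StartChangeSet` call is authorized against the target entity, against the change set it creates (whose tags are the request's `ChangeSetTags`), and, when tags are supplied, also needs `TagResource` on that new change set. `OTHER_PRODUCT_ARN`, `NEW_CHANGE_SET_ARN`, and the third policy (the same tag condition with `TagResource` left out) are constructed for the example.

```python
"""Toy evaluator for the Catalog API policies on this page (constructed example,
not AWS code). It models only what those policies use: Allow statements, Action
lists, Resource strings with '*' wildcards, and the StringEquals operator over
the catalog:ChangeType and aws:ResourceTag/<key> keys. Deny statements, other
operators and the rest of IAM's evaluation logic are out of scope."""
import re

# Policies copied from the page.
POLICY_UPDATE_INFORMATION_ONLY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["aws-marketplace:StartChangeSet"],
        "Resource": [
            "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/AmiProduct/example1-abcd-1234-5ef6-7890abcdef12",
            "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/ChangeSet/*",
        ],
        "Condition": {"StringEquals": {"catalog:ChangeType": "UpdateInformation"}},
    }]
}
POLICY_TAGGED_TEAM_XYZ = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["aws-marketplace:StartChangeSet", "aws-marketplace:TagResource"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/product-team": "team-xyz"}},
    }]
}
# Constructed weak variant: same tag condition, but TagResource is missing.
POLICY_TAGGED_NO_TAGRESOURCE = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["aws-marketplace:StartChangeSet"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/product-team": "team-xyz"}},
    }]
}

PRODUCT_ARN = "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/AmiProduct/example1-abcd-1234-5ef6-7890abcdef12"
# Constructed placeholder ARNs (not from the page).
OTHER_PRODUCT_ARN = "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/AmiProduct/other000-0000-0000-0000-000000000000"
NEW_CHANGE_SET_ARN = "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/ChangeSet/new-change-set-id"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_matches(pattern, arn):
    """IAM-style matching: '*' in a Resource element matches any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, arn) is not None


def _condition_holds(condition, context):
    """context maps condition keys (e.g. 'aws:ResourceTag/product-team') to request values."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, expected in pairs.items():
            if context.get(key) != expected:  # a missing key fails the condition
                return False
    return True


def is_allowed(policy, action, resource_arn, context=None):
    """True if some Allow statement covers the action, the resource and its conditions."""
    context = context or {}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow" or action not in _as_list(statement["Action"]):
            continue
        if not any(_arn_matches(p, resource_arn) for p in _as_list(statement["Resource"])):
            continue
        if _condition_holds(statement.get("Condition", {}), context):
            return True
    return False


def start_change_set_allowed(policy, entity_arn, entity_tags, change_type, change_set_tags):
    """Modelling assumption taken from the notes on this page: StartChangeSet is
    authorized against the target entity and against the change set it creates
    (whose tags are the request's ChangeSetTags); tagging that new change set
    additionally needs TagResource on it."""
    def context(tags):
        ctx = {"catalog:ChangeType": change_type}
        ctx.update({f"aws:ResourceTag/{k}": v for k, v in tags.items()})
        return ctx

    checks = [
        is_allowed(policy, "aws-marketplace:StartChangeSet", entity_arn, context(entity_tags)),
        is_allowed(policy, "aws-marketplace:StartChangeSet", NEW_CHANGE_SET_ARN, context(change_set_tags)),
    ]
    if change_set_tags:
        checks.append(is_allowed(policy, "aws-marketplace:TagResource", NEW_CHANGE_SET_ARN, context(change_set_tags)))
    return all(checks)


if __name__ == "__main__":
    team = {"product-team": "team-xyz"}
    print(start_change_set_allowed(POLICY_UPDATE_INFORMATION_ONLY, PRODUCT_ARN, {}, "UpdateInformation", {}))  # True
    print(start_change_set_allowed(POLICY_TAGGED_TEAM_XYZ, PRODUCT_ARN, team, "UpdateInformation", team))       # True
    print(start_change_set_allowed(POLICY_TAGGED_TEAM_XYZ, PRODUCT_ARN, team, "UpdateInformation", {}))         # False
    print(start_change_set_allowed(POLICY_TAGGED_NO_TAGRESOURCE, PRODUCT_ARN, team, "UpdateInformation", team)) # False
```

The third and fourth calls are the cases the note above warns about: a request without `ChangeSetTags` fails because the new change set carries no `product-team` tag, and a policy that omits `TagResource` fails even when the request tags everything correctly.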

## Creating a custom IAM role
<a name="create-custom-role"></a>

Customers who want to use a Resale Authorization ChangeType or a CPPO ChangeType need to create a custom AWS Identity and Access Management (IAM) role. This will support the creation of the Resale Authorization product lifecycle.

**To create a custom IAM role**

1. Sign in to the IAM console ([https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/)).

1. Under **Access management**, choose **Policies**.

1. Choose **Create policy**.

1. For **Step 1: Specify permissions**,

   1. In the **Policy editor**, select the **JSON** button, and then add the following policy:

      ```
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowResaleAuthorizationShareActionsRAMCreate",
            "Effect": "Allow",
            "Action": [
              "ram:CreateResourceShare",
              "ram:AssociateResourceShare"
            ],
            "Resource": [
              "arn:aws:ram:*:*:*"
            ],
            "Condition": {
              "ArnLikeIfExists": {
                "ram:ResourceArn": "arn:aws:aws-marketplace:*:*:AWSMarketplace/ResaleAuthorization/*"
              },
              "StringEqualsIfExists": {
                "ram:RequestedResourceType": "aws-marketplace:Entity"
              }
            }
          },
          {
            "Sid": "AllowResaleAuthorizationShareActionsRAMAccept",
            "Effect": "Allow",
            "Action": [
              "ram:AcceptResourceShareInvitation",
              "ram:GetResourceShareInvitations",
              "ram:GetResourcePolicies",
              "ram:GetResourceShareAssociations"
            ],
            "Resource": [
              "arn:aws:ram:*:*:*"
            ]
          },
          {
            "Sid": "AllowResaleAuthorizationShareActionsMarketplace",
            "Effect": "Allow",
            "Action": [
              "aws-marketplace:PutResourcePolicy",
              "aws-marketplace:GetResourcePolicy",
              "aws-marketplace:DescribeEntity"
            ],
            "Resource": "arn:aws:aws-marketplace:*:*:AWSMarketplace/ResaleAuthorization/*"
          }
        ]
      }
      ```

   1. Choose **Next**.

1. For **Step 2: Review and create**, 

   1. For **Policy details**, enter **FullResaleAuthorizationAccess** under **Policy name** and enter an optional **Description**.

   1. Review the **Permissions defined in this policy**.

   1. For **Add tags**, add tags (optional).

   1. Choose **Create policy**.

      You have created the FullResaleAuthorizationAccess policy.

1. Under **Access management**, choose **Roles**.

1. Choose **Create role**.

1. For **Step 1: Select trusted entity**, 

   1. For **Trusted entity type**, choose **Custom trust policy**.

   1. Copy and paste the following custom trust policy into the JSON editor.

      ```
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "resale-authorization.marketplace.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
      ```

   1. Choose **Next**.

1. For **Step 2: Add permissions**, 

   1. Enter **FullResaleAuthorizationAccess** in the search bar.

   1. Select the **FullResaleAuthorizationAccess** permission policy and then choose **Next**.

1. For **Step 3: Name, review, and create**,

   1. For **Role details**, enter **FullResaleAuthorizationAccess** as the **Role name** and enter an optional **Description**.

   1. Under **Step 1: Select trusted entities**, ensure that the policy name you chose is attached to the role.

   1. Under **Step 2: Add permissions**, review the **Policy name**.

   1. Under **Step 3: Add tags**, add tags (optional).

   1. Choose **Create role**.

      You have created the FullResaleAuthorizationAccess role.
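The console steps above can also be performed as API calls. The following Python is an added example, not AWS code or part of this guide: it embeds the two documents from the procedure, reviews them offline before anything is created (the trust policy must name only the `resale-authorization.marketplace.amazonaws.com` service principal and only `sts:AssumeRole`; no permissions statement may use a wildcard action, and RAM share creation must keep its condition), and then creates the policy and role through boto3. The `main` block assumes boto3 is installed with credentials that can create IAM policies and roles; the review functions run without any AWS access.

```python
"""Scripted equivalent of the console procedure above (constructed example, not AWS
code), with an offline pre-flight review of both documents before creation."""
import json

POLICY_NAME = ROLE_NAME = "FullResaleAuthorizationAccess"
RESALE_AUTH_SERVICE = "resale-authorization.marketplace.amazonaws.com"
RESALE_AUTH_ARN = "arn:aws:aws-marketplace:*:*:AWSMarketplace/ResaleAuthorization/*"

# Permissions policy and trust policy as given in the procedure.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowResaleAuthorizationShareActionsRAMCreate", "Effect": "Allow",
         "Action": ["ram:CreateResourceShare", "ram:AssociateResourceShare"],
         "Resource": ["arn:aws:ram:*:*:*"],
         "Condition": {"ArnLikeIfExists": {"ram:ResourceArn": RESALE_AUTH_ARN},
                       "StringEqualsIfExists": {"ram:RequestedResourceType": "aws-marketplace:Entity"}}},
        {"Sid": "AllowResaleAuthorizationShareActionsRAMAccept", "Effect": "Allow",
         "Action": ["ram:AcceptResourceShareInvitation", "ram:GetResourceShareInvitations",
                    "ram:GetResourcePolicies", "ram:GetResourceShareAssociations"],
         "Resource": ["arn:aws:ram:*:*:*"]},
        {"Sid": "AllowResaleAuthorizationShareActionsMarketplace", "Effect": "Allow",
         "Action": ["aws-marketplace:PutResourcePolicy", "aws-marketplace:GetResourcePolicy",
                    "aws-marketplace:DescribeEntity"],
         "Resource": RESALE_AUTH_ARN},
    ],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": RESALE_AUTH_SERVICE},
                   "Action": "sts:AssumeRole"}],
}


def _actions(stmt):
    action = stmt.get("Action", [])
    return action if isinstance(action, list) else [action]


def review_trust_policy(doc, expected_service):
    """Findings for a trust policy that should be assumable by one AWS service only."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "AWS" in principal):
            findings.append("role is assumable by AWS accounts or principals, not only the service")
        if not isinstance(principal, dict) or principal.get("Service") != expected_service:
            findings.append(f"service principal is not {expected_service}")
        if set(_actions(stmt)) != {"sts:AssumeRole"}:
            findings.append(f"unexpected trust actions: {_actions(stmt)}")
    return findings


def review_permissions_policy(doc):
    """Flag statements that grant more than the procedure needs."""
    findings = []
    for stmt in doc.get("Statement", []):
        actions = _actions(stmt)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{stmt.get('Sid')}: wildcard action")
        if "ram:CreateResourceShare" in actions and "Condition" not in stmt:
            findings.append(f"{stmt.get('Sid')}: RAM share creation not limited to Resale Authorization ARNs")
    return findings


def create_role(iam):
    """The console steps as API calls; iam is a boto3 IAM client. Returns the policy ARN."""
    if review_trust_policy(TRUST_POLICY, RESALE_AUTH_SERVICE) or review_permissions_policy(PERMISSIONS_POLICY):
        raise ValueError("policy review failed; nothing created")
    policy_arn = iam.create_policy(PolicyName=POLICY_NAME,
                                   PolicyDocument=json.dumps(PERMISSIONS_POLICY))["Policy"]["Arn"]
    iam.create_role(RoleName=ROLE_NAME, AssumeRolePolicyDocument=json.dumps(TRUST_POLICY))
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=policy_arn)
    return policy_arn


if __name__ == "__main__":
    import boto3  # assumption: boto3 installed and credentials configured
    print(create_role(boto3.client("iam")))
```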

## Managing tags on resources
<a name="managing-tags-on-resources"></a>

You can add, list, and remove tags from existing entities or change sets.

### Add tags to resources
<a name="add-tags-to-resources"></a>

To add tags to an entity or change set, use the `TagResource` API action.

**Request**

```
POST /TagResource HTTP/1.1
Content-type: application/json

{
  "Catalog": "AWSMarketplace",
  "ResourceArn": "string",
  "Tags": [
    {
      "Key": "string",
      "Value": "string"
    }
    ...
  ]
}
```

Request parameters include:
+ Catalog (String) – (Required) Must be `AWSMarketplace`.
+ ResourceArn (String) – (Required) ARN of the change set or entity. A change set describes changes you make with Catalog API. An entity can be a [seller product in AWS Marketplace](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/seller-products.html) or an [experience in a private marketplace](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/private-marketplace.html).
+ Tags (Array of objects) – (Required) A list of objects specifying each tag key and value. Number of objects allowed: 1–50.
  + Key (String) – (Required) Name of the tag.
    + Regex pattern – `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`
    + Character length – 1–128
  + Value (String) – (Required) Value of the tag.
    + Regex pattern – `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`
    + Character length – 0–256

**Response**

```
{}
```

### Remove tags from resources
<a name="remove-tags-from-resources"></a>

To remove a tag or list of tags from an entity or change set, use the `UntagResource` API action.

**Request**

```
POST /UntagResource HTTP/1.1
Content-type: application/json

{
  "Catalog": "AWSMarketplace",
  "ResourceArn": "string",
  "TagKeys": [
    "string"
    ...
  ]
}
```

Request parameters include:
+ Catalog (String) – (Required) Must be `AWSMarketplace`.
+ ResourceArn (String) – (Required) ARN of the change set or entity. A change set describes changes you make with Catalog API. An entity can be a [seller product in AWS Marketplace](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/seller-products.html) or an [experience in a private marketplace](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/private-marketplace.html).
+ TagKeys (Array of strings) – (Required) A list of key names of tags to be removed. Number of strings allowed: 0–256.

**Response**

```
{}
```

### List all tags on a resource
<a name="list-all-tags-on-resource"></a>

To list all tags that have been added to and not yet removed from a change set or entity, use the `ListTagsForResource` API action.

**Request**

```
POST /ListTagsForResource HTTP/1.1
Content-type: application/json

{
  "Catalog": "AWSMarketplace",
  "ResourceArn": "string"
}
```

Request parameters include:
+ Catalog (String) – (Required) Must be `AWSMarketplace`.
+ ResourceArn (String) – (Required) ARN of the change set or entity. A change set describes changes you make with Catalog API. An entity can be a [seller product in AWS Marketplace](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/seller-products.html) or an [experience in a private marketplace](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/private-marketplace.html).

**Response**

```
{
  "ResourceArn": "string",
  "Tags": [
    {
      "Key": "string",
      "Value": "string"
    }
    ...
  ]
}
```

## Managing tags when requesting changes to resources
<a name="managing-tags-when-requesting-changes-to-resources"></a>

You can add tags when entities or change sets are created.

### Example: Adding tags to a change set when creating a change set
<a name="example-adding-tags-creating-change-set"></a>

The following is an example of a `StartChangeSet` request that updates the product metadata for a seller product. This request adds a tag to the change set that's created with this request by including the tag in the `ChangeSetTags` property.

```
POST /StartChangeSet HTTP/1.1
Content-type: application/json

{
  "Catalog": "AWSMarketplace",
  "ChangeSet": [ 
    { 
      "ChangeType":"UpdateInformation",
      "Entity": {
        "Identifier":"example1-abcd-1234-5ef6-7890abcdef12",
        "Type":"AmiProduct@1.0"
      },
      "Details": "{\"ProductTitle\":\"My updated title\"}"
    }
  ],
  "ChangeSetTags": [
    {
      "Key": "product-team",
      "Value": "team-xyz"
    }
  ]
}
```

For more information about managing seller products, see [Working with seller products](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/seller-products.html) in the *AWS Marketplace Catalog API Reference*.

### Example: Adding tags to an entity and change set during creation
<a name="example-adding-tags-entity-creation"></a>

The following is an example of a `StartChangeSet` request that creates a private marketplace experience entity. The request adds tags to both the entity resource and change set resource created with this request by including the tags in the `EntityTags` and `ChangeSetTags` properties. With these tags, the permission policy of a user or role can be specified to only allow describing or canceling the change set this request creates or only allow creating further change sets on the entity this request creates. For more information, see [Granting permission to create entities and change sets only with tags](#grant-permission-create-entities-change-sets-tags).

```
POST /StartChangeSet HTTP/1.1
Content-type: application/json

{
  "Catalog": "AWSMarketplace",
  "ChangeSet": [ 
    { 
      "ChangeType": "CreateExperience",
      "Entity": { 
        "Type": "Experience@1.0"
      },
      "Details": "{\"Name\": \"ExamplePrivateMarketplace\"}",
      "EntityTags": [
        {
          "Key": "product-team",
          "Value": "team-xyz"
        }
      ]
    }
  ],
  "ChangeSetTags": [
    {
      "Key": "product-team",
      "Value": "team-xyz"
    }
  ]
}
```

For more information about managing a private marketplace, see [Working with a private marketplace](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/private-marketplace.html) in the *AWS Marketplace Catalog API Reference*.
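The following Python is an added example, not AWS code or part of this guide: request builders for the `TagResource`, `UntagResource`, `ListTagsForResource` and `StartChangeSet` bodies shown in this section and in "Managing tags on resources". They apply the documented limits client-side before a request is sent (1–50 tags per `TagResource` call, keys of 1–128 and values of 0–256 characters, the `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` character class, at most 256 keys per `UntagResource` call) and serialize `Details` as the JSON string the API expects. The character class is checked with Unicode categories because Python's `re` module has no `\p{...}` classes; the ARN shape check (`CATALOG_ARN`) is an assumption based on the ARNs shown on this page.

```python
r"""Request builders for the Catalog API tagging calls (constructed example, not
AWS code). They enforce the limits documented on the page before a request is sent."""
import json
import re
import unicodedata

TAG_PUNCTUATION = set("_.:/=+-@")
# Assumption: entity and change set ARNs look like the ones shown on the page.
CATALOG_ARN = re.compile(r"^arn:aws:aws-marketplace:[a-z0-9-]+:\d{12}:AWSMarketplace/[A-Za-z]+/[^/]+$")


def _tag_chars_ok(text):
    """Mirrors ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$: letters, separators, numbers or _ . : / = + - @."""
    return all(unicodedata.category(ch)[0] in "LZN" or ch in TAG_PUNCTUATION for ch in text)


def validate_tag(key, value):
    """Return the list of violations for one tag (empty when it is acceptable)."""
    problems = []
    if not 1 <= len(key) <= 128:
        problems.append("key length must be 1-128")
    if not _tag_chars_ok(key):
        problems.append("key contains a character outside the allowed class")
    if len(value) > 256:
        problems.append("value length must be 0-256")
    if not _tag_chars_ok(value):
        problems.append("value contains a character outside the allowed class")
    return problems


def _check_arn(arn):
    if not CATALOG_ARN.match(arn):
        raise ValueError(f"not a Catalog API entity or change set ARN: {arn}")


def _tag_list(tags):
    """Turn a {key: value} dict into the API's [{"Key", "Value"}] list, validating it."""
    if not 1 <= len(tags) <= 50:
        raise ValueError("a request may carry 1-50 tags")
    bad = {}
    for key, value in tags.items():
        problems = validate_tag(key, value)
        if problems:
            bad[key] = problems
    if bad:
        raise ValueError(f"invalid tags: {bad}")
    return [{"Key": k, "Value": v} for k, v in tags.items()]


def tag_resource_request(resource_arn, tags):
    _check_arn(resource_arn)
    return {"Catalog": "AWSMarketplace", "ResourceArn": resource_arn, "Tags": _tag_list(tags)}


def untag_resource_request(resource_arn, tag_keys):
    _check_arn(resource_arn)
    keys = list(tag_keys)
    if len(keys) > 256:
        raise ValueError("at most 256 tag keys per request")
    return {"Catalog": "AWSMarketplace", "ResourceArn": resource_arn, "TagKeys": keys}


def list_tags_request(resource_arn):
    _check_arn(resource_arn)
    return {"Catalog": "AWSMarketplace", "ResourceArn": resource_arn}


def start_change_set_request(changes, change_set_tags=None):
    """changes: dicts with ChangeType, Entity, Details (a dict) and optional EntityTags
    (a dict). Details is sent as a JSON *string* inside the JSON body, as on the page."""
    body = {"Catalog": "AWSMarketplace", "ChangeSet": []}
    for change in changes:
        item = {"ChangeType": change["ChangeType"], "Entity": change["Entity"],
                "Details": json.dumps(change["Details"])}
        if change.get("EntityTags"):
            item["EntityTags"] = _tag_list(change["EntityTags"])
        body["ChangeSet"].append(item)
    if change_set_tags:
        body["ChangeSetTags"] = _tag_list(change_set_tags)
    return body


if __name__ == "__main__":
    product = "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/AmiProduct/example1-abcd-1234-5ef6-7890abcdef12"
    print(json.dumps(tag_resource_request(product, {"product-team": "team-xyz"}), indent=2))
    print(json.dumps(start_change_set_request(
        [{"ChangeType": "UpdateInformation",
          "Entity": {"Identifier": "example1-abcd-1234-5ef6-7890abcdef12", "Type": "AmiProduct@1.0"},
          "Details": {"ProductTitle": "My updated title"}}],
        {"product-team": "team-xyz"}), indent=2))
```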

## Granting permission to manage tags on resources
<a name="grant-permission-to-mange-tags-on-resources"></a>

To allow a user or role to add, remove, and list tags on all entities or change sets, they need the following IAM policy.

```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:TagResource",
        "aws-marketplace:UntagResource",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
```

## Granting permission to manage tags on resources only when those resources have specific tags
<a name="grant-permission-to-manage-tags-resources-specific-tags"></a>

You can allow a user or role to add, remove, and list tags on entities or change sets that have specific tags. The following IAM policy allows those actions on any entity resource (`"*"`) that has a tag key of `product-team` and tag value of `team-xyz`.

```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:TagResource",
        "aws-marketplace:UntagResource",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
```

## Granting permission to create entities and change sets only with tags
<a name="grant-permission-create-entities-change-sets-tags"></a>

**Note**  
Resource-level permissions and condition context keys for the `StartChangeSet` action are supported only when used with Catalog API. They are not supported when used with the [AWS Marketplace Management Portal](https://aws.amazon.com/marketplace/management).

You can enforce tagging when entities or change sets are created. Add the following policy to allow the `StartChangeSet` and the `TagResource` actions, with a condition specifying the tag key matches `product-team` and the tag value matches `team-xyz`. This policy condition must match both the tag on the newly created entity and the tag on the newly created change set resulting from the creation request. For an example of tagging an entity on creation, see [Example: Adding tags to an entity and change set during creation](#example-adding-tags-entity-creation).

For existing entities, this policy also enforces tagging change sets when requesting changes to those entities. This also requires that the existing entity has this existing tag. This is because the policy condition must match both the tag on the existing entity and the newly created change set resulting from the change request. For an example of adding tags to change requests, see [Example: Adding tags to a change set when creating a change set](#example-adding-tags-creating-change-set).

```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartChangeSet",
        "aws-marketplace:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
```

# Access control for the AWS Marketplace Agreement API
<a name="agreement-api-access-control"></a>

To manage agreements in AWS Marketplace using the Agreement Service, you must ensure that your AWS Identity and Access Management (IAM) policies and roles are set up. Users must have the following policies/permissions to allow them to carry out the actions:
+ `DescribeAgreement` – Grants permission to users to obtain detailed metadata about any of their agreements.
+ `GetAgreementTerms` – Grants permission to users to obtain details about the terms of an agreement.
+ `SearchAgreements` – Grants permission to users to search through all their agreements.

**Note**  
For more information about these permissions, see [Policies and permissions for AWS Marketplace sellers](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html) in the *AWS Marketplace Seller Guide*.

# Access control for the AWS Marketplace Metering API
<a name="metering-api-access-control"></a>

To integrate the AWS Marketplace Metering API with AWS Marketplace, the service account must have a constrained AWS Identity and Access Management (IAM) policy. For more information, see [AWS Marketplace metering and entitlement API permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/iam-user-policy-for-aws-marketplace-actions.html).

# Access control for the AWS Marketplace Entitlement API
<a name="entitlement-api-access-control"></a>

To integrate the AWS Marketplace Entitlement API with AWS Marketplace, the service account must have a constrained AWS Identity and Access Management (IAM) policy. For more information, see [AWS Marketplace metering and entitlement API permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/iam-user-policy-for-aws-marketplace-actions.html).

# Access control for the AWS Marketplace Deployment API
<a name="deployment-api-access-control"></a>

To manage deployments in AWS Marketplace, you must ensure that you have the necessary AWS Identity and Access Management (IAM) roles and permissions.

Before calling the `PutDeploymentParameter` action, buyers must create the **AWSServiceRoleForMarketplaceDeployment** service-linked role. This provides AWS Marketplace with the permissions required to create, manage, and tag the deployment-parameter-related resources in the buyer's account. Buyers create this role using prompts as they progress through the configuration process for any Quick Launch experience. For more information, see [Using roles to configure and launch products](https://docs.aws.amazon.com/marketplace/latest/buyerguide/using-service-linked-roles-secrets.html) in the *AWS Marketplace Buyer Guide*.

To call `PutDeploymentParameter`, sellers must have IAM permissions for the following actions:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "aws-marketplace:PutDeploymentParameter",
        "aws-marketplace:TagResource"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

The `aws-marketplace:PutDeploymentParameter` action permits the user to call the `PutDeploymentParameter` API. The API also accepts an optional `tags` attribute. If the `tags` attribute is included in the request, the caller must also have permissions for `aws-marketplace:TagResource` on the relevant resource. For more information about creating users, see [Creating a user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) in the *IAM User Guide.* For more information about creating and assigning policies, see [Changing permissions for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html).

# Access control for the AWS Marketplace Compliance API
<a name="compliance-api-access-control"></a>

You can use the AWS Marketplace Compliance API to manage seller compliance in AWS Marketplace. However, first make sure your user or role can access the API functionality that you want to call.

Use AWS Identity and Access Management (IAM) to create users and roles and assign policies that grant limited permissions to end users. The policies define the actions that the user or role can take on your resources through the AWS Marketplace Compliance API.

**Note**  
To sell products on AWS Marketplace, your AWS account must be set up as a seller account. For more details about becoming an AWS Marketplace seller, see [Getting started as a seller](https://docs.aws.amazon.com/marketplace/latest/userguide/user-guide-for-sellers.html) in the *AWS Marketplace Seller Guide*.

**Topics**
+ [Allowing actions with AWS managed policies](#compliance-allowing-actions-with-managed-policies)
+ [Allowing actions on all resources](#compliance-allowing-actions-on-all-resources)
+ [Allowing actions on specific resources](#compliance-allowing-actions-on-specific-resources)
+ [Allowing actions with specific aws:ResourceTag condition key](#compliance-allowing-actions-with-resource-tag)
+ [Managing tags on resources](#compliance-managing-tags-on-resources)
+ [Granting permission to manage tags on resources](#compliance-grant-permission-manage-tags)
+ [Granting permission to manage tags on resources only when those resources have specific tags](#compliance-grant-permission-manage-tags-specific-tags)
+ [Requiring tags when starting invoice submission tasks](#compliance-requiring-tags-when-starting-tasks)

## Allowing actions with AWS managed policies
<a name="compliance-allowing-actions-with-managed-policies"></a>

You can use policies that are managed by AWS to grant permissions to your user or role.

To work with invoice submissions on AWS Marketplace, you can use the `AWSMarketplaceSellerFullAccess` IAM managed policy, which includes full access to the AWS Marketplace Compliance API actions in addition to its other permissions. For more information, see [Policies and permissions for AWS Marketplace sellers](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html) and [AWS managed policies for AWS Marketplace sellers](https://docs.aws.amazon.com/marketplace/latest/userguide/security-iam-awsmanpol.html) in the *AWS Marketplace Seller Guide*.

Alternatively, you can create your own IAM policies to have more granular control than is available in AWS managed policies. Use the following topics to create your own IAM policies.

## Allowing actions on all resources
<a name="compliance-allowing-actions-on-all-resources"></a>

Resources are objects that the actions can act upon. There is one resource type in the Compliance API:
+ **InvoiceSubmissionTask** – An invoice submission task tracks the processing of a seller-submitted invoice in AWS Marketplace.

To allow a user or role full access to invoice submission task operations, you can add the following IAM policy. With this policy, the user or role can use all invoice submission task actions on all resources (`"*"`).

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartInvoiceSubmissionTask",
        "aws-marketplace:GetInvoiceSubmissionTask",
        "aws-marketplace:ListInvoiceSubmissionTasks",
        "aws-marketplace:ListPayables"
      ],
      "Resource": "*"
    }
  ]
}
```

For information about all actions available for the Compliance API, see [Actions, resources, and condition keys for AWS Marketplace Compliance](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacecompliance.html) in the *Service Authorization Reference*.

## Allowing actions on specific resources
<a name="compliance-allowing-actions-on-specific-resources"></a>

You can use resource-level permissions to allow actions on a specific invoice submission task instead of all invoice submission tasks. You do this by specifying the Amazon Resource Name (ARN) of the invoice submission task in the `Resource` of the IAM policy.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:GetInvoiceSubmissionTask"
      ],
      "Resource": [
        "arn:aws:aws-marketplace:us-east-1:123456789012:catalog/example-catalog/invoice-submission-task/example-task-id"
      ]
    }
  ]
}
```

## Allowing actions with specific aws:ResourceTag condition key
<a name="compliance-allowing-actions-with-resource-tag"></a>

You can allow actions on invoice submission tasks based on their tags without having to specify individual ARNs. Adding tags to resources allows you to control access to those resources based on their tags.

For example, the following IAM policy allows the `GetInvoiceSubmissionTask` action on any invoice submission task resource (`"*"`) that has a tag key of `product-team` and tag value of `team-xyz`.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:GetInvoiceSubmissionTask"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
```

## Managing tags on resources
<a name="compliance-managing-tags-on-resources"></a>

You can add, list, and remove tags from existing invoice submission tasks.

### Add tags to resources
<a name="compliance-add-tags-to-resources"></a>

To add tags to an invoice submission task, use the `TagResource` API action.

**Request**

```
POST /TagResource HTTP/1.1
Content-type: application/json

{
  "ResourceArn": "string",
  "Tags": [
    {
      "Key": "string",
      "Value": "string"
    }
  ]
}
```

Request parameters include:
+ ResourceArn (String) – (Required) ARN of the invoice submission task.
+ Tags (Array of objects) – (Required) A list of objects specifying each tag key and value. Number of objects allowed: 1–50.
  + Key (String) – (Required) Name of the tag. Regex pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`. Character length: 1–128.
  + Value (String) – (Required) Value of the tag. Regex pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`. Character length: 0–256.

### Remove tags from resources
<a name="compliance-remove-tags-from-resources"></a>

To remove a tag or list of tags from an invoice submission task, use the `UntagResource` API action.

**Request**

```
POST /UntagResource HTTP/1.1
Content-type: application/json

{
  "ResourceArn": "string",
  "TagKeys": [
    "string"
  ]
}
```

Request parameters include:
+ ResourceArn (String) – (Required) ARN of the invoice submission task.
+ TagKeys (Array of strings) – (Required) A list of key names of tags to be removed.

### List all tags on a resource
<a name="compliance-list-all-tags-on-resource"></a>

To list all tags on an invoice submission task, use the `ListTagsForResource` API action.

**Request**

```
POST /ListTagsForResource HTTP/1.1
Content-type: application/json

{
  "ResourceArn": "string"
}
```

**Response**

```
{
  "ResourceArn": "string",
  "Tags": [
    {
      "Key": "string",
      "Value": "string"
    }
  ]
}
```

## Granting permission to manage tags on resources
<a name="compliance-grant-permission-manage-tags"></a>

To allow a user or role to add, remove, and list tags on all invoice submission tasks, they need the following IAM policy.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:TagResource",
        "aws-marketplace:UntagResource",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
```

## Granting permission to manage tags on resources only when those resources have specific tags
<a name="compliance-grant-permission-manage-tags-specific-tags"></a>

You can allow a user or role to add, remove, and list tags on invoice submission tasks that have specific tags. The following IAM policy allows those actions on any invoice submission task resource (`"*"`) that has a tag key of `product-team` and tag value of `team-xyz`.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:TagResource",
        "aws-marketplace:UntagResource",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
```

## Requiring tags when starting invoice submission tasks
<a name="compliance-requiring-tags-when-starting-tasks"></a>

You can enforce tagging when invoice submission tasks are created by using the `aws:RequestTag` and `aws:TagKeys` condition keys with the `StartInvoiceSubmissionTask` action.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartInvoiceSubmissionTask"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/product-team": "team-xyz"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "product-team"
          ]
        }
      }
    }
  ]
}
```

# Access control for the AWS Marketplace Discovery API
<a name="discovery-api-access-control"></a>

The Discovery API uses AWS Identity and Access Management (IAM) for authentication and authorization. Any AWS customer can call the Discovery API by configuring the appropriate IAM permissions.

Users must have the following permissions to call Discovery API operations:
+ `GetListing` – Grants permission to retrieve information about a listing.
+ `GetProduct` – Grants permission to retrieve information about a product.
+ `GetOffer` – Grants permission to retrieve information about an offer.
+ `GetOfferTerms` – Grants permission to retrieve terms for an offer.
+ `GetOfferSet` – Grants permission to retrieve information about an offer set.
+ `ListPurchaseOptions` – Grants permission to list purchase options available to the buyer.
+ `ListFulfillmentOptions` – Grants permission to list fulfillment options for a product.
+ `SearchListings` – Grants permission to search for product listings.
+ `SearchFacets` – Grants permission to retrieve facet values for filtering listings.

## IAM permissions
<a name="discovery-iam-permissions"></a>

To call Discovery API operations, the IAM principal (user or role) must have the appropriate `aws-marketplace` permissions. The Discovery API supports resource-level permissions, so you can scope access to specific resource types in your IAM policies.

The following IAM policy grants access to all Discovery API operations with resource-level scoping:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:GetListing",
                "aws-marketplace:GetProduct",
                "aws-marketplace:GetOffer",
                "aws-marketplace:GetOfferTerms",
                "aws-marketplace:GetOfferSet",
                "aws-marketplace:ListPurchaseOptions",
                "aws-marketplace:ListFulfillmentOptions",
                "aws-marketplace:SearchFacets",
                "aws-marketplace:SearchListings"
            ],
            "Resource": [
                "arn:aws:aws-marketplace:::catalog/<catalog-name>/product/*",
                "arn:aws:aws-marketplace:::catalog/<catalog-name>/listing/*",
                "arn:aws:aws-marketplace:::catalog/<catalog-name>/offer/*",
                "arn:aws:aws-marketplace:::catalog/<catalog-name>/offerSet/*",
                "arn:aws:aws-marketplace:::catalog/<catalog-name>/purchaseOption/*"
            ]
        }
    ]
}
```

Replace `<catalog-name>` with the appropriate catalog identifier (for example, `AWSMarketplace`).

### Resource ARN formats
<a name="discovery-resource-arn-formats"></a>

The following table shows the resource types and their ARN formats used by Discovery API operations. The `product-id`, `listing-id`, and similar placeholders stand for a specific resource ID, or `*` to cover every resource of that type:

| Resource type | ARN format | Used by | 
| --- | --- | --- | 
| Product | `arn:aws:aws-marketplace:::catalog/catalog-name/product/product-id` | GetProduct, ListFulfillmentOptions | 
| Listing | `arn:aws:aws-marketplace:::catalog/catalog-name/listing/listing-id` | GetListing, SearchListings, SearchFacets | 
| Offer | `arn:aws:aws-marketplace:::catalog/catalog-name/offer/offer-id` | GetOffer, GetOfferTerms | 
| Offer Set | `arn:aws:aws-marketplace:::catalog/catalog-name/offerSet/offerSet-id` | GetOfferSet | 
| Purchase Option | `arn:aws:aws-marketplace:::catalog/catalog-name/purchaseOption/purchaseOption-id` | ListPurchaseOptions | 

### Scoping Get operations to specific resources
<a name="discovery-scoping-get-operations"></a>

For Get operations (GetListing, GetProduct, GetOffer, GetOfferTerms, GetOfferSet), you can scope access down to specific resource IDs instead of using a wildcard. For example, to restrict access to a single listing:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "aws-marketplace:GetListing",
            "Resource": "arn:aws:aws-marketplace:::catalog/AWSMarketplace/listing/listing-id"
        }
    ]
}
```

This pattern works for any Get operation. Replace the resource type and ID accordingly:
+ `arn:aws:aws-marketplace:::catalog/catalog-name/product/product-id`
+ `arn:aws:aws-marketplace:::catalog/catalog-name/listing/listing-id`
+ `arn:aws:aws-marketplace:::catalog/catalog-name/offer/offer-id`
+ `arn:aws:aws-marketplace:::catalog/catalog-name/offerSet/offerSet-id`

**Note**  
Search and List operations (SearchListings, SearchFacets, ListPurchaseOptions, ListFulfillmentOptions) require wildcard resources since they operate across multiple items. You can also use `"Resource": "*"` for all operations, but resource-level scoping is recommended for least-privilege access.
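As an added example (not AWS code and not part of the original page), the following Python script evaluates three of the policies shown above against constructed requests: the Compliance section's `aws:ResourceTag` read policy, its `aws:RequestTag`/`aws:TagKeys` policy for `StartInvoiceSubmissionTask`, and the single-listing Discovery policy from this section. It uses a deliberately small model of IAM evaluation (Allow statements only, `*`/`?` wildcards, and only the `StringEquals` and `ForAllValues:StringEquals` operators the page uses); the `other-id`, `cost-center`, and `env` values are made up for the test. It shows the two outcomes practitioners most often get wrong: a task without the expected tag is denied even though `Resource` is `"*"`, and a start request that adds any tag key beyond `product-team` is denied by the `ForAllValues` clause.

```python
"""Offline check of the IAM policy patterns on this page (added example, not AWS code).

Models a small subset of IAM: Allow statements only, '*'/'?' wildcards in Action and
Resource, and StringEquals / ForAllValues:StringEquals on the aws:ResourceTag,
aws:RequestTag and aws:TagKeys keys. Real IAM also applies Deny statements, SCPs,
permission boundaries and many more operators; the IAM policy simulator is the authority.
"""
import re
from typing import Any, Dict, List, Optional


def arn_match(pattern: str, value: str) -> bool:
    """IAM-style match: '*' matches any run of characters (including '/'), '?' one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def _as_list(x: Any) -> List:
    return x if isinstance(x, list) else [x]


def _condition_ok(cond: Dict, ctx: Dict) -> bool:
    """ctx maps condition keys to a string (single-valued) or a list (multi-valued)."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            expected, actual = _as_list(expected), ctx.get(key)
            if op == "StringEquals":
                # the key must be present in the request and equal one of the values
                if actual is None or actual not in expected:
                    return False
            elif op == "ForAllValues:StringEquals":
                # every value in the request set must be in the allowed set; an absent
                # or empty set passes vacuously, which is why the page pairs this with
                # StringEquals on aws:RequestTag/product-team
                if any(v not in expected for v in (actual or [])):
                    return False
            else:
                raise NotImplementedError(op)
    return True


def is_allowed(policy: Dict, action: str, resource: str, ctx: Optional[Dict] = None) -> bool:
    """True if some Allow statement matches the action, the resource and its conditions."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            raise NotImplementedError("Deny statements are not modelled")
        if (any(arn_match(a, action) for a in _as_list(st["Action"]))
                and any(arn_match(r, resource) for r in _as_list(st["Resource"]))
                and _condition_ok(st.get("Condition", {}), ctx)):
            return True
    return False


def request_ctx(resource_tags: Optional[Dict] = None, request_tags: Optional[Dict] = None) -> Dict:
    """Condition keys IAM derives from a request: aws:ResourceTag/<k> from tags already on
    the resource, aws:RequestTag/<k> and aws:TagKeys from tags supplied in the request."""
    ctx = {f"aws:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in (request_tags or {}).items()})
    ctx["aws:TagKeys"] = list(request_tags or {})
    return ctx


# Policies copied from this page; the ARNs are the page's own placeholders.
TASK_ARN = ("arn:aws:aws-marketplace:us-east-1:123456789012:catalog/example-catalog"
            "/invoice-submission-task/example-task-id")
GET = "aws-marketplace:GetInvoiceSubmissionTask"
START = "aws-marketplace:StartInvoiceSubmissionTask"

READ_TAGGED_TASKS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [GET], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/product-team": "team-xyz"}}}]}

REQUIRE_TAG_ON_START = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [START], "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestTag/product-team": "team-xyz"},
                   "ForAllValues:StringEquals": {"aws:TagKeys": ["product-team"]}}}]}

ONE_LISTING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "aws-marketplace:GetListing",
     "Resource": "arn:aws:aws-marketplace:::catalog/AWSMarketplace/listing/listing-id"}]}


def scenarios() -> Dict[str, bool]:
    """Constructed requests against the page's policies; True means IAM would allow."""
    listing = "arn:aws:aws-marketplace:::catalog/AWSMarketplace/listing/"
    return {
        "get task tagged product-team=team-xyz": is_allowed(
            READ_TAGGED_TASKS, GET, TASK_ARN, request_ctx({"product-team": "team-xyz"})),
        "get task with no product-team tag": is_allowed(
            READ_TAGGED_TASKS, GET, TASK_ARN, request_ctx({"cost-center": "42"})),  # constructed
        "start task with exactly the required tag": is_allowed(
            REQUIRE_TAG_ON_START, START, TASK_ARN, request_ctx(request_tags={"product-team": "team-xyz"})),
        "start task with required tag plus an extra key": is_allowed(
            REQUIRE_TAG_ON_START, START, TASK_ARN,
            request_ctx(request_tags={"product-team": "team-xyz", "env": "prod"})),  # constructed
        "start task with no tags": is_allowed(REQUIRE_TAG_ON_START, START, TASK_ARN, request_ctx()),
        "get the scoped listing": is_allowed(ONE_LISTING, "aws-marketplace:GetListing", listing + "listing-id"),
        "get a different listing": is_allowed(ONE_LISTING, "aws-marketplace:GetListing", listing + "other-id"),
        "search listings with the scoped policy": is_allowed(
            ONE_LISTING, "aws-marketplace:SearchListings", listing + "*"),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print("ALLOW" if allowed else "DENY ", name)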

## Service-linked roles
<a name="discovery-service-linked-roles"></a>

The Discovery API does not use service-linked roles. All access is controlled through standard IAM policies.

## Cross-account access
<a name="discovery-cross-account-access"></a>

You can grant cross-account access to the Discovery API using IAM roles. Create a role in the target account with the appropriate Discovery API permissions, then assume the role from the source account.

# Access control for the AWS Marketplace Reporting API
<a name="reporting-api-access-control"></a>

You use the AWS Marketplace Reporting API to get the **Procurement insights** dashboard. The API supports the [https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-reporting_GetBuyerDashboard.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-reporting_GetBuyerDashboard.html) action. 

To use the API, you must first create the `AWSServiceRoleForProcurementInsightsPolicy` service-linked role. The role does the following: 
+ Enables AWS Marketplace to access and describe the data for all the accounts in a buyer's organization.
+ Gets the **Procurement insights** dashboard
+ Enables you to register and deregister delegated administrators

Buyers create the role when they use the AWS Marketplace console to enable trusted access to the **Procurement insights** dashboard. For more information about that process, see [Activating the dashboard](https://docs.aws.amazon.com/marketplace/latest/buyerguide/enabling-procurement-insights.html#integrate-dashboard), in the *AWS Marketplace Buyer Guide*.

**Important**  
When using the API or the CLI, you must create the service-linked role before you enable trusted access to the dashboard.
In addition to the service-linked role, you must enable all features for your organization, and you must belong to an administrator account. For more information, see the following topics in the *AWS Organizations User Guide*:  
 [Enabling all features for an organization with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html)
[Tutorial: Creating and configuring an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html)
[Managing the management account with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs-manage_accounts_management.html)

The `AWSServiceRoleForProcurementInsightsPolicy` must have the following IAM permissions in order to call the [https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-reporting_GetBuyerDashboard.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-reporting_GetBuyerDashboard.html) action, and to register and deregister delegated administrators:

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [{
            "Sid": "CreateServiceLinkedRoleForProcurementInsights",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/procurement-insights.marketplace.amazonaws.com/AWSServiceRoleForProcurementInsights*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "procurement-insights.marketplace.amazonaws.com"
                }
            }
        },
        {
            "Sid": "EnableAWSServiceAccessForProcurementInsights",
            "Effect": "Allow",
            "Action": [
                "organizations:EnableAWSServiceAccess"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "organizations:ServicePrincipal": "procurement-insights.marketplace.amazonaws.com"
                }
            }
        },
        {
            "Sid": "ManageDelegatedAdministrators",
            "Effect": "Allow",
            "Action": [
                "organizations:ListDelegatedAdministrators",
                "organizations:DeregisterDelegatedAdministrator",
                "organizations:RegisterDelegatedAdministrator"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "organizations:ServicePrincipal": "procurement-insights.marketplace.amazonaws.com"
                }
            }
        },
        {
            "Sid": "GetBuyerDashboardStatement",
            "Effect": "Allow",
            "Action": "aws-marketplace:GetBuyerDashboard",
            "Resource": "*"
        },
        {
            "Sid": "ViewOrganizationDetails",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "*"
        }
    ]
}
```

------

For more information about creating policies, see [Policies and permissions in AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html), in the *IAM User Guide*.

For more information about the AWS Organizations actions that the policy uses, see the [AWS Organizations API reference](https://docs.aws.amazon.com/organizations/latest/APIReference/API_Operations.html).