

# Creating the IAM user in your AWS Marketplace seller account
<a name="create-iam-user-seller-account"></a>

The steps in the following sections explain how to create the IAM user that enables Salesforce to connect to your AWS Marketplace seller account. You create the user, then you assign permissions that enable the user to connect to an Amazon S3 bucket and generate pre-signed URLs.

You create the user in your AWS Marketplace seller account, and you must have AWS administrator permissions to complete these steps.

**Topics**
+ [Creating the IAM user](create-user-steps.md)
+ [Setting Amazon S3 permissions for the IAM user](s3-iam-perms.md)

# Creating the IAM user
<a name="create-user-steps"></a>

Follow these steps to create the IAM user in your AWS Marketplace seller account.

1. In the AWS Marketplace portal, sign in to your seller account.

1. In the navigation pane, choose **Users**, then **Create user**.

1. In the **User name** box, enter **apn-ace-***CompanyName***-AccessUser-prod**, where *CompanyName* is the name of your company, then choose **Next**.

1. On the **Set permissions** page, choose **Attach policies directly**, then choose **Next**.

   The **Permissions policies** section appears.

1. Search for **AWSPartnerCentralOpportunityManagement**.

   The policy appears in the search results.

1. Select the checkbox next to the policy, then choose **Next**.

   **Important**  
   Do not add other policies or permissions.

1. On the **Review and create** page, choose **Create user**.

# Setting Amazon S3 permissions for the IAM user
<a name="s3-iam-perms"></a>

The IAM user created for an AWS Marketplace configuration must have permissions to interact with Amazon S3. The Amazon S3 policy shown below grants the IAM user permission to view a bucket, list its contents, upload objects to the bucket, and generate pre-signed URLs for objects in the bucket. The connector requires these permissions because it must upload a custom EULA to an Amazon S3 bucket and generate a pre-signed URL to pass to the AWS Marketplace Catalog API.

The following policy uses the fictitious bucket name `${amzn-s3-demo-bucket}`. Replace the whole placeholder with the name of your bucket, then attach the policy to your IAM user.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::${amzn-s3-demo-bucket}"
            ]
        },
        {
            "Sid": "AllowS3PutObject",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::${amzn-s3-demo-bucket}/*"
            ]
        },
        {
            "Sid": "AllowCreatePresignedUrl",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::${amzn-s3-demo-bucket}/*"
            ]
        }
    ]
}
```
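
A check you can run on the edited policy before you attach it, added here as an example and not part of the original AWS documentation: it confirms that the placeholder was replaced and that every grant stays inside your bucket. The function names and the sample policy are constructed for illustration.

```python
import json
import re

BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl"}
# General-purpose bucket names: 3-63 chars of lowercase letters, digits, dots, hyphens.
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Constructed sample: an edited copy in which two statements were widened by mistake.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "S3ListBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"]},
    {"Sid": "AllowS3PutObject", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::*"},
    {"Sid": "Extra", "Effect": "Allow", "Action": ["s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/*"]},
]})


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_text, bucket):
    """Return findings; an empty list means every grant stays inside `bucket`."""
    if not BUCKET_NAME.match(bucket):
        return [f"invalid bucket name {bucket!r}"]
    if "${" in policy_text:
        return ["placeholder ${...} was not replaced"]
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in as_list(json.loads(policy_text)["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource not expected")
        for action in as_list(stmt.get("Action", [])):
            for resource in as_list(stmt.get("Resource", [])):
                if action in BUCKET_ACTIONS:      # bucket-level: exact bucket ARN
                    ok = resource == bucket_arn
                elif action in OBJECT_ACTIONS:    # object-level: keys in this bucket
                    ok = resource.startswith(bucket_arn + "/")
                else:                             # action not in the page's policy
                    ok = False
                if not ok:
                    findings.append(f"{sid}: {action} on {resource} is out of scope")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE, "amzn-s3-demo-bucket")))
```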