# Linking AWS Partner Central and AWS accounts
The following steps explain how to use AWS Partner Central to link your accounts. You must be an alliance lead or cloud admin to complete these steps. Also, the IAM permissions policy listed earlier in this guide controls the linking and role mapping tasks you and other AWS Partner Central users can perform. For more information about those tasks, refer to [Granting IAM permissions](linking-prerequisites.md#grant-iam-permissions).
For more information about account linking, refer to the [Account Linking User Guide](https://partnercentral.awspartner.com/partnercentral2/s/article?article=AWS-Partner-Central&category=Introductory_resources) in Partner Central.
**Note**
AWS Partner Central uses the term *AWS Marketplace Account Linking*, but all partners can link accounts, including partners without AWS Marketplace accounts.
Partners in Amazon Web Services India Private Limited (AWS India) can link without registering a business name.
1. Sign in to [AWS Partner Central](https://partnercentral.awspartner.com/APNLogin) as an alliance lead or cloud admin.
**Note**
If your organization uses single sign-on (SSO), use those credentials to sign in to your AWS account first, then sign in to AWS Partner Central.
1. In the **AWS Marketplace** section of the AWS Partner Central home page, choose **Link Account**.
1. On the **AWS Marketplace Account linking** page, choose **Link Account**.
1. On the AWS account sign-in page, choose **IAM user**.
1. Enter the ID of the AWS account and sign in.
**Note**
If you need account information, contact the administrator who completed the prerequisites listed above.
SSO users automatically skip to the next step.
1. Navigate through the self-service linking experience:
1. Review the AWS account ID and the associated AWS Marketplace seller profile legal name and choose **Next**.
**Note**
If your AWS account is not registered as a seller, provide your legal business name to be registered on AWS Marketplace.
Partners in Amazon Web Services India Private Limited (AWS India) can link without registering a business name. Proceed by choosing **Next**.
1. Review the IAM roles and the managed policies attached to them, then choose **Next**.
1. (Optional) To bulk map the IAM roles to the partner users with Alliance team and ACE partner roles, select the checkbox under each role section.
A partner user cannot access AWS Marketplace features, such as linking private offers to ACE opportunities, without an IAM role mapped to their partner user account. If you choose not to bulk assign, you must manually map an IAM role to a partner user after linking the accounts.
1. Review the information, then choose **Submit**.
You are directed to AWS Partner Central with your account successfully linked and the default IAM roles created in your account.
1. (Optional) To use custom policies that enable access to AWS Marketplace features within AWS Partner Central, refer to the next topic, [Using custom policies to map users](user-role-mapping.md).
# Using custom policies to map users
The topics in this section explain how to map AWS Partner Central users to AWS IAM roles. Mapping enables single sign-on access for users across AWS Partner Central and AWS. plus other features such as product and offer linking.
**Topics**
+ [Role mapping prerequisites](#role-mapping-prereqs)
+ [Connecting ACE opportunities with AWS Marketplace private offers](#connect-ace-to-marketplace)
## Role mapping prerequisites
Before mapping, you must complete the following prerequistites:
+ Create IAM roles in the AWS account. For more ionformation, refer to [Create a role using custom trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) in the *AWS Identity and Access Management User Guide*.
+ To allow AWS Partner Central to map AWS IAM roles, add the following custom trust policy to the roles.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "partnercentral-account-management.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
+ For AWS Partner Central users with the ACE user role, grant permissions to perform the `ListEntities` and `SearchAgreements` actions. For more information, refer to [Controlling access to AWS Marketplace Management Portal](https://docs.aws.amazon.com/marketplace/latest/userguide/marketplace-management-portal-user-access.html) in the *AWS Marketplace Seller Guide*.
+ [Link your AWS Partner Central account to an AWS Marketplace account](linking-apc-aws-marketplace.md).
To map IAM roles to your AWS Partner Central users, you must create IAM roles with the permissions you want to provide to your users. For cloud admin users, you can only map the cloud admin IAM role created in your account during the account linking process.
You can create one or more IAM roles to associate with your AWS Partner Central users. The role names must start with **PartnerCentralRoleFor**. You can't choose a role unless the name begins with that text.
You can attach custom or managed policies to the IAM role. You can attach the AWS Marketplace managed policies such as `AWSMarketplaceSellerFullAccess` to the IAM roles and provide access to your AWS Partner Central users. For more information about creating roles, refer to [ Creating an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html#roles-creatingrole-user-console) in the *IAM User Guide*.
## Connecting ACE opportunities with AWS Marketplace private offers
To enable ACE users to attach AWS Marketplace private offers to ACE opportunities, map them to an AWS IAM role in AWS Partner Central.
### Prerequisites
Complete the following before mapping users to AWS Marketplace IAM roles:
+ When you link an AWS Marketplace account to AWS Partner Central, provide `AWSMarketplaceSellerFullAccess` or, minimally, `ListEntities`/`SearchAgreements` to the IAM role assigned to ACE users. This is required to enable ACE users to attach AWS Marketplace private offers to ACE opportunities.
+ (Optional) To grant minimal permission, add a customer managed policy to your AWS account and to the IAM role you create for ACE managers and users. Refer to the following policy as an example:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"aws-marketplace:SearchAgreements",
"aws-marketplace:DescribeAgreement",
"aws-marketplace:GetAgreementTerms",
"aws-marketplace:ListEntities",
"aws-marketplace:DescribeEntity",
"aws-marketplace:StartChangeSet"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws-marketplace:PartyType": "Proposer"
},
"ForAllValues:StringEquals": {
"aws-marketplace:AgreementType": [
"PurchaseAgreement"
]
}
}
}
]
}
```
------
### Mapping users to AWS IAM roles
Use the procedures in this section to map and unmap AWS Partner Central users to AWS IAM roles.
**To map an AWS Partner Central user to an AWS IAM role**
1. Sign in to [AWS Partner Central](https://partnercentral.awspartner.com/APNLogin) as a user with the alliance lead or cloud admin role.
1. In the **Account linking** section of the AWS Partner Central homepage, choose **Manage linked account**.
1. In the **Non-cloud admin users** section of the **Account Linking** page, choose a user.
1. Choose **Map to IAM role**.
1. Choose an IAM role from the dropdown list.
1. Choose **Map role**.
**To ummap an AWS Partner Central user from an AWS IAM role.**
1. Sign in to [AWS Partner Central](https://partnercentral.awspartner.com/APNLogin) as a user with the alliance lead or cloud admin role.
1. In the **Account linking** section of the AWS Partner Central homepage, choose **Manage linked account**.
1. In the **Non-cloud admin users** section of the **Account Linking** page, choose the user you want to unmap.
1. Choose **Unmap role**.