

# Prerequisites


The following topics list the prerequisites needed to link AWS Partner Central and AWS accounts. We recommend following the topics in the order listed.

**Note**  
Due to user interface, feature, and performance issues, account linking does not support Firefox Extended Support Release (Firefox ESR). We recommend using the regular version of Firefox or one of the Chrome browsers.

**Topics**
+ [User roles and permissions](#people-roles)
+ [Selecting the right AWS account](#which-accounts-to-link)
+ [Granting IAM permissions](#grant-iam-permissions)
+ [Understanding the role permissions](#standard-role-permissions)
+ [Creating a permission set for single sign-on](#create-permission-set)

## User roles and permissions


To link your AWS account with an AWS Partner Central account, you need people in the following roles:

**Identity and Access Management (IAM) Administrator**  
Manages user permissions through IAM. Typically works in IT Security, Information Security, dedicated IAM teams, or Governance and Compliance organizations. Responsible for implementing IAM policies, configuring SSO solutions, handling compliance reviews, and maintaining role-based access control structures.

**AWS Partner Central Alliance Lead or Cloud Administrator**  
Your company's primary account administrator. This person must have a business development or business leadership role and legal authority to accept AWS Partner Network terms and conditions. The Alliance Lead can delegate account linking to a Partner Central user with the Cloud Admin user role.

## Selecting the right AWS account


Use the information in the following table to help decide which AWS account you should link with your Partner Central account. 

**Important**  
Consider the following when selecting an AWS account:  
+ AWS Partner Central requires an AWS account that uses IAM policies to control access.
+ The linked AWS account manages APN fee payment, solutions, and APN Customer Engagement (ACE) opportunity tracking using the Partner Central APIs.
+ AWS Partner Network features and APIs are available through the linked AWS account.
+ AWS resources such as ACE opportunities, opportunity history, and multi-partner opportunity invitations are created in the linked AWS account and can't be transferred to other AWS accounts.
+ The AWS account that you link to must be on a Paid AWS account plan. When you sign up for an AWS account, choose the Paid account plan. To upgrade an AWS account to the Paid AWS account plan, refer to [Choosing an AWS Free Tier plan](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/free-tier-plans.html) in the *AWS Billing User Guide*.
+ AWS recommends linking an AWS account that is *not* used for the following purposes:
  + A management account, where you manage the account information and metadata for all of the AWS accounts in your organization.
  + A production account, where users and data interact with applications and services.
  + A developer or sandbox account, where developers write code.
  + A personal account, where individuals learn, experiment, and work on personal projects.
  + An AWS Marketplace buyer account, where you procure products from AWS Marketplace.

  Keeping the account that you link for your AWS Partner Network engagements separate from these accounts ensures flexibility for configurations specific to AWS Partner Central without affecting other environments. Doing so also simplifies financial tracking, tax reporting, and audits.


| AWS Partner scenario | Example | AWS account options | Considerations | 
| --- | --- | --- | --- | 
|  Scenario 1: You own AWS account(s) managed by a third-party and you are not registered as an AWS Marketplace seller  |  AWS Partners working with AWS Distributor partners  |  **Option 1:** Create an AWS account and link to it. **Option 2:** Link to an existing AWS account  |  **Option 1:** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/linking-prerequisites.html) **Option 2:** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/linking-prerequisites.html)  | 
|  Scenario 2: You own AWS account(s) and are not registered as an AWS Marketplace seller  |  AWS Partners who don't transact through AWS Marketplace or partners in countries where AWS Marketplace is not available  |  Same as Scenario 1  |  Same as Scenario 1  | 
|  Scenario 3: You own AWS account(s) and are registered as an AWS Marketplace seller with a single Marketplace seller account  |  AWS Partners who have a consolidated product listing in a single country or operate globally  |  **Option 1:** Create and link to a new AWS account **Option 2:** Link to an existing AWS account **Option 3:** Link to an AWS Marketplace seller account  |  **Option 1:** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/linking-prerequisites.html) **Option 2:** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/linking-prerequisites.html) **Option 3:** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/linking-prerequisites.html)  | 
|  Scenario 4: You own AWS account(s) and are registered as an AWS Marketplace seller with multiple seller accounts  |  AWS Partners who have multiple product listings under different lines of business or have to meet regulatory and compliance requirements  |  Same as Scenario 3  |  Same as Scenario 3  | 

## Granting IAM permissions


The IAM policy listed in this section grants AWS Partner Central users limited access to a linked AWS account. The level of access depends on the IAM role assigned to the user. For more information about permission levels, refer to [Understanding the role permissions](#standard-role-permissions) later in this topic.

To create the policy, you must be an IT administrator responsible for an AWS environment. When finished, you must assign the policy to an IAM user or role.

The steps in this section explain how to use the IAM console to create the policy.

**Note**  
If you're an alliance lead or cloud admin, and you already have an IAM user or role with AWS administrator permissions, skip to [Linking AWS Partner Central and AWS accounts](linking-apc-aws-marketplace.md).

**To create the policy**

1. Sign in to the [IAM console](https://console.aws.amazon.com/iam/).

1. Under **Access management**, choose **Policies**.

1. Choose **Create policy**, choose **JSON**, and add the following policy:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "CreatePartnerCentralRoles",
               "Effect": "Allow",
               "Action": [
                   "iam:CreateRole"
               ],
               "Resource": [
                   "arn:aws:iam::*:role/PartnerCentralRoleForCloudAdmin*",
                   "arn:aws:iam::*:role/PartnerCentralRoleForAce*",
                   "arn:aws:iam::*:role/PartnerCentralRoleForAlliance*"
               ]
           },
           {
               "Sid": "AttachPolicyToPartnerCentralCloudAdminRole",
               "Effect": "Allow",
               "Action": "iam:AttachRolePolicy",
               "Resource": "arn:aws:iam::*:role/PartnerCentralRoleForCloudAdmin*",
               "Condition": {
                   "ArnLike": {
                       "iam:PolicyARN": [
                           "arn:aws:iam::*:policy/PartnerCentralAccountManagementUserRoleAssociation",
                           "arn:aws:iam::*:policy/AWSPartnerCentralFullAccess",
                           "arn:aws:iam::*:policy/AWSMarketplaceSellerFullAccess"
                       ]
                   }
               }
           },
           {
               "Sid": "AttachPolicyToPartnerCentralAceRole",
               "Effect": "Allow",
               "Action": [
                   "iam:AttachRolePolicy"
               ],
               "Resource": "arn:aws:iam::*:role/PartnerCentralRoleForAce*",
               "Condition": {
                   "ArnLike": {
                       "iam:PolicyARN": [
                           "arn:aws:iam::*:policy/AWSPartnerCentralOpportunityManagement",
                           "arn:aws:iam::*:policy/AWSMarketplaceSellerOfferManagement"
                       ]
                   }
               }
           },
           {
               "Sid": "AttachPolicyToPartnerCentralAllianceRole",
               "Effect": "Allow",
               "Action": [
                   "iam:AttachRolePolicy"
               ],
               "Resource": "arn:aws:iam::*:role/PartnerCentralRoleForAlliance*",
               "Condition": {
                   "ArnLike": {
                       "iam:PolicyARN": [
                           "arn:aws:iam::*:policy/AWSPartnerCentralFullAccess",
                           "arn:aws:iam::*:policy/AWSMarketplaceSellerFullAccess"
                       ]
                   }
               }
           },
           {
               "Sid": "AssociatePartnerAccount",
               "Effect": "Allow",
               "Action": [
                   "partnercentral-account-management:AssociatePartnerAccount"
               ],
               "Resource": "*"
           },
           {
               "Sid": "SellerRegistration",
               "Effect": "Allow",
               "Action": [
                   "aws-marketplace:ListChangeSets",
                   "aws-marketplace:DescribeChangeSet",
                   "aws-marketplace:StartChangeSet",
                   "aws-marketplace:ListEntities",
                   "aws-marketplace:DescribeEntity"
               ],
               "Resource": "*"
           }
       ]
   }
   ```


1. Choose **Next**.

1. Under **Policy details**, in the **Policy name** box, enter a name for the policy and an optional description.

1. Review the policy permissions, add tags as needed, and then choose **Create policy**.

1. Attach the policy to your IAM user or role. For information on attaching, refer to [Adding IAM identity permissions (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console) in the *IAM User Guide*.
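
An added example (not part of the AWS documentation) that checks locally which `iam:AttachRolePolicy` calls the three attach statements of the policy in step 3 permit, so you can confirm before deployment that the grant cannot attach an arbitrary policy such as `AdministratorAccess` or reach roles outside the `PartnerCentralRoleFor*` prefixes. The matcher is a simplified model of IAM `ArnLike` and `Resource` wildcard matching, and the account ID and role names in the sample requests are constructed.

```python
import re

# Resource / iam:PolicyARN patterns from the policy's three AttachRolePolicy statements.
ATTACH_STATEMENTS = [
    ("arn:aws:iam::*:role/PartnerCentralRoleForCloudAdmin*", [
        "arn:aws:iam::*:policy/PartnerCentralAccountManagementUserRoleAssociation",
        "arn:aws:iam::*:policy/AWSPartnerCentralFullAccess",
        "arn:aws:iam::*:policy/AWSMarketplaceSellerFullAccess"]),
    ("arn:aws:iam::*:role/PartnerCentralRoleForAce*", [
        "arn:aws:iam::*:policy/AWSPartnerCentralOpportunityManagement",
        "arn:aws:iam::*:policy/AWSMarketplaceSellerOfferManagement"]),
    ("arn:aws:iam::*:role/PartnerCentralRoleForAlliance*", [
        "arn:aws:iam::*:policy/AWSPartnerCentralFullAccess",
        "arn:aws:iam::*:policy/AWSMarketplaceSellerFullAccess"]),
]


def arn_like(pattern, arn):
    """Simplified ArnLike: compare the six ARN components one by one."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        # '*' and '?' are wildcards inside a single component only.
        regex = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
        if not re.fullmatch(regex, a, flags=re.DOTALL):
            return False
    return True


def attach_allowed(role_arn, policy_arn):
    """True if one of the Allow statements covers this AttachRolePolicy call."""
    return any(
        arn_like(role_pat, role_arn)
        and any(arn_like(pat, policy_arn) for pat in policy_pats)
        for role_pat, policy_pats in ATTACH_STATEMENTS
    )


# Constructed sample requests; 111122223333 is a placeholder account ID.
ACE_ROLE = "arn:aws:iam::111122223333:role/PartnerCentralRoleForAce-example"
OTHER_ROLE = "arn:aws:iam::111122223333:role/ExampleUnrelatedRole"

if __name__ == "__main__":
    for role, policy in [
        (ACE_ROLE, "arn:aws:iam::aws:policy/AWSPartnerCentralOpportunityManagement"),
        (ACE_ROLE, "arn:aws:iam::aws:policy/AdministratorAccess"),
        (OTHER_ROLE, "arn:aws:iam::aws:policy/AWSPartnerCentralFullAccess"),
    ]:
        print(attach_allowed(role, policy), role, policy)
```

Only the first sample request is allowed. Use the IAM policy simulator to confirm the result against the real evaluation engine.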

## Understanding the role permissions


After the IT administrator completes the steps in the previous section, alliance leads and others in AWS Partner Central can assign security policies and map user roles. The following table lists and describes the standard roles created during account linking, and the tasks available to each role.


|  **Standard IAM role**  |  **AWS Partner Central managed policies used**  |  **Can do**  |  **Cannot do**  | 
| --- | --- | --- | --- | 
| Cloud admin  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/linking-prerequisites.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/linking-prerequisites.html)  |   | 
| Alliance team |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/linking-prerequisites.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/linking-prerequisites.html)  | Map or assign IAM roles to AWS Partner Central users. Only alliance leads and cloud admins map or assign roles. | 
| ACE team  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/linking-prerequisites.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/linking-prerequisites.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/linking-prerequisites.html)  | 

## Creating a permission set for single sign-on


The following steps explain how to use the IAM Identity Center to create a permission set that enables single sign-on for accessing AWS Partner Central.

For more information about permission sets, refer to [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.

1. Sign in to the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon). 

1. Under **Multi-account permissions**, choose **Permission sets**. 

1. Choose **Create permission set**.

1. On the **Select permission set type** page, under **Permission set type**, choose **Custom permission set**, then choose **Next**. 

1. Do the following:

   1. On the **Specify policies and permission boundary** page, choose the types of IAM policies that you want to apply to the permission set.

      By default, you can add any combination of up to 10 AWS managed policies and customer managed policies to your permission set. IAM sets this quota. To raise it, request an increase to the IAM quota **Managed policies attached to an IAM role** in the Service Quotas console in each AWS account where you want to assign the permission set.

   1. Expand **Inline policy** to add custom JSON-formatted policy text. Inline policies don't correspond to existing IAM resources. To create an inline policy, enter custom policy language in the provided form. IAM Identity Center adds the policy to the IAM resources that it creates in your member accounts. For more information, see [Inline policies](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html#permissionsetsinlineconcept). 

   1. Copy and paste the JSON policy from [AWS Partner Central and AWS Account Linking pre-requisite](https://docs.aws.amazon.com/partner-central/latest/getting-started/account-linking.html#linking-prerequisites).

1. On the **Specify permission set details** page, do the following: 

   1. Under **Permission set name**, type a name to identify this permission set in IAM Identity Center. The name that you specify for this permission set appears in the AWS access portal as an available role. Users sign in to the AWS access portal, choose an AWS account, and then choose the role. 

   1. (Optional) You can also type a description. The description appears in the IAM Identity Center console only, not the AWS access portal. 

   1. (Optional) Specify the value for **Session duration**. This value determines the length of time that a user can be logged on before the console logs them out of their session. For more information, see [Set session duration for AWS accounts](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html). 

   1. (Optional) Specify the value for **Relay state**. This value is used in the federation process to redirect users within the account. For more information, refer to [Set relay state for quick access to the AWS Management Console](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtopermrelaystate.html). 

      **Note**  
      You must use an AWS Management Console URL for the relay state. For example: `https://console.aws.amazon.com/ec2/` 

   1. Expand **Tags (optional)**, choose **Add tag**, and then specify values for **Key** and **Value (optional)**. 

      For information about tags, refer to [Tagging AWS IAM Identity Center resources](https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html). 

   1. Choose **Next**.

1. On the **Review and create** page, review the selections that you made, and then choose **Create**.

   By default, when you create a permission set, the permission set isn't provisioned (used in any AWS accounts). To provision a permission set in an AWS account, you must assign IAM Identity Center access to users and groups in the account, and then apply the permission set to those users and groups. For more information, refer to [Assign user access to AWS accounts](https://docs.aws.amazon.com/singlesignon/latest/userguide/assignusers.html) in the *AWS IAM Identity Center User Guide*. 