Stage 1: Onboarding prerequisites
Before you start the onboarding steps, ensure you have met the five prerequisites below.
Regardless of the CRM Integration type, there are two mandatory prerequisites:
Regardless of the CRM Integration type, there are three optional prerequisites:
Mandatory prerequisites
Have an AWS account
To get started, partners must have an AWS account in place.
Partners may sign up for a free AWS account or use an
existing one. For more information, refer to
Sign
up for AWS
Set up an IAM principal
To work with the Amazon Simple Storage Service (Amazon S3) buckets AWS provides, partners need to use IAM to authenticate. Keep the names of the IAM principals handy because you need them when you submit your onboarding request. Additionally, you use a custom policy generated by AWS to attach to your IAM principals to access the Amazon S3 bucket. For more information, refer to What is IAM?
-
AWS Partner CRM connector users: Use an IAM user.
-
Custom or third-party solution users: Choose between an IAM user or role. We recommend an IAM role for this purpose.
How to create an IAM user
Creating an IAM user allows individuals to access AWS services.
-
Sign in to the AWS Management Console, and then navigate to the IAM console.
-
Choose Users, and then choose Create user.
-
Enter the user name following this naming convention:
apn-ace-{partner-name}-AccessUser-{prod|beta}
. For example, for a production environment, a partner named AnyAuthority would useapn-ace-anyauthority-AccessUser-prod
.
For more information, refer to Creating an IAM user in your AWS account.
How to create an IAM role
An IAM role is a set of permissions that grant access to actions in AWS but is not tied to a specific individual. It can be assumed by anyone who needs it.
The naming convention for an IAM role follows a similar
pattern to the IAM user:
apn-ace-{partner-name}-AccessRole-{environment}
.
For more information, refer to Creating IAM roles.
Optional prerequisites
Note
Applicable only for partners who want to attach an AWS Marketplace offer to opportunities using the integration.
Link AWS Marketplace to Partner Central
AWS Partners with AWS Marketplace seller accounts can connect their accounts using the Account linking feature in AWS Partner Central. When you connect the AWS Partner Central account to an AWS Marketplace account and map user permissions across portals, it allows users to seamlessly access both accounts through single sign-on access, and enables offer-to-opportunity linking across platforms..
To enable account linking, it’s best practice to have user roles assigned in AWS Partner Central, including the cloud administrator role. If a cloud administrator role is unassigned, the alliance lead may assign themselves this role to link their AWS Partner Central and AWS Marketplace accounts.
Follow these steps to link your AWS Partner Central account to an AWS account.
-
Sign in to AWS Partner Central with an Alliance Lead or Cloud Admin role.
-
Navigate to the Account Linking section on the homepage, and then choose Link Account.
-
On the Account Linking page, choose Link Account again.
-
Choose IAM user, and then enter the AWS Account ID for your AWS account.
-
Choose Next, and then sign in to the AWS account.
-
Choose Allow to authorize the connection between your AWS Partner Central and AWS accounts.
Attaching a policy to an IAM role
-
Verify that you completed the steps to link your AWS Partner Central account to an AWS Marketplace account. For more information, refer to How to create an IAM role.
-
Create an IAM role in your AWS Marketplace account. For more information, refer to Controlling access to AWS Marketplace Management Portal.
-
Assign the following trust policy to the user:
{ "Statement": [ { "Effect": "Allow", "Action": [ "aws-marketplace:ListEntities", "aws-marketplace:SearchAgreements" ], "Resource": "*" } ] }
Alternately, partners can use an existing user in the account who has permissions to perform ListEntities and SearchAgreements actions.
Mapping your IAM role for CRM Integration
Partners who want to associate/disassociate AWS Marketplace private offers to APN Customer Engagements (ACE) opportunities need to map the IAM role that the CRM Integration can assume to call the Marketplace account. Before mapping the IAM user, partners need to have linked their AWS account to their Partner Central account.
By choosing an IAM role, you allow the CRM Integration to access and interact with your AWS Marketplace using that role.
Follow these steps to map an IAM Marketplace role to a CRM Integration user.
-
Sign in to IAM Partner Central as a user with the Alliance Lead or Cloud Admin role.
-
In the Account linking section of the IAM Partner Central homepage, choose Manage Linked Account.
-
On the Account Linking page, in the IAM role for CRM Integration section, choose Map IAM role.
-
Choose an IAM role from the dropdown list that has permissions to perform ListEntities and SearchAgreements, at a minimum. Verify you have completed the steps to attach a trust policy to the Marketplace user. For more information, refer to Attaching a policy to an IAM role.
-
Choose Map role.