Access control for the AWS Marketplace Reporting API

You use the AWS Marketplace Reporting API to get the Procurement insights dashboard. The API supports the GetBuyerDashboard action.

To use the API, you must first create the AWSServiceRoleForProcurementInsightsPolicy service-linked role. The role does the following:

Enables AWS Marketplace to access and describe the data for all the accounts in a buyer's organization.
Gets the Procurement insights dashboard
Enables you to register and deregister delegated administrators

Buyers create the role when they use the AWS Marketplace console to enable trusted access to the Procurement insights dashboard. For more information about that process, see Activating the dashboard, in the AWS Marketplace Buyer Guide.

Important

When using the API or the CLI, you must create the service-linked role before you enable trusted access to the dashboard.
In addition to the service-linked role, you must enable all features for your organization, and you must belong to an administrator account. For more information, see the following topics in the AWS Organizations User Guide:

The AWSServiceRoleForProcurementInsightsPolicy must have the following IAM permissions in order to call the GetBuyerDashboard action, and to register and deregister delegated administrators:


{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "CreateServiceLinkedRoleForProcurementInsights",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/procurement-insights.marketplace.amazonaws.com/AWSServiceRoleForProcurementInsights*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "procurement-insights.marketplace.amazonaws.com"
                }
            }
        },
        {
            "Sid": "EnableAWSServiceAccessForProcurementInsights",
            "Effect": "Allow",
            "Action": [
                "organizations:EnableAWSServiceAccess"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "organizations:ServicePrincipal": "procurement-insights.marketplace.amazonaws.com"
                }
            }
        },
        {
            "Sid": "ManageDelegatedAdministrators",
            "Effect": "Allow",
            "Action": [
                "organizations:ListDelegatedAdministrators",
                "organizations:DeregisterDelegatedAdministrator",
                "organizations:RegisterDelegatedAdministrator"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "organizations:ServicePrincipal": "procurement-insights.marketplace.amazonaws.com"
                }
            }
        },
        {
            "Sid": "GetBuyerDashboardStatement",
            "Effect": "Allow",
            "Action": "aws-marketplace:GetBuyerDashboard",
            "Resource": "*"
        },
        {
            "Sid": "ViewOrganizationDetails",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "*"
        }
    ]
}

For more information about creating policies, see Policies and permissions in AWS Identity and Access Management, in the IAM User Guide.

For more information about the AWS Organizations actions that the policy uses, see the AWS Organizations API reference.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Access for the Discovery API

Quotas