Creating a private marketplace administrator
You can create an administrators group to manage your company’s private marketplace settings. After private marketplace is enabled for your organization, administrators for the private marketplace can perform many tasks including the following:
- View and create experiences and audiences.
- Add products to private marketplace experiences.
- Remove products from private marketplace experiences.
- Configure the user interface of private marketplace experiences.
- Enable and disable private marketplace experiences.
- Call the AWS Marketplace Catalog API to manage private marketplace experiences programmatically.
To create multiple private marketplace administrators where each administrator is limited to a subset of tasks, see Example policies for private marketplace administrators.
Note
Enabling private marketplace is a one-time action that must happen from the management account. For more information, see Getting started with private marketplace.
You grant AWS Identity and Access Management (IAM) permissions to administer your private marketplace by attaching the AWS managed policy: AWSPrivateMarketplaceAdminFullAccess to a user, group, or role. We recommend using a group or role. For more information about how to attach the policy, see Attaching a policy to a user group in the IAM User Guide.
For more information about the permissions in the AWSPrivateMarketplaceAdminFullAccess policy, see AWS managed policy: AWSPrivateMarketplaceAdminFullAccess. To learn about other policies for use in AWS Marketplace, sign in to the AWS Management Console, go to the IAM policies page, and search for Marketplace to find all of the policies that are associated with AWS Marketplace.
Example policies for private marketplace administrators
Your organization can create multiple private marketplace administrators where each administrator is limited to a subset of tasks. You can tune AWS Identity and Access Management (IAM) policies to specify condition keys and resources on AWS Marketplace Catalog API actions listed in Actions, resources, and condition keys for AWS Marketplace Catalog. The general mechanism to use AWS Marketplace Catalog API change types and resources to tune IAM policies is described in the AWS Marketplace Catalog API guide. For a list of all change types available in the private AWS Marketplace, see Working with a private marketplace.
To create customer managed policies, see Creating IAM policies. Following is an example policy JSON that you can use to create an administrator who can only add or remove products from private marketplaces.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "aws-marketplace:AssociateProductsWithPrivateMarketplace",
            "aws-marketplace:DisassociateProductsFromPrivateMarketplace",
            "aws-marketplace:ListPrivateMarketplaceRequests",
            "aws-marketplace:DescribePrivateMarketplaceRequests"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "aws-marketplace:DescribeEntity",
            "aws-marketplace:ListEntities",
            "aws-marketplace:ListChangeSets",
            "aws-marketplace:DescribeChangeSet",
            "aws-marketplace:CancelChangeSet"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "aws-marketplace:StartChangeSet"
          ],
          "Condition": {
            "StringEquals": {
              "catalog:ChangeType": [
                "AllowProductProcurement",
                "DenyProductProcurement"
              ]
            }
          },
          "Resource": "*"
        }
      ]
    }
A policy can also be limited to manage a subset of private marketplace resources. Following is an example policy JSON you can use to create an administrator who can only manage a specific private marketplace experience. This example uses a resource string with exp-1234example as the Experience identifier.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "aws-marketplace:AssociateProductsWithPrivateMarketplace",
            "aws-marketplace:DisassociateProductsFromPrivateMarketplace",
            "aws-marketplace:ListPrivateMarketplaceRequests",
            "aws-marketplace:DescribePrivateMarketplaceRequests"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "aws-marketplace:ListEntities",
            "aws-marketplace:DescribeEntity",
            "aws-marketplace:ListChangeSets",
            "aws-marketplace:DescribeChangeSet",
            "aws-marketplace:CancelChangeSet"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "aws-marketplace:StartChangeSet"
          ],
          "Resource": [
            "arn:aws:aws-marketplace:*:*:AWSMarketplace/Experience/exp-1234example"
          ]
        }
      ]
    }
For details about how entity identifiers can be retrieved and to view the set of private marketplace resources, see Working with a private marketplace.
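Both example policies limit an administrator by constraining aws-marketplace:StartChangeSet, either with the catalog:ChangeType condition key or with an Experience resource ARN. The following check is an added example, not part of the AWS documentation: it reports how each Allow statement that grants StartChangeSet is scoped and flags grants with neither restriction. The function names are hypothetical, and the check is simplified: it ignores Deny, NotAction and NotResource, and treats any Resource other than "*" as scoped.

```python
import re

CHANGE_TYPE_KEY = "catalog:changetype"  # condition key from the first policy, lowercased
POSITIVE_OPS = {"stringequals", "stringequalsignorecase", "stringlike"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_start_change_set(pattern):
    # IAM action patterns are case-insensitive; * and ? are the only wildcards.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, "aws-marketplace:StartChangeSet", re.IGNORECASE) is not None

def _allowed_change_types(condition):
    types = []
    for op, keys in condition.items():
        if op.split(":")[-1].lower() in POSITIVE_OPS:  # drop ForAnyValue:/ForAllValues:
            for key, values in keys.items():
                if key.lower() == CHANGE_TYPE_KEY:
                    types.extend(_as_list(values))
    return types

def audit_start_change_set(policy):
    """Return one finding per Allow statement that grants StartChangeSet."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(map(_grants_start_change_set, actions)):
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        change_types = _allowed_change_types(stmt.get("Condition", {}))
        findings.append({"statement": index, "change_types": change_types,
                         "resource_scoped": "*" not in resources,
                         "unrestricted": not change_types and "*" in resources})
    return findings

# Constructed sample: the two StartChangeSet statements from this page plus an over-broad one.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["aws-marketplace:StartChangeSet"], "Resource": "*",
     "Condition": {"StringEquals": {"catalog:ChangeType": [
         "AllowProductProcurement", "DenyProductProcurement"]}}},
    {"Effect": "Allow", "Action": ["aws-marketplace:StartChangeSet"], "Resource": [
        "arn:aws:aws-marketplace:*:*:AWSMarketplace/Experience/exp-1234example"]},
    {"Effect": "Allow", "Action": "aws-marketplace:*", "Resource": "*"},
]}

if __name__ == "__main__":
    for finding in audit_start_change_set(SAMPLE):
        print(finding)
```

Only the third, constructed statement is reported as unrestricted; the wildcard action aws-marketplace:* grants StartChangeSet without a change-type or resource limit.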