Mapping AWS Partner Central users to AWS Marketplace IAM roles
This section explains how to map AWS Partner Central users to AWS Marketplace AWS Identity and Access Management (IAM) roles. Mapping enables single sign-on access for users across AWS Partner Central and AWS Marketplace, as well as other features such as product linking and offer linking.
Before mapping, you must first complete the following:
- To allow AWS Partner Central to map AWS Marketplace IAM roles, add the following custom trust policy to the roles.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "partnercentral-account-management.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
- For AWS Partner Central users with the ACE user role, grant permissions to perform the ListEntities and SearchAgreements actions. For more information, refer to Controlling access to AWS Marketplace Management Portal.
- Link your AWS Partner Central account to an AWS Marketplace account.
To map IAM roles to your AWS Partner Central users, you must create IAM roles with the permissions you want to provide to your users. For cloud admin users, you can only map the cloud admin IAM role created in your account during the account linking process. You can create one or multiple IAM roles to be associated with your AWS Partner Central users. The IAM role names must start with PartnerCentralRoleFor. When mapping IAM roles to AWS Partner Central users, you cannot choose an IAM role whose name does not start with PartnerCentralRoleFor.
You can attach custom or managed policies to the IAM role. You can attach the AWS Marketplace managed policies such as AWSMarketplaceSellerFullAccess to the IAM roles and provide access to your AWS Partner Central users. For more information about creating roles, refer to Creating an IAM role (console).
Connecting ACE opportunities with AWS Marketplace private offers
To enable ACE users to attach AWS Marketplace private offers to ACE opportunities, map them to an AWS Marketplace IAM role in AWS Partner Central.
Prerequisites
Complete the following before mapping users to AWS Marketplace IAM roles:
- When you link an AWS Marketplace account to AWS Partner Central, provide AWSMarketplaceSellerFullAccess or, minimally, ListEntities/SearchAgreements to the IAM role assigned to ACE users. This is required to enable ACE users to attach AWS Marketplace private offers to ACE opportunities.
- (Optional) To grant minimal permission, add a customer managed policy to your AWS account and to the IAM role you create for ACE managers and users. Refer to the following policy as an example:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "aws-marketplace:SearchAgreements",
          "aws-marketplace:DescribeAgreement",
          "aws-marketplace:GetAgreementTerms",
          "aws-marketplace:ListEntities",
          "aws-marketplace:DescribeEntity",
          "aws-marketplace:StartChangeSet"
        ],
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "aws-marketplace:PartyType": "Proposer"
          },
          "ForAllValues:StringEquals": {
            "aws-marketplace:AgreementType": [
              "PurchaseAgreement"
            ]
          }
        }
      }
    ]
  }
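The following is an added example, not AWS code: a pre-mapping check that a role satisfies the three requirements stated on this page (name prefix, trust policy for the Partner Central service principal, and the ListEntities and SearchAgreements actions). The function names and the sample role are hypothetical, and the policy documents are passed in as already-parsed JSON.

```python
import fnmatch

# Values taken from the page; the function names below are hypothetical.
ROLE_PREFIX = "PartnerCentralRoleFor"
TRUST_SERVICE = "partnercentral-account-management.amazonaws.com"
REQUIRED_ACTIONS = ("aws-marketplace:ListEntities", "aws-marketplace:SearchAgreements")

def _as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _allowed(policy):
    """Yield (statement, lower-cased action patterns) for each Allow statement."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            yield stmt, [a.lower() for a in _as_list(stmt.get("Action"))]

def _grants(patterns, action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def trust_allows_partner_central(trust_policy):
    for stmt, patterns in _allowed(trust_policy):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if TRUST_SERVICE in services and _grants(patterns, "sts:AssumeRole"):
            return True
    return False

def check_role(role_name, trust_policy, permission_policies):
    """Return findings; an empty list means the page's prerequisites are met.
    Deny statements, NotAction and Condition blocks are not evaluated."""
    findings = []
    if not role_name.startswith(ROLE_PREFIX):
        findings.append("role name must start with " + ROLE_PREFIX)
    if not trust_allows_partner_central(trust_policy):
        findings.append("trust policy does not allow " + TRUST_SERVICE)
    patterns = [p for pol in permission_policies for _, pats in _allowed(pol) for p in pats]
    findings += ["missing action " + a for a in REQUIRED_ACTIONS if not _grants(patterns, a)]
    return findings

# Constructed sample: wrong name prefix, wrong trusted service, SearchAgreements not granted.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}}
SAMPLE_PERMS = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["aws-marketplace:List*"], "Resource": "*"}]}]
```

Calling check_role("MarketplaceSeller", SAMPLE_TRUST, SAMPLE_PERMS) returns one finding per unmet requirement, while a role built from the two policies shown on this page returns an empty list.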
Mapping users to AWS Marketplace IAM roles
Use the procedures in this section to map and unmap AWS Partner Central users to AWS Marketplace IAM roles.
To map an AWS Partner Central user to an AWS Marketplace IAM role
- Sign in to AWS Partner Central as a user with the alliance lead or cloud admin role.
- In the Account linking section of the AWS Partner Central homepage, choose Manage linked account.
- In the Non-cloud admin users section of the Account Linking page, choose a user.
- Choose Map to IAM role.
- Choose an IAM role from the dropdown list.
- Choose Map role.
To unmap an AWS Partner Central user from an AWS Marketplace IAM role
- Sign in to AWS Partner Central as a user with the alliance lead or cloud admin role.
- In the Account linking section of the AWS Partner Central homepage, choose Manage linked account.
- In the Non-cloud admin users section of the Account Linking page, choose the user you want to unmap.
- Choose Unmap role.