Access control and permissions - AWS Partner Central

Access control and permissions

Access control and permissions are managed by AWS Identity and Access Management (IAM). This section provides guidance for configuring the necessary permissions to interact with the API, including the permissions required to list AWS Marketplace entities.

Prerequisites

Before configuring permissions, ensure that your AWS account is linked to Partner Central and that you created the necessary IAM roles and users. For more information, see Setup and Authentication.

Using AWS managed policies

AWS provides managed policies that grant the required permissions to interact with the API. To provide the necessary access to manage opportunities, attach the AWSPartnerCentralOpportunityManagement policy to your IAM identities. For more information, see AWS managed policies for AWS Partner Central users.

AWSPartnerCentralOpportunityManagement policy

This policy grants full access to Partner Central opportunity management actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "partnercentral:CreateOpportunity",
                "partnercentral:UpdateOpportunity",
                "partnercentral:ListOpportunities",
                "partnercentral:GetOpportunity",
                "partnercentral:GetAwsOpportunitySummary",
                "partnercentral:ListSolutions",
                "partnercentral:AssociateOpportunity",
                "partnercentral:DisassociateOpportunity",
                "partnercentral:AssignOpportunity",
                "partnercentral:SubmitOpportunity",
                "partnercentral:AcceptEngagementInvitation",
                "partnercentral:CreateEngagementInvitation",
                "partnercentral:RejectEngagementInvitation",
                "partnercentral:GetEngagementInvitation",
                "partnercentral:ListEngagementInvitations",
                "partnercentral:StartEngagementFromOpportunityTask",
                "partnercentral:StartEngagementByAcceptingInvitationTask",
                "partnercentral:CreateResourceSnapshotJob",
                "partnercentral:StartResourceSnapshotJob",
                "partnercentral:CreateEngagement"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:ListEntities",
                "aws-marketplace:DescribeEntity"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:SearchAgreements",
                "aws-marketplace:DescribeAgreement"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws-marketplace:PartyType": "Proposer"
                }
            }
        }
    ]
}

Custom policies

If the managed policies don't meet your needs, create custom IAM policies that grant the permissions required for your use case. The following example is a custom policy that grants permissions to list AWS Marketplace entities:

Example of custom policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "partnercentral:ListOpportunities",
                "aws-marketplace:ListEntities"
            ],
            "Resource": "*"
        }
    ]
}

Custom permissive policy

This policy provides broad access to Partner Central selling actions, including features that may be added in the future, without requiring policy updates. Because it uses the wildcard action partnercentral:*, the policy automatically grants access to new Partner Central selling features as they become available, which reduces the need for manual updates. The policy also includes permissions for interacting with AWS Marketplace entities, so that access is maintained for both selling and Marketplace actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "partnercentral:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:ListEntities",
                "aws-marketplace:DescribeEntity"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:SearchAgreements",
                "aws-marketplace:DescribeAgreement"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws-marketplace:PartyType": "Proposer"
                }
            }
        }
    ]
}

Assigning policies to IAM roles and users

Follow these steps to assign policies to IAM roles and users:

  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM service.

  3. Select roles or users, and choose the IAM role or user to which you want to attach a policy.

  4. Attach the AWSPartnerCentralOpportunityManagement policy or your custom policy to the selected IAM role or user.

For more information, see Adding and removing IAM identity permissions.

Managing permissions using condition keys

Condition keys in IAM policies give you finer-grained control over when a policy statement is enforced. You can use them to specify the conditions under which certain permissions are allowed or denied.

For more information, see IAM JSON policy elements: Condition operators.

Condition keys overview
| Condition key | Description | Applicable actions | Valid values |
| --- | --- | --- | --- |
| partnercentral:Catalog | filters access by the type of the associated catalog entity | all actions | AWS, sandbox |
| aws-marketplace:PartyType | filters access based on the type of party (e.g., proposer) | SearchAgreements, DescribeAgreement | proposer |
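
The wildcard grant in the custom permissive policy and the aws-marketplace:PartyType condition described above can both be checked mechanically before a policy is attached. The following is an added example, not AWS code and not part of the original page: it audits a policy document for wildcard actions and for agreement actions granted without a PartyType condition. The WEAK policy and the action name ExampleFutureAction are constructed for illustration.

```python
import re

# Agreement actions that the page's policies scope with aws-marketplace:PartyType.
PARTY_SCOPED = ("aws-marketplace:searchagreements", "aws-marketplace:describeagreement")

def _listify(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; * matches any run, ? one character.
    rx = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action.lower()) is not None

def audit(policy):
    """Return sorted (index, finding) pairs; condition keys are checked for presence only."""
    findings = set()
    for i, stmt in enumerate(_listify(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        cond_keys = {k.lower() for blk in stmt.get("Condition", {}).values() for k in blk}
        for pattern in _listify(stmt.get("Action", [])):
            if "*" in pattern or "?" in pattern:
                findings.add((i, "wildcard action " + pattern))
            if "aws-marketplace:partytype" not in cond_keys and any(
                    _matches(pattern, a) for a in PARTY_SCOPED):
                findings.add((i, "agreement access without PartyType condition"))
    return sorted(findings)

def granting_statements(policy, action):
    """Indexes of Allow statements whose Action matches (conditions not evaluated)."""
    return [i for i, s in enumerate(_listify(policy["Statement"]))
            if s.get("Effect") == "Allow"
            and any(_matches(p, action) for p in _listify(s.get("Action", [])))]

# The page's custom permissive policy, compacted.
PERMISSIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["partnercentral:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["aws-marketplace:ListEntities", "aws-marketplace:DescribeEntity"], "Resource": "*"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["aws-marketplace:SearchAgreements", "aws-marketplace:DescribeAgreement"],
     "Condition": {"StringEquals": {"aws-marketplace:PartyType": "Proposer"}}}]}

# Constructed weak variant: agreement access by wildcard, condition dropped.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "aws-marketplace:*Agreement*", "Resource": "*"}]}

if __name__ == "__main__":
    print(audit(PERMISSIVE), audit(WEAK), sep="\n")
    print(granting_statements(PERMISSIVE, "partnercentral:ExampleFutureAction"))
```

The last call shows that statement 0 of the permissive policy matches an action name that does not exist yet, which is the behavior the wildcard is chosen for and the reason to review it against least privilege.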

Summary of required permissions

| Action | Description |
| --- | --- |
| partnercentral:CreateOpportunity | allows creating opportunities |
| partnercentral:UpdateOpportunity | allows updating opportunities |
| partnercentral:ListOpportunities | allows listing opportunities |
| partnercentral:GetOpportunity | allows retrieving opportunity details |
| partnercentral:ListSolutions | allows listing solutions |
| partnercentral:AssociateOpportunity | allows associating opportunities with other entities |
| partnercentral:DisassociateOpportunity | allows disassociating opportunities from other entities |
| partnercentral:AcceptEngagementInvitation | allows accepting engagement invitations |
| partnercentral:RejectEngagementInvitation | allows rejecting engagement invitations |
| partnercentral:GetEngagementInvitation | allows retrieving engagement invitation details |
| partnercentral:ListEngagementInvitations | allows listing engagement invitations |
| partnercentral:SubmitOpportunity | allows submitting opportunities |
| partnercentral:GetAwsOpportunitySummary | allows retrieving AWS opportunity summary |
| aws-marketplace:ListEntities | allows listing AWS Marketplace entities |
| aws-marketplace:DescribeEntity | allows describing AWS Marketplace entities |
| aws-marketplace:SearchAgreements | allows searching agreements in AWS Marketplace |
| aws-marketplace:DescribeAgreement | allows describing agreements in AWS Marketplace |