AWS Marketplace is an online store where you can find, buy, and quickly deploy software that runs on Amazon Web Services (AWS). To use AWS Marketplace, you subscribe to software and then launch the software as an EC2 instance.
Your company might also have other people who should be allowed to manage subscriptions on your behalf. In order for other people to manage subscriptions, they must be logged into AWS. However, it's not a good idea to share the primary credentials of your AWS account in order to manage subscriptions, for these reasons:
It's difficult to revoke shared credentials. For example, some people might change responsibilities in your company and should no longer be allowed to manage your subscriptions or log in using your credentials.
Anyone who has your primary credentials also has access to the billing information for your account.
A better approach is to use AWS Identity and Access Management (IAM) to create users and groups. You can create an IAM user for each user in your company who needs to work with subscriptions. When you create users, each user has an individual user ID and password that they use to log in to AWS services, including AWS Marketplace.
After you've created users, you can create IAM groups and configure the groups to provide different levels of access to AWS Marketplace subscriptions. For example, one group might have permission only to view your subscriptions; another group might be able to subscribe and unsubscribe; and a third group might have complete control, which includes starting and stopping instances.
Finally, after you've created the groups, you can assign each individual user to one of the groups, based on what level of access that user should have. For example, if user Rodrigo should only be allowed to view your subscriptions, you can add him to the read-only group. If a user changes responsibility or leaves the company, you can change the group that the user belongs to, or you can change that user's information in IAM.
Important
All of your IAM users work on the same AWS Marketplace account. Any change that an IAM user makes to manage a software subscription is global and applies to all your IAM users for that subscription.
To let users in your company manage subscriptions, you have to have an IAM user for each company user. If you do not already have IAM users for your company users, follow these steps:
To create IAM users for AWS Marketplace subscriptions
Log into your AWS account.
Open the IAM console at https://console.aws.amazon.com/iam/home.
In the left-hand pane, click Users.

Click Create New Users, which displays the Create User dialog box.

Enter a name for each user you want to create.
Unselect the Generate an access key for User option.

Click Create. New users are listed.

To assign a password to each user:
Click the name, and then at the bottom of the window, click the Security Credentials tab.
Click Manage Password and create an auto-assigned or a custom password.

Note
Create a user and password for yourself as well, even though you are the AWS account owner. It's a good idea for everyone to work in AWS Marketplace as an IAM user, even the account owner.
To create IAM groups for AWS Marketplace subscriptions
In your AWS account, open the IAM console at https://console.aws.amazon.com/iam/.
In the left-hand pane, click Groups.

Click Create New Group, which starts a wizard.

Enter a name for the group (such as MarketplaceReadOnly or MarketplaceFullControl) and then click Continue.

In the Set Permissions step, choose the Select Policy Template option that you want and then click Select.

To allow users only to view subscriptions (but not change them), select the AWS Marketplace Read-only policy.
To allow users to also be able to subscribe and unsubscribe, select the AWS Marketplace Manage Subscriptions policy.
To allow users complete control of your subscriptions, select the AWS Marketplace Full Access policy.
In the Edit Permissions step, click Continue.

In the next step, click Create Group. The new group is listed.

Click the group, and then in the Users tab at the bottom of the window, click Add Users to Group.

Select the users to add to the group and then click Add Users. (If you created an IAM user for yourself, as is recommended, make sure you add yourself to the group that has full control.)

Repeat these steps to create other groups with different permissions and to assign users to those groups.
You are not limited to the permissions that are defined in the policy templates that are illustrated here. When you create a group, you can create a custom policy that grants or denies AWS Marketplace permissions differently than how the permissions are set in the policy templates. For details, see Creating and Listing Groups in the IAM documentation.
Note
To see permissions settings for the templated policies (for example, if you are making API calls and need to see the policy details), see Permissions Details for Managing Marketplace Subscriptions later in this document.
After you've created users in IAM, users can log in using their own user name and password. To do so, they need to use a URL that is associated with your primary account.
To get your site's URL
In your AWS account, open the IAM console at https://console.aws.amazon.com/iam/.
In the left-hand pane, click IAM Dashboard.

Under AWS Account Alias in the bottom pane, take note of the sign-in link, which will have a format like this:
https://account-number.signin.aws.amazon.com/console/
Note
If you want the URL for your sign-in page to contain your company name (or other friendly identifier) instead of your AWS account ID, you can create an alias for your AWS account ID. For more information, see Using an Alias for Your AWS Account ID in the AWS Identity and Access Management Using IAM guide.
Distribute this URL to the users at your company who can work with AWS Marketplace, and give users the user name and password that you created for them.
As users work in AWS Marketplace, AWS makes sure that they have the appropriate permissions. (Specifically, that they belong to a group that has the appropriate permissions.) For example, user Rodrigo might belong to a group that has only read-only permissions to work with your subscriptions. When he logs into AWS Marketplace, he can click the Your Software link at the top of the page:

When he clicks the link, he can see the software that you've subscribed to, but he cannot manage it. A message is displayed that tells him this:

If you or your users need to contact customer service, you need your AWS account number.
To get your account number
Go to the AWS Marketplace main page at https://aws.amazon.com/marketplace and sign in using your IAM user name.
At the top of the page, click Your Account.

In the Your Account page, click the Review and change your AWS profile link.

At the top of the AWS account information page, find the account number and make a note of it.

This section provides in-depth information about the permissions that you can work with in order to control access to your AWS Marketplace subscriptions. The information that follows is primarily of interest to you if:
You are curious about the details of the IAM permissions that are set when you use the policy templates.
You want to create a custom policy that sets permissions that are different from the permissions that are available when you use the policy templates. (For details about how to create custom policies, see Creating and Listing Groups in the AWS Identity and Access Management Using IAM guide.)
You are making API-level calls to AWS Marketplace and you need to see what the policy language looks like for setting permissions.
The following table summarizes all the actions that are needed in order to manage AWS Marketplace subscriptions. Some of the permissions pertain to Amazon EC2, because part of managing subscriptions consists of managing EC2 instances that run your subscribed software. The examples that follow the table show how to set permissions for these actions so that users can have either read-only or full permissions to manage subscriptions. (The policies that are illustrated are the ones that you can select as AWS Marketplace policy templates when you create a new group in the IAM console.)
| Action | Description |
|---|---|
| aws-marketplace:ViewSubscriptions | Granting access to this action allows users to see subscribed software. Without this permission, no other permissions will work. |
| aws-marketplace:Subscribe | Granting access to this action allows users to add new software subscriptions using the Your Software page. (Note that adding a subscription might cause you to incur a monthly charge, even if users don't launch any instances.) Allowing this action does not allow an IAM user to start, stop, or otherwise manipulate instances. The user must have EC2 permissions (described later in this table) in order to manipulate instances from AWS Marketplace. |
| aws-marketplace:Unsubscribe | Granting access to this action allows users to remove software subscriptions using the Your Software page. (Unsubscribing might fail if there are running instances of the software.) Allowing this action does not allow an IAM user to start, stop, or otherwise manipulate instances. The user must have EC2 permissions (described later in this table) in order to manipulate instances from AWS Marketplace. |
| ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateSecurityGroup, ec2:DeleteSecurityGroup, ec2:DescribeImages, ec2:DescribeInstances, ec2:DescribeKeyPairs, ec2:DescribeSecurityGroups, ec2:RunInstances, ec2:StartInstances, ec2:StopInstances, ec2:TerminateInstances | Granting access to these EC2 actions allows users to manipulate running instances of AWS Marketplace software. For AWS Marketplace, these permissions act as a group. If an IAM user is not granted access to all of these actions, the user will not be able to use AWS Marketplace to manipulate instances. |
The following policy defines read-only permissions that let users view subscriptions without being able to make any changes:
{
"Statement":[{
"Effect":"Allow",
"Action":["aws-marketplace:ViewSubscriptions"],
"Resource":"*"
}]
}

The following policy includes permissions that let the user subscribe and unsubscribe from Marketplace software:
{
"Statement":[{
"Effect":"Allow",
"Action":["aws-marketplace:ViewSubscriptions",
"aws-marketplace:Subscribe",
"aws-marketplace:Unsubscribe"],
"Resource":"*"
}]
}

The following policy includes permissions that let users perform all tasks associated with subscriptions: subscribe and unsubscribe from Marketplace software, and view, start, and stop instances:
{
"Statement":[{
"Effect":"Allow",
"Action":["aws-marketplace:ViewSubscriptions",
"aws-marketplace:Subscribe",
"aws-marketplace:Unsubscribe",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"],
"Resource":"*"
}]
}

For details about managing IAM users and groups, see Getting Started in the AWS Identity and Access Management Using IAM guide.
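A custom policy can silently break the two dependencies described in the table: ViewSubscriptions is a prerequisite for everything else, and the EC2 actions only work in AWS Marketplace as a complete set. The following check is an added example, not part of the AWS documentation or tooling; the tier names and the `review` function are hypothetical, and it assumes only `Effect` and `Action` matter (it ignores `Resource`, `Condition` and `NotAction`).

```python
import fnmatch
import json

VIEW = "aws-marketplace:ViewSubscriptions"
MANAGE = {"aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe"}
EC2_GROUP = {"ec2:" + a for a in (
    "AuthorizeSecurityGroupEgress AuthorizeSecurityGroupIngress CreateSecurityGroup "
    "DeleteSecurityGroup DescribeImages DescribeInstances DescribeKeyPairs "
    "DescribeSecurityGroups RunInstances StartInstances StopInstances "
    "TerminateInstances").split()}
# Constructed sample: a custom policy with only part of the EC2 set.
SAMPLE = '''{"Statement":[{"Effect":"Allow","Action":["aws-marketplace:*",
  "ec2:StartInstances","ec2:StopInstances"],"Resource":"*"}]}'''

def _listify(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _hit(patterns, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def granted_actions(policy):
    """Actions from this page that the policy allows; an explicit Deny wins."""
    allow, deny = [], []
    for stmt in _listify(policy.get("Statement")):
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.extend(_listify(stmt.get("Action")))
    return {a for a in {VIEW} | MANAGE | EC2_GROUP
            if _hit(allow, a) and not _hit(deny, a)}

def review(policy_json):
    """Return (tier, findings) for a custom AWS Marketplace group policy."""
    granted = granted_actions(json.loads(policy_json))
    findings = []
    if VIEW not in granted:
        if granted:
            findings.append("ViewSubscriptions missing: other grants will not work")
        return "none", findings
    ec2 = granted & EC2_GROUP
    if ec2 and ec2 != EC2_GROUP:
        findings.append("incomplete EC2 set, missing: "
                        + ", ".join(sorted(EC2_GROUP - ec2)))
    if MANAGE <= granted and ec2 == EC2_GROUP:
        return "full-access", findings
    if MANAGE <= granted and not ec2:
        return "manage-subscriptions", findings
    if not granted & MANAGE and not ec2:
        return "read-only", findings
    return "custom", findings

print(review(SAMPLE))
```

A partial EC2 grant flagged here is still honored for direct EC2 API calls, so it is unneeded privilege rather than a harmless no-op.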