API access control - AWS Marketplace Catalog API

API access control

Before you can use the AWS Marketplace Catalog API, your account must have access to the functionality you want to call through the API.

You must create AWS Identity and Access Management (IAM) users, roles, and policies before you can use the AWS Marketplace Catalog API.

Use AWS Identity and Access Management to create IAM roles and assign policies that grant limited permissions to end users. The policies define the actions the role can take on your product entities through the AWS Marketplace Catalog API. For example, you can define roles such as engineering, marketing, and pricing. A user in your organization who has been added to the engineering role might be granted permission to initiate a change request that publishes a new version, but not permission to list all change sets.

Note

To sell products on AWS Marketplace, your AWS account must be set up as a seller account. For more details about becoming an AWS Marketplace seller, see Getting started as a seller in the AWS Marketplace Seller Guide.

Set up IAM permissions

You can use policies that are managed by AWS to grant IAM permissions to your users.

To manage a private marketplace, you can use the AWSPrivateMarketplaceAdminFullAccess IAM managed policy, which has full access to create and edit the private marketplace for your account or AWS organization.

To work with products that you sell on AWS Marketplace, you can use the AWSMarketplaceSellerFullAccess IAM managed policy, which has full access to the AWS Marketplace Catalog API in addition to its other permissions. You can grant read-only access for the Catalog API with the AWSMarketplaceSellerProductsReadOnly policy.

For more details about these policies, their permissions, and other IAM managed policies, sign in to the IAM console at https://console.aws.amazon.com/iam/, choose Policies, and enter marketplace in the Search field.

You can also create your own policies or limit the scope of managed policies to a subset of functionality available in the AWS Marketplace Catalog API. The following is a list of the actions that you can use in your IAM policies for scoping permissions to the AWS Marketplace Catalog API:

  • aws-marketplace:ListChangeSets

  • aws-marketplace:DescribeChangeSet

  • aws-marketplace:StartChangeSet

  • aws-marketplace:CancelChangeSet

  • aws-marketplace:ListEntities

  • aws-marketplace:DescribeEntity

For more information about using policies in AWS Marketplace, see the following topics:

Condition keys

The AWS Marketplace Catalog API also supports condition keys for the StartChangeSet action, allowing you to tune IAM policies for each change type. For example, if an IAM user has the following policy attached, they can perform StartChangeSet only when the change type name is ExampleChangeTypeName.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "aws-marketplace:StartChangeSet",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "catalog:ChangeType": [
                        "ExampleChangeTypeName"
                    ]
                }
            }
        }
    ]
}

Note

Condition keys are supported when used with the AWS Marketplace Catalog API only. Using condition keys will not allow the user to use the AWS Marketplace Management Portal to make changes to products. For users to use the AWS Marketplace Management Portal, create a policy without a condition key on the StartChangeSet action.

Specifying resources in policy

The AWS Marketplace Catalog API supports specifying resources for the StartChangeSet action, allowing you to tune IAM policies for specific products. For example, if an IAM user has the following policy attached, they can perform StartChangeSet only for the specified products.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "aws-marketplace:StartChangeSet",
            "Resource": [
                "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/AmiProduct/example1-abcd-1234-5ef6",
                "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/AmiProduct/example2-abcd-1234-5ef6"
            ]
        }
    ]
}

Note

Resource-level permissions are supported when used with the AWS Marketplace Catalog API only. Using resource-level permissions will not allow the user to use the AWS Marketplace Management Portal to make changes to products. For users to use the AWS Marketplace Management Portal, create a policy without a resource-level permission on the StartChangeSet action.
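
The following is an added example, not part of the AWS documentation: a simplified Python check that reports, for each Allow statement granting StartChangeSet, whether it is limited by the catalog:ChangeType condition key or by specific product ARNs, the two scoping mechanisms described under Condition keys and Specifying resources in policy. The function name, the finding fields, and the sample policy are constructed for illustration.

```python
import fnmatch

ACTION = "aws-marketplace:startchangeset"  # IAM action names are case-insensitive
CONDITION_KEY = "catalog:changetype"       # so are condition key names

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_start_change_set(policy):
    """Report how each Allow statement granting StartChangeSet is scoped."""
    # Simplified: Deny, NotAction and NotResource statements are not evaluated,
    # and condition operators are not interpreted (only the key is looked up).
    findings = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # Action patterns may contain wildcards, e.g. "aws-marketplace:*".
        patterns = [a.lower() for a in as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(ACTION, p) for p in patterns):
            continue
        change_types = [name for keys in stmt.get("Condition", {}).values()
                        for key, names in keys.items() if key.lower() == CONDITION_KEY
                        for name in as_list(names)]
        # Conservative: any wildcard in a resource counts as not product-scoped.
        resources = as_list(stmt.get("Resource", "*"))
        product_scoped = all("*" not in r for r in resources)
        findings.append({"statement": index, "change_types": change_types,
                         "product_scoped": product_scoped,
                         "unscoped": not change_types and not product_scoped})
    return findings

# Constructed sample: read-only actions, one change-type-scoped grant, one wildcard grant.
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["aws-marketplace:DescribeEntity", "aws-marketplace:DescribeChangeSet"]},
        {"Effect": "Allow", "Action": "aws-marketplace:StartChangeSet", "Resource": "*",
         "Condition": {"StringEquals": {"catalog:ChangeType": ["ExampleChangeTypeName"]}}},
        {"Effect": "Allow", "Action": "aws-marketplace:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in audit_start_change_set(SAMPLE):
        print(finding)
```

A finding with "unscoped" set to True marks a statement that allows StartChangeSet for every change type and every product, which is the form the notes above say the AWS Marketplace Management Portal requires.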