Policies and permissions for AWS Marketplace sellers

AWS Marketplace has several managed policies that you can use with the AWS Marketplace Management Portal. In addition, you can use individual permissions to create your own AWS Identity and Access Management (IAM) policy.

You can also provide fine-grained access to the AWS Marketplace Management Portal for the Settings, Contact Us, File Upload, and Insights tabs. Using fine-grained access, you can do the following:

Grant other people permission to administer and use resources in your AWS account without sharing your password or access key.
Grant granular permissions to multiple people for various resources. For example, you might allow some users access to view the Settings tab in the AWS Marketplace Management Portal. For other users, you might allow access to edit in the Settings and Contact Us tabs.

Note

For more information about how to use fine-grained permissions, see Using fine-grained permissions.

For more information about policies and permissions in AWS Data Exchange for data products, see Identity and Access Management in AWS Data Exchange in the AWS Data Exchange User Guide.

For more information about policies and permissions for AWS Marketplace buyers, see Controlling access to AWS Marketplace subscriptions in the AWS Marketplace Buyer Guide.

Policies for AWS Marketplace sellers

You can use the following managed policies to provide users with controlled access to the AWS Marketplace Management Portal:

AWSMarketplaceSellerFullAccess: Allows full access to all of the pages in the AWS Marketplace Management Portal and other AWS services, such as Amazon Machine Image (AMI) management.
AWSMarketplaceSellerProductsFullAccess: Allows full access to the Products pages in the AWS Marketplace Management Portal.
AWSMarketplaceSellerProductsReadOnly: Allows read-only access to the Products pages in the AWS Marketplace Management Portal.

Important

AWS Marketplace buyers can use managed policies to manage the subscriptions they purchase. The names of the managed policies that you use with AWS Marketplace Management Portal start with AWSMarketplaceSeller. When you search for policies in IAM, make sure to search for policy names that start with AWSMarketplaceSeller.

AWS Marketplace also provides specialized managed policies for specific scenarios. For a full list of AWS managed policies for AWS Marketplace sellers and descriptions of what permissions they provide, see AWS managed policies for AWS Marketplace sellers.

Permissions for AWS Marketplace sellers

You can use the following permissions in IAM policies for the AWS Marketplace Management Portal:

aws-marketplace-management:PutSellerVerificationDetails: Allows access to start the Know Your Customer (KYC) process.
aws-marketplace-management:GetSellerVerificationDetails: Allows access to view the KYC status in the AWS Marketplace Management Portal.
aws-marketplace-management:PutBankAccountVerificationDetails: Allows access to start the bank account verification process.
aws-marketplace-management:GetBankAccountVerificationDetails: Allows access to view the bank account verification status in the AWS Marketplace Management Portal.
aws-marketplace-management:PutSecondaryUserVerificationDetails: Allows access to add secondary users in the AWS Marketplace Management Portal.
aws-marketplace-management:GetSecondaryUserVerificationDetails: Allows access to view the secondary user status in the AWS Marketplace Management Portal.
aws-marketplace-management:GetAdditionalSellerNotificationRecipients: Allows access to view email contacts for AWS Marketplace notifications.
aws-marketplace-management:PutAdditionalSellerNotificationRecipients: Allows access to update email contacts for AWS Marketplace notifications.
tax:PutTaxInterview: Allows access to take the tax interview in the AWS Marketplace Management Portal.
tax:GetTaxInterview: Allows access to view the tax interview status in the AWS Marketplace Management Portal.
payments:CreatePaymentInstrument: Allows access to add a bank account to the AWS Marketplace Management Portal.
payments:GetPaymentInstrument: Allows access to view existing bank accounts in the AWS Marketplace Management Portal.
aws-marketplace:ListTasks: Allows access to view a list of tasks pending seller action.
aws-marketplace:DescribeTask: Allows access to view the details of any tasks pending seller action.
aws-marketplace:UpdateTask: Allows access to edit a task pending seller action.
aws-marketplace:CompleteTask: Allows access to submit edits made to a task pending seller action.

support:CreateCase: Allows access to create an AWS Support case within the AWS Marketplace Management Portal.
aws-marketplace-management:viewSupport: Allows access to the Customer Support Eligibility page in the AWS Marketplace Management Portal.
aws-marketplace-management:viewReports: Allows access to the Reports page in the AWS Marketplace Management Portal.
aws-marketplace-management:uploadFiles: Allows access to the File Upload page in the AWS Marketplace Management Portal.

Note
As of May 2023, this permission is no longer available to new sellers. Existing sellers with custom policies can continue to use the aws-marketplace-management:uploadFiles permission.
aws-marketplace-management:viewSettings: Allows access to the Settings page in the AWS Marketplace Management Portal.

Note
As of May 2023, this permission is no longer available to new sellers. Existing sellers with custom policies can continue to use the aws-marketplace-management:viewSettings permission.
aws-marketplace:ListEntities: Allows access to list objects in AWS Marketplace Management Portal. Required to access the Offers and Partners pages in the AWS Marketplace Management Portal.

Note
To allow access to view the Settings tab, you can use this permission, the ListEntity permission, and the following Amazon Resource Name (ARN): arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/{entity-id}.
aws-marketplace:DescribeEntity: Allows access to view details of objects in AWS Marketplace Management Portal. Required to access the Offers, Partners, and Agreements pages in the AWS Marketplace Management Portal.

Note
To allow access to view the Settings tab, you can use this permission, the DescribeEntity permission, and the following ARN: arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/*.
aws-marketplace:StartChangeSet: Allows access to create product changes in AWS Marketplace Management Portal. Required to make changes in the Offers, Partners, and Agreements pages in the AWS Marketplace Management Portal.

Note
To allow access to register as a seller in AWS Marketplace, you can use this permission, the catalog:ChangeType: "CreateSeller" condition key, and the following ARN: arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/{entity-id}.
To allow access to update the seller profile in AWS Marketplace, you can use this permission, the catalog:ChangeType: "UpdateInformation" condition key, and the following ARN: arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/{entity-id}.
To allow access to update disbursement preferences for Amazon Web Services, you can use this permission, the catalog:ChangeType: "UpdateDisbursementPreferences" condition key, and the following ARN: arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/{entity-id}.
aws-marketplace:SearchAgreements: Allows viewing the high-level list of agreements on the Agreements page, and opportunities between ISVs and channel partners on the Partners page.
aws-marketplace:DescribeAgreement: Allows viewing of high-level agreement details on the Agreements page, and opportunities between ISVs and channel partners on the Partners page.
aws-marketplace:GetAgreementTerms: Allows viewing all agreement term details on the Agreements page, and opportunities between ISVs and channel partners on the Partners page.
aws-marketplace:GetSellerDashboard: Allows access to the dashboards on the Insights page in the AWS Marketplace Management Portal.

Note

To enable a user to access the Manage Products page, you must use either the AWSMarketplaceSellerProductsFullAccess or AWSMarketplaceSellerProductsReadOnly managed permissions.

You can combine the preceding permissions into a single IAM policy to grant the permissions that you want. See the following examples.

Example 1: Permissions to view the KYC status

To grant permissions to view the KYC status in the AWS Marketplace Management Portal, use a policy similar to the following example.


{"Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "aws-marketplace-management:GetSellerVerificationDetails"
    ],
    "Resource": ["*"]
  }]
}

Example 2: Permissions to create upgrades and renewals for private offers

To grant permissions to view and use the Agreements page to create upgrades and renewals for private offers, use a policy similar to the following example.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:SearchAgreements",
                "aws-marketplace:DescribeAgreement",
                "aws-marketplace:GetAgreementTerms",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws-marketplace:PartyType": "Proposer"
                },
                "ForAllValues:StringEquals": {
                    "aws-marketplace:AgreementType": [
                        "PurchaseAgreement"
                    ]
                }
            }
        }
    ]
}

Example 3: Permissions to access the Offers page and create new private offers

To grant permissions to view and use the Offers page to view existing private offers and create private offers, use a policy similar to the following example.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:ListEntities",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet"
            ],
            "Effect": "Allow",
            "Resource": "*",
        }
    ]
}

Example 4: Permissions to access the Settings page

To grant permissions to view and use the Settings page, use a policy similar to the following example.


{
    "Version": "2012-10-17",
    "Statement": [
        {"Action": [
                "aws-marketplace:ListEntities",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet"
            ],
            "Effect": "Allow",
            "Resource": "arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/*",
        }
    ]
}

Using fine-grained permissions

Note

This procedure is only applicable to sellers who implemented custom policies before May 2023.

To use fine-grained permissions access for the AWS Marketplace Management Portal

Add one or more of the following permissions to your existing IAM policies:
- aws-marketplace-management:PutSellerVerificationDetails
- aws-marketplace-management:GetSellerVerificationDetails
- aws-marketplace-management:PutBankAccountVerificationDetails
- aws-marketplace-management:GetBankAccountVerificationDetails
- aws-marketplace-management:PutSecondaryUserVerificationDetails
- aws-marketplace-management:GetSecondaryUserVerificationDetails
- aws-marketplace-management:GetAdditionalSellerNotificationRecipients
- aws-marketplace-management:PutAdditionalSellerNotificationRecipients
- tax:PutTaxInterview
- tax:GetTaxInterview
- payments:CreatePaymentInstrument
- payments:GetPaymentInstrument
- aws-marketplace:ListTasks
- aws-marketplace:DescribeTask
- aws-marketplace:UpdateTask
- aws-marketplace:CompleteTask
- support:CreateCase
To enable the permissions, contact your partner development manager. You can also contact the AWS Marketplace Seller Operations team and provide the following request text: Hi, AWS Marketplace team – I added new granular permissions. Please enable granular access to the AWS Marketplace Management Portal features.

The AWS Marketplace Seller Operations team will enable the access and contact you.

Using IAM groups

Alternatively, you can create separate IAM groups for granting access to each individual page in the AWS Marketplace Management Portal. Users can belong to more than one group. If a user needs access to more than one page, you can add the user to all of the appropriate groups. For example, create one IAM group and grant that group permission to access the Marketing page, create another group and grant that group permission to access the File Upload page, and so on. If a user needs permission to access both the Marketing page and the File Upload page, add the user to both groups.

For more information about users and groups, see IAM Identities (users, groups, and roles) in the IAM User Guide.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

IAM for AWS Marketplace

AWS managed policies