Policies and permissions for AWS Marketplace sellers - AWS Marketplace

Policies and permissions for AWS Marketplace sellers

AWS Marketplace has three managed policies you can use with the AWS Marketplace Management Portal. In addition, you can use individual permissions to create your own AWS Identity and Access Management (IAM) policy.

AWS Marketplace has several managed policies that you can use with the AWS Marketplace Management Portal. In addition, you can use individual permissions to create your own AWS Identity and Access Management (IAM) policy.

You can also provide fine-grained access to the AWS Marketplace Management Portal for the Settings, Contact Us, File Upload, and Insights tabs. Using fine-grained access, you can do the following:

  • Grant other people permission to administer and use resources in your AWS account without sharing your password or access key.

  • Grant granular permissions to multiple people for various resources. For example, you might allow some users access to view the Settings tab in the AWS Marketplace Management Portal. For other users, you might allow access to edit in the Settings and Contact Us tabs.

Note

To learn how to use fine-grained permissions, see Using fine-grained permissions.

For more information about policies and permissions in AWS Data Exchange for data products, see Identity and Access Management in AWS Data Exchange in the AWS Data Exchange User Guide.

For more information about how to use fine-grained permissions, see Using fine-grained permissions.

For more information about policies and permissions for AWS Marketplace buyers, see Controlling access to AWS Marketplace subscriptions in the AWS Marketplace Buyer Guide.

Policies for AWS Marketplace sellers

You can use the following managed policies to provide users with controlled access to the AWS Marketplace Management Portal:

AWSMarketplaceSellerFullAccess

Allows full access to all of the pages in the AWS Marketplace Management Portal and other AWS services, such as Amazon Machine Image (AMI) management.

AWSMarketplaceSellerProductsFullAccess

Allows full access to the Products pages in the AWS Marketplace Management Portal.

AWSMarketplaceSellerProductsReadOnly

Allows read-only access to the Products pages in the AWS Marketplace Management Portal.

Important

AWS Marketplace buyers can use managed policies to manage the subscriptions they purchase. The names of the managed policies that you use with AWS Marketplace Management Portal start with AWSMarketplaceSeller. When you search for policies in IAM, make sure to search for policy names that start with AWSMarketplaceSeller.

AWS Marketplace also provides specialized managed policies for specific scenarios. For a full list of AWS managed policies for AWS Marketplace sellers and descriptions of what permissions they provide, see AWS managed policies for AWS Marketplace sellers.

Permissions for AWS Marketplace sellers

You can use the following permissions in IAM policies for the AWS Marketplace Management Portal:

aws-marketplace-management:PutSellerVerificationDetails

Allows access to start the Know Your Customer (KYC) process.

aws-marketplace-management:GetSellerVerificationDetails

Allows access to view the KYC status in the AWS Marketplace Management Portal.

aws-marketplace-management:PutBankAccountVerificationDetails

Allows access to start the bank account verification process.

aws-marketplace-management:GetBankAccountVerificationDetails

Allows access to view the bank account verification status in the AWS Marketplace Management Portal.

aws-marketplace-management:PutSecondaryUserVerificationDetails

Allows access to add secondary users in the AWS Marketplace Management Portal.

aws-marketplace-management:GetSecondaryUserVerificationDetails

Allows access to view the secondary user status in the AWS Marketplace Management Portal.

aws-marketplace-management:GetAdditionalSellerNotificationRecipients

Allows access to view email contacts for AWS Marketplace notifications.

aws-marketplace-management:PutAdditionalSellerNotificationRecipients

Allows access to update email contacts for AWS Marketplace notifications.

tax:PutTaxInterview

Allows access to take the tax interview in the AWS Marketplace Management Portal.

tax:GetTaxInterview

Allows access to view the tax interview status in the AWS Marketplace Management Portal.

tax:GetTaxInfoReportingDocument

Allows AWS Marketplace sellers to view and download tax documents (for example, 1099-K forms) from the Tax dashboard

payments:CreatePaymentInstrument

Allows access to add a bank account to the AWS Marketplace Management Portal.

payments:GetPaymentInstrument

Allows access to view existing bank accounts in the AWS Marketplace Management Portal.

aws-marketplace:ListTasks

Allows access to view a list of tasks pending seller action.

aws-marketplace:DescribeTask

Allows access to view the details of any tasks pending seller action.

aws-marketplace:UpdateTask

Allows access to edit a task pending seller action.

aws-marketplace:CompleteTask

Allows access to submit edits made to a task pending seller action.

support:CreateCase

Allows access to create an AWS Marketplace case within the AWS Marketplace Management Portal.

aws-marketplace-management:viewSupport

Allows access to the Customer Support Eligibility page in the AWS Marketplace Management Portal.

aws-marketplace-management:viewReports

Allows access to the Reports page in the AWS Marketplace Management Portal.

aws-marketplace-management:uploadFiles

Allows access to the File Upload page in the AWS Marketplace Management Portal.

Note

As of May 2023, this permission is no longer available to new sellers. Existing sellers with custom policies can continue to use the aws-marketplace-management:uploadFiles permission.

aws-marketplace-management:viewSettings

Allows access to the Settings page in the AWS Marketplace Management Portal.

Note

As of May 2023, this permission is no longer available to new sellers. Existing sellers with custom policies can continue to use the aws-marketplace-management:viewSettings permission.

aws-marketplace:ListEntities

Allows access to list objects in AWS Marketplace Management Portal. Required to access the File Upload, Offers and Partners pages in the AWS Marketplace Management Portal.

Note

To allow access to view the Settings tab, you can use this permission, the ListEntity permission, and the following Amazon Resource Name (ARN): arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/{entity-id}.

aws-marketplace:DescribeEntity

Allows access to view details of objects in AWS Marketplace Management Portal. Required to access the File Upload, Offers, Partners, and Agreements pages in the AWS Marketplace Management Portal.

Note

To allow access to view the Settings tab, you can use this permission, the DescribeEntity permission, and the following ARN: arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/*.

aws-marketplace:StartChangeSet

Allows access to create product changes in AWS Marketplace Management Portal. Required to make changes in the File Upload, Offers, Partners, and Agreements pages in the AWS Marketplace Management Portal.

Note

To allow access to register as a seller in AWS Marketplace, you can use this permission, the catalog:ChangeType: "CreateSeller" condition key, and the following ARN: arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/{entity-id}.

To allow access to update the seller profile in AWS Marketplace, you can use this permission, the catalog:ChangeType: "UpdateInformation" condition key, and the following ARN: arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/{entity-id}.

To allow access to update disbursement preferences for Amazon Web Services, you can use this permission, the catalog:ChangeType: "UpdateDisbursementPreferences" condition key, and the following ARN: arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/{entity-id}.

aws-marketplace:SearchAgreements

Allows viewing the high-level list of agreements on the Agreements page, and opportunities between ISVs and channel partners on the Partners page.

aws-marketplace:DescribeAgreement

Allows viewing of high-level agreement details on the Agreements page, and opportunities between ISVs and channel partners on the Partners page.

aws-marketplace:GetAgreementTerms

Allows viewing all agreement term details on the Agreements page, and opportunities between ISVs and channel partners on the Partners page.

aws-marketplace:GetSellerDashboard

Allows access to the dashboards on the Insights page in the AWS Marketplace Management Portal.

Note

To enable a user to access the Manage Products page, you must use either the AWSMarketplaceSellerProductsFullAccess or AWSMarketplaceSellerProductsReadOnly managed permissions.

You can combine the preceding permissions into a single IAM policy to grant the permissions that you want. See the following examples.

Example 1: Permissions to view the KYC status

To grant permissions to view KYC status in the AWS Marketplace Management Portal, use a policy similar to the following example.

To grant permissions to view the KYC status in the AWS Marketplace Management Portal, use a policy similar to the following example.

{"Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "aws-marketplace-management:GetSellerVerificationDetails" ], "Resource": ["*"] }] }

Example 2: Permissions to create upgrades and renewals for private offers

To grant permissions to view and use the Agreements page to create upgrades and renewals for private offers, use a policy similar to the following example.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "aws-marketplace:SearchAgreements", "aws-marketplace:DescribeAgreement", "aws-marketplace:GetAgreementTerms", "aws-marketplace:DescribeEntity", "aws-marketplace:StartChangeSet" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws-marketplace:PartyType": "Proposer" }, "ForAllValues:StringEquals": { "aws-marketplace:AgreementType": [ "PurchaseAgreement" ] } } } ] }

Example 3: Permissions to access the Offers page and create new private offers

To grant permissions to view and use the Offers page to view existing private offers and create private offers, use a policy similar to the following example.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "aws-marketplace:ListEntities", "aws-marketplace:DescribeEntity", "aws-marketplace:StartChangeSet" ], "Effect": "Allow", "Resource": "*", } ] }

Example 4: Permissions to access the Settings page

To grant permissions to view and use the Settings page, use a policy similar to the following example.

{ "Version": "2012-10-17", "Statement": [ {"Action": [ "aws-marketplace:ListEntities", "aws-marketplace:DescribeEntity", "aws-marketplace:StartChangeSet" ], "Effect": "Allow", "Resource": "arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/*", } ] }

Example 5: Permissions to access the File Upload page

To grant permissions to view and use the File Upload page, use a policy similar to the following example.

{"Version": "2012-10-17", "Statement": [ {"Action": [ "aws-marketplace:ListEntities", "aws-marketplace:DescribeEntity", "aws-marketplace:StartChangeSet" ], "Effect": "Allow", "Resource": "*", } ] }

Using fine-grained permissions

Note

This procedure is only applicable to sellers who implemented custom policies before May 2023.

To use fine-grained permissions access for the AWS Marketplace Management Portal
  1. Add one or more of the following permissions to your existing IAM policies:

    • aws-marketplace-management:PutSellerVerificationDetails

    • aws-marketplace-management:GetSellerVerificationDetails

    • aws-marketplace-management:PutBankAccountVerificationDetails

    • aws-marketplace-management:GetBankAccountVerificationDetails

    • aws-marketplace-management:PutSecondaryUserVerificationDetails

    • aws-marketplace-management:GetSecondaryUserVerificationDetails

    • aws-marketplace-management:GetAdditionalSellerNotificationRecipients

    • aws-marketplace-management:PutAdditionalSellerNotificationRecipients

    • tax:PutTaxInterview

    • tax:GetTaxInterview

    • payments:CreatePaymentInstrument

    • payments:GetPaymentInstrument

    • aws-marketplace:ListTasks

    • aws-marketplace:DescribeTask

    • aws-marketplace:UpdateTask

    • aws-marketplace:CompleteTask

    • support:CreateCase

  2. To enable the permissions, contact your partner development manager. You can also contact the AWS Marketplace Seller Operations team and provide the following request text: Hi, AWS Marketplace team – I added new granular permissions. Please enable granular access to the AWS Marketplace Management Portal features.

    The AWS Marketplace Seller Operations team will enable the access and contact you.

Using IAM groups

Alternatively, you can create separate IAM groups for granting access to each individual page in the AWS Marketplace Management Portal. Users can belong to more than one group. So, if a user needs access to more than one page, you can add the user to all of the appropriate groups. For example, create one IAM group and grant that group permission to access the Insights page, create another group and grant that group permission to access the File Upload page, and so on. If a user needs permission to access both the Insights page and the File Upload page, add the user to both groups.

For more information about users and groups, see IAM Identities (users, groups, and roles) in the IAM User Guide.