Configuring baseline AWS permissions - AWS Partner Central

Configuring baseline AWS permissions

Follow the instructions in Creating an IAM user in your AWS account to create the user required for the integration. To install and configure the AWS Partner CRM Connector for Salesforce, the user needs programmatic and AWS Management Console access. Then follow the instructions in Creating IAM Policies, and attach the following policies to the user you create.

Available template for baseline permissions

Use an AWS CloudFormation template to set up the AWS configuration for the AWS Partner CRM connector. To download the file, refer to AWSPartnerCRMConnectorSetup.

Configuring AWS Marketplace account

The following components are required to integrate AWS services with the AWS Marketplace integration within the connector.

AWS seller account

You must have an AWS account that’s registered as a seller and have products listed in AWS Marketplace. For more information, refer to Drive revenue by selling in AWS Marketplace.

Confirm that you have added the required permissions in your AWS seller account. For more information, refer to Policies and permissions for AWS Marketplace sellers in the Seller Guide.

Amazon S3 bucket

Configure an Amazon Simple Storage Service (Amazon S3) bucket to store your custom End User License Agreement (EULA). This information is required when onboarding the AWS seller account into the connector. For more information, see Creating a bucket.

Amazon SQS

Set up an Amazon Simple Queue Service (Amazon SQS) queue in the us-east-1 Region (N. Virginia) to enable buyer notification for the private offer. Provide a name for the queue, for example AWSMPSQSQueue. For more information, refer to Getting started with Amazon SQS and Subscribing an Amazon SQS queue to an Amazon SNS topic.

Service Linked Role setup supporting Channel Partner Private Offer

Independent Software Vendors (ISVs) and Channel Partners (CPs) must create a custom AWS Identity and Access Management (IAM) role that provides permissions to AWS for ISVs and CPs to use resale authorizations to create Channel Partner Private Offers (CPPOs). Refer to CPPO prerequisites.

Required policies and permissions

AWS Marketplace

The AWSMarketplaceSellerFullAccess managed policy is required to work with AWS Marketplace Catalog API (CAPI).

To create and receive resale authorizations and create AWS Channel Partner private offers, refer to Creating a custom IAM role.

Amazon S3

The Amazon S3 policy allows the IAM role or user to see the bucket defined by ${bucketName}, upload objects to the bucket, and create pre-signed URLs for objects in the bucket. This policy is required because the connector uploads a custom EULA to an S3 bucket that’s defined in the configuration and generates a pre-signed URL to pass to the AWS Marketplace CAPI.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::${bucketName}"
            ]
        },
        {
            "Sid": "AllowS3PutObject",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::${bucketName}/*"
            ]
        },
        {
            "Sid": "AllowCreatePresignedUrl",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::${bucketName}/*"
            ]
        }
    ]
}
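One way to check the Amazon S3 policy above before attaching it, as an added example that is not part of the AWS documentation: it fills in `${bucketName}` only with a valid bucket name and verifies that `s3:ListBucket` targets the bucket ARN while the object actions target keys under that same bucket. The function names and the bucket name `example-eula-bucket` are assumptions for illustration, and the object resources are written as `arn:aws:s3:::${bucketName}/*`, the form object-level actions need.

```python
import json
import re
from string import Template

# The page's S3 policy, compacted; ${bucketName} is the page's placeholder.
S3_POLICY_TEMPLATE = Template("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "S3ListBucket", "Effect": "Allow",
  "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::${bucketName}"]},
 {"Sid": "AllowS3PutObject", "Effect": "Allow",
  "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::${bucketName}/*"]},
 {"Sid": "AllowCreatePresignedUrl", "Effect": "Allow",
  "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl"],
  "Resource": ["arn:aws:s3:::${bucketName}/*"]}
]}
""")

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots, hyphens.
BUCKET_NAME = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket"}  # the only bucket-level action in this policy


def render_policy(bucket_name):
    """Fill in ${bucketName}, refusing values such as '*' that would widen scope."""
    if not BUCKET_NAME.fullmatch(bucket_name):
        raise ValueError(f"not a valid S3 bucket name: {bucket_name!r}")
    return json.loads(S3_POLICY_TEMPLATE.substitute(bucketName=bucket_name))


def as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def scope_findings(policy, bucket_name):
    """Return one finding per (Sid, action, resource) whose scope is wrong."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    findings = []
    for stmt in policy["Statement"]:
        for action in as_list(stmt["Action"]):
            for resource in as_list(stmt["Resource"]):
                if action in BUCKET_LEVEL_ACTIONS:
                    ok = resource == bucket_arn
                else:  # object-level: needs a key pattern under this bucket
                    ok = resource.startswith(bucket_arn + "/") and len(resource) > len(bucket_arn) + 1
                if not ok:
                    findings.append(f"{stmt.get('Sid', '?')}: {action} on {resource}")
    return findings
```

An empty list from `scope_findings` means every statement is confined to the intended bucket; a resource such as `arn:aws:s3:::example-eula-bucket/` (no key pattern) or `*` is reported.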

Amazon SQS

The following policy is required to extract and delete Amazon SNS notifications from the Amazon SQS queue.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:sqs:us-east-1:<AWS account ID>:<QUEUENAME>"
        }
    ]
}