Prerequisites - AWS Partner Central

Prerequisites

The following topics list the prerequisites needed to link AWS Partner Central and AWS accounts. We recommend following the topics in the order listed.

Note

Due to user interface, feature, and performance issues, account linking does not support Firefox Extended Support Release (Firefox ESR). We recommend using the regular version of Firefox or one of the Chrome browsers.

User roles and permissions

To link your AWS account with an AWS Partner Central account, you need people in the following roles:

Identity and Access Management (IAM) Administrator

Manages user permissions through IAM. Typically works in IT Security, Information Security, dedicated IAM teams, or Governance and Compliance organizations. Responsible for implementing IAM policies, configuring SSO solutions, handling compliance reviews, and maintaining role-based access control structures.

AWS Partner Central Alliance Lead or Cloud Administrator

Your company's primary account administrator. This person must have a business development or business leadership role and legal authority to accept AWS Partner Network terms and conditions. The Alliance Lead can delegate account linking to a Partner Central user with the Cloud Admin user role.

Use the information in the following table to help decide which AWS account you should link with your Partner Central account.

Important

Consider the following when selecting an AWS account:

  • AWS Partner Central requires an AWS account that uses IAM policies to control access.

  • The linked AWS account manages APN fee payment, solutions, and APN Customer Engagement (ACE) opportunity tracking using the Partner Central APIs.

  • AWS Partner Network features and APIs are available through the linked AWS account.

  • AWS resources such as ACE opportunities, opportunity history, and multi-partner opportunity invitations are created in the linked AWS account and can't be transferred to other AWS accounts.

  • The AWS account that you link to must be on a Paid AWS account plan. When you sign up for an AWS account, choose the Paid account plan. To upgrade an AWS account to the Paid AWS account plan, refer to Choosing an AWS Free Tier plan in the AWS Billing User Guide.

  • AWS recommends linking an AWS account that is not used for the following purposes.

    • A management account, where you manage the account information and metadata for all of the AWS accounts in your organization.

    • A production account, where users and data interact with applications and services.

    • A developer or sandbox account, where developers write code.

    • A personal account, where individuals learn, experiment, and work on personal projects.

    • An AWS Marketplace buyer account, where you procure products from AWS Marketplace.

    Keeping the linked account separate from your AWS Partner Network engagements ensures flexibility for configurations specific to AWS Partner Central without affecting other environments. Doing so also simplifies financial tracking, tax reporting, and audits.

Scenario 1: You own AWS account(s) managed by a third-party and you are not registered as an AWS Marketplace seller

AWS Partners working with AWS Distributor partners

Example AWS account options:

Option 1: Create an AWS account and link to it.

Option 2: Link to an existing AWS account

Considerations:

Option 1:

  • Is it acceptable to bill the APN fee to this account? The AWS Management account can pay the fee if the account is in an AWS Organization.

  • Is this where you want to access AWS Partner Network features and APIs?

Option 2:

  • Same considerations as Option 1

  • Is this an AWS Management, Production, Developer, or personal account?

  • Can you allow external personnel to access the account that manages AWS Partner Central engagements?

  • Is this account appropriate for managing Partner Central user access?

Scenario 2: You own AWS account(s) and are not registered as an AWS Marketplace seller

AWS Partners who don't transact through AWS Marketplace or partners in countries where AWS Marketplace is not available

Example AWS account options: Same as Scenario 1

Considerations: Same as Scenario 1

Scenario 3: You own AWS account(s) and are registered as an AWS Marketplace seller with a single Marketplace seller account

AWS Partners who have a consolidated product listing in a single country or operate globally

Example AWS account options:

Option 1: Create and link to a new AWS account

Option 2: Link to an existing AWS account

Option 3: Link to an AWS Marketplace seller account

Considerations:

Option 1:

  • Do you need access to AWS Marketplace features that require a linked Marketplace seller account?

  • Do you plan to join the AWS ISV Accelerate Program? See the program requirements.

  • Do you need to share AWS Partner Central and Marketplace resources like opportunities, offers, solutions, and product listings?

  • Would it be better to designate an AWS Marketplace seller account with the most product listings or transactions as a primary Marketplace seller account?

  • Is it acceptable to bill the APN fee to this account?

Option 2:

  • Same considerations as Option 1

  • Is this an AWS Management, Production, Developer, or personal account?

  • Is this account appropriate for managing Partner Central user access?

Option 3:

  • Same considerations as Options 1 and 2

  • Do you plan to create additional AWS Marketplace seller accounts? If so, is it acceptable to designate the current Marketplace seller account as a primary Marketplace seller account?

Scenario 4: You own AWS account(s) and are registered as an AWS Marketplace seller with multiple seller accounts

AWS Partners who have multiple product listings under different lines of business or have to meet regulatory and compliance requirements

Example AWS account options: Same as Scenario 3

Considerations: Same as Scenario 3

Granting IAM permissions

The IAM policy listed in this section grants AWS Partner Central users limited access to a linked AWS account. The level of access depends on the IAM role assigned to the user. For more information about permission levels, refer to Understanding the role permissions later in this topic.

To create the policy, you must be an IT administrator responsible for an AWS environment. When finished, you must assign the policy to an IAM user or role.

The steps in this section explain how to use the IAM console to create the policy.

Note

If you're an alliance lead or cloud admin, and you already have an IAM user or role with AWS administrator permissions, skip to Linking AWS Partner Central and AWS accounts.

For more information about AWS Partner Central roles, refer to AWS Partner Central roles later in this guide.

To create the policy
  1. Sign in to the IAM console.

  2. Under Access management, choose Policies.

  3. Choose Create policy, choose JSON, and add the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "CreatePartnerCentralRoles",
          "Effect": "Allow",
          "Action": [
            "iam:CreateRole"
          ],
          "Resource": [
            "arn:aws:iam::*:role/PartnerCentralRoleForCloudAdmin*",
            "arn:aws:iam::*:role/PartnerCentralRoleForAce*",
            "arn:aws:iam::*:role/PartnerCentralRoleForAlliance*"
          ]
        },
        {
          "Sid": "AttachPolicyToPartnerCentralCloudAdminRole",
          "Effect": "Allow",
          "Action": "iam:AttachRolePolicy",
          "Resource": "arn:aws:iam::*:role/PartnerCentralRoleForCloudAdmin*",
          "Condition": {
            "ArnLike": {
              "iam:PolicyARN": [
                "arn:aws:iam::*:policy/PartnerCentralAccountManagementUserRoleAssociation",
                "arn:aws:iam::*:policy/AWSPartnerCentralFullAccess",
                "arn:aws:iam::*:policy/AWSMarketplaceSellerFullAccess"
              ]
            }
          }
        },
        {
          "Sid": "AttachPolicyToPartnerCentralAceRole",
          "Effect": "Allow",
          "Action": [
            "iam:AttachRolePolicy"
          ],
          "Resource": "arn:aws:iam::*:role/PartnerCentralRoleForAce*",
          "Condition": {
            "ArnLike": {
              "iam:PolicyARN": [
                "arn:aws:iam::*:policy/AWSPartnerCentralOpportunityManagement",
                "arn:aws:iam::*:policy/AWSMarketplaceSellerOfferManagement"
              ]
            }
          }
        },
        {
          "Sid": "AttachPolicyToPartnerCentralAllianceRole",
          "Effect": "Allow",
          "Action": [
            "iam:AttachRolePolicy"
          ],
          "Resource": "arn:aws:iam::*:role/PartnerCentralRoleForAlliance*",
          "Condition": {
            "ArnLike": {
              "iam:PolicyARN": [
                "arn:aws:iam::*:policy/AWSPartnerCentralFullAccess",
                "arn:aws:iam::*:policy/AWSMarketplaceSellerFullAccess"
              ]
            }
          }
        },
        {
          "Sid": "AssociatePartnerAccount",
          "Effect": "Allow",
          "Action": [
            "partnercentral-account-management:AssociatePartnerAccount"
          ],
          "Resource": "*"
        },
        {
          "Sid": "SellerRegistration",
          "Effect": "Allow",
          "Action": [
            "aws-marketplace:ListChangeSets",
            "aws-marketplace:DescribeChangeSet",
            "aws-marketplace:StartChangeSet",
            "aws-marketplace:ListEntities",
            "aws-marketplace:DescribeEntity"
          ],
          "Resource": "*"
        }
      ]
    }

  4. Choose Next.

  5. Under Policy details, in the Policy name box, enter a name for the policy and an optional description.

  6. Review the policy permissions, add tags as needed, and then choose Create policy.

  7. Attach your IAM user or role to the policy. For information on attaching, refer to Adding IAM identity permissions (console) in the IAM User Guide.
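
The following Python sketch is an added example, not part of the AWS documentation. It rebuilds the ACE and Alliance attach statements from the policy above and evaluates them with a simplified ArnLike matcher, to show that the iam:PolicyARN condition is what limits which managed policies can be attached to a PartnerCentralRole* role, and to flag an edited copy that has lost that condition. The helper names, the ROLE_POLICIES mapping, and the LOOSENED sample are assumptions made for the example.

```python
import re

def glob(pattern, value):
    # IAM wildcards: * matches any run of characters, ? matches exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def arn_like(pattern, arn):
    # ArnLike compares the six colon-delimited ARN fields one at a time.
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(glob(x, y) for x, y in zip(p, a))

def as_list(v):
    return v if isinstance(v, list) else [v]

def grants_attach(stmt):
    # Allow statement whose Action covers iam:AttachRolePolicy (case-insensitive).
    return stmt["Effect"] == "Allow" and any(
        glob(a.lower(), "iam:attachrolepolicy") for a in as_list(stmt["Action"]))

def policy_arn_patterns(stmt):
    # iam:PolicyARN patterns under ArnLike, or None when the statement has none.
    pats = stmt.get("Condition", {}).get("ArnLike", {}).get("iam:PolicyARN")
    return None if pats is None else as_list(pats)

def attach_allowed(policy, role_arn, policy_arn):
    # Simplified evaluation: Allow statements only, no Deny or other operators.
    for s in filter(grants_attach, policy["Statement"]):
        pats = policy_arn_patterns(s)
        on_role = any(r == "*" or arn_like(r, role_arn) for r in as_list(s["Resource"]))
        if on_role and (pats is None or any(arn_like(p, policy_arn) for p in pats)):
            return True
    return False

def unconstrained_attach(policy):
    # Sids of statements that grant the attach without restricting iam:PolicyARN.
    return [s.get("Sid", "?") for s in policy["Statement"]
            if grants_attach(s) and policy_arn_patterns(s) is None]

ROLE_POLICIES = {  # role-name suffix -> managed policies the page's policy allows on it
    "Ace": ["AWSPartnerCentralOpportunityManagement", "AWSMarketplaceSellerOfferManagement"],
    "Alliance": ["AWSPartnerCentralFullAccess", "AWSMarketplaceSellerFullAccess"]}
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": f"AttachPolicyToPartnerCentral{r}Role", "Effect": "Allow",
     "Action": ["iam:AttachRolePolicy"], "Resource": f"arn:aws:iam::*:role/PartnerCentralRoleFor{r}*",
     "Condition": {"ArnLike": {"iam:PolicyARN": [f"arn:aws:iam::*:policy/{n}" for n in names]}}}
    for r, names in ROLE_POLICIES.items()]}
# Constructed sample: an edited copy whose ACE statement lost its Condition block.
LOOSENED = {"Statement": [dict(PAGE_POLICY["Statement"][0], Condition={})]}
```

Running unconstrained_attach over a policy before you save it in step 6 returns an empty list for the page's statements and the Sid of any attach statement whose condition was dropped.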

Understanding the role permissions

After the IT administrator completes the steps in the previous section, alliance leads and others in AWS Partner Central can assign security policies and map user roles. The following table lists and describes the standard roles created during account linking, and the tasks available to each role.

Standard IAM role AWS Partner Central managed policies used Can do Cannot do
Cloud admin

Can do:

  • Map and assign IAM roles to AWS Partner Central users.

  • Complete the same tasks as alliance and ACE teams.

Alliance team

Can do:

  • Full access to all seller operations on AWS Marketplace, including the AWS Marketplace Management Portal. You can also manage the Amazon EC2 AMI used in AMI-based products.

  • Link AWS customer engagement opportunities with AWS Marketplace private offers.

  • Associate APN solutions with AWS Marketplace product listings.

  • Access the Partner Analytics dashboard.

Cannot do:

  • Map or assign IAM roles to AWS Partner Central users. Only alliance leads and cloud admins map or assign roles.

ACE team

Can do:

  • Create AWS Marketplace private offers.

  • Link AWS customer engagement opportunities with AWS Marketplace private offers.

Cannot do:

  • Map or assign IAM roles to AWS Partner Central users. Only alliance leads and cloud admins can map or assign roles.

  • Use all the AWS Marketplace tools and features.

  • Use the Partner Analytics dashboard.

Creating a permission set for single sign-on

The following steps explain how to use the IAM Identity Center to create a permission set that enables single sign-on for accessing AWS Partner Central.

For more information about permission sets, refer to Create a permission set in the AWS IAM Identity Center User Guide.

  1. Sign in to the IAM Identity Center console.

  2. Under Multi-account permissions, choose Permission sets.

  3. Choose Create permission set.

  4. On the Select permission set type page, under Permission set type, choose Custom permission set, then choose Next.

  5. Do the following:

    1. On the Specify policies and permission boundary page, choose the types of IAM policies that you want to apply to the permission set.

      By default, you can add any combination of up to 10 AWS managed policies and customer managed policies to your permission set. IAM sets this quota. To raise it, request an increase to the IAM quota Managed policies attached to an IAM role in the Service Quotas console in each AWS account where you want to assign the permission set.

    2. Expand Inline policy to add custom JSON-formatted policy text. Inline policies don't correspond to existing IAM resources. To create an inline policy, enter custom policy language in the provided form. IAM Identity Center adds the policy to the IAM resources that it creates in your member accounts. For more information, see Inline policies.

    3. Copy and paste the JSON policy from AWS Partner Central and AWS Account Linking pre-requisite.

  6. On the Specify permission set details page, do the following:

    1. Under Permission set name, type a name to identify this permission set in IAM Identity Center. The name that you specify for this permission set appears in the AWS access portal as an available role. Users sign in to the AWS access portal, choose an AWS account, and then choose the role.

    2. (Optional) You can also type a description. The description appears in the IAM Identity Center console only, not the AWS access portal.

    3. (Optional) Specify the value for Session duration. This value determines the length of time that a user can be logged on before the console logs them out of their session. For more information, see Set session duration for AWS accounts.

    4. (Optional) Specify the value for Relay state. This value is used in the federation process to redirect users within the account. For more information, refer to Set relay state for quick access to the AWS Management Console.

      Note

      You must use an AWS Management Console URL for the relay state. For example: https://console.aws.amazon.com/ec2/

    5. Expand Tags (optional), choose Add tag, and then specify values for Key and Value (optional).

      For information about tags, refer to Tagging AWS IAM Identity Center resources.

    6. Choose Next.

  7. On the Review and create page, review the selections that you made, and then choose Create.

    By default, when you create a permission set, the permission set isn't provisioned (used in any AWS accounts). To provision a permission set in an AWS account, you must assign IAM Identity Center access to users and groups in the account, and then apply the permission set to those users and groups. For more information, refer to Assign user access to AWS accounts in the AWS IAM Identity Center User Guide.