Access control for the AWS Marketplace Compliance API - AWS Marketplace
Services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the AWS European Sovereign Cloud Region, see the AWS European Sovereign Cloud User Guide.

Access control for the AWS Marketplace Compliance API

You can use the AWS Marketplace Compliance API to manage seller compliance in AWS Marketplace. However, first make sure your user or role can access the API functionality that you want to call.

Use AWS Identity and Access Management (IAM) to create users and roles and assign policies that grant limited permissions to end users. The policies define the actions that the user or role can take on your resources through the AWS Marketplace Compliance API.

Note

To sell products on AWS Marketplace, your AWS account must be set up as a seller account. For more details about becoming an AWS Marketplace seller, see Getting started as a seller in the AWS Marketplace Seller Guide.

Allowing actions with AWS managed policies

You can use policies that are managed by AWS to grant permissions to your user or role.

To work with invoice submissions on AWS Marketplace, you can use the AWSMarketplaceSellerFullAccess IAM managed policy, which includes full access to the AWS Marketplace Compliance API actions in addition to its other permissions. For more information, see Policies and permissions for AWS Marketplace sellers and AWS managed policies for AWS Marketplace sellers in the AWS Marketplace Seller Guide.

Alternatively, you can create your own IAM policies to have more granular control than is available in AWS managed policies. Use the following topics to create your own IAM policies.

Allowing actions on all resources

Resources are objects that the actions can act upon. The Compliance API has the following resource types:

  • InvoiceSubmissionTask – An invoice submission task tracks the processing of a seller-submitted invoice in AWS Marketplace.

  • IssuedTaxInvoice – A tax invoice that AWS Marketplace issued on behalf of a seller.

To allow a user or role full access to invoice submission task operations, you can add the following IAM policy. With this policy, the user or role can use all invoice submission task actions on all resources ("*").

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:StartInvoiceSubmissionTask",
                "aws-marketplace:GetInvoiceSubmissionTask",
                "aws-marketplace:ListInvoiceSubmissionTasks",
                "aws-marketplace:ListPayables"
            ],
            "Resource": "*"
        }
    ]
}

To allow a user or role full access to issued tax invoice operations, you can add the following IAM policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:ListIssuedTaxInvoices",
                "aws-marketplace:GetIssuedTaxInvoice"
            ],
            "Resource": "*"
        }
    ]
}

For information about all actions available for the Compliance API, see Actions, resources, and condition keys for AWS Marketplace Compliance in the Service Authorization Reference.

Allowing actions on specific resources

You can use resource-level permissions to allow actions on a specific resource instead of all resources. You do this by specifying the Amazon Resource Name (ARN) of the resource in the Resource element of the IAM policy. A statement scoped to an ARN grants nothing on any other invoice submission task or issued tax invoice, so this is the narrowest grant available when the set of resources is known in advance.

The following example allows the GetInvoiceSubmissionTask action on a specific invoice submission task.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:GetInvoiceSubmissionTask"
            ],
            "Resource": [
                "arn:aws:aws-marketplace:us-east-1:123456789012:catalog/example-catalog/invoice-submission-task/example-task-id"
            ]
        }
    ]
}

The following example allows the GetIssuedTaxInvoice action on a specific issued tax invoice.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:GetIssuedTaxInvoice"
            ],
            "Resource": [
                "arn:aws:aws-marketplace:us-east-1:123456789012:catalog/AWSMarketplace/issued-tax-invoice/example-invoice-id"
            ]
        }
    ]
}

Allowing actions with a specific aws:ResourceTag condition key

You can allow actions on resources based on their tags without having to specify individual ARNs. Adding tags to resources allows you to control access to those resources based on their tags. Because the tag then defines the access boundary, permission to change tags (TagResource and UntagResource) is effectively permission to change who can reach the resource, so grant it as narrowly as the actions it gates.

For example, the following IAM policy allows the GetInvoiceSubmissionTask action on any invoice submission task resource ("*") that has a tag key of product-team and tag value of team-xyz.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:GetInvoiceSubmissionTask"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/product-team": "team-xyz"
                }
            }
        }
    ]
}

Similarly, the following IAM policy allows the GetIssuedTaxInvoice action on any issued tax invoice resource ("*") that has a tag key of Department and tag value of Tax.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:GetIssuedTaxInvoice"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Department": "Tax"
                }
            }
        }
    ]
}

Managing tags on resources

You can add, list, and remove tags from existing Compliance API resources such as invoice submission tasks and issued tax invoices.

Add tags to resources

To add tags to a resource, use the TagResource API action.

Request

POST /TagResource HTTP/1.1
Content-type: application/json

{
    "ResourceArn": "string",
    "Tags": [
        {
            "Key": "string",
            "Value": "string"
        }
    ]
}

Request parameters include:

  • ResourceArn (String) – (Required) ARN of the resource.

  • Tags (Array of objects) – (Required) A list of objects specifying each tag key and value. Number of objects allowed: 1–50.

    • Key (String) – (Required) Name of the tag. Regex pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$. Character length: 1–128.

    • Value (String) – (Required) Value of the tag. Regex pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$. Character length: 0–256.
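The limits listed above can be checked locally before a signed request is sent. The following is an added example, not code from AWS or the Compliance API SDKs; it reproduces the documented pattern ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$ with unicodedata (Python's re module has no \p classes), applies the count and length limits, and also flags a repeated key in one request, which this page does not mention. The sample request body is constructed for the example.

```python
"""Client-side check of a TagResource body against the limits listed above:
1-50 tags, key 1-128 and value 0-256 characters, and the documented character
pattern. Added example, not AWS code; the service validates on its side too,
this just fails fast before a signed request is sent."""
import unicodedata

MAX_TAGS, MAX_KEY_LEN, MAX_VALUE_LEN = 50, 128, 256
# The pattern ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$ allows Unicode letters (L),
# separators (Z) and numbers (N) plus these literal characters.
_EXTRA_CHARS = set("_.:/=+-@")


def _char_allowed(ch):
    # unicodedata.category returns e.g. "Lu", "Zs", "Nd"; its first letter is the
    # major class that \p{L}, \p{Z} and \p{N} test.
    return unicodedata.category(ch)[0] in "LZN" or ch in _EXTRA_CHARS


def _text_problem(where, text, lo, hi):
    """Return a problem string for one Key or Value, or None if it is acceptable."""
    if not isinstance(text, str) or not lo <= len(text) <= hi:
        return f"{where} must be a string of {lo}-{hi} characters"
    if not all(_char_allowed(c) for c in text):
        return f"{where} contains a disallowed character"
    return None


def validate_tag_request(body):
    """Return the list of problems in a TagResource body; empty means acceptable."""
    problems = []
    if not isinstance(body.get("ResourceArn"), str) or not body["ResourceArn"]:
        problems.append("ResourceArn is required")
    tags = body.get("Tags")
    if not isinstance(tags, list) or not 1 <= len(tags) <= MAX_TAGS:
        problems.append(f"Tags must contain 1-{MAX_TAGS} objects")
        return problems
    seen = set()
    for i, tag in enumerate(tags):
        if not isinstance(tag, dict):
            problems.append(f"Tags[{i}] must be an object with Key and Value")
            continue
        for where, text, lo, hi in ((f"Tags[{i}].Key", tag.get("Key"), 1, MAX_KEY_LEN),
                                    (f"Tags[{i}].Value", tag.get("Value"), 0, MAX_VALUE_LEN)):
            problem = _text_problem(where, text, lo, hi)
            if problem:
                problems.append(problem)
        # Not stated on this page, but worth catching locally: a repeated key in one
        # request is ambiguous, since a tag key maps to exactly one value.
        key = tag.get("Key")
        if isinstance(key, str):
            if key in seen:
                problems.append(f"Tags[{i}].Key {key!r} is repeated")
            seen.add(key)
    return problems


# Constructed sample request (not from the page): the first tag is fine, the
# second key contains "!", which the pattern does not allow.
SAMPLE_REQUEST = {
    "ResourceArn": "arn:aws:aws-marketplace:us-east-1:123456789012:"
                   "catalog/example-catalog/invoice-submission-task/example-task-id",
    "Tags": [{"Key": "product-team", "Value": "team-xyz"},
             {"Key": "bad key!", "Value": "x"}],
}

if __name__ == "__main__":
    for problem in validate_tag_request(SAMPLE_REQUEST):
        print(problem)
```

Note that the documented pattern accepts a space (a \p{Z} separator) inside a key or value and accepts an empty value, so those are not errors; a non-ASCII letter such as "é" is also allowed, which matters if tag keys are generated from names entered by people.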

Remove tags from resources

To remove a tag or list of tags from a resource, use the UntagResource API action.

Request

POST /UntagResource HTTP/1.1
Content-type: application/json

{
    "ResourceArn": "string",
    "TagKeys": [
        "string"
    ]
}

Request parameters include:

  • ResourceArn (String) – (Required) ARN of the resource.

  • TagKeys (Array of strings) – (Required) A list of key names of tags to be removed.

List all tags on a resource

To list all tags on a resource, use the ListTagsForResource API action.

Request

POST /ListTagsForResource HTTP/1.1
Content-type: application/json

{
    "ResourceArn": "string"
}

Response

{
    "ResourceArn": "string",
    "Tags": [
        {
            "Key": "string",
            "Value": "string"
        }
    ]
}

Granting permission to manage tags on resources

To allow a user or role to add, remove, and list tags on all Compliance API resources, attach the following IAM policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:TagResource",
                "aws-marketplace:UntagResource",
                "aws-marketplace:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}

Granting permission to manage tags on resources only when those resources have specific tags

You can allow a user or role to add, remove, and list tags on Compliance API resources that have specific tags. The following IAM policy allows those actions on any resource ("*") that has a tag key of product-team and tag value of team-xyz. Note that this grant also lets the principal rewrite or remove the product-team tag itself, and with it the condition that other tag-based policies rely on; if that is not intended, add an aws:TagKeys condition that limits which keys TagResource and UntagResource may touch.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:TagResource",
                "aws-marketplace:UntagResource",
                "aws-marketplace:ListTagsForResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/product-team": "team-xyz"
                }
            }
        }
    ]
}

Requiring tags when starting invoice submission tasks

You can enforce tagging when invoice submission tasks are created by using the aws:RequestTag and aws:TagKeys condition keys with the StartInvoiceSubmissionTask action. The two conditions do different jobs: StringEquals on aws:RequestTag/product-team requires that tag, with that value, to be present in the request, while ForAllValues:StringEquals on aws:TagKeys rejects any request that carries a key other than product-team. Both are needed, because ForAllValues on its own is satisfied by a request with no tags at all.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:StartInvoiceSubmissionTask"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/product-team": "team-xyz"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "product-team"
                    ]
                }
            }
        }
    ]
}
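The policies on this page can be exercised offline to see which requests they admit. The following is an added example, not AWS code or the IAM policy engine: a small evaluator that models only what these policies use (Allow statements, exact action names, Resource "*" or an exact ARN, and StringEquals and ForAllValues:StringEquals over aws:ResourceTag/<key>, aws:RequestTag/<key> and aws:TagKeys, with everything else denied). It covers the specific-ARN policy, the aws:ResourceTag policies, the tag-management-by-tag policy and the StartInvoiceSubmissionTask tagging requirement, and adds a hardened variant of the tag-management policy that this page does not contain. Two assumptions are made: that aws:TagKeys is populated with the keys named by an UntagResource call, as IAM does for tagging operations generally, and that the allowlisted key names Department and cost-center in the hardened variant are hypothetical.

```python
"""Offline evaluator for the tag-based IAM policies on this page. Added example,
not AWS code; it models only what those policies use: Allow statements, exact
Action names, Resource "*" or an exact ARN, and the StringEquals and
ForAllValues:StringEquals operators over aws:ResourceTag/<key>,
aws:RequestTag/<key> and aws:TagKeys. Anything not explicitly allowed is denied."""
from dataclasses import dataclass, field

EXAMPLE_TASK_ARN = ("arn:aws:aws-marketplace:us-east-1:123456789012:"
                    "catalog/example-catalog/invoice-submission-task/example-task-id")


@dataclass
class Request:
    action: str
    resource_arn: str = EXAMPLE_TASK_ARN
    resource_tags: dict = field(default_factory=dict)  # tags already on the resource
    # tags supplied with the call; for UntagResource only the keys are meaningful
    request_tags: dict = field(default_factory=dict)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _context(req, key):
    """Resolve a condition key from the request; None means it is absent."""
    if key.startswith("aws:ResourceTag/"):
        return req.resource_tags.get(key.split("/", 1)[1])
    if key.startswith("aws:RequestTag/"):
        return req.request_tags.get(key.split("/", 1)[1])
    if key == "aws:TagKeys":  # assumption: also the keys named by UntagResource
        return list(req.request_tags)
    return None


def _conditions_hold(condition, req):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, allowed = _context(req, key), _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in allowed:  # absent key never matches
                    return False
            elif operator == "ForAllValues:StringEquals":
                # set operator: every key in the request must be listed; an empty
                # set passes, which is why the page pairs it with aws:RequestTag
                if any(v not in allowed for v in _as_list(actual or [])):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_allowed(policy, req):
    return any(
        stmt.get("Effect") == "Allow"
        and req.action in _as_list(stmt["Action"])
        and any(r in ("*", req.resource_arn) for r in _as_list(stmt["Resource"]))
        and _conditions_hold(stmt.get("Condition", {}), req)
        for stmt in policy["Statement"])


def allow(actions, condition=None, resource="*"):
    """One-statement Allow policy in the shape used throughout this page."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": actions,
            "Resource": resource, "Condition": condition or {}}]}


TEAM = {"StringEquals": {"aws:ResourceTag/product-team": "team-xyz"}}
# The page's policies, in compact form
SPECIFIC_TASK = allow(["aws-marketplace:GetInvoiceSubmissionTask"], resource=[EXAMPLE_TASK_ARN])
READ_TASK_BY_TAG = allow(["aws-marketplace:GetInvoiceSubmissionTask"], TEAM)
MANAGE_TAGS_BY_TAG = allow(["aws-marketplace:TagResource", "aws-marketplace:UntagResource",
                            "aws-marketplace:ListTagsForResource"], TEAM)
REQUIRE_TAG_ON_START = allow(["aws-marketplace:StartInvoiceSubmissionTask"],
    {"StringEquals": {"aws:RequestTag/product-team": "team-xyz"},
     "ForAllValues:StringEquals": {"aws:TagKeys": ["product-team"]}})
# Hardened variant (added here, not on the page): tag changes are limited to an
# allowlist of keys, so the gating product-team tag can be neither rewritten nor
# removed by the principals it gates. The allowlisted key names are hypothetical.
MANAGE_TAGS_HARDENED = allow(["aws-marketplace:TagResource", "aws-marketplace:UntagResource"],
    {**TEAM, "ForAllValues:StringEquals": {"aws:TagKeys": ["Department", "cost-center"]}})


def start_task_outcomes():
    """StartInvoiceSubmissionTask under REQUIRE_TAG_ON_START for four tag sets."""
    cases = {"no tags": {}, "right tag": {"product-team": "team-xyz"},
             "wrong value": {"product-team": "team-abc"},
             "extra key": {"product-team": "team-xyz", "env": "prod"}}
    return {name: is_allowed(REQUIRE_TAG_ON_START, Request(
        "aws-marketplace:StartInvoiceSubmissionTask", request_tags=tags))
        for name, tags in cases.items()}


def can_change_gating_tag(policy, action="aws-marketplace:TagResource"):
    """Can a team-xyz principal rewrite (or, with UntagResource, remove) the
    product-team tag on a task the policy lets it manage?"""
    return is_allowed(policy, Request(action, resource_tags={"product-team": "team-xyz"},
                                      request_tags={"product-team": "team-abc"}))
```

Running start_task_outcomes() shows that only the request carrying exactly product-team=team-xyz is allowed; no tags, a wrong value, or an additional key are all denied. can_change_gating_tag(MANAGE_TAGS_BY_TAG) is True for both TagResource and UntagResource, which is the self-modification the page's tag-management policy permits, while the hardened variant denies both yet still allows a Department tag to be set on the same task.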