

# Access control for the AWS Marketplace Compliance API
<a name="compliance-api-access-control"></a>

You can use the AWS Marketplace Compliance API to manage seller compliance in AWS Marketplace. Before you call it, make sure that the IAM user or role making the call has permission for the API actions that you want to use; a call without the matching `aws-marketplace:*` permission is denied.

Use AWS Identity and Access Management (IAM) to create users and roles and assign policies that grant limited permissions to end users. The policies define the actions that the user or role can take on your resources through the AWS Marketplace Compliance API.

**Note**  
To sell products on AWS Marketplace, your AWS account must be set up as a seller account. For more details about becoming an AWS Marketplace seller, see [Getting started as a seller](https://docs.aws.amazon.com/marketplace/latest/userguide/user-guide-for-sellers.html) in the *AWS Marketplace Seller Guide*.

**Topics**
+ [Allowing actions with AWS managed policies](#compliance-allowing-actions-with-managed-policies)
+ [Allowing actions on all resources](#compliance-allowing-actions-on-all-resources)
+ [Allowing actions on specific resources](#compliance-allowing-actions-on-specific-resources)
+ [Allowing actions with the aws:ResourceTag condition key](#compliance-allowing-actions-with-resource-tag)
+ [Managing tags on resources](#compliance-managing-tags-on-resources)
+ [Granting permission to manage tags on resources](#compliance-grant-permission-manage-tags)
+ [Granting permission to manage tags on resources only when those resources have specific tags](#compliance-grant-permission-manage-tags-specific-tags)
+ [Requiring tags when starting invoice submission tasks](#compliance-requiring-tags-when-starting-tasks)

## Allowing actions with AWS managed policies
<a name="compliance-allowing-actions-with-managed-policies"></a>

You can use policies that are managed by AWS to grant permissions to your user or role.

To work with invoice submissions on AWS Marketplace, you can use the `AWSMarketplaceSellerFullAccess` IAM managed policy, which includes full access to the AWS Marketplace Compliance API actions in addition to its other permissions. For more information, see [Policies and permissions for AWS Marketplace sellers](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html) and [AWS managed policies for AWS Marketplace sellers](https://docs.aws.amazon.com/marketplace/latest/userguide/security-iam-awsmanpol.html) in the *AWS Marketplace Seller Guide*.

Alternatively, create your own IAM policies for more granular control than the AWS managed policies provide, for example read-only access, or access to a subset of resources selected by ARN or by tag. The following topics show how.

## Allowing actions on all resources
<a name="compliance-allowing-actions-on-all-resources"></a>

Resources are objects that the actions can act upon. The Compliance API has the following resource types:
+ **InvoiceSubmissionTask** – An invoice submission task tracks the processing of a seller-submitted invoice in AWS Marketplace.
+ **IssuedTaxInvoice** – A tax invoice that AWS Marketplace issued on behalf of a seller.

To allow a user or role full access to invoice submission task operations, you can add the following IAM policy. With this policy, the user or role can use all invoice submission task actions on all resources (`"*"`).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartInvoiceSubmissionTask",
        "aws-marketplace:GetInvoiceSubmissionTask",
        "aws-marketplace:ListInvoiceSubmissionTasks",
        "aws-marketplace:ListPayables"
      ],
      "Resource": "*"
    }
  ]
}
```

To allow a user or role full access to issued tax invoice operations, you can add the following IAM policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:ListIssuedTaxInvoices",
        "aws-marketplace:GetIssuedTaxInvoice"
      ],
      "Resource": "*"
    }
  ]
}
```

For information about all actions available for the Compliance API, see [Actions, resources, and condition keys for AWS Marketplace Compliance](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacecompliance.html) in the *Service Authorization Reference*.

## Allowing actions on specific resources
<a name="compliance-allowing-actions-on-specific-resources"></a>

You can use resource-level permissions to allow actions on a specific resource instead of all resources. You do this by specifying the Amazon Resource Name (ARN) of the resource in the `Resource` element of the IAM policy. The account ID, catalog name, and resource IDs in the following ARNs are placeholders; substitute your own values.

The following example allows the `GetInvoiceSubmissionTask` action on a specific invoice submission task.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:GetInvoiceSubmissionTask"
      ],
      "Resource": [
        "arn:aws:aws-marketplace:us-east-1:123456789012:catalog/example-catalog/invoice-submission-task/example-task-id"
      ]
    }
  ]
}
```

The following example allows the `GetIssuedTaxInvoice` action on a specific issued tax invoice.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:GetIssuedTaxInvoice"
      ],
      "Resource": [
        "arn:aws:aws-marketplace:us-east-1:123456789012:catalog/AWSMarketplace/issued-tax-invoice/example-invoice-id"
      ]
    }
  ]
}
```

## Allowing actions with the aws:ResourceTag condition key
<a name="compliance-allowing-actions-with-resource-tag"></a>

You can allow actions on resources based on their tags instead of listing individual ARNs. The `aws:ResourceTag/tag-key` condition key is evaluated against the tags on the resource that the request targets, so a resource that carries the right tag is covered without a policy change. `StringEquals` is case-sensitive, so the tag key and value in the request must match the policy exactly.

For example, the following IAM policy allows the `GetInvoiceSubmissionTask` action on any invoice submission task resource (`"*"`) that has a tag key of `product-team` and tag value of `team-xyz`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:GetInvoiceSubmissionTask"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
```

Similarly, the following IAM policy allows the `GetIssuedTaxInvoice` action on any issued tax invoice resource (`"*"`) that has a tag key of `Department` and tag value of `Tax`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:GetIssuedTaxInvoice"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Department": "Tax"
        }
      }
    }
  ]
}
```

## Managing tags on resources
<a name="compliance-managing-tags-on-resources"></a>

You can add, list, and remove tags from existing Compliance API resources such as invoice submission tasks and issued tax invoices.

### Add tags to resources
<a name="compliance-add-tags-to-resources"></a>

To add tags to a resource, use the `TagResource` API action.

**Request**

```
POST /TagResource HTTP/1.1
Content-type: application/json

{
  "ResourceArn": "string",
  "Tags": [
    {
      "Key": "string",
      "Value": "string"
    }
  ]
}
```

Request parameters include:
+ ResourceArn (String) – (Required) ARN of the resource.
+ Tags (Array of objects) – (Required) A list of objects specifying each tag key and value. Number of objects allowed: 1–50.
  + Key (String) – (Required) Name of the tag. Regex pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`. Character length: 1–128.
  + Value (String) – (Required) Value of the tag. Regex pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`. Character length: 0–256.

### Remove tags from resources
<a name="compliance-remove-tags-from-resources"></a>

To remove a tag or list of tags from a resource, use the `UntagResource` API action.

**Request**

```
POST /UntagResource HTTP/1.1
Content-type: application/json

{
  "ResourceArn": "string",
  "TagKeys": [
    "string"
  ]
}
```

Request parameters include:
+ ResourceArn (String) – (Required) ARN of the resource.
+ TagKeys (Array of strings) – (Required) A list of key names of tags to be removed.

### List all tags on a resource
<a name="compliance-list-all-tags-on-resource"></a>

To list all tags on a resource, use the `ListTagsForResource` API action.

**Request**

```
POST /ListTagsForResource HTTP/1.1
Content-type: application/json

{
  "ResourceArn": "string"
}
```

**Response**

```
{
  "ResourceArn": "string",
  "Tags": [
    {
      "Key": "string",
      "Value": "string"
    }
  ]
}
```
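The three tagging operations above share one set of input limits (1 to 50 tags, key length 1 to 128, value length 0 to 256, and the `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` pattern). The following is an added example, not code from the AWS Marketplace documentation, that enforces those limits locally before a `TagResource` body is built, so a malformed request is rejected without a signed API call. Python's `re` module has no `\p{...}` classes, so the pattern is implemented with Unicode general categories. The duplicate-key check is an assumption beyond the limits listed on this page, and the ARN and tags are constructed.

```python
r"""Check a tag set against the TagResource limits before sending the request.

Added example, not code from the AWS Marketplace documentation. It applies
the constraints listed on this page locally: 1 to 50 tags, key length 1-128,
value length 0-256, and the ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$ pattern.
The duplicate-key check is an assumption, not a limit stated on the page.
"""
import json
import unicodedata

ALLOWED_PUNCTUATION = set("_.:/=+-@")


def _allowed_char(ch):
    # \p{L} letters, \p{Z} separators, \p{N} numbers map to Unicode general
    # categories starting with L, Z and N; everything else must be listed.
    return unicodedata.category(ch)[0] in "LZN" or ch in ALLOWED_PUNCTUATION


def validate_tags(tags):
    """Return a list of problems; an empty list means the set is acceptable."""
    problems = []
    if not 1 <= len(tags) <= 50:
        problems.append(f"tag count {len(tags)} outside 1-50")
    seen = set()
    for i, tag in enumerate(tags):
        key, value = tag.get("Key"), tag.get("Value")
        if not isinstance(key, str) or not isinstance(value, str):
            problems.append(f"tag {i}: Key and Value are required strings")
            continue
        if not 1 <= len(key) <= 128:
            problems.append(f"tag {i}: key length {len(key)} outside 1-128")
        if len(value) > 256:
            problems.append(f"tag {i}: value length {len(value)} exceeds 256")
        for part, text in (("key", key), ("value", value)):
            bad = sorted({c for c in text if not _allowed_char(c)})
            if bad:
                problems.append(f"tag {i}: {part} contains disallowed {''.join(bad)!r}")
        if key in seen:  # assumption: a tag set should not repeat a key
            problems.append(f"tag {i}: duplicate key {key!r}")
        seen.add(key)
    return problems


def build_tag_resource_request(resource_arn, tags):
    """Return the JSON body for POST /TagResource, or raise ValueError."""
    problems = validate_tags(tags)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"ResourceArn": resource_arn, "Tags": tags}, indent=2)


# Constructed sample input; the account ID, catalog and task ID are placeholders.
SAMPLE_ARN = ("arn:aws:aws-marketplace:us-east-1:123456789012:catalog/"
              "example-catalog/invoice-submission-task/example-task-id")
GOOD_TAGS = [{"Key": "product-team", "Value": "team-xyz"},
             {"Key": "Department", "Value": "Tax"}]
BAD_TAGS = [{"Key": "product-team", "Value": "team xyz!"},  # '!' is not allowed
            {"Key": "product-team", "Value": "team-xyz"}]   # duplicate key

if __name__ == "__main__":
    print(build_tag_resource_request(SAMPLE_ARN, GOOD_TAGS))
    print(validate_tags(BAD_TAGS))
```

Run `validate_tags` on the tag set that a deployment pipeline is about to apply; a non-empty result is a bug in the caller, not something to retry against the API. The same check applies to `UntagResource`, where only the key limits matter.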

## Granting permission to manage tags on resources
<a name="compliance-grant-permission-manage-tags"></a>

To allow a user or role to add, remove, and list tags on all Compliance API resources, attach the following IAM policy to that user or role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:TagResource",
        "aws-marketplace:UntagResource",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
```

## Granting permission to manage tags on resources only when those resources have specific tags
<a name="compliance-grant-permission-manage-tags-specific-tags"></a>

You can allow a user or role to add, remove, and list tags only on Compliance API resources that already carry specific tags. The following IAM policy allows those actions on any resource (`"*"`) that has a tag key of `product-team` and tag value of `team-xyz`. Note that this policy also lets the principal change or remove the `product-team` tag itself on a matching resource; if the tag is what other policies key their access decisions on, add `aws:RequestTag` or `aws:TagKeys` conditions to the `TagResource` and `UntagResource` permissions as well.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:TagResource",
        "aws-marketplace:UntagResource",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
```

## Requiring tags when starting invoice submission tasks
<a name="compliance-requiring-tags-when-starting-tasks"></a>

You can require that invoice submission tasks are tagged when they are created by combining the `aws:RequestTag` and `aws:TagKeys` condition keys on the `StartInvoiceSubmissionTask` action. In the following policy, `aws:RequestTag/product-team` requires the request to carry a `product-team` tag with the value `team-xyz`, and `ForAllValues:StringEquals` on `aws:TagKeys` rejects any other tag key. Keep both conditions: `ForAllValues` evaluates to true when the request carries no tags at all, so on its own it does not force tagging.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartInvoiceSubmissionTask"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/product-team": "team-xyz"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "product-team"
          ]
        }
      }
    }
  ]
}
```
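The resource-ARN, `aws:ResourceTag`, and `aws:RequestTag`/`aws:TagKeys` policies on this page all depend on details of IAM evaluation that are easy to get wrong: wildcard matching of ARNs, case-sensitive `StringEquals`, and the set semantics of `ForAllValues`. The following is an added example, not AWS code and not the IAM engine: a small model of just those rules, run against constructed copies of the policies above so the decisions can be seen side by side. In particular it shows why the `aws:RequestTag` clause is needed in the last policy: a variant with only the `ForAllValues:StringEquals` condition allows an untagged request. The ARN, action names and request contexts are constructed; only `StringEquals` and its `ForAllValues`/`ForAnyValue` forms are modeled.

```python
"""Model of how IAM evaluates the tag conditions used on this page.

Added example; not AWS code and not the IAM engine. It reproduces only the
behaviour these policies depend on: Action and Resource wildcard matching,
StringEquals on aws:ResourceTag/* and aws:RequestTag/*, and the set
operators ForAllValues/ForAnyValue on aws:TagKeys. Policies and request
contexts below are constructed for the example.
"""
import re


def _match(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, ctx):
    """ctx maps condition keys to a string, or a list for multivalued keys."""
    for operator, tests in condition.items():
        set_op, _, base = operator.rpartition(":")
        if base != "StringEquals":  # StringEquals is case-sensitive
            raise NotImplementedError(f"{operator} is not modeled here")
        for key, allowed in tests.items():
            allowed = _as_list(allowed)
            actual = ctx.get(key)
            if set_op == "ForAllValues":
                # Every request value must be in the policy list. A missing or
                # empty key is an empty set, so this passes with no tags at all.
                if not all(v in allowed for v in _as_list(actual or [])):
                    return False
            elif set_op == "ForAnyValue":
                if not any(v in allowed for v in _as_list(actual or [])):
                    return False
            elif actual is None or isinstance(actual, list) or actual not in allowed:
                return False  # single-valued key must be present and equal
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow', or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def request_context(resource_tags=None, request_tags=None):
    """Build the context keys IAM derives from the resource's and request's tags."""
    ctx = {f"aws:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in (request_tags or {}).items()})
    if request_tags:  # aws:TagKeys is absent when the request carries no tags
        ctx["aws:TagKeys"] = list(request_tags)
    return ctx


# Constructed identifiers; the policies mirror the ones on this page.
TASK_ARN = ("arn:aws:aws-marketplace:us-east-1:123456789012:catalog/"
            "example-catalog/invoice-submission-task/example-task-id")
GET_TASK = "aws-marketplace:GetInvoiceSubmissionTask"
START_TASK = "aws-marketplace:StartInvoiceSubmissionTask"

RESOURCE_TAG_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": [GET_TASK], "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/product-team": "team-xyz"}}}]}

REQUIRE_TAG_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": [START_TASK], "Resource": "*",
    "Condition": {
        "StringEquals": {"aws:RequestTag/product-team": "team-xyz"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["product-team"]}}}]}

# Same as REQUIRE_TAG_POLICY but without the aws:RequestTag clause.
TAGKEYS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": [START_TASK], "Resource": "*",
    "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["product-team"]}}}]}


def demo():
    """Return the decisions for a set of representative requests."""
    return {
        "get_tagged_task": evaluate(RESOURCE_TAG_POLICY, GET_TASK, TASK_ARN,
                                    request_context(resource_tags={"product-team": "team-xyz"})),
        "get_wrong_case": evaluate(RESOURCE_TAG_POLICY, GET_TASK, TASK_ARN,
                                   request_context(resource_tags={"product-team": "Team-XYZ"})),
        "start_correct_tag": evaluate(REQUIRE_TAG_POLICY, START_TASK, TASK_ARN,
                                      request_context(request_tags={"product-team": "team-xyz"})),
        "start_extra_key": evaluate(REQUIRE_TAG_POLICY, START_TASK, TASK_ARN,
                                    request_context(request_tags={"product-team": "team-xyz", "env": "prod"})),
        "start_untagged": evaluate(REQUIRE_TAG_POLICY, START_TASK, TASK_ARN, request_context()),
        "tagkeys_only_untagged": evaluate(TAGKEYS_ONLY_POLICY, START_TASK, TASK_ARN, request_context()),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {decision}")
```

The model is for reasoning, not for sign-off: before attaching a policy, run the same scenarios through the real engine with `aws iam simulate-custom-policy`, supplying the policy in `--policy-input-list`, the action and ARN in `--action-names` and `--resource-arns`, and the tag keys as `--context-entries`.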