Access control for the AWS Marketplace Compliance API
You can use the AWS Marketplace Compliance API to manage seller compliance in AWS Marketplace. However, first make sure your user or role can access the API functionality that you want to call.
Use AWS Identity and Access Management (IAM) to create users and roles and assign policies that grant limited permissions to end users. The policies define the actions that the user or role can take on your resources through the AWS Marketplace Compliance API.
Note
To sell products on AWS Marketplace, your AWS account must be set up as a seller account. For more details about becoming an AWS Marketplace seller, see Getting started as a seller in the AWS Marketplace Seller Guide.
Allowing actions with AWS managed policies
You can use policies that are managed by AWS to grant permissions to your user or role.
To work with invoice submissions on AWS Marketplace, you can use the AWSMarketplaceSellerFullAccess IAM managed policy, which includes full access to the AWS Marketplace Compliance API actions in addition to its other permissions. For more information, see Policies and permissions for AWS Marketplace sellers and AWS managed policies for AWS Marketplace sellers in the AWS Marketplace Seller Guide.
Alternatively, you can create your own IAM policies to have more granular control than is available in AWS managed policies. Use the following topics to create your own IAM policies.
Allowing actions on all resources
Resources are objects that the actions can act upon. There is one resource type in the Compliance API:
- InvoiceSubmissionTask – An invoice submission task tracks the processing of a seller-submitted invoice in AWS Marketplace.
To allow a user or role full access to invoice submission task operations, you can add the following IAM policy. With this policy, the user or role can use all invoice submission task actions on all resources ("*").

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartInvoiceSubmissionTask",
        "aws-marketplace:GetInvoiceSubmissionTask",
        "aws-marketplace:ListInvoiceSubmissionTasks",
        "aws-marketplace:ListPayables"
      ],
      "Resource": "*"
    }
  ]
}
For information about all actions available for the Compliance API, see Actions, resources, and condition keys for AWS Marketplace Compliance in the Service Authorization Reference.
Allowing actions on specific resources
You can use resource-level permissions to allow actions on a specific invoice submission task instead of all invoice submission tasks. You do this by specifying the Amazon Resource Name (ARN) of the invoice submission task in the Resource of the IAM policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:GetInvoiceSubmissionTask"
      ],
      "Resource": [
        "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/InvoiceSubmissionTask/example-task-id"
      ]
    }
  ]
}
Allowing actions with a specific aws:ResourceTag condition key
You can allow actions on invoice submission tasks based on their tags without having to specify individual ARNs. Adding tags to resources allows you to control access to those resources based on their tags.
For example, the following IAM policy allows the GetInvoiceSubmissionTask action on any invoice submission task resource ("*") that has a tag key of product-team and tag value of team-xyz.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:GetInvoiceSubmissionTask"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
Managing tags on resources
You can add, list, and remove tags from existing invoice submission tasks.
Add tags to resources
To add tags to an invoice submission task, use the TagResource API action.

Request

POST /TagResource HTTP/1.1
Content-type: application/json

{
  "ResourceArn": "string",
  "Tags": [
    {
      "Key": "string",
      "Value": "string"
    }
  ]
}
Request parameters include:
- ResourceArn (String) – (Required) ARN of the invoice submission task.
- Tags (Array of objects) – (Required) A list of objects specifying each tag key and value. Number of objects allowed: 1–50.
  - Key (String) – (Required) Name of the tag. Regex pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$. Character length: 1–128.
  - Value (String) – (Required) Value of the tag. Regex pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$. Character length: 0–256.
Remove tags from resources
To remove a tag or list of tags from an invoice submission task, use the UntagResource API action.

Request

POST /UntagResource HTTP/1.1
Content-type: application/json

{
  "ResourceArn": "string",
  "TagKeys": [
    "string"
  ]
}
Request parameters include:
- ResourceArn (String) – (Required) ARN of the invoice submission task.
- TagKeys (Array of strings) – (Required) A list of key names of tags to be removed.
List all tags on a resource
To list all tags on an invoice submission task, use the ListTagsForResource API action.

Request

POST /ListTagsForResource HTTP/1.1
Content-type: application/json

{
  "ResourceArn": "string"
}

Response

{
  "ResourceArn": "string",
  "Tags": [
    {
      "Key": "string",
      "Value": "string"
    }
  ]
}
Granting permission to manage tags on resources
To allow a user or role to add, remove, and list tags on all invoice submission tasks, the user or role needs the following IAM policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:TagResource",
        "aws-marketplace:UntagResource",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
Granting permission to manage tags on resources only when those resources have specific tags
You can allow a user or role to add, remove, and list tags on invoice submission tasks that have specific tags. The following IAM policy allows those actions on any invoice submission task resource ("*") that has a tag key of product-team and tag value of team-xyz.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:TagResource",
        "aws-marketplace:UntagResource",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/product-team": "team-xyz"
        }
      }
    }
  ]
}
Requiring tags when starting invoice submission tasks
You can enforce tagging when invoice submission tasks are created by using the aws:RequestTag and aws:TagKeys condition keys with the StartInvoiceSubmissionTask action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:StartInvoiceSubmissionTask"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/product-team": "team-xyz"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "product-team"
          ]
        }
      }
    }
  ]
}
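The following is an added example, not AWS code: a small model of how IAM evaluates the tag conditions in the policy above, covering only the two operators the page uses (StringEquals and ForAllValues:StringEquals) and the aws:RequestTag/<key> and aws:TagKeys context keys. It shows why the policy needs both conditions: ForAllValues:StringEquals on aws:TagKeys accepts a request with no tags at all, and only the StringEquals test on aws:RequestTag/product-team actually requires the tag. The same matcher applies to the aws:ResourceTag policies earlier on the page when the context carries the resource's tags; tag names and values here are constructed.

```python
# Added illustration of IAM condition evaluation, not AWS's authorization engine.
# Only the operators and context keys used on this page are modelled.

# The policy from "Requiring tags when starting invoice submission tasks".
REQUIRE_TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["aws-marketplace:StartInvoiceSubmissionTask"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {"aws:RequestTag/product-team": "team-xyz"},
            "ForAllValues:StringEquals": {"aws:TagKeys": ["product-team"]},
        },
    }],
}

def build_context(request_tags):
    """Derive the condition context IAM builds from the tags sent in a request."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}
    ctx["aws:TagKeys"] = list(request_tags)  # multivalued context key
    return ctx

def condition_matches(condition, ctx):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            allowed = allowed if isinstance(allowed, list) else [allowed]
            if operator == "StringEquals":
                # Single-valued: key must be present and equal an allowed value.
                if ctx.get(key) not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Set operator: every request value must be allowed; an empty set passes.
                if any(v not in allowed for v in ctx.get(key, [])):
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def is_allowed(policy, action, ctx):
    """Implicit deny unless an Allow statement matches both action and condition."""
    return any(
        s["Effect"] == "Allow"
        and action in s["Action"]
        and condition_matches(s.get("Condition", {}), ctx)
        for s in policy["Statement"]
    )
```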