Creating and configuring IAM policies and entities

How to create and configure IAM policies and entities for use with SP-API.

The following steps explain how to create and configure IAM policies and entities with the end goal of creating an IAM role that you provide when you register your application. In this workflow you create an IAM user (with an AWS STS policy attached) that assumes an IAM role that has permissions to call the Selling Partner API.

Step 1. Create an AWS account

You must have an AWS account because the Selling Partner API security model uses AWS authentication credentials. If you're not already an AWS customer, you can create a free AWS account. For more information, refer to AWS Free Tier.

Step 2. Create an IAM user

Create an IAM user to get AWS keys to authenticate calls to the Selling Partner API. We recommend creating a new IAM user exclusively for this purpose. Use the IAM user to assume the IAM role that you create in Step 4. Create an IAM role.

Use the following procedure to create an IAM user:

  1. Sign in to the AWS Management Console, and then open the IAM console at console.aws.amazon.com/iam.

  2. From the left navigation pane, choose Users and then select Add user.

  3. Enter a user name.

  4. Select Programmatic access and then choose Next: Permissions.

  5. On the Set Permissions page, accept the defaults and then choose Next: Tags. You will set permissions when you create an IAM role.

  6. On the Add tags (optional) page, add any desired tags, and then choose Next: Review.

  7. On the Review page, ignore the This user has no permissions warning. You will set permissions when you create an IAM role.

  8. Select Create user.

  9. Choose Show to view the AWS secret access key. To save the AWS access key, select Download .csv, and then save the file to a safe location.

🚧

Important!

This is your only opportunity to view or download your AWS secret access key, which you must use to authenticate your calls to the Selling Partner API. Save the AWS access key ID and AWS secret access key in a safe and secure place.

You will not have access to the AWS access key again after this step.

If you lose your AWS secret access key, create a new access key for the user (Security credentials tab of the user in the IAM console), update your application to use it, and then deactivate and delete the old key. An IAM user can have at most two access keys at a time, so remove the lost one rather than leaving it active.

  10. Choose Close.

  11. In the User name column, select your new IAM user and record the User ARN. You will use the ARN in Step 4. Create an IAM role.

For more information about creating IAM users, refer to Creating an IAM User in Your AWS Account in the AWS documentation.

Step 3. Create an IAM policy

This IAM policy defines the permissions required to make calls to the Selling Partner API. Attach this policy to the IAM role that you create in Step 4. Create an IAM role. The Resource in the policy is a wildcard over all regions and accounts because the SP-API endpoints are hosted in Amazon's account, not yours; the same statement therefore also allows the role to invoke any IAM-authorized API Gateway endpoint in your own account. Keep the policy on the dedicated role from Step 4 rather than attaching it to other principals.

Note: If your AWS account leverages AWS Organizations you must ensure that your organization level policy allows access to the Selling Partner API. For more information, refer to Managing AWS Organizations policies in the AWS documentation.

Use the following procedure to create an IAM policy:

  1. Sign in to the AWS Management Console, and then open the IAM console at console.aws.amazon.com/iam.

  2. From the left navigation pane, select Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  3. Select Create policy.

  4. Choose the JSON tab.

  5. Paste the following code into the text box (replacing the existing code), and then choose Next: Tags.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:*:*:*"
    }
  ]
}

  6. On the Add tags (Optional) page, add any desired tags, then choose Next: Review.

  7. On the Review policy page, enter a Name and a Description (optional) for the policy that you are creating. We recommend naming your IAM policy SellingPartnerAPI.

  8. Review the policy Summary, then choose Create policy.

For more information, refer to Creating IAM Policies in the AWS documentation.

Step 4. Create an IAM role

Create an IAM role that trusts the IAM user that you created in Step 2. Create an IAM user and has permissions to call the Selling Partner API.

Use the following procedure to create an IAM role:

  1. Sign in to the AWS Management Console, and then open the IAM console at console.aws.amazon.com/iam.

  2. From the left navigation pane, select Roles and then choose Create role.

  3. On the Create role page, choose Another AWS account.

  4. In the Account ID box, enter the account identifier for the AWS account where you created your IAM user in Step 2. Create an IAM user. The account identifier is the 12 digit number in the User ARN. Then, choose Next: Permissions.

  5. On the Attach permissions policies page, under Policy name, select the policy that you created in Step 3. Create an IAM policy, and then choose Next: Tags.

    Tip: Choose Filter policies and then select Customer managed to narrow your choices.

  6. On the Add tags (optional) page, add any custom tags, then choose Next: Review.

  7. On the Create role page, enter a role name in the Role name box, an optional role description in the Role description box, and then choose Create role.

  8. Under Role name, select the name of your new role.

  9. On the Summary page, save your role ARN. You must have the role ARN for the following tasks:

    1. Register your application.

    2. Add an AWS Security Token Service policy to your IAM user.

For more information, refer to Creating a Role to Delegate Permissions to an IAM User in the AWS documentation.

Step 5. Add an AWS Security Token Service (AWS STS) policy to your IAM user

Adding an AWS Security Token Service (AWS STS) policy to your IAM user allows the user to call sts:AssumeRole on the role from Step 4 and receive temporary AWS credentials (an access key ID, a secret access key and a session token) that you use to authenticate your requests to the Selling Partner API. These credentials expire after a set period of time, which limits the damage if they leak and keeps the user's long-term keys out of the request path. Scope the policy to the single role ARN, as the procedure below does, so the user cannot assume any other role in the account.

  1. Sign in to the AWS Management Console, and then open the IAM console at console.aws.amazon.com/iam.

  2. From the left navigation pane, select Users and then choose the user that requires the AWS STS policy. In this tutorial, choose the user you created in Step 2. Create an IAM user.

  3. On the Permissions tab, choose Add inline policy.

  4. On the Create policy page, choose Choose a service.

  5. Select the STS service.

    Tip: Enter STS in the search box to narrow your choices.

  6. Under Access Level, select the arrow next to Write.

  7. Select AssumeRole.

  8. Select the arrow next to Resources, and then choose Add ARN.

  9. In the Add ARN(s) dialog box, enter the role ARN from Step 4. Create an IAM role, choose Add, and then choose Review policy.

  10. On the Review policy page, enter a name for your policy. Review your setting, then choose Create policy.
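Steps 2 through 5 produce three JSON documents that the console writes for you: the permissions policy on the role (Step 3), the role's trust policy (Step 4) and the STS policy on the user (Step 5). The following is an added example, not code from the SP-API documentation, that builds all three from a user ARN and a role name so they can be reviewed or applied with the CLI or infrastructure-as-code. The account ID, user name and role name are constructed placeholders. It goes slightly beyond the console flow: the console's "Another AWS account" option trusts the account root (any principal in the account whose own policy allows sts:AssumeRole), whereas the generated trust policy names the one user from Step 2.

```python
"""Build the IAM documents from Steps 2 to 5 from a user ARN and a role name.

Added example, not Amazon's code. The ARNs and names used below are
constructed placeholders, not a real account.
"""
import json
import re

POLICY_VERSION = "2012-10-17"

# arn:<partition>:iam::<12-digit account>:user/<optional path/><name>
_USER_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):user/(.+)$")


def is_user_arn(arn: str) -> bool:
    """True for an IAM user ARN (roles, groups and other ARNs are rejected)."""
    return _USER_ARN.match(arn) is not None


def parse_user_arn(user_arn: str) -> tuple:
    """Return (partition, account_id, path_and_name) from an IAM user ARN.

    Step 4 item 4 asks for the 12-digit account ID in the User ARN; parsing
    it instead of copying it by hand avoids a typo in the trust policy.
    """
    m = _USER_ARN.match(user_arn)
    if m is None:
        raise ValueError(f"not an IAM user ARN: {user_arn!r}")
    return m.group(1), m.group(2), m.group(3)


def role_arn_for(user_arn: str, role_name: str) -> str:
    """ARN the Step 4 role will have, created in the same account as the user."""
    partition, account_id, _ = parse_user_arn(user_arn)
    return f"arn:{partition}:iam::{account_id}:role/{role_name}"


def sp_api_permissions_policy() -> dict:
    """Step 3: the permissions policy attached to the role (as on the page)."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:*:*",
        }],
    }


def role_trust_policy(user_arn: str, scope_to_user: bool = True) -> dict:
    """Step 4: who may assume the role.

    scope_to_user=False reproduces the console's "Another AWS account" form,
    which trusts the account root; True narrows the trust to this one user.
    """
    partition, account_id, _ = parse_user_arn(user_arn)
    principal = user_arn if scope_to_user else f"arn:{partition}:iam::{account_id}:root"
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
        }],
    }


def sts_assume_role_policy(role_arn: str) -> dict:
    """Step 5: inline policy on the user; exactly one role may be assumed."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        }],
    }


def build_documents(user_arn: str, role_name: str) -> dict:
    """All three documents, keyed by the step that uses them."""
    return {
        "step3_permissions_policy": sp_api_permissions_policy(),
        "step4_trust_policy": role_trust_policy(user_arn),
        "step5_sts_policy": sts_assume_role_policy(role_arn_for(user_arn, role_name)),
    }


if __name__ == "__main__":
    # Constructed placeholder user and role name.
    docs = build_documents("arn:aws:iam::123456789012:user/sp-api-caller",
                           "SellingPartnerAPIRole")
    for name, doc in docs.items():
        print(f"# {name}\n{json.dumps(doc, indent=2)}\n")
```

The trust policy is the only one of the three that the page never shows; if you paste the scoped version into the role's Trust relationships tab after the console creates the role, the account-root principal is replaced by the single user ARN and no other principal in the account can assume the role even if it acquires sts:AssumeRole permission.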

Step 6. (Optional) Verify that the STS policy is attached to your IAM user or role

Use the following procedure to verify that the STS policy is attached to your IAM user or role:

  1. Install the AWS Command Line Interface (AWS CLI). For detailed instructions on installing the AWS CLI, refer to Getting Started with the AWS CLI in the AWS documentation.

  2. Sign in to the AWS Management Console, and then open the IAM console at console.aws.amazon.com/iam.

  3. Select your IAM user, and on the Permissions tab choose Add inline policy, choose the JSON tab, and paste the following policy into the text box (replacing the existing text). It grants read-only access to IAM (the same actions as the AWS managed policy IAMReadOnlyAccess), which the CLI commands in the next step need in order to list users, roles and policies; it grants no permission to change them.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GenerateCredentialReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        }
    ]
}
  4. From the AWS CLI, run the following commands to verify that the policies are in place. Replace the placeholders with the user name from Step 2. Create an IAM user, the policy name you chose in Step 5, and the role name and policy ARN from Steps 3 and 4. The CLI identifies users and roles by name, not by ARN.
  • Retrieve the inline STS policy document embedded in the IAM user. The PolicyDocument in the output should allow sts:AssumeRole on the role ARN from Step 4 and nothing broader:

    aws iam get-user-policy --user-name {{IAM user name}} --policy-name {{STS policy name}}

  • List the managed policies that are attached to the IAM user. The user from Step 2 has only inline policies, so this list is expected to be empty; aws iam list-user-policies lists the inline ones by name:

    aws iam list-attached-user-policies --user-name {{IAM user name}}

  • Retrieve information about the managed policy created in Step 3. This returns metadata only; to see the document, pass the DefaultVersionId from the output to aws iam get-policy-version:

    aws iam get-policy --policy-arn {{ARN of the policy}}

  • List the managed policies attached to the role (the Step 3 policy should appear) and the inline policies embedded in it:

    aws iam list-attached-role-policies --role-name {{IAM role name}}
    aws iam list-role-policies --role-name {{IAM role name}}

  • Attach a managed policy to a role, for example the AWS managed ReadOnlyAccess policy to a role named ReadOnlyRole:

    aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --role-name ReadOnlyRole
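The commands above return policy documents but leave the reader to judge whether they actually grant sts:AssumeRole on the role. The following is an added example, not code from the SP-API documentation, that evaluates the documents returned under PolicyDocument by aws iam get-user-policy against the role ARN, and then performs the AssumeRole exchange that Step 5 enables. The ARNs and policy documents are constructed samples. The evaluator is a deliberate subset of IAM's logic (Effect, Action and Resource with the IAM wildcards `*` and `?`, explicit Deny overriding Allow, default deny); it raises on Condition, NotAction and NotResource and ignores permissions boundaries and organization SCPs, so treat it as a pre-flight check and use iam:SimulatePrincipalPolicy for an authoritative answer. The assume_sp_api_role function takes a boto3 STS client; the FakeStsClient is an offline stand-in that returns constructed values.

```python
"""Check that policy documents allow sts:AssumeRole on the SP-API role,
then exchange the user's long-term keys for temporary credentials.

Added example, not Amazon's code. ARNs and policies are constructed samples.
"""
import re


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' matches any run, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _listify(value) -> list:
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    unsupported = {"Condition", "NotAction", "NotResource"} & set(stmt)
    if unsupported:
        raise NotImplementedError(f"evaluator does not handle {sorted(unsupported)}")
    # Action names are case-insensitive in IAM; resource ARNs are not.
    action_hit = any(_wildcard_match(a, action, ignore_case=True)
                     for a in _listify(stmt.get("Action", [])))
    resource_hit = any(_wildcard_match(r, resource)
                       for r in _listify(stmt.get("Resource", [])))
    return action_hit and resource_hit


def allows(policy_docs: list, action: str, resource: str) -> bool:
    """True only if some Allow statement matches and no Deny statement does."""
    allowed = False
    for doc in policy_docs:
        for stmt in _listify(doc.get("Statement", [])):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return False          # explicit Deny wins over any Allow
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def can_assume_role(policy_docs: list, role_arn: str) -> bool:
    return allows(policy_docs, "sts:AssumeRole", role_arn)


# Constructed samples, in the shape 'aws iam get-user-policy' returns under PolicyDocument.
ROLE_ARN = "arn:aws:iam::123456789012:role/SellingPartnerAPIRole"
STS_POLICY = {  # what Step 5 produces
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}
DENY_STS_POLICY = {  # a second inline policy that would silently break Step 5
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "sts:*", "Resource": "*"}],
}


def assume_sp_api_role(sts_client, role_arn: str, session_name: str = "sp-api",
                       duration_seconds: int = 3600) -> dict:
    """Call STS AssumeRole with the user's long-term keys and return the
    temporary credential triple; it expires after duration_seconds.

    sts_client is a boto3 STS client or any object with the same assume_role method.
    """
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                                  DurationSeconds=duration_seconds)
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],  # must be sent with the key pair
        "expiration": creds["Expiration"],
    }


class FakeStsClient:
    """Offline stand-in for boto3's STS client; returns constructed values."""

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEY",
            "SecretAccessKey": "example-secret",
            "SessionToken": "example-session-token",
            "Expiration": "1970-01-01T00:00:00Z",
        }}


if __name__ == "__main__":
    print("Step 5 policy allows AssumeRole:", can_assume_role([STS_POLICY], ROLE_ARN))
    print("with a Deny present:", can_assume_role([STS_POLICY, DENY_STS_POLICY], ROLE_ARN))
    try:
        import boto3  # real call; uses the Step 2 keys from the environment or ~/.aws
        client = boto3.client("sts")
    except ImportError:
        client = FakeStsClient()
    print(assume_sp_api_role(client, ROLE_ARN))
```

The three values returned by assume_sp_api_role are what the SP-API request signer needs; the session token is not optional, and a request signed with the temporary key pair but without the token is rejected. Re-run assume_sp_api_role before the expiration rather than caching the credentials beyond it.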