Creating and configuring IAM policies and entities
How to create and configure IAM policies and entities for use with SP-API.
The following steps explain how to create and configure Identity and Access Management (IAM) policies and entities with the end goal of creating an IAM role that you provide when you register your application. In this workflow you create an IAM user (with an AWS Security Token Service (AWS STS) policy attached) that assumes an IAM role that has permissions to call the Selling Partner API.
Step 1. Create an Amazon Web Services (AWS) account
You must have an AWS account because the Selling Partner API security model uses AWS authentication credentials. If you're not already an AWS customer, you can create a free AWS account. For more information, refer to AWS Free Tier.
Step 2. Create an IAM user
Create an IAM user to get AWS keys to authenticate calls to the Selling Partner API. We recommend creating a new IAM user exclusively for this purpose. Use the IAM user to assume the IAM role that you create in Step 4. Create an IAM role.
- Sign in to the AWS Management Console, and then open the IAM console.
- From the left navigation pane, choose Users and then select Add users.
- On the Specify user details page, enter a user name.
- Choose Next.
- On the Set permissions page, accept the defaults and then choose Next. You will set permissions when you create an IAM role.
- On the Review and create page, add any desired tags under the tags section.
- Choose Create user.
- In the User name column, select your new IAM user and navigate to the Security Credentials tab.
- Under the Access keys section, choose Create access key.
- On the Access key best practices & alternatives page, choose Other, then choose Next.
- On the Set description tag (optional) page, add any desired description tag and then choose Create access key.
- On the Retrieve access keys page, choose Download .csv file to save the AWS access key and secret access key and then choose Done.
Important!
This is your only opportunity to view or download your AWS secret access key, which you must use to authenticate your calls to the Selling Partner API. Save the AWS access key ID and AWS secret access key in a safe and secure place.
You will not have access to the AWS access key again after this step.
If you lose your AWS secret access key you must create a new access key. You can have a maximum of two access keys (active or inactive) at a time. For more information about managing access keys, refer to Managing access keys (console).
- In the User name column, choose your new IAM user again and record the User ARN. You will use the ARN in Step 4. Create an IAM role.
For more information about creating IAM users, refer to Creating an IAM user in Your AWS account.
Step 3. Create an IAM policy
This IAM policy defines the permissions required to make calls to the Selling Partner API. Attach this policy to the IAM role that you create in Step 4. Create an IAM role.
Note: If you use AWS Organizations to manage your AWS accounts, make sure your Organization level policy allows access to Selling Partner API. For more information, refer to Managing AWS Organizations policies.
- Sign in to the AWS Management Console, and then open the IAM console.
- From the left navigation pane, choose Policies. If this is your first time choosing Policies, choose Get Started.
- Choose Create policy.
- Choose the JSON tab.
- Paste this code into the text box (replacing the existing code), and then choose Next: Tags.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:*:*"
        }
    ]
}
- On the Add tags (Optional) page, add any desired tags, then choose Next: Review.
- On the Review policy page, name your policy SellingPartnerAPI and add an optional description.
- Review the policy Summary, then choose Create policy.
For more information, refer to Creating IAM Policies.
Step 4. Create an IAM role
Create an IAM role that trusts the IAM user that you created in Step 2. Create an IAM user and has permissions to call the Selling Partner API.
- Sign in to the AWS Management Console, and then open the IAM console.
- From the left navigation pane, choose Roles and then choose Create role.
- On the Select trusted entity page, choose AWS account, and select one of the following depending on the account used to create your IAM user in Step 2. Create an IAM user:
  - If you created your IAM user in this same account, choose This account.
  - If you created your IAM user in a different account, choose Another AWS account. In the Account ID box, enter the account identifier for the AWS account where you created your IAM user in Step 2. Create an IAM user. The account identifier is the 12-digit number in the User ARN.
- Choose Next.
- On the Add permissions page, in the filter box, type 'SellingPartnerAPI', choose the policy, and then choose Next.
- On the Name, review, and create page, enter a role name in the Role name box, an optional role description in the Role description box, and then choose Create role.
- Under Role name, select the name of your new role.
- On the Summary page, save your role ARN. You must have the role ARN for the following tasks:
  a. Add an AWS Security Token Service policy to your IAM user.
  b. Registering your Application.
For more information, refer to Creating a role to delegate permissions to an IAM user.
Step 5. Add an AWS STS policy to your IAM user
Adding an AWS STS policy to your IAM user allows you to request temporary AWS access keys that you can use to authenticate your requests to the Selling Partner API. These credentials expire after a set period of time, which helps you to control access to your AWS resources.
- Sign in to the AWS Management Console, and then open the IAM console.
- From the left navigation pane, select Users and then choose the user that requires the AWS STS policy. In this tutorial, choose the user you created in Step 2. Create an IAM user.
- On the Permissions tab, choose the Add permissions drop-down and choose Add inline policy.
- On the Create policy page, select Choose a service.
- Choose the STS service. Tip: Enter STS in the search box to filter your results.
- Under Actions, select the arrow next to Write.
- Choose AssumeRole.
- Select the arrow next to Resources, and then choose Add ARN.
- In the Add ARN(s) dialog box, enter the role ARN from Step 4. Create an IAM role, choose Add, and then choose Review policy.
- On the Review policy page, enter a name for your policy. Review your settings, then choose Create policy.
Step 6. (Optional) Verify that the STS policy is attached to your IAM user or role
- Sign in to the AWS Management Console, and then open the IAM console.
- Choose Users, then select your IAM user.
- Choose the Permissions tab, choose Add permissions, and then choose Add inline policy.
- On the Create policy page, select the JSON tab and paste the following code into the text box. This policy grants read-only access to IAM information (the Get*, List*, report and policy-simulation actions), which the verification commands in this step require.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GenerateCredentialReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        }
    ]
}
- Choose Review policy, give a name for the policy (for example, PolicyNew), and choose Create policy.
- Open AWS CloudShell and run the following commands to verify that the policy is attached to your IAM user or role:
  - Retrieve the inline policy document embedded in the specified IAM user:
    aws iam get-user-policy --user-name Bob --policy-name ExamplePolicy
  - List all managed policies attached to the specified IAM user:
    aws iam list-attached-user-policies --user-name Bob
  - Retrieve information about the specified managed policy:
    aws iam get-policy --policy-arn {{ARN of the policy}}
  - Retrieve policy details for the managed policy (use the version number obtained from the previous step):
    aws iam get-policy-version --policy-arn {{ARN of the policy}} --version-id {{version number}}
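Beyond confirming that a policy is attached, a practitioner usually wants to check that the documents from Steps 4 and 5 say what this workflow intends. The following Python script is an added example (it is not part of the SP-API documentation or the AWS CLI): it extracts the 12-digit account identifier from a user ARN as Step 4 describes, checks that the role's trust policy names that account or user and not every AWS principal, and checks that the user's inline STS policy allows sts:AssumeRole on the SP-API role ARN only. The account ID 123456789012, the names sp-api-user and SellingPartnerAPIRole, and both policy documents are constructed sample values.

```python
import re
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/.+$")  # group 1 is the account ID

def account_id(arn):
    """Return the account identifier: the 12-digit number in a user or role ARN."""
    m = ARN_RE.match(arn)
    if not m: raise ValueError(f"not an IAM user/role ARN: {arn}")
    return m.group(1)

def _as_list(value):  # IAM accepts a single string wherever a list is allowed
    return value if isinstance(value, list) else [value]

def _allow_statements(doc, action):
    """Yield Allow statements whose Action covers `action` (also sts:* and *)."""
    covering = {action, action.split(":")[0] + ":*", "*"}
    for s in _as_list(doc.get("Statement", [])):
        if s.get("Effect") == "Allow" and covering & set(_as_list(s.get("Action", []))):
            yield s

def audit_sts_policy(doc, role_arn):
    """Step 5: the user's inline policy must allow sts:AssumeRole on role_arn only."""
    problems, granted = [], set()
    for s in _allow_statements(doc, "sts:AssumeRole"):
        for resource in _as_list(s.get("Resource", [])):
            granted.add(resource)
            if resource != role_arn:
                problems.append(f"AssumeRole allowed on {resource}, not only the SP-API role")
    if role_arn not in granted:
        problems.append("no statement allows sts:AssumeRole on the SP-API role")
    return problems

def audit_trust_policy(doc, user_arn):
    """Step 4: the role must trust the user's account (or the user itself), never everyone."""
    acct = account_id(user_arn)
    trusted = {user_arn, f"arn:aws:iam::{acct}:root", acct}
    for s in _allow_statements(doc, "sts:AssumeRole"):
        principal = s.get("Principal", {})
        names = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in names:
            return ["trust policy lets any AWS principal assume the role"]
        if trusted & set(names):
            return []
    return [f"trust policy does not let account {acct} ({user_arn}) assume the role"]

# Constructed samples (not from the page): user, role, a scoped STS policy, and the trust policy the console writes for "This account".
USER_ARN = "arn:aws:iam::123456789012:user/sp-api-user"
ROLE_ARN = "arn:aws:iam::123456789012:role/SellingPartnerAPIRole"
STS_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}
```

In practice, pass audit_sts_policy the PolicyDocument returned by `aws iam get-user-policy` and audit_trust_policy the AssumeRolePolicyDocument returned by `aws iam get-role`; an empty list from each means the chain is scoped as this guide intends.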