IAM temporary delegation for Amazon Partners - Amazon Identity and Access Management

IAM temporary delegation for Amazon Partners

Overview

IAM temporary delegation enables Amazon customers to seamlessly onboard and/or integrate Amazon Partner products into their Amazon environment through interactive, guided workflows. Customers can grant Amazon Partners limited, temporary access to configure required Amazon services, reducing onboarding friction and accelerating time to value.

IAM temporary delegation enables partners to:

  • Streamline customer onboarding with automated resource provisioning

  • Reduce integration complexity by eliminating manual configuration steps

  • Build trust through transparent, customer-approved permissions

  • Enable ongoing operations with long-term access patterns using permission boundaries

How it works

  1. Partner creates a delegation request - Partners create a request specifying what permissions they need and for how long

  2. Customer reviews in Amazon Console - Customer sees exactly what permissions the partner is requesting and why

  3. Customer approves - Customer approves the request and releases an exchange token. The token is sent to the partner on the specified SNS topic.

  4. Partner receives temporary credentials - Partners exchange the token for temporary Amazon credentials

  5. Partner configures resources - Partners use the credentials to set up required resources in the customer's account

Partner qualification

To qualify for temporary delegation integration, a partner must meet the following requirements:

  • ISV Accelerate participation – You must be enrolled in the ISV Accelerate (ISVA) program.

  • Amazon Marketplace listing – Your product must be listed in the Amazon Marketplace with a "Deployed on Amazon" badge.

Onboarding process

Complete the following steps to integrate temporary delegation into your product:

  1. Step 1: Review requirements

    Review this documentation to understand the qualification requirements and complete the partner questionnaire below.

  2. Step 2: Submit your onboarding request

    Send an email to aws-iam-partner-onboarding@amazon.com or contact your Amazon representative. Include your completed partner questionnaire with all required fields from the table below.

  3. Step 3: Amazon validation and review

    Amazon will:

    • Validate that you meet the qualification criteria

    • Review your policy templates and permission boundaries

    • Provide feedback on your submitted artifacts

  4. Step 4: Refine your policies

    Respond to Amazon feedback and submit updated policy templates or permission boundaries as needed.

  5. Step 5: Complete registration

    Once approved, Amazon will:

    • Enable API access for your specified accounts

    • Share ARNs for your policy template and permissions boundary (if applicable)

    You will receive confirmation when onboarding is complete. You can then access the temporary delegation APIs, CreateDelegationRequest and GetDelegatedAccessToken, from your registered accounts and begin integrating delegation request workflows into your product.

Partner questionnaire

The following table lists the information required for partner onboarding:

| Information | Description | Required |
| --- | --- | --- |
| Partner Central AccountID | Account ID of your registered Amazon account on Amazon Partner Central. | Yes |
| PartnerId | Partner ID provided by Amazon Partner Central. | No |
| Amazon Marketplace Product Id | Product ID for your product provided by Amazon Partner Central. | Yes |
| Amazon accountIDs | The list of your Amazon Account IDs that you want to use to call temporary delegation APIs. This should include both your production and non-production/test accounts. | Yes |
| Partner name | This name is displayed to customers in the Amazon Management Console when they review your temporary delegation request. | Yes |
| Contact email(s) | One or more email addresses that we can use to contact you about your integration. | Yes |
| Requestor Domain | Your domain (for example, www.example.com) | Yes |
| Integration description | Brief description of the use case that you want to address using this feature. You can include reference links to your documentation or other public material. | Yes |
| Architecture diagram | Architecture diagram illustrating your integration use case(s). | No |
| Policy template | You must register at least one policy template for this feature. The policy template defines the temporary permissions you want to request in customers' Amazon accounts. For more information, see Policy template section. | Yes |
| Policy template name | Name of the policy template you want to register. | Yes |
| Permissions Boundary | If you want to create IAM roles in customers' accounts using temporary permissions, you must register a permission boundary with IAM. Permission boundaries will be attached to the IAM roles that you create to limit the maximum permissions on the role. You can use selected Amazon managed policies as a permission boundary or register a new custom permission boundary (JSON). For more information, see Permissions Boundary section. | No |
| Permission Boundary Name | The name of your permission boundary. The format is: arn:aws:iam::partner:policy/permission_boundary/<partner_domain>/<policy_name>_<date>. The policy name must include the creation date as a suffix. The name cannot be updated once the permission boundary is created. If you are using an existing Amazon managed policy, provide the managed policy ARN instead. | No |
| Permission Boundary Description | Description for the permission boundary. This description cannot be updated once the permission boundary is created. | No |
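
The Permissions Boundary row above says the boundary limits the maximum permissions on roles a partner creates. The following is an added example, not code from this documentation or from IAM: a simplified Python model of that cap, useful for checking a draft role policy against a draft boundary before submitting both for review. It evaluates actions only (resources, conditions, NotAction and other policy types are left out), and both policy documents are constructed samples.

```python
from fnmatch import fnmatchcase

# Constructed sample documents (not a real partner's policies).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole", "logs:PutLogEvents"], "Resource": "*"},
    ],
}
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "logs:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:GetBucketPolicy", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action):
    # IAM action names are case-insensitive and accept * and ? wildcards;
    # fnmatch covers both (action names never contain '[' or ']').
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(statement["Action"]))


def _verdict(policy, action):
    """Return 'deny', 'allow' or 'none' for one policy document."""
    hits = [s["Effect"] for s in _as_list(policy["Statement"]) if _matches(s, action)]
    if "Deny" in hits:
        return "deny"
    return "allow" if "Allow" in hits else "none"


def effective(action, role_policy, boundary):
    """Permitted only if both documents allow the action and neither denies it."""
    verdicts = (_verdict(role_policy, action), _verdict(boundary, action))
    return all(v == "allow" for v in verdicts)


def over_boundary(role_policy, boundary, candidate_actions):
    """Actions the role policy grants that the boundary removes."""
    return [a for a in candidate_actions
            if _verdict(role_policy, a) == "allow" and not effective(a, role_policy, boundary)]
```

The boundary grants nothing by itself: `logs:CreateLogGroup` is allowed by the sample boundary but not by the role policy, so it stays denied.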