Permissions required to track seller issued license usage in License Manager - Amazon License Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Permissions required to track seller issued license usage in License Manager

To get started with this feature, you need permission to call the following License Manager API actions.

{ 
    "Version": "2012-10-17",     
    "Statement": [ 
      { 
        "Effect": "Allow",
        "Action": [
            "license-manager:CreateLicense",
            "license-manager:CreateLicenseVersion",
            "license-manager:ListLicenses",
            "license-manager:ListLicenseVersions",
            "license-manager:GetLicense",
            "license-manager:DeleteLicense",
            "license-manager:CheckoutLicense",
            "license-manager:CheckInLicense",
            "license-manager:ExtendLicenseConsumption",
            "license-manager:GetLicenseUsage",
            "license-manager:CreateGrant",
            "license-manager:CreateGrantVersion",
            "license-manager:DeleteGrant",
            "license-manager:GetGrant",
            "license-manager:ListDistributedGrants"
        ], 
        "Resource": "*"
      } 
    ] 
}

If you will integrate with License Manager so customers without an Amazon account can consume licenses sold outside of Amazon Web Services Marketplace, you must create an IAM role that enables your software application to call the License Manager API.

If you use the Amazon Web Services Management Console to distribute temporary credentials for customers without an Amazon Web Services account, License Manager will automatically create the AWSLicenseManagerConsumptionRole on your behalf. For more information, see Get temporary credentials for ISV customers without an Amazon account. To create this role from the Amazon CLI, use the Amazon IAM create-role command, as shown in the following example.

aws iam create-role 
    --role-name AWSLicenseManagerConsumptionRole 
    --description "Role used to consume licenses using Amazon License Manager" 
    --max-session-duration 3600 
    --assume-role-policy-document file://trust-policy-document.json

The provided trust-policy-document.json file should look like the following example, with your own Amazon Web Services account ID substituted as the token issuer account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "openid-license-manager.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "openid-license-manager.amazonaws.com:amr": "aws:license-manager:token-issuer-account-id:123456789012"
                }
            }
        }
    ]
}

Next, use the attach-role-policy command to add the AWSLicenseManagerConsumptionPolicy Amazon managed policy to the AWSLicenseManagerConsumptionRole role.

aws iam attach-role-policy 
    --policy-arn arn:aws-cn:iam::aws:policy/service-role/AWSLicenseManagerConsumptionPolicy
    --role-name AWSLicenseManagerConsumptionRole