# Permissions required to track seller issued license usage in License Manager To get started with this feature, you need permission to call the following License Manager API actions. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "license-manager:CreateLicense", "license-manager:CreateLicenseVersion", "license-manager:ListLicenses", "license-manager:ListLicenseVersions", "license-manager:GetLicense", "license-manager:DeleteLicense", "license-manager:CheckoutLicense", "license-manager:CheckInLicense", "license-manager:ExtendLicenseConsumption", "license-manager:GetLicenseUsage", "license-manager:CreateGrant", "license-manager:CreateGrantVersion", "license-manager:DeleteGrant", "license-manager:GetGrant", "license-manager:ListDistributedGrants" ], "Resource": "*" } ] } ``` ------ If you will integrate with License Manager so customers without an Amazon account can consume licenses sold outside of Amazon Web Services Marketplace, you must create an IAM role that enables your software application to call the License Manager API. If you use the Amazon Web Services Management Console to distribute temporary credentials for customers without an Amazon Web Services account, License Manager will automatically create the `AWSLicenseManagerConsumptionRole` on your behalf. For more information, see [Get temporary credentials for ISV customers without an Amazon account](granting-temporary-credentials.md). To create this role from the Amazon CLI, use the Amazon IAM [create-role](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-role.html) command, as shown in the following example. ``` aws iam create-role --role-name AWSLicenseManagerConsumptionRole --description "Role used to consume licenses using Amazon License Manager" --max-session-duration 3600 --assume-role-policy-document file://trust-policy-document.json ``` The provided `trust-policy-document.json` file should look like the following example, with your own Amazon Web Services account ID substituted as the token issuer account. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "openid-license-manager.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "ForAnyValue:StringLike": { "openid-license-manager.amazonaws.com:amr": "aws:license-manager:token-issuer-123456789012:{{123456789012}}" } } } ] } ``` ------ Next, use the [attach-role-policy](https://docs.amazonaws.cn/cli/latest/reference/iam/attach-role-policy.html) command to add the **AWSLicenseManagerConsumptionPolicy** Amazon managed policy to the **AWSLicenseManagerConsumptionRole** role. ``` aws iam attach-role-policy --policy-arn arn:aws-cn:iam::aws:policy/service-role/AWSLicenseManagerConsumptionPolicy --role-name AWSLicenseManagerConsumptionRole ```