Amazon Web Services Marketplace Private Marketplace and Amazon Organizations
Amazon Web Services Marketplace is a curated digital catalog that you can use to find, buy, deploy, and manage third-party software, data, and services that you need to build solutions and run your businesses. A private marketplace provides you with a broad catalog of products available in Amazon Web Services Marketplace, along with fine-grained control of those products.
Amazon Web Services Marketplace Private Marketplace enables you to create multiple private marketplace experiences that are associated with your entire organization, one or more OUs, or one or more accounts in your organization, each with its own set of approved products. Your Amazon administrators can also apply company branding to each private marketplace experience with your company or team’s logo, messaging, and color scheme.
For more information, see Using roles to configure Private Marketplace in Amazon Web Services Marketplace in the Amazon Web Services Marketplace Buyer Guide.
Use the following information to help you integrate Amazon Web Services Marketplace Private Marketplace with Amazon Organizations.
Service-linked roles created when you enable integration
The following service-linked role is automatically created in your organization's management account when you enable trusted access using the Amazon Web Services Marketplace Private Marketplace console. This role allows Private Marketplace to perform supported operations within your organization's accounts in your organization. You can delete or modify this role only if you disable trusted access between Amazon Web Services Marketplace Private Marketplace and Organizations and disassociate all private marketplace experiences in your organization.
If you enable trusted access directly from the Organizations console, CLI or SDK, the service-linked role is not created automatically.
-
AWSServiceRoleForPrivateMarketplaceAdmin
Service principals used by the service-linked roles
The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Private Marketplace grant access to the following service principals:
-
private-marketplace.marketplace.amazonaws.com
Enabling trusted access with Private Marketplace
For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.
You can enable trusted access using either the Amazon Web Services Marketplace Private Marketplace console or the Amazon Organizations console.
Important
We strongly recommend that whenever possible, you use the Amazon Web Services Marketplace Private Marketplace console or tools to enable integration with Organizations. This lets Amazon Web Services Marketplace Private Marketplace perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by Amazon Web Services Marketplace Private Marketplace. For more information, see this note.
If you enable trusted access by using the Amazon Web Services Marketplace Private Marketplace console or tools then you don’t need to complete these steps.
To enable trusted access using the Private Marketplace console
See Getting started with Private Marketplace in the Amazon Web Services Marketplace Buyer Guide.
You can enable trusted access by using either the Amazon Organizations console, by running a Amazon CLI command, or by calling an API operation in one of the Amazon SDKs.
Disabling trusted access with Private Marketplace
For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.
You can disable trusted access using only the Organizations tools.
You can disable trusted access by running a Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.
Enabling a delegated administrator account for Private Marketplace
The management account administrator can delegate Private Marketplace administrative permissions to a designated member account known as delegated administrator. To register an account as a delegated administrator for the private marketplace, the management account administrator must ensure that trusted access and the service-linked role are enabled, choose Register a new administrator, provide the 12-digit Amazon account number, and choose Submit.
Management accounts and delegated administrator accounts can perform Private Marketplace administrative tasks, such as creating experiences, updating branding settings, associating or disassociating audiences, adding or removing products, and approving or declining pending requests.
To configure a delegated administrator using the Private Marketplace console, see Creating and managing a private marketplace in the Amazon Web Services Marketplace Buyer Guide.
You can also configure a delegated administrator by using
the Organizations RegisterDelegatedAdministrator API. For more information, see
RegisterDelegatedAdministrator in the Organizations
Command Reference.
Disabling a delegated administrator for Private Marketplace
Only an administrator in the organization management account can configure a delegated administrator for Private Marketplace.
You can remove the delegated administrator using either the Private Marketplace console or API, or
by using the Organizations DeregisterDelegatedAdministrator CLI or SDK
operation.
To disable the delegated admin Private Marketplace account using the Private Marketplace console, see Creating and managing a private marketplace in the Amazon Web Services Marketplace Buyer Guide