AWS Marketplace Setup
Connect your AWS Marketplace seller account to Automatum for seamless integration.
Prerequisites
Before connecting your AWS account, ensure you have:
- An active AWS Marketplace seller account
- IAM permissions to create roles and policies
- Your AWS Account ID
- Automatum organization created
Integration Overview
Automatum uses AWS IAM role assumption to securely access your AWS Marketplace data. This approach:
- ✅ Follows AWS security best practices
- ✅ Grants only necessary permissions
- ✅ Can be revoked at any time
- ✅ Provides audit trails
Step 1: Create IAM Role
The easiest way to set up the IAM role is using our CloudFormation template:
Option A: CloudFormation Template (Recommended)
- Download the CloudFormation template from your Automatum dashboard
- Navigate to AWS Console > CloudFormation > Create Stack
- Upload the template
- Enter the required parameters:
- ExternalId: Copy from Automatum dashboard (Settings > Integrations > AWS Marketplace)
- S3BucketName: Name for analytics data (e.g.,
your-company-aws-marketplace-analytics) - SetupAnalytics: Choose
trueto enable analytics
- Click Create Stack
Option B: Manual Setup
Create an IAM role named AutomatumCrossAccount with this trust policy:
json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::909302513239:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "YOUR_EXTERNAL_ID"
}
}
}
]
}External ID
The External ID is auto-generated and provided in the Automatum platform under Settings > Integrations > AWS Marketplace. Copy it exactly as shown.
Step 2: Attach Required Policies
CloudFormation Template
If you used the CloudFormation template, these policies are automatically attached. Skip to Step 3.
Managed Policy (Required)
Attach this AWS managed policy to the role:
AWSMarketplaceFullAccess- Required for syncing listings, creating private offers, and managing marketplace entities
Required for Core Features
This managed policy provides access to the AWS Marketplace Catalog API, which is essential for:
- Syncing products from AWS Marketplace
- Creating and managing private offers
- Updating product information
- Managing changesets
Custom Policies (Required)
Add these two inline policies to the role:
Policy 1: AWSMarketplaceActions
Enables customer entitlement synchronization and usage metering:
json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aws-marketplace:GetEntitlements",
"aws-marketplace:BatchMeterUsage",
"aws-marketplace:ResolveCustomer"
],
"Resource": "*"
}
]
}Policy 2: AWSMarketplaceAutomatumIntegration
Enables real-time event notifications from AWS Marketplace:
json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",
"cloudformation:CreateChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"sns:Subscribe",
"sns:Unsubscribe",
"sqs:CreateQueue",
"sqs:SetQueueAttributes",
"sqs:GetQueueAttributes",
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"iam:CreatePolicy",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Resource": "*"
}
]
}What Each Policy Does
| Policy | Purpose | Used For |
|---|---|---|
| AWSMarketplaceFullAccess | Marketplace Catalog API access | Syncing listings, creating private offers, updating products |
| AWSMarketplaceActions | Customer & metering operations | Fetching customer entitlements, submitting usage data |
| AWSMarketplaceAutomatumIntegration | Event notification infrastructure | Setting up SNS/SQS for real-time marketplace events |
Step 3: Configure in Automatum
Connect Your AWS Account
- Navigate to Settings > Integrations > AWS Marketplace
- Note the External ID displayed (you used this in Step 1)
- Enter your AWS Account ID
- Click Test Connection
- If successful, click Save
The connection test verifies:
- IAM role exists with name
AutomatumCrossAccount - Trust policy is configured correctly
- External ID matches
- Required permissions are attached
Step 4: Sync Products
After connecting your account:
- Go to Listings
- Click Sync from AWS
- Select the products you want to manage in Automatum
- Click Import Selected
Initial Sync
The first sync may take several minutes depending on the number of products and offers in your AWS Marketplace account.
Verification
Verify your integration is working:
- Check that your products appear in the Listings page
- Verify that existing private offers are visible
- Try creating a test private offer
- Check that metrics are updating
Troubleshooting
Connection Failed
Error: Access Denied
- Verify the IAM role trust relationship includes Automatum's account
- Check that the External ID matches exactly
- Ensure the role has the required policies attached
Error: Invalid Role Name
- Ensure the role is named exactly
AutomatumCrossAccount - Verify the role exists in your AWS account
- Check the ARN format:
arn:aws:iam::ACCOUNT_ID:role/AutomatumCrossAccount
Products Not Syncing
- Ensure your AWS Marketplace seller account has published products
- Check that the IAM role has marketplace:ListEntities permission
- Try manually triggering a sync from Listings > Sync from AWS
Offers Not Creating
- Verify the IAM role has marketplace:StartChangeSet permission
- Check that the product is published and active
- Ensure pricing information is complete
Security Best Practices
- Enable CloudTrail to audit all API calls made by Automatum
- Use Service Control Policies to restrict role usage if needed
- Review IAM policies regularly to ensure least privilege
- Rotate External IDs periodically (regenerate in Automatum dashboard)
- Monitor Role Usage through CloudWatch and IAM Access Analyzer
Next Steps
Need Help?
Contact support@automatum.io or use the in-app chat for assistance with AWS integration.