
IAM Permissions Reference

A complete audit of every IAM permission used by Vell Cloud Connectors, whether each is required or optional, which Vell features depend on it, and what happens if it's missing.

Who is this for?

This page is designed to be shared between the partner listing administrator (the person using Vell) and the IAM/security administrator (the person managing AWS permissions). When disagreements arise about what permissions are needed, this page is the single source of truth.


Quick Reference

Required vs Optional Summary

| Permission Group | Actions | Required | Vell Features |
|---|---|---|---|
| Marketplace Catalog Read | 4 | Yes | Listing sync, AI generation, change tracking |
| Marketplace Catalog Write | 2 | No | Publish listings, cancel changes |
| Marketplace Agreement Read | 3 | Yes | Pipeline dashboard, revenue metrics |
| Partner Central Selling Read | 6 | No | ACE opportunities, co-sell attribution |
| Partner Central Benefits Read | 5 | No | Funding program visibility |
| Partner Central Benefits Write | 6 | No | AI-assisted funding applications |

Minimum Viable Policy (Required Only)

If your security team wants the absolute minimum, deploy only these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VellMinimumRequired",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:DescribeEntity",
        "aws-marketplace:ListEntities",
        "aws-marketplace:DescribeChangeSet",
        "aws-marketplace:ListChangeSets",
        "aws-marketplace:SearchAgreements",
        "aws-marketplace:DescribeAgreement",
        "aws-marketplace:GetAgreementTerms"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyDangerousOperations",
      "Effect": "Deny",
      "Action": [
        "aws-marketplace:DeleteEntity",
        "iam:*",
        "organizations:*",
        "account:*"
      ],
      "Resource": "*"
    }
  ]
}

Minimum policy limitations

With only required permissions, Vell operates in read-only mode: listing sync and pipeline dashboards work, but publishing AI-generated listings to AWS Marketplace and all Partner Central features are disabled.


Detailed Permission Breakdown

AWS Marketplace Catalog API (Read)

Required: Yes
IAM Policy SID: MarketplaceCatalogReadAccess
Risk Level: Low (read-only)

| IAM Action | Purpose in Vell | What Breaks If Missing |
|---|---|---|
| aws-marketplace:DescribeEntity | Read individual listing details (product, offer, resale authorization) | Cannot view or sync any listing data |
| aws-marketplace:ListEntities | Enumerate all listings in the account | Cannot discover listings for AI generation |
| aws-marketplace:DescribeChangeSet | Read details of a specific change request | Cannot track change history or status |
| aws-marketplace:ListChangeSets | List all pending and completed changes | Cannot show change tracking in dashboard |

Vell Features:

  • Listing sync from AWS Marketplace
  • AI-powered listing content generation
  • Change tracking and history
  • Listing analytics dashboard

AWS Marketplace Catalog API (Write)

Required: No
IAM Policy SID: MarketplaceCatalogWriteAccess
Risk Level: Medium (creates change requests, but all changes go through AWS Marketplace review before going live)

| IAM Action | Purpose in Vell | What Breaks If Missing |
|---|---|---|
| aws-marketplace:StartChangeSet | Submit AI-optimized listing updates to AWS Marketplace | Cannot publish from Vell (manual copy-paste still works) |
| aws-marketplace:CancelChangeSet | Cancel a pending change request | Cannot cancel pending changes from Vell dashboard |

Vell Features:

  • One-click publish AI-generated listings
  • Cancel pending changes from dashboard

Safety note

Even with write permissions, Vell cannot make listings go live immediately. All changes submitted via StartChangeSet go through AWS Marketplace's review process before publication.


AWS Marketplace Agreement API

Required: Yes
IAM Policy SID: MarketplaceAgreementReadAccess
Risk Level: Low (read-only)

| IAM Action | Purpose in Vell | What Breaks If Missing |
|---|---|---|
| aws-marketplace:SearchAgreements | Search customer agreements/subscriptions | Pipeline dashboard shows no data |
| aws-marketplace:DescribeAgreement | Read agreement details | Cannot view individual agreement details |
| aws-marketplace:GetAgreementTerms | Read pricing and term details | Revenue metrics and term analysis unavailable |

Vell Features:

  • Pipeline dashboard
  • Revenue and conversion metrics
  • Agreement analytics
  • Customer subscription tracking

Partner Central Selling (ACE)

Required: No (enabled via EnablePartnerCentral=true in CloudFormation)
IAM Policy SID: PartnerCentralSellingRead
Risk Level: Low (read-only)
Region: us-east-1 only
Condition: partnercentral:Catalog must be AWS or Sandbox

| IAM Action | Purpose in Vell | What Breaks If Missing |
|---|---|---|
| partnercentral:ListOpportunities | List ACE co-sell opportunities | No opportunity data in Vell |
| partnercentral:GetOpportunity | Read opportunity details | Cannot view opportunity details |
| partnercentral:ListSolutions | List registered partner solutions | Cannot associate solutions with opportunities |
| partnercentral:GetAwsOpportunitySummary | Read AWS-side opportunity summary | Missing AWS context on opportunities |
| partnercentral:ListEngagementInvitations | List AWS-initiated referrals | Cannot track inbound referrals |
| partnercentral:GetEngagementInvitation | Read referral invitation details | Cannot view referral details |

Vell Features:

  • ACE opportunity sync and dashboard
  • Co-sell attribution analytics
  • Lead funnel metrics
  • AWS referral tracking
  • Partner Central integration in Marketing Dashboard

Account linking required

Even with correct IAM permissions, the AWS account must be linked to Partner Central at partnercentral.awspartner.com. If the permission tests pass but you see "account not linked" errors, linking the account is the fix.

Explicit Deny (Safety):

The CloudFormation template also includes explicit denies for Partner Central write operations:

| Denied Action | Reason |
|---|---|
| partnercentral:CreateOpportunity | Vell is read-only for ACE selling |
| partnercentral:UpdateOpportunity | Prevents accidental modifications |
| partnercentral:AssignOpportunity | Prevents ownership changes |
| partnercentral:AssociateOpportunity | Prevents association changes |
| partnercentral:DisassociateOpportunity | Prevents disassociation |
| partnercentral:StartEngagementByAcceptingInvitation | Prevents auto-accepting referrals |
| partnercentral:RejectEngagementInvitation | Prevents auto-rejecting referrals |

Partner Central Benefits / Funding (Read)

Required: No (enabled via EnablePartnerCentral=true)
IAM Policy SID: PartnerCentralBenefitsRead
Risk Level: Low (read-only)
Condition: partnercentral:Catalog must be AWS or Sandbox

| IAM Action | Purpose in Vell | What Breaks If Missing |
|---|---|---|
| partnercentral:ListBenefits | List available funding programs | Cannot browse funding programs |
| partnercentral:GetBenefit | Read funding program details | Cannot view program details |
| partnercentral:ListBenefitApplications | List submitted funding applications | Cannot track application status |
| partnercentral:GetBenefitApplication | Read application details | Cannot view application details |
| partnercentral:ListBenefitAllocations | List approved funding allocations | Cannot view approved funding |

Vell Features:

  • Funding program discovery
  • Application status tracking
  • Funding Wizard read support

Partner Central Benefits / Funding (Write)

Required: No (enabled via EnablePartnerCentral=true)
IAM Policy SID: PartnerCentralBenefitsWrite
Risk Level: Medium (creates/modifies funding applications)
Condition: partnercentral:Catalog must be AWS or Sandbox

| IAM Action | Purpose in Vell | What Breaks If Missing |
|---|---|---|
| partnercentral:CreateBenefitApplication | Create new funding applications | Must create applications manually in Partner Central |
| partnercentral:UpdateBenefitApplication | Update draft applications | Must update manually |
| partnercentral:SubmitBenefitApplication | Submit applications for review | Must submit manually |
| partnercentral:AmendBenefitApplication | Amend returned applications | Must amend manually |
| partnercentral:RecallBenefitApplication | Recall submitted applications | Must recall manually |
| partnercentral:CancelBenefitApplication | Cancel pending applications | Must cancel manually |

Vell Features:

  • AI-assisted funding application generation
  • One-click application submission
  • Application lifecycle management

Safety Rails (Explicit Denies)

The CloudFormation template includes explicit deny statements that cannot be overridden by other policies. These prevent Vell from performing dangerous operations even if broader permissions are granted elsewhere in the account.

| Denied Action | Reason |
|---|---|
| aws-marketplace:DeleteEntity | Prevents listing deletion |
| iam:* | Prevents any IAM changes |
| organizations:* | Prevents organization modifications |
| account:* | Prevents account-level changes |

Trust Relationship

The IAM role uses a cross-account trust policy with External ID validation:

AssumeRolePolicyDocument:
  Version: '2012-10-17'
  Statement:
    - Effect: Allow
      Principal:
        AWS: 'arn:aws:iam::253265132499:root'
      Action: 'sts:AssumeRole'
      Condition:
        StringEquals:
          'sts:ExternalId': <your-unique-external-id>

| Security Property | Value |
|---|---|
| Trusted Account | 253265132499 (Vell) |
| External ID | Unique per connection (vell- + 32 random chars) |
| Max Session Duration | 3600 seconds (1 hour) |
| Confused Deputy Protection | Yes (External ID required) |
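A check of a deployed role's trust policy against the properties in the table above, as an added example that is not Vell's code. It takes the trust document in the form `aws iam get-role` returns it (Role.AssumeRolePolicyDocument), assumes the random part of the External ID is alphanumeric, and the sample document and its External ID are constructed.

```python
import re

VELL_ACCOUNT = "253265132499"  # trusted account from the table above
MAX_SESSION = 3600             # expected maximum session duration in seconds
# External ID format from the table: "vell-" followed by 32 random characters.
# Assumption: the random part is alphanumeric; widen the class if Vell issues more.
EXTERNAL_ID_RE = re.compile(r"^vell-[A-Za-z0-9]{32}$")

def _as_list(value):
    return [] if value is None else ([value] if isinstance(value, str) else list(value))

def check_trust_policy(doc, max_session_duration=None):
    """Audit a trust policy dict (Role.AssumeRolePolicyDocument from `aws iam get-role`).
    Returns a list of findings; an empty list means the policy matches this page."""
    findings, assume_stmts = [], 0
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        assume_stmts += 1
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for arn in arns:
            account = arn.split(":")[4] if arn.count(":") >= 5 else arn  # bare IDs are valid too
            if "*" in arn:
                findings.append("wildcard principal: any AWS account could assume the role")
            elif account != VELL_ACCOUNT:
                findings.append(f"principal outside the Vell account: {arn}")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append("no sts:ExternalId condition: confused-deputy protection is missing")
        for ext_id in ext_ids:
            if not EXTERNAL_ID_RE.fullmatch(ext_id):
                findings.append(f"External ID does not match vell- + 32 chars: {ext_id}")
    if assume_stmts == 0:
        findings.append("no Allow statement for sts:AssumeRole")
    if max_session_duration is not None and max_session_duration > MAX_SESSION:
        findings.append(f"MaxSessionDuration {max_session_duration}s exceeds {MAX_SESSION}s")
    return findings

# Constructed sample: the trust policy above with a made-up External ID.
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VELL_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "vell-0123456789abcdef0123456789abcdef"}},
    }],
}
```

Feed it the `Role.AssumeRolePolicyDocument` object and `Role.MaxSessionDuration` from `aws iam get-role --role-name <your-role-name>`; any finding is something to raise with the IAM administrator before connecting.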

Connection Testing

Vell provides a built-in Connection Test feature that validates each permission individually. After connecting, navigate to:

Cloud Connectors > Your Connection > Test Connection

The test will:

  1. Attempt to AssumeRole with your External ID
  2. Test each permission group individually
  3. Report pass/fail per permission with error details
  4. Show which Vell features are affected by any failures
  5. Provide specific fix recommendations for your IAM administrator

This eliminates the back-and-forth between listing administrators and security teams when diagnosing permission issues.
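A local static check that approximates steps 2 to 4 of the Connection Test for a policy document before it is deployed, as an added example that is not Vell's own test code. The group-to-action mapping is copied from the tables above (the three Marketplace groups only; the Partner Central groups fit the same shape), the IAM evaluation is simplified to Allow/Deny matching on Action with wildcards (Resource and Condition are ignored), and the sample policy is constructed.

```python
import fnmatch
import json

# Permission groups from the tables above: (required?, actions, affected Vell features).
# Only the three Marketplace groups are listed; Partner Central groups fit the same shape.
GROUPS = {
    "Marketplace Catalog Read": (True, [
        "aws-marketplace:DescribeEntity", "aws-marketplace:ListEntities",
        "aws-marketplace:DescribeChangeSet", "aws-marketplace:ListChangeSets"],
        "Listing sync, AI generation, change tracking"),
    "Marketplace Catalog Write": (False, [
        "aws-marketplace:StartChangeSet", "aws-marketplace:CancelChangeSet"],
        "Publish listings, cancel changes"),
    "Marketplace Agreement Read": (True, [
        "aws-marketplace:SearchAgreements", "aws-marketplace:DescribeAgreement",
        "aws-marketplace:GetAgreementTerms"], "Pipeline dashboard, revenue metrics"),
}

def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)

def is_allowed(policy, action):
    """Simplified IAM evaluation for one action: a matching Deny always wins, otherwise
    a matching Allow is needed. Names are case-insensitive; '*'/'?' wildcards honoured."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _actions(stmt)):
            if stmt.get("Effect") == "Deny":
                return False  # explicit deny overrides any allow
            allowed = True
    return allowed

def audit(policy_json):
    """Per group: required flag, affected features and the actions the policy lacks."""
    policy = json.loads(policy_json)
    return {g: {"required": req, "features": feat,
                "missing": [a for a in acts if not is_allowed(policy, a)]}
            for g, (req, acts, feat) in GROUPS.items()}

def blocking_failures(report):
    """Required groups with at least one missing action: these break core Vell features."""
    return sorted(g for g, r in report.items() if r["required"] and r["missing"])
# Constructed sample: the Minimum Viable Policy above with ListChangeSets left out.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "aws-marketplace:DescribeEntity", "aws-marketplace:ListEntities",
        "aws-marketplace:DescribeChangeSet", "aws-marketplace:SearchAgreements",
        "aws-marketplace:DescribeAgreement", "aws-marketplace:GetAgreementTerms"]},
    {"Effect": "Deny", "Resource": "*", "Action": ["aws-marketplace:DeleteEntity", "iam:*"]}]})
```

Run `audit` on the policy JSON your IAM administrator proposes; for the constructed sample it reports Marketplace Catalog Read as missing ListChangeSets, which is exactly the kind of gap that would otherwise surface only as a failed Connection Test.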


Deployment Options

Full Deployment (Marketplace + Partner Central)

Deploy the standard CloudFormation template with EnablePartnerCentral=true:

aws cloudformation create-stack \
  --stack-name vell-marketplace-role \
  --template-url https://templates.vell.ai/templates/vell-aws-marketplace-role.yaml \
  --parameters \
    ParameterKey=ExternalId,ParameterValue=<your-external-id> \
    ParameterKey=EnablePartnerCentral,ParameterValue=true \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-east-1

Marketplace Only (No Partner Central)

Deploy with EnablePartnerCentral=false to exclude all Partner Central permissions:

aws cloudformation create-stack \
  --stack-name vell-marketplace-role \
  --template-url https://templates.vell.ai/templates/vell-aws-marketplace-role.yaml \
  --parameters \
    ParameterKey=ExternalId,ParameterValue=<your-external-id> \
    ParameterKey=EnablePartnerCentral,ParameterValue=false \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-east-1

Custom Minimum (Read-Only)

Use the Minimum Viable Policy above to create a custom IAM policy with only required read permissions.


FAQ

Can I grant only some of the optional permissions?

Yes. The optional permission groups are independent. For example, you can enable Partner Central Selling (ACE) without Benefits (Funding), or vice versa. Each group is a separate IAM policy statement.

What if my security team won't approve write permissions?

Vell works in read-only mode without write permissions. You can sync listings, view pipeline data, and track metrics. To publish AI-generated listings, you would need to copy the content manually into the AWS Marketplace console.

How do I add permissions later?

Update the CloudFormation stack with a new parameter value:

aws cloudformation update-stack \
  --stack-name vell-marketplace-role \
  --use-previous-template \
  --parameters \
    ParameterKey=ExternalId,UsePreviousValue=true \
    ParameterKey=EnablePartnerCentral,ParameterValue=true \
  --capabilities CAPABILITY_NAMED_IAM

Can Vell escalate its own permissions?

No. The explicit deny on iam:* prevents Vell from modifying any IAM resources, including its own role. This is enforced at the AWS level and cannot be overridden by Vell.

How do I audit what Vell actually does?

Enable AWS CloudTrail in your account. All API calls made by the assumed role will be logged with the session name vell-connection-validation-* or vell-*.