Skip to Content
IntegrationsVendor portalsAWS Partner Central

AWS Partner Central

Cotillion’s AWS integration ships registered deals into the AWS Partner Central — Customer Engagements (ACE) program. Once connected, every opportunity you mark for AWS in Cotillion is mapped to the ACE schema and created / updated through the AWS Partner Central Selling API on your behalf — no manual re-keying in the Partner Central UI.

Before you begin — you’ll create an IAM role in your AWS account that trusts Cotillion’s AWS account. Cotillion never holds long-lived AWS keys; it assumes the role with a per-tenant ExternalId at request time.

At a glance

ItemValue
AuthenticationAWS STS AssumeRole with ExternalId (no static keys)
API surfaceAWS Partner Central Selling API (partnercentral-selling)
CatalogsAWS (production) or Sandbox (validation)
DirectionWrite — Cotillion creates / updates ACE opportunities
CredentialsStored as roleArn only — KMS-encrypted at rest. The ExternalId is a unique identifier for your organization, held server-side and supplied to STS at AssumeRole time — never persisted on the integration row
Session lifetimeShort-lived STS credentials, refreshed automatically (2-minute skew before expiry)

How the connection works

Cotillion backend ──AssumeRole(roleArn, ExternalId=<tenant>)──▶ AWS STS │ │ │◀──── temporary AccessKey/SecretKey/SessionToken ─────────────┘ └──── PartnerCentralSellingClient(credentials, region) ──▶ AWS Partner Central

The trust policy you put on the IAM role pins two identities:

  1. Principal — Cotillion’s production AWS account (arn:aws:iam::<COTILLION_ACCOUNT_ID>:root), so only Cotillion can call sts:AssumeRole on your role.
  2. ExternalId — a unique identifier for your organization that Cotillion shows you on the connect screen and supplies to STS at every AssumeRole call. This binds the IAM role to your tenant — even another Cotillion tenant inside the same AWS account cannot assume your role by accident (defends against the confused-deputy problem ).

Setup

Step 1 — Get connection parameters from Cotillion

  1. Sign in to your Cotillion workspace at cotillion.indyrct.com .
  2. Open Vendor portals in the sidebar → pick AWS → switch to the Connection Information tab.
  3. The screen gives you everything for the next step:
    • Role name — create your role with exactly this name (CotillionPartnerCentralAccess). The name is not free-form: Cotillion builds the role ARN from your account id + this fixed name, so a differently-named role will not be found.
    • Trust policy — a ready-to-paste JSON block with Cotillion’s account id and your organization’s ExternalId already filled in. Copy the whole block; you don’t assemble it by hand.
    • AWS Partner Central catalog (Sandbox or AWS; just informational — tells you which Partner Central directory this Cotillion environment is wired against).

Copy the trust policy; you’ll paste it in the next step.

Step 2 — Create the IAM role in your AWS account

In your AWS Console, switch to the account that owns your AWS Partner Central registration and open IAM → Roles → Create role.

  1. Choose Custom trust policy and paste the trust policy from Step 1 — Cotillion already filled in its account id and your ExternalId, so you copy it as-is. It looks like this:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::COTILLION_ACCOUNT_ID:root" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "EXTERNAL_ID_FROM_COTILLION" } } } ] }
  2. Attach the AWS managed policies Cotillion needs. In the role’s permissions step, search for and attach:

    • AWSPartnerCentralOpportunityManagement — required. Grants the Partner Central Selling API surface Cotillion uses (ListOpportunities, GetOpportunity, CreateOpportunity, UpdateOpportunity, AssociateOpportunity, SubmitOpportunity, StartEngagementFromOpportunityTask, …).
    • AWSMcpServiceActionsFullAccess — required. Grants partnercentral:UseSession, which lets Cotillion’s in-product AI assistant talk to AWS’s hosted Partner Central agent on your behalf (read-only Q&A about funding eligibility, programs, AWS-side status).
    • PartnerCentralIncentiveBenefitManagement — optional. Required only if you intend to register opportunities for AWS incentive / funding benefit programs through Cotillion. Safe to attach proactively.

    We recommend AWS managed policies (above) over an inline policy with a hand-curated action list because AWS extends the managed policies as the Partner Central Selling API surface evolves — your role keeps working when new actions are added, with no IAM edits on your side.

  3. Name the role exactly CotillionPartnerCentralAccess and finish. This name is required — Cotillion builds the role ARN from your account id and this fixed name, so a renamed or differently-named role will not be found.

  4. Note your 12-digit AWS Account ID (the account you just created the role in) — that is the only value Cotillion needs from you.

Do not narrow Resource to a specific opportunity ARN. AWS Partner Central Selling APIs are account-level — the resource on every action is *. Tighter ARNs make the policy invalid; AWS will silently deny calls with a misleading “no permissions” error.

Step 3 — Provide your AWS Account ID to Cotillion

  1. Return to the Cotillion AWS Partner Central setup screen → Connect tab.
  2. Enter your 12-digit AWS Account ID (the account you created the role in) into the AWS Account ID field. That’s all — you do not paste a role ARN. Cotillion builds it for you as arn:aws:iam::<your-account-id>:role/CotillionPartnerCentralAccess.
  3. Click Test & Connect. The region is fixed to us-east-1 — AWS Partner Central is single-region, there is no region selector. The catalog (Sandbox or AWS) is set by Cotillion per environment and shown in the Connection Information tab — it is not a choice on the Connect form.

What happens automatically:

  • ✅ Cotillion builds the role ARN from your account id + the fixed role name and calls sts:AssumeRole with it and your ExternalId.
  • ✅ Calls ListOpportunities(MaxResults=1) to confirm the role’s partnercentral-selling permissions are correct.
  • ✅ Stores only the derived role ARN, KMS-encrypted at rest. The ExternalId stays server-side (resolved per tenant on every call) and is never persisted on the integration row. No AWS access keys are ever held.

How registration works

Once connected, the flow for shipping a deal from Cotillion to AWS is:

  1. Propose — AI maps your Cotillion deal (and selected AWS Products from the AWS Products catalog) into the ACE payload shape.
  2. Refine — you can edit fields directly or re-prompt the AI with a natural-language hint (e.g. “set sales involvement to co-sell”).
  3. Write — Cotillion calls CreateOpportunity (first time) or UpdateOpportunity (subsequent edits) under your assumed role, then AssociateOpportunity to attach the relevant AWS Products.
  4. Submit — when you press Submit in Cotillion, it calls SubmitOpportunity, which hands the opportunity off to AWS for AM review.
  5. Engagement — for opportunities that progress to an ACE engagement, Cotillion calls StartEngagementFromOpportunityTask and polls ListEngagementFromOpportunityTasks for the task state.

Mapping is informed by an AWS field-rules table (per-field allowed values, max lengths, state transitions) generated from the AWS Partner Central Selling SDK. AWS performs authoritative server-side validation on every submission; rejections are translated into typed errors in Cotillion with the field-level reason attached, so the opportunity stays in Draft until the offending field is corrected.

What you can verify

If you’re an auditor reviewing AWS access:

  • CloudTrail in your AWS account logs every AssumeRole call against this role, with the source account (Cotillion’s) and the ExternalId used. Filter by eventName = AssumeRole and requestParameters.roleArn.
  • Partner Central UI → Opportunities → Filter “Submitted by API” shows every opportunity Cotillion created on your behalf. The AssumeRole session name (vendor-service-<uuid>) appears in your CloudTrail audit trail alongside the call.
  • Cotillion’s operational dashboards count every Partner Central Selling API call per tenant — request via support if you need an export.

Reference

Troubleshooting

PRM_AUTH_FAILED — AWS access denied on Test & Connect

The IAM role’s trust policy doesn’t allow Cotillion’s account to assume it, OR the ExternalId is wrong. Re-check both — the ExternalId is case-sensitive.

PRM_AUTH_FAILED — AWS rejected identity token

The role’s trust policy is structurally invalid (wrong JSON shape, or references a non-existent principal). Validate the policy with aws iam validate-policy (or the IAM console’s policy validator) and re-create the role.

Opportunity rejected with a validation error

AWS Partner Central rejected one or more fields (typically a PrimaryNeedFromAws enum value outside the allowed set, or a TargetCloseDate more than 24 months out). The opportunity stays in Draft in Cotillion with the AWS validation reason attached; edit the offending field and re-submit.

STS session expires mid-batch

The role’s Max session duration is set to AWS’s default 1 hour. Bump it to 4–12 hours in IAM → Role → Edit. Cotillion refreshes credentials 2 minutes before expiry, but a single long-running submission run may exceed a 1-hour session.


For the AWS-side review process (Partner Central enrolment, sandbox access, OLAs), contact your AWS Partner Manager. For Cotillion-side issues, email [email protected].

Last updated on