Why Clazar Requests Access for Co-Sell Roles in Your AWS Environment

Last updated: June 25, 2025

To enable seamless co-sell workflows with AWS and support the APN CRM onboarding process, Clazar provisions a secure set of roles in your environment. This support article explains what access the Clazar Co-Sell Roles Stack requests, why it is necessary, and how we ensure security and control throughout the process.

🔍 What This Stack Does

The Clazar Co-Sell Roles Stack provisions roles and supporting infrastructure to automate co-sell data syncing between your AWS account and Clazar’s backend, particularly for use in AWS Partner Network (APN) CRM processes.

🚀 Key Components Deployed

1. IAM Roles for Co-Sell Environments

  • Roles Created:

    • SandboxRole

    • ProductionRole

  • Purpose: These roles allow Clazar to securely interact with your APN CRM data for sandbox and production usage.

  • Scoped Access: The roles are created using a secure external ID and are limited to predefined permissions relevant to APN CRM onboarding.

2. Reporter Lambda Function

  • Component: A Lambda function called ClazarCosellReporterFunction.

  • Purpose: Used to report co-sell resource creation and sync details between your AWS account and Clazar’s API.

  • Security: The function is deployed with a limited-role IAM execution policy to prevent over-privileged access.

3. Custom Resource Invocation

  • What It Does: After provisioning the above resources, this component calls Clazar’s backend API with metadata and resource identifiers to complete onboarding.

  • Secure Handshake: Uses a one-time secret key and AWS account metadata to authenticate the call.


🛡 Why This Access Is Required

| Component | Need | What Clazar Does |
|---|---|---|
| IAM Roles (Sandbox & Production) | Required by AWS APN CRM to process co-sell records | Secure access for pushing CRM data to AWS |
| Reporter Function | Sync stack metadata with Clazar API | Triggers post-deployment configuration & validation |
| Clazar API Callback | Ensure successful onboarding with real-time validation | Receives stack metadata, role ARNs |


🧩 Optional Role Reuse

If you already have existing IAM roles for sandbox and production:

  • You can pass their ARNs directly into the stack parameters.

  • Clazar will not create new roles and will instead reuse what’s provided.


🔐 Security & Compliance Highlights

  • Scoped Role Access: IAM permissions are limited to AWS co-sell workflows and never grant unnecessary access.

  • External ID: Prevents unauthorized cross-account access by enforcing AWS security best practices.

  • Ephemeral Secret: This ClazarSecretKey is a one-time, time-bound secret for authenticating the deployment.

  • Auditability: All CloudFormation resources and permissions are fully reviewable before deployment.


Configurable Parameters

| Parameter | Description |
|---|---|
| SandboxRole | ARN or name of the sandbox IAM role |
| ProductionRole | ARN or name of the production IAM role |
| ClazarExternalId | Secure ID used by Clazar to assume the roles |
| ClazarSecretKey | One-time secret used to authenticate the deployment |
| ClazarSellerId | Unique identifier for your Clazar account |


💬 Need Assistance?

If you're unsure about the role permissions or how to tailor the stack for your environment, reach out to our support team. We're happy to assist with reviews or walkthroughs with your security team.