Beta
The AWS Marketplace integration is currently in beta. We are still testing it and behavior may change. Please share any feedback with Torii Support.
Overview
Torii integrates with AWS Marketplace and analyzes SaaS expenses:
| Default synced transaction types | Fields used for expense matching |
|---|---|
| AWS Marketplace charges (daily, grouped per AWS Marketplace service) | Service name |
- Torii will automatically match transactions to the correct application, summarize expenses and provide insights.
- Torii supports syncing multiple AWS Marketplace accounts.
- Torii syncs transaction data up to one year prior to first connection date.
- You can constantly stay updated with application information from our Integrations Page
>> Integration Capabilities button >> Integration Capabilities table.
Requirements
Accounts & Permissions
- An AWS account where you receive AWS Marketplace charges, with admin access to create IAM Policies and Roles.
- AWS Cost Explorer must be enabled in that account (it may take ~24 hours for the first data to appear after enabling).
Required keys
- To connect this integration, we require the following:
- Role ARN (Required)
How to Generate the Required Values
Step 1: Enable AWS Cost Explorer
- Open the AWS Billing console and go to Cost Explorer.
- Click Enable Cost Explorer. Initial data may take up to ~24 hours to populate.
Step 2: Create the IAM Policy
- Navigate to the IAM page in your AWS Console.
- Click Policies → Create Policy.
- In the JSON tab, paste the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage"
],
"Resource": "*"
}
]
}- Click Next, name the policy (for example, torii-marketplace-policy), and click Create Policy.
Step 3: Create the IAM Role
- Go to Roles → Create Role.
- Choose AWS Account → Custom trust policy.
- Paste the JSON below and replace sts:ExternalId with your Torii organization ID.
- (You can find your Org ID in the Torii URL: e.g., from https://app.toriihq.com/team/123456, the Org ID is 123456.)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::458158785647:role/torii-integration-delegator"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<Enter Your Torii Organization Id Here>"
}
}
}
]
}- Click Next. Search for the policy you created in Step 2, select it, and click Next.
- Name the role (for example, torii-marketplace-role) and click Create Role.
- After creation, search for the role and copy its ARN.
This trust policy adds two security protections:
- Least-privilege access: only Torii’s dedicated integration role (
torii-integration-delegator) is allowed to assume this role. - External ID validation: Torii must present your unique Torii organization ID when assuming the role, adding protection against unauthorized access and the confused-deputy problem.
How to Connect the Integration
- Go to the Integrations page in Torii.
- Search for AWS Marketplace and click Connect.
- Enter the required values:
- Role ARN (required)
- Click Connect to finalize the integration.
Additional Notes
Important
AWS Marketplace data is sourced via the AWS Cost Explorer API. Cost Explorer must remain enabled in your AWS account for syncs to succeed. If you see “AWS account is not subscribed to Cost Explorer,” enable it in the AWS Billing console and try again.
- Transactions are synced once daily. On each sync, the most recent 30 days are re-fetched to capture any back-dated charges from AWS.
- Coverage is limited to charges where
BILLING_ENTITY = AWS Marketplace— direct AWS service usage (e.g., EC2, S3) is not included.
For any further questions, please contact Torii Support.