I like using IAM (Identity and Access Management) to create users/groups with specific permissions for specific purposes.
The Product Advertising API requires use of an access key (request param is AWSAccessKeyId) and IAM can generate access keys, but I don't see a way to give IAM users/groups access to only the Product Advertising API.
Anyone know if this can be done? Or do you know of a workaround?
Reading the mentioned thread IAM policies for Amazon Product API entirely reveals, that the questioner actually tried to to just that, i.e. use IAM access keys to access the Product Advertising API, but apparently to no avail. So I'm afraid the mentioned AWS team response has to be taken literally and your use case is not covered yet by IAM, unfortunately.
AWS Identity and Access Management (IAM) doesn't currently support the Product Advertising API (see the AWS team response to IAM policies for Amazon Product API), but assuming the IAM access keys as such do work there as well, you could deny your users/groups access to every other AWS service supporting IAM by means of a respective IAM policy at least (which should cover the majority of critical ones). The recommended AWS Policy Generator can help in crafting a respective policy, which might actually be as simple as this (I just selected Effect -> Deny and checked the AWS Service -> All Services checkbox):
{
"Statement": [
{
"Sid": "Stmt1331670627168",
"Action": "*",
"Effect": "Deny",
"Resource": "*"
}
]
}