amz-tools / amazon-sp-api

Amazon Selling Partner API Client
MIT License
238 stars 121 forks

CustomError: Access to requested resource is denied. #38

Closed jamesaq12wsx closed 3 years ago

jamesaq12wsx commented 3 years ago

I'm trying to migrate our application from MWS to an SP-API hybrid. We are using the "fe" region and the Japan marketplace ID "A1VC38T7YXB528". I saw issue #34 and checked the settings on Seller Central; I changed the existing application to a hybrid type and assigned IAM to get the LWA client ID and secret.

I use this endpoint:

```javascript
let res = await sellingPartner.callAPI({
  operation: 'getMarketplaceParticipations',
  endpoint: 'sellers'
});
console.log(res);
```

This is what I get from the response:

```
CustomError: Access to requested resource is denied.
    at SellingPartner.callAPI (C:\Users\James Lin\Workspace\amz-sp-api-demo\node_modules\amazon-sp-api\lib\SellingPartner.js:572:13)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at async C:\Users\James Lin\Workspace\amz-sp-api-demo\index.js:19:19 {
  code: 'Unauthorized',
  details: '',
  type: 'error'
}
```

I checked my access key on AWS; it shows the last usage as "2021-06-11 10:30 PDT with sts in us-east-1", but based on the document, for the Far East "fe" region the host region should be us-west-2. Is this the reason for this issue? Where should I change it? My understanding is that IAM doesn't have a region.

Thanks for your help.

amz-tools commented 3 years ago

Hi @jamesaq12wsx,

the AWS region is set correctly for the API requests (see Signer.js, lines 8 - 12). For the STS call, which is used for fetching the security token, it might be the problem. We are using "us-east-1" as the default for all three regions (eu, na and fe).

The reason behind it was that, when we developed the first version of the client, "us-east-1" was working for the "eu" region as well, while "eu-west-1" was not. So we don't fill that in dynamically and, to be honest, we never rechecked that as no issues have occurred yet.

You can try changing it in the signRoleCredentialsRequest function starting at line 135 in Signer.js. But of course there can be numerous other reasons why access is denied.

jamesaq12wsx commented 3 years ago

@amz-tools Thank you for the prompt response. I modified signRoleCredentialsRequest in Signer.js, and now I can't even get the access_code from STS. Do you have any idea what may cause this issue? I followed the steps in the Amazon documents to create those credentials.

amz-tools commented 3 years ago

@jamesaq12wsx

Have you tried setting auto_request_tokens to false and calling the refreshRoleCredentials function manually? If you can confirm that doesn't work, then I would suggest you double-check that you set the right environment vars. If you did, then I would suggest you start the whole creation of the IAM user and role all over and retry.

jamesaq12wsx commented 3 years ago

@amz-tools Thanks for the suggestion. I tried requesting the access token and role credentials manually. It works; I could get those credentials. Do I still have to recreate the whole IAM user and role setting?

amz-tools commented 3 years ago

@jamesaq12wsx That's great! But the endpoint and operation calls (i.e. getMarketplaceParticipations) are still not working? Then you should make sure that you really have the right IAM role/user assigned to the app, and if it's correct and still not working, you could try to start again with the whole IAM user/policy/role setup to make sure it is really correct.

jamesaq12wsx commented 3 years ago

@amz-tools I found this message in the SP-API docs. [image]

But I mis-registered the application with the IAM user. Now I have attached the policy to the IAM user; I hope this could work out. Or is it possible to change the IAM of the Seller Central application?

amz-tools commented 3 years ago

@jamesaq12wsx It seems as if you can't. The IAM field is unclickable when trying to edit it. Maybe you could open a support ticket with Amazon and ask them about it. Or you just create a new app, even if it's still in draft mode: if you set up everything correctly, it should be working with your own refresh_token.

Bowserlord commented 3 years ago

Hello together, I'm getting the same error:

{"message":"Access to requested resource is denied.","code":"Unauthorized","details":"","type":"error"}

We registered our app with the role ARN (according to the Amazon documentation). We are using the "eu" region. Could the error occur because our Amazon developer account is not active ("Your account has been deactivated")? I'm getting STS tokens when calling sts.amazonaws.com with the role ARN.

Any idea what could be the problem here?

Thanks for help.

amz-tools commented 3 years ago

@Bowserlord Yes, this will definitely be a problem. You would need an active professional seller account to be able to use the SP-API, see the first question and answer here in the SP FAQs.

Bowserlord commented 3 years ago

@amz-tools Thank you very much for answering. After using an active account, it worked.

jamesaq12wsx commented 3 years ago

Hi everyone and @amz-tools, why do we have to use refresh_token for the instance which is using callAPI? I couldn't find any place using refresh_token. Is it used for automatically retrieving the access_token?

amz-tools commented 3 years ago

Hi @jamesaq12wsx,

not sure if I understand the question correctly; the refresh_token is used in the refreshAccessToken function, which can be called manually or will be called automatically when the client notices that the access_token is expired or invalid and the auto_request_tokens option is set to true.

amz-tools commented 3 years ago

@jamesaq12wsx Any issues left or can we close this issue?

jamesaq12wsx commented 3 years ago

@amz-tools No thanks. I found that I had the wrong setting.
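
The two configuration checks this thread walks through (signing region per SP-API region, and whether the IAM principal registered with the app is the one whose credentials sign the request) can be run offline before touching the API. This is an added example, not code from amazon-sp-api or from any commenter; the config field names and the sample ARNs are hypothetical, and it assumes the signing principal must be the ARN registered in Seller Central.

```javascript
'use strict';
// Added example: offline preflight for an "Unauthorized / Access to requested
// resource is denied" response. Field names in cfg are hypothetical.

// SP-API region -> AWS SigV4 signing region and API host.
const SP_REGIONS = {
  na: { aws: 'us-east-1', host: 'sellingpartnerapi-na.amazon.com' },
  eu: { aws: 'eu-west-1', host: 'sellingpartnerapi-eu.amazon.com' },
  fe: { aws: 'us-west-2', host: 'sellingpartnerapi-fe.amazon.com' },
};

// Parse an IAM ARN into { account, kind, name }; null if not a user/role ARN.
function parseIamArn(arn) {
  const m = /^arn:aws[\w-]*:iam::(\d{12}):(user|role)\/(.+)$/.exec(String(arn || ''));
  return m ? { account: m[1], kind: m[2], name: m[3].split('/').pop() } : null;
}

// cfg.registeredArn: ARN entered when registering the app in Seller Central.
// cfg.assumedRoleArn: role passed to STS AssumeRole, or undefined if the
// IAM user's own keys sign the request directly.
function preflight(cfg) {
  const findings = [];
  const region = SP_REGIONS[cfg.region];
  if (!region) {
    findings.push(`unknown SP-API region "${cfg.region}"`);
  } else if (cfg.signingRegion && cfg.signingRegion !== region.aws) {
    findings.push(`"${cfg.region}" requests must be signed for ${region.aws}, not ${cfg.signingRegion}`);
  }
  const registered = parseIamArn(cfg.registeredArn);
  const assumed = parseIamArn(cfg.assumedRoleArn);
  if (cfg.assumedRoleArn && (!assumed || assumed.kind !== 'role')) {
    findings.push('assumedRoleArn is not an IAM role ARN');
  }
  if (!registered) {
    findings.push('registered ARN is not an IAM user or role ARN');
  } else if (registered.kind === 'user' && assumed) {
    findings.push('app is registered with an IAM user ARN but requests use assumed-role credentials');
  } else if (registered.kind === 'role' && !assumed) {
    findings.push('app is registered with a role ARN but no role is assumed via STS');
  } else if (registered.kind === 'role' && cfg.registeredArn !== cfg.assumedRoleArn) {
    findings.push('assumed role differs from the role registered with the app');
  }
  return { ok: findings.length === 0, host: region ? region.host : null, findings };
}
```

A clean result only rules out these two misconfigurations; an inactive seller account, as in the "eu" case above, still produces the same error.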