amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

[BUG] Access to requested resource is denied. #1330

Closed bluce-clj closed 2 years ago

bluce-clj commented 3 years ago

Hi, I am trying the new SP-API and I ran into an authorization issue when calling a request. Steps I did:

  1. Create IAM user, role, permission, etc. and get access key, secret access key.
  2. Use IAM, access key, secret access key to create app and get access token as well as refresh token.
  3. Use this access token to sign the API request.

Headers included: host;user-agent;x-amz-access-token;x-amz-date

Canonical request:
"""
GET /sellers/v1/marketplaceParticipations HTTP/1.1
Accept application/json
Content-Type application/json
User-Agent Swagger-Codegen/1.0.0/java
x-amz-access-token Atc|M****
X-Amz-Security-Token
Host sellingpartnerapi-eu.amazon.com
X-Amz-Date 20210510T075429Z
Authorization AWS4-HMAC-SHA256 Credential=ASIA5XIT6BZ2YBFMML4F/20210510/eu-west-1/execute-api/aws4_request, SignedHeaders=accept;content-type;host;user-agent;x-amz-access-token;x-amz-date;x-amz-security-token, Signature=
Connection Keep-Alive
Accept-Encoding gzip
"""

And I always get an authorization issue. Response:
"""
{
  "errors": [
    {
      "message": "Access to requested resource is denied.",
      "code": "Unauthorized",
      "details": ""
    }
  ]
}
"""
There is no detailed information. Is this a server-side error, or did I miss something when submitting the request?

And I created a case, ID 8320854741, but it was quickly closed, because I was sent this message: """ We have closed this case because Amazon has deactivated your account. Refer to your Account Health Dashboard to learn more about the status of your account. """

Could you please help me to address this issue? Must the developer account have experience with the store?
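A pre-flight check for a signed request like the one in the post above, as an added example that is not part of the thread or of the SP-API SDK. It checks that the SigV4 credential scope matches the host, that every signed header is actually present, and that an `ASIA` (temporary STS) access key is accompanied by a session token; `preflight`, the host-to-region table and the sample values are assumptions made for illustration.

```python
import re

# Assumption: SP-API regional hosts and SigV4 regions from Amazon's public endpoint list.
SP_API_REGIONS = {
    "sellingpartnerapi-na.amazon.com": "us-east-1",
    "sellingpartnerapi-eu.amazon.com": "eu-west-1",
    "sellingpartnerapi-fe.amazon.com": "us-west-2",
}
AUTH_RE = re.compile(
    r"AWS4-HMAC-SHA256\s+Credential=(?P<key>[^/]+)/(?P<date>\d{8})/(?P<region>[^/]+)/"
    r"(?P<service>[^/]+)/aws4_request,\s*SignedHeaders=(?P<signed>[^,\s]+),\s*Signature=\S*"
)

def preflight(headers):
    """Return a list of findings for one signed request (hypothetical helper)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    m = AUTH_RE.search(h.get("authorization", ""))
    if not m:
        return ["Authorization is not a parseable SigV4 header"]
    findings = []
    host = h.get("host", "")
    # Sandbox hosts use the same region as their production counterpart.
    base = host[len("sandbox."):] if host.startswith("sandbox.") else host
    expected = SP_API_REGIONS.get(base)
    if expected is None:
        findings.append(f"unknown SP-API host {host!r}")
    elif m["region"] != expected:
        findings.append(f"scope region {m['region']} does not match {host} ({expected})")
    if m["service"] != "execute-api":
        findings.append(f"scope service is {m['service']}, expected execute-api")
    for name in m["signed"].split(";"):
        if not h.get(name):
            findings.append(f"signed header {name} is missing or empty")
    # ASIA-prefixed access keys are temporary STS credentials and need a session token.
    if m["key"].startswith("ASIA") and not h.get("x-amz-security-token"):
        findings.append("temporary (ASIA) key sent without x-amz-security-token")
    return findings

# Constructed sample modelled on the post; key id, tokens and signature are made up.
SAMPLE = {
    "Host": "sellingpartnerapi-eu.amazon.com",
    "User-Agent": "Swagger-Codegen/1.0.0/java",
    "x-amz-access-token": "Atza|CONSTRUCTED",
    "X-Amz-Date": "20210510T075429Z",
    "X-Amz-Security-Token": "",
    "Authorization": "AWS4-HMAC-SHA256 Credential=ASIAEXAMPLE000000000/20210510/eu-west-1/"
    "execute-api/aws4_request, SignedHeaders=host;user-agent;x-amz-access-token;"
    "x-amz-date;x-amz-security-token, Signature=" + "0" * 64,
}
```

An empty list from `preflight` only means the request is internally consistent; it says nothing about IAM policy, app registration or account status on Amazon's side.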

bluce-clj commented 3 years ago

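I am not using X-Amz-Security-Token on my side.

I am using the official Java SDK, and the request parameters are already wrapped by it, so the key questions are: 1. whether there is a problem with the AWS STS configuration (I have checked and compared it with other people's and found nothing), 2. whether it is caused by an account problem, 3. support is needed.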

bluce-clj commented 3 years ago

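Quite a few people in the group have run into this problem recently; I guess they are all beginners...

Then suggest a troubleshooting plan; otherwise beginners and veterans are equally helpless...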

bluce-clj commented 3 years ago

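  1. You can obtain an access_token, so there should be no problem with authorization. Consider whether the token has expired?
  2. Check the IAM permissions; copy that JSON configuration.
  3. Is the URL for the marketplace correct? Don't take a US account and then use the EU URL.
  4. Do you have problems when calling other APIs?
  5. On my side, calling the getMarketplaceParticipations API works normally and returns data.

  1. The token is fine.
  2. Getting the access token through the STS interface also succeeded.
  3. The marketplace URL is correct; I switched to US and tested, and got the same error.
  4. Refreshing the token and the STS interface both work normally, but getMarketplaceParticipations gives this error, and the orders API and others give the same error.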

bluce-clj commented 3 years ago


error detail info.

joseph74a commented 3 years ago

Hi, I have the same error and I have followed the step by step guide: https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/developer-guide/SellingPartnerApiDeveloperGuide.md

{
  "errors": [
    {
      "message": "Access to requested resource is denied.",
      "code": "Unauthorized",
      "details": ""
    }
  ]
}

AWS REGION=eu-west-1
ENDPOINT=https://sellingpartnerapi-eu.amazon.com

I'm stuck and don't know what to do. Any help or suggestions are appreciated. Thanks

marconline commented 3 years ago

This is happening to me as well, even on the sandbox endpoint. The only call that is working is GET sellers/v1/marketplaceParticipations.

Does this call work on your side? @joseph74a and @bluce-clj

marconline commented 3 years ago

Ok so I found it and had the enlightenment!

If you use the sandbox, there are two things to be aware of:

  1. you must use the same request that Amazon expresses in its documentation (check in the model swagger file the x-amazon-spds-sandbox-behaviors)
  2. you must use the endpoint linked to the token you are using. If it's a token generated for the EU marketplace, you have to use the sandbox EU endpoint even if the body of the request references an NA marketplace.

bluce-clj commented 3 years ago

> This is happening to me as well, even on the sandbox endpoint. The only call that is working is GET sellers/v1/marketplaceParticipations.
>
> Does this call work on your side? @joseph74a and @bluce-clj

Yes, that's it. I can't tell what went wrong.

joseph74a commented 3 years ago

Hi, I have always used GET sellers/v1/marketplaceParticipations

aidensgithub commented 3 years ago

> > This is happening to me as well, even on the sandbox endpoint. The only call that is working is GET sellers/v1/marketplaceParticipations. Does this call work on your side? @joseph74a and @bluce-clj
>
> Yes, that's it. I can't tell what went wrong.

Hello! Have you resolved the issue? I'm getting the same error for all calls except for marketplaceParticipation.

bluce-clj commented 3 years ago

  1. Log in to https://console.aws.amazon.com/iam
  2. Using the following JSON, add a policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:::*"
    }
  ]
}

  3. Attach this newly added policy to your User. Only then does this IRN have permission to access SPAPI.

I configured it, and it had no effect...

aidensgithub commented 3 years ago

I tried to add the STS Policy to my USER as suggested here. Still getting the same error.

aidensgithub commented 3 years ago

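When you configured the application, did you use the User's ARN?

This configuration grants permission to the specified user; the User's ARN has to be configured in the application.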

@nodisk8800 I use ROLE ARN as AWS_ROLE_ARN in Java SDK

aidensgithub commented 3 years ago

You can search for our QQ group.

So should I use my User ARN? But Java SDK requires to use only ROLE ARN.

github-actions[bot] commented 2 years ago

This is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue after the latest release and if you find that this is still a problem, please feel free to open a new issue and make a reference to this one.