Closed. DomoES closed this issue 3 years ago.
Welp, figured it out...
For posterity's sake: when following the instructions in AWS to create a role and whatnot (https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/developer-guide/SellingPartnerApiDeveloperGuide.md#creating-and-configuring-iam-policies-and-entities) you can either put in the user ARN or the role ARN.
If you do the role, you HAVE to get temp credentials via STS (https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/developer-guide/SellingPartnerApiDeveloperGuide.md#step-4-create-and-sign-your-request) and use those as your ID (creating the Authorization header) and Secret (creating the signature key).
Then, at the very end when you make your API call, pass in "X-Amz-Security-Token" as a header with the session token you got back from your STS call.
Is there a specific API to call to get temp credentials via https://sts.amazonaws.com?
@phpandrew
By default, AWS Security Token Service (AWS STS) is available as a global service, and all AWS STS requests go to a single endpoint at https://sts.amazonaws.com.
https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html
I had found an example somewhere of doing it manually, but for whatever reason couldn't get it to work. So I ended up using Amazon's SDK "com.amazonaws:aws-java-sdk-sts:1.11.+" (Java):
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;

// Long-lived IAM credentials that are allowed to call sts:AssumeRole on the role below
BasicAWSCredentials basicAWSCredentials = new BasicAWSCredentials(
    "Key from the role you made in IAM",
    "Secret from the role you made in IAM"
);
AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
    .withCredentials(new AWSStaticCredentialsProvider(basicAWSCredentials))
    .withRegion("REGION")
    .build();
// DURATION is a placeholder: how many seconds the temporary credentials stay valid
AssumeRoleRequest roleRequest = new AssumeRoleRequest()
    .withRoleArn("ARN to your Selling Partner account you made")
    .withDurationSeconds(DURATION)
    .withRoleSessionName("SESSION NAME");
AssumeRoleResult roleResult = stsClient.assumeRole(roleRequest);
// Temporary credentials: the first two feed SigV4 signing, the token goes in X-Amz-Security-Token
String stsGeneratedId = roleResult.getCredentials().getAccessKeyId();
String stsGeneratedSecret = roleResult.getCredentials().getSecretAccessKey();
String stsGeneratedSessionToken = roleResult.getCredentials().getSessionToken();
You use the stsGeneratedSecret when you create the signature in Task 3 (https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html) and the stsGeneratedId when you create the Authorization header in Task 4 (https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html).
Then take the stsGeneratedSessionToken and use it in your API call with the "X-Amz-Security-Token" header. I didn't have to add this in the canonical parts or the signature or anything. I just tacked it on right before I made the API call.
Error:
I have verified that my Canonical String and String-To-Sign are identical to these (including case). So my issue must be in the Secret Access Key or Signing Method.
I went ahead and regenerated the access key, and I am using the Java example to get the Signature Key -> https://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html#signature-v4-examples-java
String-to-Sign and SignatureKey are then HmacSHA256'd together and hex-encoded to lower case.
Thus my final call ends up being:
Which looks exactly like what you find in their example here -> https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/developer-guide/SellingPartnerApiDeveloperGuide.md#step-4-create-and-sign-your-request
I've gone over the other issues reported and they haven't fixed my problem:
https://github.com/amzn/selling-partner-api-models/issues/1272 (capitalization of query parameter)
https://github.com/amzn/selling-partner-api-models/issues/1154 (regenerated my keys)
https://github.com/amzn/selling-partner-api-models/issues/1101 (no resolution)
https://github.com/amzn/selling-partner-api-models/issues/1098 (no resolution)
https://github.com/amzn/selling-partner-api-models/issues/774 (canonical_uri change, execute-api for service)
https://github.com/amzn/selling-partner-api-models/issues/769 (content-type header and x-amz-content-sha256 header)
None of it worked.
So - anyone have some insight or idea as to what might be the issue?