amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

AuthorizationError: ('unauthorized_client', 'Not authorized for requested operation', 400) #1891

Closed paulabirocchi closed 2 years ago

paulabirocchi commented 3 years ago

Hi, I'm trying to access the Selling Partner API through Python. I followed the recommendations from this issue: https://github.com/amzn/selling-partner-api-models/issues/713 I have all the credentials, I used assume role and I used the token provided in assume role as x_amz_security_token to call Orders.get_orders() like this:

orders_obj = Orders(marketplace=Marketplaces.GB, credentials=credentials)  # In my case I'm signed up in UK Marketplace
res = orders_obj.get_orders(
    LastUpdatedAfter=(datetime.utcnow() - timedelta(days=7)).isoformat(),
    MarketplaceIds=','.join(marketplaces),
    x_amz_security_token='XXXX')

But I got AuthorizationError: ('unauthorized_client', 'Not authorized for requested operation', 400)

I also tried to use a Restricted Data Token (RDT), using these commands:

tokens = Tokens(marketplace=Marketplaces.GB, credentials=credentials)
tokens.create_restricted_data_token()

But I've also got: AuthorizationError: ('unauthorized_client', 'Not authorized for requested operation', 400)

Could anyone help me?

teddy-codes commented 3 years ago

Are you sure that you're using the tokens provided by sts to sign your request?

paulabirocchi commented 3 years ago

Hi @teddy-codes , yes I used boto3:

client = boto3.client('sts')
client.assume_role(RoleArn=roleARN, RoleSessionName=rolename)

I found this other issue https://github.com/amzn/selling-partner-api-models/issues/699 @rogersv used both x_amz_security_token and x_amz_access_token, but I'm not sure how to use it. Should I include it when I call get_orders? For example:

res = orders_obj.get_orders(
    LastUpdatedAfter=(datetime.utcnow() - timedelta(days=7)).isoformat(),
    MarketplaceIds=','.join(marketplaces),
    x_amz_security_token='YYY',
    x_amz_access_token='XXX')

teddy-codes commented 3 years ago

https://stackoverflow.com/questions/44171849/aws-boto3-assumerole-example-which-includes-role-usage

The client won't actually assume the role for you. New credentials are provided. You should then use the signer provided by AWS to sign the request. This is what I did and have had great success.

paulabirocchi commented 3 years ago

I'm using the following commands in order to access Amazon Orders:

This is what I received from assume_role:

{'Credentials': {'AccessKeyId': 'XXX', 'SecretAccessKey': 'XXX', 'SessionToken': 'XXX', 'Expiration': datetime.datetime(2021, 9, 27, 14, 51, 58, tzinfo=tzutc())}, 'AssumedRoleUser': {'AssumedRoleId': 'XXXAPI', 'Arn': 'XXX'}, 'ResponseMetadata': {'RequestId': 'XXX', 'HTTPStatusCode': 200, 'HTTPHeaders': {'XXX', 'content-type': 'text/xml', 'content-length': '1070', 'date': 'Mon, 27 Sep 2021 13:51:57 GMT'}, 'RetryAttempts': 0}}

This is my code to access the API:

credentials=dict(
    refresh_token='XXX',  # provided by the App
    lwa_app_id='XXX',
    lwa_client_secret='XXX',
    aws_secret_key='XXX',  # at this moment, I'm using it from assume role (secretaccesskey)
    aws_access_key='XXX',  # I'm using it from assume role (accesskeyid)
    role_arn='XXX',
)  # from application

marketplaces = ['XXXX']
orders_obj = Orders(marketplace=Marketplaces.GB, credentials=credentials)  # In my case I'm signed up in UK Marketplace
res = orders_obj.get_orders(
    LastUpdatedAfter=(datetime.utcnow() - timedelta(days=7)).isoformat(),
    MarketplaceIds=','.join(marketplaces),
    x_amz_security_token='XXX',
    x_amz_access_token='XXX'
)

I've tested using the refresh_token as x_amz_access_token and x_amz_security_token, and also the 'SessionToken' as x_amz_access_token and x_amz_security_token. I don't know what I'm doing wrong here.

avvarga commented 3 years ago

Hello @paulabirocchi ,

We will need to work with you via a support case to resolve this issue. Please open a support case so we can pursue the investigation.

Thanks,
Alejandro C
Selling Partner API Developer Support

paulabirocchi commented 3 years ago

Thank you. I've opened a support case, I'm waiting for assistance. I will copy my python script here for any assistance:

Importing packages:

import boto3
from sp_api.api import Orders
from sp_api.api import Reports
from sp_api.api import Feeds
from sp_api.base import SellingApiException
from sp_api.base.reportTypes import ReportType
from datetime import datetime, timedelta
from sp_api.base.marketplaces import Marketplaces

Getting temporary credentials in assume role:

You will get an ID, secret and token. The Id and secret should be used instead of the id and secret for your user. The token should be added to the header as x-amz-security-token.

This information was obtained from: https://github.com/amzn/selling-partner-api-models/issues/713

client = boto3.client('sts')

roleARN='arn:aws:iam::XXX:role/NameAPI'
rolename='NameAPI'
client.assume_role(RoleArn=roleARN, RoleSessionName=rolename)

These are the credentials you get from assume_role that expire in 1 hour:

I used XXX in confidential information.

{'Credentials': {'AccessKeyId': 'XXX', 'SecretAccessKey': 'XXX', 'SessionToken': 'XXXXXXX', 'Expiration': datetime.datetime(2021, 9, 27, 16, 33, 29, tzinfo=tzutc())}, 'AssumedRoleUser': {'AssumedRoleId': 'XXX', 'Arn': 'arn:aws:sts::XXX:assumed-role/nameAPI/nameAPI'}, 'ResponseMetadata': {'RequestId': 'XX', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': 'XXX', 'content-type': 'text/xml', 'content-length': '1070', 'date': 'Mon, 27 Sep 2021 15:33:29 GMT'}, 'RetryAttempts': 0}}

credentials=dict(
    refresh_token='XXX',  # from application
    lwa_app_id='XXX',
    lwa_client_secret='XXX',
    aws_secret_key='XXX',  # from assume role (secretaccesskey)
    aws_access_key='XXX',  # from assume role (accesskeyid)
    role_arn='arn:aws:iam::XXX:role/XXX',
)  # from application

marketplaces = ['XXX']
orders_obj = Orders(marketplace=Marketplaces.DE, credentials=credentials)  # In my case I'm signed up in DE Marketplace
res = orders_obj.get_orders(
    LastUpdatedAfter=(datetime.utcnow() - timedelta(days=7)).isoformat(),
    MarketplaceIds=','.join(marketplaces),
    x_amz_security_token='XXXX',
    x_amz_access_token='XXX')

When I run the commands above, I get this message from python:

AuthorizationError: ('unauthorized_client', 'Not authorized for requested operation', 400)

I also tried to get a Restricted Data Token (RDT) without success, the same message appears:

tokens = Tokens(marketplace=Marketplaces.DE, credentials=credentials)
tokens.create_restricted_data_token()

AuthorizationError: ('unauthorized_client', 'Not authorized for requested operation', 400)

bpyzikvc commented 3 years ago

Looks to me like you are still missing the get access token call. I am not using python so I'll try my best to recreate what it would look like but you need to do the sts call to assume the role then get a new access token and then make an actual api call. Here are the things I would note:

refresh_token='XXX',  # I did not need this I am not sure if you do with python
aws_secret_key='XXX',  # from assume role (secretaccesskey)
aws_access_key='XXX',  # from assume role (accesskeyid)
x_amz_security_token='XXXX',  # from assume role (SessionToken)
x_amz_access_token='XXX')  # from get access token (access_token); you will use a refresh token to generate a short lived access token

Once you do this you will most likely get a signature error because I do not see you generating one. I am using a very different platform from python so I will not be able to give notes for that but Amazon will provide what the signature should look like when you get the error.

paulabirocchi commented 3 years ago

Thank you @bpyzikvc this was helpful. I found this other issue: https://github.com/saleweaver/python-amazon-sp-api/issues/225 and I've tried to generate the access token through these commands:

from sp_api.api import Tokens

tokens_api = Tokens(credentials=credentials)
response = tokens_api.create_restricted_data_token(
    restrictedResources=[
        {
            "method": "GET",
            "path": "/orders/v0/orders",
            "dataElements": ["buyerInfo", "shippingAddress"]
        }
    ]
)

But I've got the same error from Python: AuthorizationError: ('unauthorized_client', 'Not authorized for requested operation', 400)

Any advice in what I'm doing wrong?

bpyzikvc commented 3 years ago

You are attempting to create a restricted data token here. To do so you would use an access token which you have not generated yet. To generate one you have to make another api call. It'd be:

1. STS
2. generate access token
3. (optional) get RDT
4. get orders

https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/developer-guide/SellingPartnerApiDeveloperGuide.md#step-1-request-a-login-with-amazon-access-token

bpyzikvc commented 3 years ago

The issue you linked would be solved if they put the RDT that they generate into the x_amz_access_token. So if you have an RDT you insert it there, if not you just use your access token that you MUST generate
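Added example, not part of the original thread and not code from any commenter or from python-amazon-sp-api: the credential flow described in the comments above (STS temporary keys sign the request, the refresh token is only exchanged for an access token, and the access token or RDT travels in x-amz-access-token), using the standard library only. The EU endpoint host, the eu-west-1 signing region, the function names and every credential value are assumptions constructed for illustration.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote, urlencode

LWA_TOKEN_URL = "https://api.amazon.com/auth/o2/token"  # endpoint quoted in the thread
# Assumptions, not stated in the thread: EU endpoint host and its signing region.
SP_API_HOST = "sellingpartnerapi-eu.amazon.com"
REGION = "eu-west-1"
SERVICE = "execute-api"


def lwa_refresh_form(client_id, client_secret, refresh_token):
    """Step 2: form body that trades the refresh token for a short-lived
    access token. No scope is sent; this is the only place the refresh
    token and the LWA client secret are used."""
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    })


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get(path, params, sts_credentials, access_token, now):
    """Steps 1 and 4: SigV4-sign a GET with the temporary STS credentials.

    sts_credentials is the 'Credentials' dict returned by assume_role.
    access_token is the LWA access token, or the RDT when PII is requested.
    """
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    headers = {
        "host": SP_API_HOST,
        "x-amz-access-token": access_token,
        "x-amz-date": amz_date,
        "x-amz-security-token": sts_credentials["SessionToken"],
    }
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    signed_headers = ";".join(sorted(headers))
    # Each canonical header line ends with a newline, which yields the
    # blank line SigV4 expects before the signed-header list.
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/-_.~"),
        canonical_query,
        canonical_headers,
        signed_headers,
        hashlib.sha256(b"").hexdigest(),  # empty body for a GET
    ])
    scope = f"{datestamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Derive the signing key from the STS secret key, never from LWA secrets.
    key = _hmac(("AWS4" + sts_credentials["SecretAccessKey"]).encode(), datestamp)
    for part in (REGION, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={sts_credentials['AccessKeyId']}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    # Constructed sample values; none of these is a real credential.
    sts = {"AccessKeyId": "ASIAEXAMPLEKEYID",
           "SecretAccessKey": "constructed-secret",
           "SessionToken": "constructed-session-token"}
    print("POST", LWA_TOKEN_URL)
    print(lwa_refresh_form("amzn1.application-oa2-client.EXAMPLE", "constructed", "Atzr|constructed"))
    when = datetime.datetime(2021, 9, 27, 13, 51, 57, tzinfo=datetime.timezone.utc)
    query = {"MarketplaceIds": "EXAMPLE", "LastUpdatedAfter": "2021-09-20T00:00:00"}
    for name, value in sign_get("/orders/v0/orders", query, sts, "Atza|constructed", when).items():
        print(f"{name}: {value}")
```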

paulabirocchi commented 3 years ago

Thank you. I believe there is a way to do this in Python , something similar to: https://stackoverflow.com/questions/54410850/python-requests-login-to-login-with-amazon-to-get-access-token-for-amazon-advert I will test this now: https://developer.amazon.com/docs/app-submission-api/python-example.html#obtain-access-token

paulabirocchi commented 3 years ago

@bpyzikvc So I followed the steps from this link: https://developer.amazon.com/docs/app-submission-api/python-example.html#obtain-access-token

I'm using the root user access ID and key (I've tested using other not-primary user as well). I tried also to include the refresh_token but the same error appears.

Python script:

import requests

# Values that you need to provide
client_id = 'XXX'
client_secret = 'XXX'

app_id =

BASE_URL = 'https://developer.amazon.com/api/appstore'

scope = "appstore::apps:readwrite"
grant_type = "client_credentials"
data = {
    "grant_type": grant_type,
    "client_id": client_id,
    "client_secret": client_secret,
    "scope": scope
}
amazon_auth_url = "https://api.amazon.com/auth/o2/token"
auth_response = requests.post(amazon_auth_url, data=data)

# Read token from auth response
auth_response_json = auth_response.json()
auth_token = auth_response_json["access_token"]

auth_token_header_value = "Bearer %s" % auth_token

auth_token_header = {"Authorization": auth_token_header_value}

Unfortunately, there is no access token, I received the error: {'error_description': 'Client authentication failed', 'error': 'invalid_client'} when I look at auth_response_json. Any advice?

ManikandanUV commented 3 years ago

@paulabirocchi Try using the lwa client identifier in place of lwa_app_id. That worked for me. @avvarga please rename this field in the credentials. It's causing confusion.

paulabirocchi commented 3 years ago

@ManikandanUV it didn't work for me :( I got this error: AuthorizationError: ('invalid_client', 'Client authentication failed', 401) I am stuck in the part to get the access token.

bpyzikvc commented 3 years ago

For this specific call you will not need scope in the data. Grant_type will be "refresh_token" and you must include the actual refresh token with the header of refresh_token.

Here's what I send in Postman to get one so maybe you can follow this in python..

https://api.amazon.com/auth/o2/token?Content-Type=application/x-www-form-urlencode
{
    "grant_type": "refresh_token",
    "client_id": "XXXXXX",
    "client_secret": "XXXXX",
    "refresh_token": "XXXXXX"
}

paulabirocchi commented 3 years ago

Thanks @bpyzikvc. I followed your recommendation and I got the same error again: {'error_description': 'Client authentication failed', 'error': 'invalid_client'}

I couldn't open the link you provided.

paulabirocchi commented 3 years ago

@bpyzikvc I tried to get the access token through Postman. I received the same error: { "error_description": "Client authentication failed", "error": "invalid_client" } I found this tutorial : https://www.youtube.com/watch?v=CtTP7JN3oRk , it seems that I need to configure something in Amazon cognito before getting the access token (through Postman and I guess through Python would be the same).

I just created an app because I want to have access to the Orders, Returns and Reports from Amazon in an automated way (that is why I would like to use Python). It has been difficult to figure out how to do that.

paulabirocchi commented 3 years ago

I was able to get the access token!

I applied all the steps mentioned here to get the Orders and I got this error message:

ClientError: An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.

I used the same REFRESH_TOKEN used to access_token. I don't know what is wrong here.

I have created two applications in Seller Central and now it is getting confused. Where can I double check the LWA_CLIENT_ID and LWA_CLIENT_SECRET for both apps?

paulabirocchi commented 2 years ago

@ManikandanUV where can I find the lwa client identifier? Maybe I have used the wrong information.

sinancetinkaya commented 2 years ago

The issue you linked would be solved if they put the RDT that they generate into the x_amz_access_token. So if you have an RDT you insert it there, if not you just use your access token that you MUST generate

I already posted the solution in the following comments https://github.com/saleweaver/python-amazon-sp-api/issues/225#issuecomment-901468054 python-amazon-sp-api library has no way to set x-amz-access-token in the request header.

paulabirocchi commented 2 years ago

Thank you @sinancetinkaya, could you please describe how did you set up the credentials?

Javadebi commented 2 years ago

Thank you @sinancetinkaya, could you please describe how did you set up the credentials?

Lwa credentials are in the page where you have added your application. There is a view button beside the edit app button. You can find it there.

paulabirocchi commented 2 years ago

So should I use it in this way and use the assume role?

credentials=dict(
    refresh_token='XXX',  # from application
    lwa_app_id='XXX',  # from application
    lwa_client_secret='XXX',  # from application
    aws_secret_key='XXX',  # from assume role (secretaccesskey)
    aws_access_key='XXX',  # from assume role (accesskeyid)
    role_arn='arn:aws:iam::XXX:role/XXX',
)  # from application

Javadebi commented 2 years ago

So should I use it in this way and use the assume role?

credentials=dict(
    refresh_token='XXX',  # from application
    lwa_app_id='XXX',  # from application
    lwa_client_secret='XXX',  # from application
    aws_secret_key='XXX',  # from assume role (secretaccesskey)
    aws_access_key='XXX',  # from assume role (accesskeyid)
    role_arn='arn:aws:iam::XXX:role/XXX',
)  # from application

Yes.

paulabirocchi commented 2 years ago

Thank you @Javadebi. I used these credentials and obtained this error when I typed this command:


response = tokens_api.create_restricted_data_token(
    restrictedResources=[
        {
            "method": "GET",
            "path": "/orders/v0/orders",
            "dataElements": ["buyerInfo", "shippingAddress"]
        }
    ]
)

ClientError: An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.

Javadebi commented 2 years ago

Thank you @Javadebi. I used these credentials and obtained this error when I typed this command:

response = tokens_api.create_restricted_data_token(
    restrictedResources=[
        {
            "method": "GET",
            "path": "/orders/v0/orders",
            "dataElements": ["buyerInfo", "shippingAddress"]
        }
    ]
)

ClientError: An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.

are you using correct aws credentials?

paulabirocchi commented 2 years ago

Yes @Javadebi, I corrected the LWA credentials (using client identifier and secret from app). The AWS credentials should be the ones from assume_role, right? I'm using these commands:

# Getting temporary credentials in assume role: 
client = boto3.client('sts')

roleARN='arn:aws:iam::XXX:role/XXX'
rolename='XXX'
client.assume_role(RoleArn= roleARN,RoleSessionName=rolename)

I could get the access token through:

import requests
client_id= 'XXX'
client_secret = 'XXX'
refresh_token = 'XXX'

BASE_URL = 'https://developer.amazon.com/api/appstore'

scope = "appstore::apps:readwrite"
grant_type = "refresh_token"
data = {
    "grant_type": grant_type,
    "client_id": client_id,
    "client_secret": client_secret,
    "refresh_token": refresh_token

}
amazon_auth_url = "https://api.amazon.com/auth/o2/token?Content-Type=application/x-www-form-urlencode"
auth_response = requests.post(amazon_auth_url, data=data)

# Read token from auth response
auth_response_json = auth_response.json()
auth_token = auth_response_json["access_token"]

But I couldn't get the RDT (restricted data token) using these commands:

credentials=dict(
    refresh_token=refresh_token,
    lwa_app_id=app_id,
    lwa_client_secret=client_secret,
    aws_secret_key='XXX', # from assume role (secretaccesskey) 
    aws_access_key='XXX', # from assume role (accesskeyid)
    role_arn='arn:aws:iam::XXX:role/XXX' )# from application

tokens_api = Tokens(credentials=credentials)
response = tokens_api.create_restricted_data_token(
    restrictedResources=[
        {
            "method": "GET",
            "path": "/orders/v0/orders",
            "dataElements": ["buyerInfo", "shippingAddress"]
        }
    ]
)

When I run the last line, I got:

ClientError: An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.

Other times I got:

SellingApiForbiddenException: [{'message': 'Access to requested resource is denied.', 'code': 'Unauthorized', 'details': ''}]

I tried using aws_secret_key and aws_access_key as the IAM_USER_ACCESS_KEY and IAM_USER_SECRET_KEY and I got:

SellingApiForbiddenException: [{'message': 'Access to requested resource is denied.', 'code': 'Unauthorized', 'details': ''}]

I don't know what is happening. Amazon didn't answer my support case :(

paulabirocchi commented 2 years ago

@bpyzikvc How do I use access_token to get the RDT (restricted data token)?

I couldn't get the RDT yet... When I used these commands:

tokens_api = Tokens(credentials=credentials)
response = tokens_api.create_restricted_data_token(
    restrictedResources=[
        {
            "method": "GET",
            "path": "/orders/v0/orders",
            "dataElements": ["buyerInfo", "shippingAddress"]
        }
    ]
)

I got this error: SellingApiForbiddenException: [{'message': 'Access to requested resource is denied.', 'code': 'Unauthorized', 'details': ''}]

Maybe I'm using the credentials in the wrong way?

sinancetinkaya commented 2 years ago

@bpyzikvc How do I use access_token to get the RDT (restricted data token)?

I couldn't get the RDT yet... When I used these commands:

tokens_api = Tokens(credentials=credentials)
response = tokens_api.create_restricted_data_token(
    restrictedResources=[
        {
            "method": "GET",
            "path": "/orders/v0/orders",
            "dataElements": ["buyerInfo", "shippingAddress"]
        }
    ]
)

I got this error: SellingApiForbiddenException: [{'message': 'Access to requested resource is denied.', 'code': 'Unauthorized', 'details': ''}]

Maybe I'm using the credentials in the wrong way?

Ensure you are using the correct credentials:

aws_access_key = AWS Access key
aws_secret_key = AWS Secret access key
role_arn = IAM Role ARN
lwa_app_id = LWA credentials Client identifier
lwa_client_secret = LWA credentials Client secret
refresh_token = Refresh Token

jhocce commented 2 years ago

Did someone manage to solve this?

paulabirocchi commented 2 years ago

@jhocce not yet. I was informed by Amazon that I need permissions in my Developer Profile to get the Restricted Data Token (RDT). Is that correct? Some weeks ago I filled the form available in the Developer Profile to obtain the RDT and Amazon rejected my permission and asked more details. I answered all the open questions and sent it again to Amazon. Now I'm waiting for an answer. I hope this time I will get this permission.

Did you need to get this permission with Amazon too in order to access the RDT?

bpyzikvc commented 2 years ago

@paulabirocchi I am not sure if you need RDT permission, my developer profile was set up for me years before RDT existed and was not adjusted since then so I do not think you should need some sort of access for it. You may need to be granted order management access that way though because mine definitely has that set up.

My first thought here is to confirm that your app has the correct order role. Roles are found here: https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/roles/Roles-in-the-Selling-Partner-API.md

When you edit the app you should be able to see that the Inventory and Order tracking role is selected.

Side note, are you able to get orders without PII using just a regular access token?

paulabirocchi commented 2 years ago

Amazon finally granted me access to the Restricted Data Token (RDT). Now, when I'm using:

credentials=dict(
    refresh_token=refresh_token_from_app,
    lwa_app_id=clientid_from_app,
    lwa_client_secret=clientsecret_from_app,
    aws_secret_key=accesskeyid,  # from assume role (secretaccesskey)
    aws_access_key=secretaccesskey,  # from assume role (accesskeyid)
    role_arn='arn:aws:iam::XXXX:role/XX'
)  # from application

I continue receiving: SellingApiForbiddenException: [{'message': 'Access to requested resource is denied.', 'code': 'Unauthorized', 'details': ''}]

I already updated the refresh_token. Do I need to create a new application from zero with this new permission from Amazon?

paulabirocchi commented 2 years ago

@paulabirocchi I am not sure if you need RDT permission, my developer profile was set up for me years before RDT existed and was not adjusted since then so I do not think you should need some sort of access for it. You may need to be granted order management access that way though because mine definitely has that set up.

My first thought here is to confirm that your app has the correct order role. Roles are found here: https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/roles/Roles-in-the-Selling-Partner-API.md

When you edit the app you should be able to see that the Inventory and Order tracking role is selected.

Side note, are you able to get orders without PII using just a regular access token?

I'm not sure how to access the orders without PII using just a regular access token. I couldn't do that until now.

paulabirocchi commented 2 years ago

Amazon finally granted me access to the Restricted Data Token (RDT). Now, when I'm using:

credentials=dict(
    refresh_token=refresh_token_from_app,
    lwa_app_id=clientid_from_app,
    lwa_client_secret=clientsecret_from_app,
    aws_secret_key=accesskeyid,  # from assume role (secretaccesskey)
    aws_access_key=secretaccesskey,  # from assume role (accesskeyid)
    role_arn='arn:aws:iam::XXXX:role/XX'
)  # from application

I continue receiving: SellingApiForbiddenException: [{'message': 'Access to requested resource is denied.', 'code': 'Unauthorized', 'details': ''}]

I already updated the refresh_token. Do I need to create a new application from zero with this new permission from Amazon?

I also tried to use credentials like this:

credentials=dict(
    refresh_token=refresh_token_from_app,
    lwa_app_id=clientid_from_app,
    lwa_client_secret=clientsecret_fromapp,
    aws_secret_key=aws_secret_key,  # from AWS account
    aws_access_key=aws_access_key,  # from AWS account
    role_arn='arn:aws:iam::XXXXX:role/XXX'
)  # from application

I've got the same error: SellingApiForbiddenException: [{'message': 'Access to requested resource is denied.', 'code': 'Unauthorized', 'details': ''}]

bpyzikvc commented 2 years ago

@paulabirocchi I believe your issue now is you are attempting to provide a refresh token to the RDT api. The refresh token is ONLY used to generate an access token which would then be used on all other apis. So you should be providing the access token to the RDT api.

The reason I am asking if you are able to get orders (without pii) using just the regular access token is to confirm you are signing your calls correctly. You should sign the orders (without pii) and get RDT calls the exact same way, using an access token. I suggest confirming the orders api call works and then doing the RDT while following the same signing procedure.

Once you receive an RDT you can use the same orders api in a different way to get pii information.

paulabirocchi commented 2 years ago

@paulabirocchi I believe your issue now is you are attempting to provide a refresh token to the RDT api. The refresh token is ONLY used to generate an access token which would then be used on all other apis. So you should be providing the access token to the RDT api.

The reason I am asking if you are able to get orders (without pii) using just the regular access token is to confirm you are signing your calls correctly. You should sign the orders (without pii) and get RDT calls the exact same way, using an access token. I suggest confirming the orders api call works and then doing the RDT while following the same signing procedure.

Once you receive an RDT you can use the same orders api in a different way to get pii information.

@bpyzikvc thank you.

So I was able to get the Orders without PII using these credentials and following commands:

credentials=dict(
    refresh_token=refresh_token_from_app,
    lwa_app_id=clientid_from_app,
    lwa_client_secret=clientsecret_from_app,
    aws_secret_key=aws_secret_key,
    aws_access_key=aws_access_key,
    role_arn='arn:aws:iam::XXX:role/XXX'
)  # from application

marketplaces = ['XXXXXX']
orders_obj = Orders(marketplace=Marketplaces.DE, credentials=credentials)
res = orders_obj.get_orders(
    LastUpdatedAfter=(datetime.utcnow() - timedelta(days=7)).isoformat(),
    MarketplaceIds=','.join(marketplaces))

It worked and returned the Orders in res.payload(). However, I didn't use the access token in this case.

How should I apply to get Orders with PII (using the access token/RDT)?

Thank you.

paulabirocchi commented 2 years ago

@bpyzikvc I was able to get Orders with the access_token too, using these credentials and commands:

credentials=dict(
    refresh_token=refresh_token,
    lwa_app_id=clientid_fromapp,
    lwa_client_secret=clientsecret_fromapp,
    aws_secret_key=secretacces,  # from assume role (secretaccesskey)
    aws_access_key=accesskey,  # from assume role (accesskeyid)
    role_arn='arn:aws:iam::XXXXXXX:role/XXXX'
)  # from application

marketplaces = ['XXXXX']
orders_obj = Orders(marketplace=Marketplaces.DE, credentials=credentials)
res2 = orders_obj.get_orders(
    LastUpdatedAfter=(datetime.utcnow() - timedelta(days=7)).isoformat(),
    MarketplaceIds=','.join(marketplaces),
    x_amz_security_token=access_token)

How could I use the access token/RDT to get the Orders with PII?

paulabirocchi commented 2 years ago

I tried to generate the RDT using these commands:

response = tokens.create_restricted_data_token(
    restrictedResources=[
        {
            "method": "GET",
            "path": "/orders/v0/orders",
            "dataElements": ["buyerInfo", "shippingAddress"]
        }
    ]
)

OR tokens.create_restricted_data_token()

I've got this error: SellingApiForbiddenException: [{'message': 'Access to requested resource is denied.', 'code': 'Unauthorized', 'details': ''}]

sinancetinkaya commented 2 years ago

@paulabirocchi I think you should improve your developer logic. Previously RDT wasn't working because Amazon didn't authorize it. Then you said it was solved. Now you are trying to obtain RDT in a new wrong way different than you previously tried. Why? Why are you not going back to the previously tried step? https://github.com/amzn/selling-partner-api-models/issues/1891

(quoted from your post)

credentials=dict(
    refresh_token=refresh_token,
    lwa_app_id=app_id,
    lwa_client_secret=client_secret,
    aws_secret_key='XXX', # from assume role (secretaccesskey) 
    aws_access_key='XXX', # from assume role (accesskeyid)
    role_arn='arn:aws:iam::XXX:role/XXX' )# from application

tokens_api = Tokens(credentials=credentials)
response = tokens_api.create_restricted_data_token(
    restrictedResources=[
        {
            "method": "GET",
            "path": "/orders/v0/orders",
            "dataElements": ["buyerInfo", "shippingAddress"]
        }
    ]
)

Does this look the same as what you are trying now?

paulabirocchi commented 2 years ago

@paulabirocchi I think you should improve your developer logic. Previously RDT wasn't working because Amazon didn't authorize it. Then you said it was solved. Now you are trying to obtain RDT in a new wrong way different than you previously tried. Why? Why are you not going back to the previously tried step? #1447 (comment)

(quoted from your post)

credentials=dict(
    refresh_token=refresh_token,
    lwa_app_id=app_id,
    lwa_client_secret=client_secret,
    aws_secret_key='XXX', # from assume role (secretaccesskey) 
    aws_access_key='XXX', # from assume role (accesskeyid)
    role_arn='arn:aws:iam::XXX:role/XXX' )# from application

tokens_api = Tokens(credentials=credentials)
response = tokens_api.create_restricted_data_token(
    restrictedResources=[
        {
            "method": "GET",
            "path": "/orders/v0/orders",
            "dataElements": ["buyerInfo", "shippingAddress"]
        }
    ]
)

Does this look the same as what you are trying now?

Well, this is exactly what I tried to do and then it shows this error: SellingApiForbiddenException: [{'message': 'Access to requested resource is denied.', 'code': 'Unauthorized', 'details': ''}]

sinancetinkaya commented 2 years ago

As far as I remember I had a problem with lwa_app_id.
On Amazon dashboard I thought lwa_app_id was referring to something different.
But it turned out that lwa_app_id was referring to LWA credentials Client identifier,
which is similar to amzn1.application-oa2-client.xxxxxxxxxxxxxxxxxxxxxx
Ensure that you didn't make the same mistake.

paulabirocchi commented 2 years ago

Yes, I'm using the LWA credentials Client Identifier. I can access the Orders normally, but I couldn't generate the RDT.

sinancetinkaya commented 2 years ago

Then you still have a problem with your account. You need to reach out to Amazon

On Fri, Nov 26, 2021, 15:55 Paula Birocchi @.***> wrote:

Yes, I'm using the LWA credentials Client Identifier. I can access the Orders normally, but I couldn't generate the RDT.


github-actions[bot] commented 2 years ago

This is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue after the latest release and if you find that this is still a problem, please feel free to open a new issue and make a reference to this one.