Selling Partner API Launch

[seanevan]

Hi all,

We have launched the ability for all developers to register for Selling Partner API!

You can get started by logging in to Seller Central and going to the App &Services -> Develop Apps menu. Once there, you will need to complete your Developer Profile if you have not done so previously, and you can then add a new application.

We're all excited to see what innovations you'll build using SP-API. Our support teams stand ready to assist you with this process - please don't hesitate to ask if you have any questions or concerns.

Best regards, Sean Evans Manager, Support Engineering

[hpehpe]

Struggling with the "Login with Amazon for iOS Apps" ... guys, Objective C is last years news. Many developers only know Swift these days... really annoying to have to translate the old Objective C code...

[hpehpe]

Ok, perhaps I need to ask this question: Is it worth it to use the "Login with Amazon SDK for iOS APIs"... will I get the access token I need in order to connect to the Selling Partner API?

[ionafan2]

For all PHP folks Selling Partner Api PHP Sandbox Just clone it, modify .env and you ready to go! @wanghuoling @tharrington @noor-mohmmad @zhanfjunjun and rest

[wanghuoling]

@ionafan2 Thanks .I'll try.

[aspence07]

I followed the 'Create an IAM Role' step here meticulously:

https://github.com/amzn/selling-partner-api-docs/blob/main/guides/developer-guide/SellingPartnerApiDeveloperGuide.md#step-4-create-an-iam-role

I'm getting this error when I try to do the AssumeRole step:

'Roles may not be assumed by root accounts'

[ionafan2]

@aspence07 So do what it says. Create NOT Root user Get it's credentials and assumeRole for it. Just follow these sections of documentation carefully:

• Step 2. Create an IAM user
• Step 3. Create an IAM policy
• Step 4. Create an IAM role Step
• Step 5. Add an AWS Security Token Service policy to your IAM user

[aspence07]

here's a complete working .NET implementation minus actual credentials

I had to manually add the selling partner api project from here to my solution:

https://github.com/amzn/selling-partner-api-models

`using Amazon.Runtime; using Amazon.SecurityToken; using Amazon.SecurityToken.Model; using Amazon.SellingPartnerAPIAA; using RestSharp; using System; using System.Threading.Tasks;

namespace amazon_sp_api_test { class Program { static void Main(string[] args) { AssumeRoleResponse assumeRoleResponse = null;

        Task.Run(async () =>
        {
            assumeRoleResponse = await GetAssumeRoleTokenDetail();
        }).GetAwaiter().GetResult();

        var baseUrl = "https://sellingpartnerapi-na.amazon.com";

        string resource = "/reports/2020-09-04/reports";
        RestClient restClient = new RestClient(baseUrl);
        IRestRequest restRequest = new RestRequest(resource, Method.GET);

        restRequest.AddQueryParameter("reportTypes", "GET_FLAT_FILE_OPEN_LISTINGS_DATA");

        // LWA credentials for app in amazon seller central
        var clientId = "foo";
        var clientSecret = "foo";
        // generate refresh token with 'Authorize' action for app in amazon seller central
        var refreshToken = "foo";

        var lwaAuthCreds = new LWAAuthorizationCredentials
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            RefreshToken = refreshToken,
            Endpoint = new Uri("https://api.amazon.com/auth/o2/token")
        };

        restRequest = new LWAAuthorizationSigner(lwaAuthCreds).Sign(restRequest);

        var awsAuthCreds = new AWSAuthenticationCredentials
        {
            AccessKeyId = assumeRoleResponse.Credentials.AccessKeyId,
            SecretKey = assumeRoleResponse.Credentials.SecretAccessKey,
            Region = "us-east-1"
        };

        restRequest.AddHeader("X-Amz-Security-Token", assumeRoleResponse.Credentials.SessionToken);

        restRequest = new AWSSigV4Signer(awsAuthCreds)
            .Sign(restRequest, restClient.BaseUrl.Host);

        var response = restClient.Execute(restRequest);

        Console.WriteLine(response.StatusCode);
        Console.WriteLine(response.Content);
    }
    // END method def Main()

    private static async Task<AssumeRoleResponse> GetAssumeRoleTokenDetail()
    {
        // AWS IAM user data, NOT seller central dev data
        var accessKey = "foo";
        var secretKey = "foo";

        var credentials = new BasicAWSCredentials(accessKey, secretKey);

        var client = new AmazonSecurityTokenServiceClient(credentials);

        var assumeRoleRequest = new AssumeRoleRequest()
        {
            DurationSeconds = 3600,
            // role ARN you create here: 
            // https://github.com/amzn/selling-partner-api-docs/blob/main/guides/developer-guide/SellingPartnerApiDeveloperGuide.md#step-4-create-an-iam-role
            RoleArn = "foo",
            RoleSessionName = DateTime.Now.Ticks.ToString()
        };

        var assumeRoleResponse = await client.AssumeRoleAsync(assumeRoleRequest);

        Console.WriteLine(assumeRoleResponse.HttpStatusCode);

        return assumeRoleResponse;
    }
}

}`

[ramieblatt]

Hi @rogersv and thanks for fast reply. You right. It's working now! Here is fully working solution. I also tested it in Postman. BTW x-amz-access-token IS case-sensitive. I spent about 2 hours before I figured that out. It was funny, the server responded Access token is missing in the request header. anyway. Hopes this is saved someone's time.

FWIW, after spending a long time on this the kicker was that, yes, the 'x-amz-access-token' header must appear in lowercase, which of course is not in keeping with RFC 7230! See below.

Amazon can you save a lot of developers from headaches due to this inadequacy in your web service? You should accept any case for 'x-amz-access-token' and other headers, per RFC 7230.

RFC 7230 See: https://tools.ietf.org/html/rfc7230#appendix-A.2 (Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.)

[rogersv]

@ramieblatt it is in the documentation see https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

To create the signed headers list, convert all header names to lowercase, sort them by character code, and use a semicolon to separate the header names

I do not think header names in the actual headers must be lowercase but they have to be lowercase in the signing process.

EDIT: @ramieblatt if header names have to be lowercase then I also think the documentation is missing this information (or it is a bug).

[ionafan2]

Hi folks! Here is another sandbox with Postman Selling Partner API Postman Sandbox Enjoy!

[rcalv002]

For c#

Has anyone actually been able to just download the repo, generate for example orders project via swagger codegen, build, reference these in a simple console app, and actually pull back data? It seems the SellingPartnerAPIAA is set to .netstandard 2.0 and the models you build via codegen end up on 1.3 and theres some mismatch between restsharp and restsharp portable ( some port from 2016?)

[aspence07]

@rcalv002 i have a working c# example above, although i didn't use swagger codegen

i think i had a similar issue with restsharp, you have to use the older version that the Amazon.SellingPartnerAPIAA project uses

[ramieblatt]

@ramieblatt it is in the documentation see https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

To create the signed headers list, convert all header names to lowercase, sort them by character code, and use a semicolon to separate the header names

I do not think header names in the actual headers must be lowercase but they have to be lowercase in the signing process.

Well, I do the signing via the AWS ADK, so that lowercasing was automatically being done for the canonical url, signature etc, but what I'm talking about is that I couldn't get any SP-API call to work/be authorized unless the actual 'x-amz-access-token' header was all in lowercase. And when the call succeeded, the web service returned inconsistently mixed case header names... see an actual redacted production call, below:

_> GET https://sellingpartnerapi-na.amazon.com/vendor/directFulfillment/orders/v1/purchaseOrders?shipFromPartyId=XXXX&limit=N&createdAfter=2020-12-02&createdBefore=2020-12-05&sortOrder=DESC&includeDetails=true
Content-Type: application/json
Cache-Control: no-cache
Host: sellingpartnerapi-na.amazon.com
**x-amz-access-token: Atza|IwEBI...**
x-amz-date: 20201206T015109Z
User-Agent: ....
x-amz-content-sha256: e3b0c44298f....
Authorization: AWS4-HMAC-SHA256 Credential=AKI...../20201206/us-east-1/execute-api/aws4_request, SignedHeaders=cache-control;content-type;host;user-agent;x-amz-access-token;x-amz-content-sha256;x-amz-date, Signature=86c21....
Connection: close

< 200 OK
Date: Sun, 06 Dec 2020 01:51:10 GMT
Content-Type: application/json
Content-Length: 4018
Connection: close
**x-amzn-RequestId: 4a8c6f....
x-amzn-RateLimit-Limit: 10.0
x-amz-apigw-id: XG3aMH....
X-Amzn-Trace-Id: Root=1-5fcc3.....**

{"payload":{"pagination":{"nextToken":"WyJUV2d...."},"orders":[{"purchaseOrderNumber":"Tt....","orderDetails":{"customerOrderN....._

[winterstefan]

Thank you very much @ionafan2 for providing details on your implementation with PHP! With that, I was finally able to get pass my InvalidSignatureException (cause: I didn't use the AWS STS service to retrieve e.g. session token).

Now I'm stuck at this well-known Access to requested resource is denied. error (when calling SP-API for creating inventory report as example). Your code, and none of the commented solutions in this thread got it working for me. Running your provided Postman Collection resulted in the very same error.

Do you @ionafan2 or any other kind person have any hint on what in the universe of Amazon could be wrong or mis-configured on my side? I followed the SP-API docs to the point but I'm quiet confused about the overall prerequisites of my account. Currently my application is brand new (so never used MWS API), it's in draft state and I try it with my own developer account on the Sandbox API. Do I - for example - need to get the application out of draft state (but how, if it's not production-ready)?

Thank you!

[rcalv002]

Hi All!

Finally got a C# solution using the swagger generated libraries, however although we can retrieve order data, the reports API still returns a forbidden response, is that endpoint working for anyone else?

[aspence07]

@rcalv002 reports endpoint works for me:

` public static void GetReports() { AssumeRoleResponse assumeRoleResponse = null;

        Task.Run(async () =>
        {
            assumeRoleResponse = await GetAssumeRoleTokenDetail();
        }).GetAwaiter().GetResult();

        string resource = "/reports/2020-09-04/reports";

        RestClient restClient = new RestClient(baseUrl);
        IRestRequest restRequest = new RestRequest(resource, Method.GET);

        restRequest.AddQueryParameter("reportTypes", "GET_FLAT_FILE_OPEN_LISTINGS_DATA");

        restRequest = new LWAAuthorizationSigner(lwaAuthCreds).Sign(restRequest);

        var awsAuthCreds = new AWSAuthenticationCredentials
        {
            AccessKeyId = assumeRoleResponse.Credentials.AccessKeyId,
            SecretKey = assumeRoleResponse.Credentials.SecretAccessKey,
            Region = "us-east-1"
        };

        restRequest.AddHeader("X-Amz-Security-Token", assumeRoleResponse.Credentials.SessionToken);

        restRequest = new AWSSigV4Signer(awsAuthCreds)
            .Sign(restRequest, restClient.BaseUrl.Host);

        var response = restClient.Execute(restRequest);

        Console.WriteLine("api call response status : " + response.StatusCode);
        Console.WriteLine(response.Content);
    }
    // END method def GetReports()`

[zimba85]

@wanghuoling

I was able to get rid of the 403 by creating a new app and using the AIM ARN of the Role as per documentation

In this workflow, that IAM entity is the IAM role from Step 4. Create an IAM role.

Hope this help you fix it

[parvathm]

For all PHP folks Selling Partner Api PHP Sandbox Just clone it, modify .env and you ready to go! @wanghuoling @tharrington @noor-mohmmad @zhanfjunjun and rest

@ionafan2 Will you be interested in submitting a PR for your PHP Authentication library?

Thanks, Pavathm Selling Partner Developer Support.

[ionafan2]

Hi @parvathm I'm interested! Let me know what exactly you need, and I'll be happy to contribute. Just create an issue in the project you want me to contribute. Send me a link to that issue and let’s continue discussion there.

[pradeepKsrvastva]

@ionafan2 Followed as mentioned below and below is my Guzzle log but somehow i am still getting Access to requested resource is denied @ionafan2 It would be great if you can help it will help me and alot of other PHP folks like me who will come here in desperately to find a solution Few notes

1.AssumeRole is returning key and tokens 2.Access key is also getting returned

I am stucked at last step dont understand what i am doing wrong i followed SP-api guide and have compared it 50 times now to make sure its exactly same.

Guzzle Log GET /orders/v0/orders?MarketplaceIds=A1F83G8C2ARO7P&CreatedAfter=2020-11-01 HTTP/1.1 Host: sellingpartnerapi-eu.amazon.com User-Agent: GuzzleHttp/6.5.5 curl/7.47.0 PHP/7.0.33-20+ubuntu16.04.1+deb.sury.org+1 x-amz-access-token: Atza|IwEBIGV6d6dSw9s3xxsYvjFVInTZ9iqVUJ11nR3w2Yvojo6_CWrwCZTuAA6gQCmwjEW3BNZpx2ie1kfuJVTPAk6l1Y97dizhHZjfoa7ayQ4L5GYmLKziPW9jy4pGZSe9Ez50S8Alj0zr2osa5Q0Sv_bR-RDnvm9fn_5c0RXCHyQkkEQQ2DYz7sgoqsz1UsQU5tiHX5VWF22a87xteNXLVEiaMeYHrXQ86pNo6LzW07cRMymkhGHe_AS2UAtYhtUgHFu5JXbHuZwReWyMXSl7iyr91FYRAQeJLTjZFoUUpdLDQ2c3Ux0nFxF5F* X-Amz-Date: 20201218T104736Z X-Amz-Security-Token: FwoGZXIvYXdzEKz//////////wEaDMIJBxKjEBSiPQhg4iKvAQP3QRkTYXpZajtDgq/RpaWYeoUemM3tnZQwkqdOu8YtKaIrXZ2ifU+0sonuJhf5cgbBSkPHH3VqZ+43u1xwH4sUEuWeNbZG9DUiqxii04oktwdX0mq6BhnEVn3kc5ULUts0HxzbKeCHDd7f4+wKhIE0hupgB+dUtSK0qkPn4swd7HcXVUPpN29Rk4JxjA8eMR3ltDMlopV0G3IAX/uEkXUfzBZgEpXlGa4tDb7** Authorization: AWS4-HMAC-SHA256 Credential=ASIA5PDDPQHDN7DYN7OF/20201218/eu-west-1/execute-api/aws4_request, SignedHeaders=host;x-amz-access-token;x-amz-date;x-amz-security-token, Signature=*

< HTTP/1.1 403 Forbidden < Date: Fri, 18 Dec 2020 10:47:37 GMT < Content-Type: application/json < Content-Length: 141 < Connection: keep-alive < x-amzn-RequestId: 7c76cf11-833b-4b89-ada8-cb62a5afecf2 < x-amzn-ErrorType: AccessDeniedException < x-amz-apigw-id: XvpPaHP2joEFsmA= <

• Connection amzn/selling-partner-api-models#670 to host sellingpartnerapi-eu.amazon.com left intact

Fatal error: Uncaught GuzzleHttp\Exception\ClientException: Client error: GET https://sellingpartnerapi-eu.amazon.com/orders/v0/orders?MarketplaceIds=A1F83G8C2ARO7P&CreatedAfter=2020-11-01 resulted in a 403 Forbidden response: { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "det (truncated...) } ] }

@wanghuoling

1. Setup AWS User/Role, and you got these: aws_user_key, aws_user_secret, RoleArn
2. Setup SP Application, and you got these: app_client_id, app_client_secret
3. Authorize your Application by Website workflow or Self Authorization
4. Assume role with RoleArn, and you got CredentialsForSignature
5. Setup Request Signing using CredentialsForSignature (Each time you sign you need to assume role first.)
6. (sign it) Request access_token using refresf_token from Self Authorization or authorization_code from Website workflow
7. (sign it) Do API Call using access_token

But run your code ,it is not include user-agent.

It does by GuzzleHttp eventually. I don’t why you don’t see it

x-amz-access-token: Atza|Ixxxxxxxxx

Make sure your access token from step 4 in my list

[pradeepKsrvastva]

@ionafan2 Finally made it to work after two days of continuous struggle!!! for me issue was while registering app in seller central in IAM ARN i added User ARN whereas it needs ARN of Step 4. Create an IAM role as detailed over here https://github.com/amzn/selling-partner-api-docs/blob/main/guides/developer-guide/SellingPartnerApiDeveloperGuide.md#step-4-create-an-iam-role

Also one more tip make sure you have defined trust relationship in Role create new Role attach the policy: AmazonS3FullAccess, (copy the role ARN, use in code below)

Select Trust relationships tab - Edit Trust Relationship { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "",//the roleARN need to be granted, use for all "Service": "s3.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } update Trust relationships

[parvathm]

Hi @parvathm I'm interested! Let me know what exactly you need, and I'll be happy to contribute. Just create an issue in the project you want me to contribute. Send me a link to that issue and let’s continue discussion there.

Hi @ionafan2 , Please navigate to the folder where client code is added https://github.com/amzn/selling-partner-api-models/tree/main/clients . You can add your php code to a branch and from there I think you can submit a PR.

Thanks, Parvathm, Selling partner API Developer Support.

[vdanyliv]

I published the second part of my story on how to integrate with SPAPI. In this story, I shared how to correctly generate an LWA access token, sign the request using sts / aws4, and finally make the request to the selling partner API.

Amazon selling partner API (SPAPI) — how to quickly and simply integrate with new API (Part 2)

[Bensonhai]

1.AssumeRole is returning key and tokens 2.Access key is also getting returned 3.The vendor center registry uses the IAM role

{"errors": [ { "message":"Access to requested resource is denied.", "code":"Unauthorized", "details": "" } ] }

Thanks

case ID: 7718181351

[ionafan2]

@parvathm PR submitted! See https://github.com/amzn/selling-partner-api-models/pull/47

[kulbir]

@seanevan I am trying to integrate the new SP-API. But I am getting below error response.

Note: I am able to generate refresh token.

{
    "errors": [
        {
            "message": "Access to requested resource is denied.",
            "code": "Unauthorized",
            "details": "The access token you provided has expired."
        }
    ]
}

I am trying to test with PostMan and using the AWS Authentication feature from it.

I have also a case open 6675110012.

Thanks

[parvathm]

@parvathm PR submitted! See amzn/selling-partner-api-models#47

Thank you @ionafan2 . We will work on it and get back to you as soon as possible.

Thanks, Parvathm, Selling Partner API Developer support.

[jainjayesh]

@ionafan2 Finally made it to work after two days of continuous struggle!!! for me issue was while registering app in seller central in IAM ARN i added User ARN whereas it needs ARN of Step 4. Create an IAM role as detailed over here https://github.com/amzn/selling-partner-api-docs/blob/main/guides/developer-guide/SellingPartnerApiDeveloperGuide.md#step-4-create-an-iam-role

Also one more tip make sure you have defined trust relationship in Role create new Role attach the policy: AmazonS3FullAccess, (copy the role ARN, use in code below)

Select Trust relationships tab - Edit Trust Relationship { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "",//the roleARN need to be granted, use for all "Service": "s3.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } update Trust relationships

Hi Pradeep, I a getting the same issue when calling the GET_FLAT_FILE_ACTIONABLE_ORDER_DATA_SHIPPING report. It works fine when calling the GET_MERCHANT_LISTINGS_ALL_DATA report. Can you help me with the issue?

[aniketkachan]

Hi,

I want one report in xml format. I am using "getReports" API.

I am able to fetch report using "GET_V2_SETTLEMENT_REPORT_DATA_FLAT_FILE" but not able fetch it using "GET_V2_SETTLEMENT_REPORT_DATA_XML" report type using same input parameter. What could be the issue.

[mottadelli-smeup]

I obtain the same issue when calling the GET_FLAT_FILE_ACTIONABLE_ORDER_DATA_SHIPPING report. I test it with java ReportsApi code and c# ReportsApi code

Forbidden { "errors": [ { "code": "Unauthorized", "message": "Access to the resource is forbidden", "details": "" } ] }

It works fine when calling the GET_MERCHANT_LISTINGS_ALL_DATA or GET_XML_ALL_ORDERS_DATA_BY_LAST_UPDATE_GENERAL report type

Can you help me with the issue? I'm struggling but without success! Why reply Unauthorized ? I'm try on my European marketplace.

[discover59]

Is it possible to get authorization to access both advertising API and selling partner API with one click sign in? I have created issue on https://github.com/amzn/selling-partner-api-models/issues/952

[mrkph]

I use the generated SDK to call sellersApi but it shows AWSSecurityTokenServiceException: User is not authorized to perform: sts:AssumeRole on resource, how can I solve this problem? Can someone help me? Status Code: 403 Request ID: 7057136e-b0ab-42fe-9f7f-ac2cfc5983cf)

[FranciscoVi]

Hi, We have the next problem with SP-API. The aplication is HIPER_CALZADO (draft state) I follow having the ERROR with the SP-API: Access to Orders.ListOrders is denied

We have opened in Amazon the case 6560068722 from 16th December without reply. After that we have opened other case where Amazon asked me:

Operation:Orders: ListOrders MarketplaceId:mws.amazonservices.es RequestId:71887a1d-f6ac-4937-9806-c2da4b0eb9a3 TimeStamp:2021-01-07T09%3A27%3A40Z

After I reply this Amazon don't reply. We are on a dead end with the problem: Access to Orders.ListOrders is denied

Can someone help us? Please.

[seek78]

HI, I have a problem invoking AssumeRole with @ionafan2 sandbox. Here the call with error:

GET /?Version=2011-06-15&Action=AssumeRole&RoleSessionName=postmanSpApi&RoleArn=arn:aws:iam::MY_VALID_ID:user/MY_VALID_USERNAME HTTP/1.1
Host: sts.amazonaws.com
X-Amz-Date: 20210202T224609Z
Authorization: AWS4-HMAC-SHA256 Credential=MY_VALID_ACCESS_KEY_ID/20210202/eu-west-1/sts/aws4_request, SignedHeaders=host;x-amz-date, Signature=30a4ec85519f1d8126939235fd59602ebc3e7e8b2f7b178ce17027748d10931c
User-Agent: PostmanRuntime/7.26.10
Accept: */*
Cache-Control: no-cache
Postman-Token: b3aa2091-5d68-4119-97b6-fc23440e57eb
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
HTTP/1.1 403 Forbidden
x-amzn-RequestId: 870403a0-9b26-4039-aace-c4e5d10e3264
Content-Type: text/xml
Content-Length: 317
Date: Tue, 02 Feb 2021 22:46:10 GMT

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region, not 'eu-west-1'. </Message>
  </Error>
  <RequestId>870403a0-9b26-4039-aace-c4e5d10e3264</RequestId>
</ErrorResponse>

Any advice about what could be wrong? Thanks

[ionafan2]

Hi @seek78, The error message is self-explanatory: "Credential should be scoped to a valid region, not 'eu-west-1'." Make sure you use correct value in .env file AWS_REGION= or make sure your user/role/permissions set up in correct region in AWS console. They should match. If you need more assistance, open an issue in the sandbox repository.

[noor-mohmmad]

This is a regional error i think you have not set the proper region. Please check endpoints with region.

On Wed, Feb 3, 2021 at 4:41 AM Pavlo Cherniavsyi notifications@github.com wrote:

Hi @seek78 https://github.com/seek78, The error message is self-explanatory: "Credential should be scoped to a valid region, not 'eu-west-1'." Make sure you use correct value in .env file AWS_REGION= or make sure your user/role/permissions set up in correct region in AWS console. They should match. If you need more assistance, open an issue in the sandbox repository.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/amzn/selling-partner-api-models/issues/690, or unsubscribe https://github.com/notifications/unsubscribe-auth/AGFUENA46VVJQV3DKCJ5INTS5CBDRANCNFSM4SAY7DBQ .

[testniaccunt]

Hi, I created an user, role, policy and registered a new app (it's in status draft). I am trying to create a feed in c#. I am using a combination from solution "SellingPartnerAPIAuthAndAuthCSharp" and swagger feeds-api-model client.

CallApi in Apiclient.cs looks like this:

• So, i am signing the request here

My header configuration and CreateFeedDocumentSpecification call is here:

And a the end, my response: What could be the problem?

[noor-mohmmad]

This may be a permission issue of the developer keys.

On Wed, Feb 3, 2021 at 4:25 PM testniaccunt notifications@github.com wrote:

Hi, I created an user, role, policy and registered a new app (it's in status draft). I am trying to create a feed in c#. I am using a combination from solution "SellingPartnerAPIAuthAndAuthCSharp" and swagger feeds-api-model client.

CallApi in Apiclient.cs looks like this: [image: image] https://user-images.githubusercontent.com/78367861/106736828-3d60cd80-6616-11eb-841c-8c408a68fb18.png

• So, i am signing the request here My header configuration and CreateFeedDocumentSpecification call is here: [image: image] https://user-images.githubusercontent.com/78367861/106737140-9df00a80-6616-11eb-9470-54c8180ee07e.png

And a the end, my response: [image: image] https://user-images.githubusercontent.com/78367861/106737197-ae07ea00-6616-11eb-877a-38c90a534127.png What could be the problem?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/amzn/selling-partner-api-models/issues/690, or unsubscribe https://github.com/notifications/unsubscribe-auth/AGFUENEXHXPJTLTJLJJ5I2LS5ETTBANCNFSM4SAY7DBQ .

[testniaccunt]

Can you please explain a little bit more?

[esoler91]

Good afternoon. I am developing a connector for our ERP Navision and I am encountering the following problem. When I make the request to Selling api the response is the following: And if I look at the string to sign that I have generated, it is the same as the one in the response: My signature and the one that the system is calculating is the same. From Postman I have managed to make the request successfully. Anyway, I have one more question:

• Is it necessary to convert the hashes to hex? In some codes they do and in others they don't.

[Web2021]

@ionafan2 Finally made it to work after two days of continuous struggle!!! for me issue was while registering app in seller central in IAM ARN i added User ARN whereas it needs ARN of Step 4. Create an IAM role as detailed over here https://github.com/amzn/selling-partner-api-docs/blob/main/guides/developer-guide/SellingPartnerApiDeveloperGuide.md#step-4-create-an-iam-role

Also one more tip make sure you have defined trust relationship in Role create new Role attach the policy: AmazonS3FullAccess, (copy the role ARN, use in code below)

Select Trust relationships tab - Edit Trust Relationship { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "",//the roleARN need to be granted, use for all "Service": "s3.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } update Trust relationships

Hi, I have the same issue. My response is:

Client error: GET https://sellingpartnerapi-eu.amazon.com/catalog/v0/items/B0002ZFTJA?MarketplaceId=A1PA6795UKMFR9 resulted in a 403 Forbidden response: { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "det (truncated...)

I registered the role arn in seller central: arn:aws:iam::100000000:role/SellingPartnerRole instead of the user arn as described in the post above. Unfortunately i still get the same error.

I used the clousale amazon-sp-api-php code (https://github.com/clousale/amazon-sp-api-php)

The accessToken was generated correctly. The created app has the "draft" status. Is it possible to test with this status?

[MariusProf]

I am getting the same error response in C#.. { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }

` string resource = "/orders/v0/orders";

            RestClient restClient = new RestClient(_url);

            IRestRequest restRequest = new RestRequest(resource, Method.GET);

            LWAAuthorizationCredentials lwaAuthorizationCredentials = new LWAAuthorizationCredentials
            {

                ClientId = _clientId,
                ClientSecret = _clientSecret,
                RefreshToken = _refreshToken,
                Endpoint = new Uri("https://api.amazon.com/auth/o2/token"),

            };

            restRequest.AddQueryParameter("MarketplaceIds", "A1PA6795UKMFR9");

            restRequest = new LWAAuthorizationSigner(lwaAuthorizationCredentials).Sign(restRequest);

            AWSAuthenticationCredentials aws = new AWSAuthenticationCredentials();
            aws.AccessKeyId = _accessKeyId;
            aws.SecretKey = _secretKey;
            aws.Region = _region;
            AWSSigV4Signer signer = new AWSSigV4Signer(aws);
            signer.Sign(restRequest, restClient.BaseUrl.Host);

            var response = restClient.Execute(restRequest);

            if (response.StatusCode == System.Net.HttpStatusCode.OK)
            {
                Console.WriteLine(response.Content);
            }
            else
            {
                Console.WriteLine(response.StatusCode);
                Console.WriteLine(response.Content);

            }`

I read that you need to add IAM Role ARN but how?

[seanevan]

Hi all, for any "access denied" errors, please open a support case with us so we can pursue an investigation, which may require exchanging sensitive info: https://developer.amazonservices.com/support.

Best regards, Sean Evans Manager, Support Engineering