amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

Access to requested resource is denied #699

Closed phamanh195 closed 3 years ago

phamanh195 commented 3 years ago

Hi, I am trying the new SP-API and I ran into an authorization issue when calling a request. Steps I did:

  1. Create IAM user, role, permission, etc. and get access key, secret access key.
  2. Use IAM, access key, secret access key to create app and get access token as well as refresh token.
  3. Use this access token to sign the API request.

Headers included: host;user-agent;x-amz-access-token;x-amz-date

Canonical request:

"""
GET /feeds/2020-09-04/feeds

host:sellingpartnerapi-na.amazon.com
user-agent: { user-agent }
x-amz-access-token: { my-access-token }
x-amz-date:20201013T024957Z

host;user-agent;x-amz-access-token;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

Authorize header:

"""
AWS4-HMAC-SHA256 Credential={ access-key-when-create-IAM }/20201013/us-east-1/execute-api/aws4_request, SignedHeaders=host;user-agent;x-amz-access-token;x-amz-date, Signature={ signature }
"""

And I always get an authorization issue. Response:

"""
{
    "errors": [
        {
            "message": "Access to requested resource is denied.",
            "code": "Unauthorized",
            "details": ""
        }
    ]
}
"""

There is no detailed information. Is this a server-side error, or did I miss something when submitting the request? Could you please help me address this issue?
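As an added illustration (not part of the original thread and not Amazon's code), this Python sketch builds the SigV4 canonical request and Authorization header for the request in the post above, using only the standard library. The access key, secret key, access token and user-agent values are constructed placeholders.

```python
import hashlib
import hmac

# SHA-256 of an empty body: the last line of the canonical request for a GET.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed sample values; none of these are real credentials or tokens.
SAMPLE_HEADERS = {
    "host": "sellingpartnerapi-na.amazon.com",
    "user-agent": "example-app/1.0 (Language=Python)",
    "x-amz-access-token": "Atza|constructed-lwa-access-token",
    "x-amz-date": "20201013T024957Z",
}

def canonical_request(method, path, query, headers, payload=b""):
    """Return (canonical request, signed-header list) per SigV4."""
    # Lowercase names, trim and collapse whitespace in values, sort by name.
    items = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canon_headers = "".join(f"{k}:{v}\n" for k, v in items)
    signed = ";".join(k for k, _ in items)
    payload_hash = hashlib.sha256(payload).hexdigest()
    # Method, URI and query string each take their own line; an empty query
    # string is an empty line, and canon_headers already ends with "\n".
    creq = "\n".join([method, path, query, canon_headers, signed, payload_hash])
    return creq, signed

def authorization_header(access_key, secret_key, region, service,
                         method, path, query, headers, payload=b""):
    """Build the Authorization header value for one request."""
    amz_date = {k.lower(): v for k, v in headers.items()}["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    creq, signed = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(creq.encode()).hexdigest(),
    ])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")

if __name__ == "__main__":
    print(authorization_header("EXAMPLE-ACCESS-KEY-ID", "constructed-secret-key",
                               "us-east-1", "execute-api", "GET",
                               "/feeds/2020-09-04/feeds", "", SAMPLE_HEADERS))
```

A valid signature only establishes which IAM identity signed the request; whether that identity may invoke the API is decided by its IAM policy, which is what the replies in this thread adjust.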

iamsr commented 3 years ago

In my case, step 5 was missing with creating the policy for the user providing the ARN role path.

https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/developer-guide/SellingPartnerApiDeveloperGuide.md#step-1.-the-seller-initiates-authorization-from-the-marketplace-appstore

Step 5. Add an AWS Security Token Service policy to your IAM user

harvetech commented 2 years ago

It looks like the guidance on the docs around adding a role doesn't seem to work (or I have messed it up somehow). The workaround is to add the policy directly to the user as per phamanh195's suggestion: IAM Management Console => users => select user => add inline policy => click on JSON tab => add the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:*:*"
        }
    ]
}

Appreciate it is not best practice, but I've got access now. P.S. I have removed the policy and it has defaulted back to the authorization error above.

hey @krybbio @cdragon1116 I tried the same thing ... but it's not working ..... Do I have to create a new app again after updating the policy? Stuck on this for days ...

Tried this all but none of the solutions available on this thread helped. Still getting the following error: [{'message': 'Access to requested resource is denied.', 'code': 'Unauthorized', 'details': ''}]

soseki-angfa commented 1 year ago

I am having exactly the same error.

I have the following policy, but it did not work. The bad thing is it does not state what is wrong with it....

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:*:*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}