Closed cdragon1116 closed 3 years ago
Update Question: is it because my app is still in draft state?
Hi,
Was this happening because your app was in the draft state? If so, how do we get an approval? I don't see any options in the seller platform...
Thank you!
Have you found the answer? I had the same problem, and I need your help.
I had the error because of a stupid mistake, a typo in the URL. Instead of returning a 404, it returns an access denied error. You can check if your URL is correctly structured.
@weiliguo15634145 Do you have more details on your request & response?
I fixed this by:
- use the role ARN to create application instead of user ARN
- Test the application by linking the same seller center account instead of other account in other region
I did create the app using the role ARN. As for the second point, the region I am using is us-east-1, and my seller account is enabled in that region.
This is my request:
curl --location --request GET 'https://sellingpartnerapi-na.amazon.com/sellers/v1/marketplaceParticipations' \
--header 'x-amz-date: 20210302T034036Z' \
--header 'x-amz-access-token: Atza|IwEBIKDHkgVx0iYCw8Dtvh81ODjR_ZFY0xtfQS6N85teK2yakGnv6h06SyzUrJP5gAq0wEDLn03TdmIMmqL4rubUaDl-2V_lmVzOSs_AzRiNA59YSiZf36l0KHaduQUmpb56mwXUYjbNiIs7-JPG86e5NXfeVjRHlVa-P3zU8FLBuADwmgQaoFhuEaDu7I6VYzKeocvnNcr-dqnWgtrVbdCwuyc5qRBfvjTjVJLU38RBD0aNG2hzkIgzUdQbhz1z_hROvwap-odYlkkkXJXv3-Ow4ghg1FO6yRGEoDw-ol3srtx2GOJ6ZFelpPpQe2IJDGykAjbZSkguyF7zy00B_lvn6k' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential=AKIA3FDOEBBUMNP6NPFX/20210302/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-date, Signature=360ec326b5291d2838c8877877ba1a28e972a200db78909cdc7f8f323de08414' \
--header 'Cookie: session-id=135-2764850-4378362; ubid-main=130-6552660-4645255; session-token=RJVECBmGp7ajtUn5CFpRdh4uoS1+lyDIMpKJybaa5tmDtSTW5MSnMj215VdZvoHWTD+tgzyYPfXDjbHgoXgkrKbh4MTSWoJufu084ne4xh4lgdsj5GNXTSWGsE8KxYzr5l56MqIJ2PKPswRzIIbkGgmwU6ON3FaaXHyjYjn4jflCuYlN2oJsflhQ1QzomtKOwCNQ2p1JmPSYx8aWCbgOCDa0hWe7d0YB; session-id-time=2244707947l'
This is the response:
{ "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }
@weiliguo15634145
I did create the app using the role ARN. As for the second point, the region I am using is us-east-1, and my seller account is enabled in that region.
Then the setup should be fine.
Your Authorization looks a little weird to me. How did you sign your request?
--header 'Authorization: AWS4-HMAC-SHA256 Credential=AKIA3FDOEBBUMNP6NPFX/20210302/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-date, Signature=360ec326b5291d2838c8877877ba1a28e972a200db78909cdc7f8f323de08414'
Looks like you only signed `host;x-amz-date` in your request. You should sign your request along with access token and `AssumeRole` credentials:
- Call assumeRole to get `access_key_id` & `secret_access_key` & `session_token` (this is a missing step in Doc) https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html You can find some code REF here: https://github.com/amzn/selling-partner-api-models/issues/713
- Use the above 3 credentials and the other required info (access_token, date) to sign your request https://github.com/amzn/selling-partner-api-docs/blob/main/guides/developer-guide/SellingPartnerApiDeveloperGuide.md#step-4-create-and-sign-your-request
An example of a signed header might be like this:
AWS4-HMAC-SHA256 Credential=ASIAUDJT3KUQPEL3DLG4/20210302/eu-west-1/execute-api/aws4_request, SignedHeaders=content-type;host;x-amz-access-token;x-amz-date;x-amz-security-token, Signature=f71f5f0c12b006ac4ad812949bffce6d73e37480d7ee5c489c144ab7147850b5
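
The signing step described in the reply above, written out with only Ruby's standard library (an added example, not code from this thread or from Amazon's SDKs): it signs a request with AssumeRole credentials so that `x-amz-access-token` and `x-amz-security-token` both appear in SignedHeaders. The names `sp_api_sigv4_headers`, `sigv4_escape` and `SAMPLE_CREDS` and all credential values are constructed for illustration; the code assumes a URL path that needs no percent-encoding and header values without repeated whitespace.

```ruby
require 'openssl'
require 'uri'

# RFC 3986 percent-encoding as SigV4 expects (unreserved characters are kept).
def sigv4_escape(str)
  str.to_s.gsub(/[^A-Za-z0-9\-_.~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Returns the headers to send, including Authorization, for an SP-API request
# signed with temporary AssumeRole credentials (hypothetical helper name).
def sp_api_sigv4_headers(method:, url:, access_token:, creds:, region:,
                         time: Time.now.utc, body: '')
  uri      = URI(url)
  amz_date = time.strftime('%Y%m%dT%H%M%SZ')
  date     = amz_date[0, 8]
  service  = 'execute-api'

  # Every header listed here is covered by the signature, so the LWA access
  # token and the STS session token both end up in SignedHeaders.
  headers = {
    'host'                 => uri.host,
    'x-amz-access-token'   => access_token,
    'x-amz-date'           => amz_date,
    'x-amz-security-token' => creds[:session_token]
  }
  names          = headers.keys.sort
  signed_headers = names.join(';')
  canonical_hdrs = names.map { |n| "#{n}:#{headers[n].strip}\n" }.join

  # Query parameters sorted by name and percent-encoded.
  query = URI.decode_www_form(uri.query.to_s).sort
             .map { |k, v| "#{sigv4_escape(k)}=#{sigv4_escape(v)}" }.join('&')

  canonical_request = [method.upcase, uri.path.empty? ? '/' : uri.path, query,
                       canonical_hdrs, signed_headers,
                       OpenSSL::Digest::SHA256.hexdigest(body)].join("\n")

  scope = "#{date}/#{region}/#{service}/aws4_request"
  string_to_sign = ['AWS4-HMAC-SHA256', amz_date, scope,
                    OpenSSL::Digest::SHA256.hexdigest(canonical_request)].join("\n")

  # Signing key: HMAC chain over date, region, service and "aws4_request".
  key = ["AWS4#{creds[:secret_access_key]}", date, region, service, 'aws4_request']
        .reduce { |k, msg| OpenSSL::HMAC.digest('SHA256', k, msg) }
  signature = OpenSSL::HMAC.hexdigest('SHA256', key, string_to_sign)

  auth = "AWS4-HMAC-SHA256 Credential=#{creds[:access_key_id]}/#{scope}, " \
         "SignedHeaders=#{signed_headers}, Signature=#{signature}"
  headers.merge('authorization' => auth)
end

# Constructed sample values; real ones come from STS AssumeRole and the LWA token endpoint.
SAMPLE_CREDS = { access_key_id: 'ASIAEXAMPLEKEYID', secret_access_key: 'constructed-secret',
                 session_token: 'constructed-session-token' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts sp_api_sigv4_headers(
    method: 'GET', region: 'us-east-1', creds: SAMPLE_CREDS, access_token: 'Atza|constructed',
    url: 'https://sellingpartnerapi-na.amazon.com/sellers/v1/marketplaceParticipations'
  )['authorization']
end
```

The region in the credential scope has to be the one that belongs to the endpoint being called, and the returned headers must be sent unchanged, since altering any signed header after signing invalidates the signature.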
Based on your reply, I modified my request:
First, I obtained the AccessKeyId, SecretAccessKey and SessionToken with the following command:
aws sts assume-role --role-arn arn:aws:iam::*******:role/sp-api-role --role-session-name sp-api-role
Then I obtained the access_token using the self-authorized refreshToken. The final computed signature is:
AWS4-HMAC-SHA256 Credential=ASIA3FDOEBBUCRXBFX4Z/20210302/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-access-token;x-amz-date;x-amz-security-token, Signature=5ebee393e0f789efde7c40d7959c0492fff091cdb51b5b15612370badd607bb9
But I still get the same result:
request:
curl --location --request GET 'https://sellingpartnerapi-na.amazon.com/sellers/v1/marketplaceParticipations' \
--header 'x-amz-date: 20210302T074701Z' \
--header 'x-amz-access-token: Atza|IwEBILnncYBxvGI8M7nGSFTG2YwUU8tbHXkYt4w_wcIa8jWkRtF9IEZfsWA7ZLnCVXM1phfJtDMP-T1qIVMa254dEBfpG8BD-NQHFE2IBYuWvAv15rwz45Aj5o4L1PNFPo9KCyLqNBqU3ClyNTH7LidbgXA-3_jkxSn1WXJWtwQ8i0-AwRjrI2a2MGlcriwHCqFpB8DUxo3WUP23WOTiWGrorUDs39yWDTB12isaCGFCapSKNY8JV5mauAwoH1R8iLPZBONOxGbgSK1MvwEZsZm-cHw1K9ywOiXaa8bmrcROG6aoh_rHcKDCJFjIbPwcmt9G9Xif_NFBCJJCAINpQ9nrR9dZ' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential=ASIA3FDOEBBUCRXBFX4Z/20210302/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-access-token;x-amz-date;x-amz-security-token, Signature=5ebee393e0f789efde7c40d7959c0492fff091cdb51b5b15612370badd607bb9' \
--header 'x-amz-security-token: <SessionToken value not preserved>' \
--header 'Cookie: session-id=135-2764850-4378362; ubid-main=130-6552660-4645255; session-token=RJVECBmGp7ajtUn5CFpRdh4uoS1+lyDIMpKJybaa5tmDtSTW5MSnMj215VdZvoHWTD+tgzyYPfXDjbHgoXgkrKbh4MTSWoJufu084ne4xh4lgdsj5GNXTSWGsE8KxYzr5l56MqIJ2PKPswRzIIbkGgmwU6ON3FaaXHyjYjn4jflCuYlN2oJsflhQ1QzomtKOwCNQ2p1JmPSYx8aWCbgOCDa0hWe7d0YB; session-id-time=2244707947l'
response : { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }
Same issue.... :(
@alfredone270895 All you need to do is to omit the STS Policy and attach the policy that has been created from Step 3. Create an IAM policy into IAM user's permissions directly if using User ARN.
@khanakia
following your solution and receiving :
in a 403 Forbidden
response: {
"Error": {
"Code": "AccessDenied",
"Message":"User: arn:aws:iam::***** is not authorized to perform: sts (truncated...)
}
Thanks anyway for answering me. Any other suggestions?
@khanakia I also tried removing the function for getting AssumeRole, and received:
{ "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }
@alfredone270895
@khanakia I fixed the issue. Now I am receiving another error running on PHP 8 for the order list; I have opened an issue on the repository. Many thanks for the kind help. Hope you succeed. Best regards
Another possible solution: do nothing and wait a bit.
I don't know how, or why, but the issue magically fixed itself for me over my lunch break. See if waiting an hour helps. Your mileage may vary.
After days of struggling, I solved the problem, but there is still a problem that I don't understand.
Solution: In order to send a request to the API, you must add the ARN of the Role you defined to the IAM ARN field in your application (picture 1). It must be role/example, not user/example. Click on the "Authorise" tab under the "action" column of the application in "Developer Central", then click the "generate refresh token" button. Get an access_token with the "refresh_token" you copied (picture 2). You can call the API with the access_token you receive and, of course, STS credentials. But the refresh_token you get as grant_type => refresh_token can't send any request to any API. Does anyone have knowledge about this?
Picture 1
Picture 2
@rctann There are 2 types of authentication Amazon uses:
- Role Based (This is useful when you want to distribute your app to the world and want better control over permissions)
- User Based (This is useful when you want to develop an app for your use only)
I do not quite understand your question. What exactly is the issue you are facing? Secondly, what programming language are you using?
FYI: I have implemented the API using both USER ARN and ROLE ARN in Golang and PHP successfully.
I'm using role based and my app status is DRAFT, so I haven't published yet, and I am using website authorization. When I receive a refresh token with the spapi_oauth_code sent to me, I cannot send a request to the API. However, I can send requests with the refresh token I received from the application section that I mentioned in the comment above. Is it because the app is in DRAFT status?
And I'm using PHP, https://github.com/double-break/spapi-php
@rctann No, my application is also in draft state and I was able to send the request using SAPI successfully both ways, using ROLE ARN and also using USER ARN.
You should read the AMAZON docs again to correctly generate the ARN and set the permissions properly.
@khanakia yeah you're right. my problem is fixed. I have a question for you. Whether I access the orders/{orderId}/buyerInfo API with RDT or with the normal access_token, I get the same data and there is only BuyerEmail in the response. Shouldn't I be able to get the recipient's name, phone etc(AddressLine1, AddressLine2, AddressLine3) values?
@rctann
`orders/{orderId}/buyerInfo` response has only these fields available:
"application/json": {
    "payload": {
        "AmazonOrderId": "902-3159896-1390916",
        "BuyerEmail": "user@amz.com",
        "BuyerName": "John Smith",
        "BuyerTaxInfo": {
            "CompanyLegalName": "Company Name"
        },
        "PurchaseOrderNumber": "2234345435345"
    }
}
@khanakia I tried what you suggested (User based) but I have the same response: { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] } I attached the policy directly to the user, and in the Application (in the SellerCentral) I reference the User ARN instead of the Role ARN. Is it correct? I'm calling the /vendor/directFulfillment/orders/v1/purchaseOrders API and my developer account is enabled for all these topics: Product Listing, Pricing, Amazon Fulfilment, Buyer Communication, Buyer Solicitation, Selling Partner Insights, Finance and Accounting, generate tax invoices, Inventory and Order Tracking, Direct-to-Consumer Delivery (Restricted).
I'm using the C# programming language. Many thanks in advance.
@bertonce Did you try following these steps ?
@khanakia I solved. It was my mistake. I was calling another sp-api and the address was wrong. Many thanks for the support
@khanakia I am using role ARN and trying to hit the API using the golang sp-api sdk, still facing the same problem: { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] } panic: 403 Forbidden
Any suggestions on how you implemented it using golang?
@abhi-112 Check the attached golang sample files; you will get an idea of how I did this.
api.zip
@khanakia I had created the two apps one using the User ARN and the other using the Role ARN. Both the application are in draft state.
Here is the ruby code which we are using
require 'aws-sdk-core' # Aws::STS::Client ships with aws-sdk-core
require 'aws-sigv4'
require 'typhoeus'

access_token = "AtzaXXX"

# Exchange the IAM user's keys for temporary role credentials.
sts_response = Aws::STS::Client.new(
  access_key_id: 'AKXXX',
  secret_access_key: 'LZXXX',
  region: 'us-east-1'
).assume_role(
  role_arn: 'arn:XXX',
  role_session_name: "sp-api"
).credentials

signer = Aws::Sigv4::Signer.new(
  access_key_id: sts_response.access_key_id,
  region: 'us-east-1',
  secret_access_key: sts_response.secret_access_key,
  service: 'execute-api',
)

# Sign the request, passing the access token and session token as headers.
signature = signer.sign_request(
  http_method: 'GET',
  url: 'https://sandbox.sellingpartnerapi-na.amazon.com/orders/v0/orders?marketplaceIds=A13V1IB3VIYZZH',
  headers: {
    'host' => 'sandbox.sellingpartnerapi-na.amazon.com',
    'user_agent' => 'test',
    'x-amz-access-token' => access_token,
    'x-amz-security-token' => sts_response.session_token,
    'content-type' => 'application/x-www-form-urlencoded'
  }
)

# Headers actually sent with the request.
headers = {
  'host' => signature.headers['host'],
  'user_agent' => 'test',
  'x-amz-access-token' => access_token,
  'x-amz-content-sha256' => signature.headers['x-amz-content-sha256'],
  'x-amz-date' => signature.headers['x-amz-date'],
  'Authorization' => signature.headers['authorization'],
  'x-amz-security-token' => sts_response.session_token,
  'content-type' => 'application/x-www-form-urlencoded'
}

request = Typhoeus::Request.new(
  'https://sandbox.sellingpartnerapi-na.amazon.com/orders/v0/orders?marketplaceIds=A13V1IB3VIYZZH',
  method: :get,
  headers: headers
)
request.run
Here is the error which we are getting
response_body=>"{\n \"errors\": [\n {\n \"message\": \"Access to requested resource is denied.\",\n \"code\": \"Unauthorized\",\n \"details\": \"\"\n }\n ]\n}
I have been stuck for a long time. Can you help me in resolving it?
@stiwari1998 refer to this comment https://github.com/amzn/selling-partner-api-models/issues/943
Hi @khanakia
Here is the policy section of IAM users: https://prnt.sc/26w7aip
Here is the list of roles which is attached to the developer profile: https://prnt.sc/26w7rlx
I have two developer apps; below you can find the permissions which are included in the apps:
1) App with role ARN: https://prnt.sc/26w7sgk
2) App with user ARN: https://prnt.sc/26w7tdt
After doing the changes from the comment in which you had specified, the following code has stopped working:
require 'aws-sdk-core' # Aws::STS::Client ships with aws-sdk-core
require 'aws-sigv4'
require 'typhoeus'

access_token = "AtzaXXX"

# Exchange the IAM user's keys for temporary role credentials.
sts_response = Aws::STS::Client.new(
  access_key_id: 'AKXXX',
  secret_access_key: 'LZXXX',
  region: 'us-east-1'
).assume_role(
  role_arn: 'arn:XXX',
  role_session_name: "sp-api"
).credentials

signer = Aws::Sigv4::Signer.new(
  access_key_id: sts_response.access_key_id,
  region: 'us-east-1',
  secret_access_key: sts_response.secret_access_key,
  service: 'execute-api',
)

# Sign the request, passing the access token and session token as headers.
signature = signer.sign_request(
  http_method: 'GET',
  url: 'https://sandbox.sellingpartnerapi-na.amazon.com/orders/v0/orders?marketplaceIds=A13V1IB3VIYZZH',
  headers: {
    'host' => 'sandbox.sellingpartnerapi-na.amazon.com',
    'user_agent' => 'test',
    'x-amz-access-token' => access_token,
    'x-amz-security-token' => sts_response.session_token,
    'content-type' => 'application/x-www-form-urlencoded'
  }
)

# Headers actually sent with the request.
headers = {
  'host' => signature.headers['host'],
  'user_agent' => 'test',
  'x-amz-access-token' => access_token,
  'x-amz-content-sha256' => signature.headers['x-amz-content-sha256'],
  'x-amz-date' => signature.headers['x-amz-date'],
  'Authorization' => signature.headers['authorization'],
  'x-amz-security-token' => sts_response.session_token,
  'content-type' => 'application/x-www-form-urlencoded'
}

request = Typhoeus::Request.new(
  'https://sandbox.sellingpartnerapi-na.amazon.com/orders/v0/orders?marketplaceIds=A13V1IB3VIYZZH',
  method: :get,
  headers: headers
)
request.run
So I tried to execute the API using Postman. Below you can find the code which I used for generating the signature:
require 'aws-sigv4'

access_key_id = 'AKXXX'
secret_access_key = 'LZXXX'
token = 'Atza|XXX'
tsz = Time.now.utc.strftime("%Y%m%dT%H%M%SZ")
host = 'sandbox.sellingpartnerapi-na.amazon.com'
uri = 'https://sandbox.sellingpartnerapi-na.amazon.com/orders/v0/orders?marketplaceIds=A13V1IB3VIYZZH'
headers = {
  'host' => host,
  'user-agent' => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36',
  'x-amz-access-token' => token,
  'x-amz-date' => tsz
}

signer = Aws::Sigv4::Signer.new(
  service: 'execute-api',
  region: 'us-east-1',
  access_key_id: access_key_id,
  secret_access_key: secret_access_key
)
signature = signer.sign_request(
  http_method: 'GET',
  url: uri,
  headers: headers
)
# Signed header values produced by the signer.
signature.headers['x-amz-date']
signature.headers['x-amz-content-sha256']
signature.headers['authorization']
Here is the screenshot of the postman using which I had executed the API. https://prnt.sc/26w834t
Again got the same error { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }
My issue is not resolved. Can you suggest another solution?
@stiwari1998 The above code does not seem to be working; you are still running it as ROLE ARN. The steps I gave above are to make it work with User ARN.
I have no other solution and it seems to be working almost for everybody. You just need to follow the documentation.
You can contact me on skype if you want @khanakia and then we can check together. It's up to you
@khanakia I have managed to use your sample for IAMUSER and the calls to selling partner in prod for get orders is working now. But for sandbox I'm getting internal server error.
I'm sending in the required parameters from sandbox json model
@coder771 There sandbox code does seem to be in sync with Production Code which could be one of the reasons.
@khanakia Thank you for your time which you have given us on skype to resolve the SP-API AWS-related configurations.
Once again thank you for the help
@rctann
How did you fix your problem with the token? It seems that I'm going through the same steps as you were
@diegocamy just follow the above steps given or read the document again. It will be fixed
@khanakia Fixed it! Thank you guys
@khanakia thanks for the help, actually I need some help from anyone who knows how the authorization works if i want to publically list the app.
@abhi-112 what authorization has to do with publishing the app? You can simply change your app draft mode and list it publically.
@khanakia Thanks a lot for the help! Without you answering my questions and guiding me through the process I would not have been able to solve the issue! Much appreciation
@khanakia after listing i want to know how the seller can authorize the app
@khanakia maybe you can help me here : https://github.com/amzn/selling-partner-api-models/issues/414
@khanakia after listing i want to know how the seller can authorize the app
You need to send the sellers your developers ID and users can go to Partner Networks > Manage Apps and there they will find a button Authorize Developer and all they have to do is enter the Developers Name and the Developer ID provided by you
@khanakia maybe you can help me here: amzn/selling-partner-api-models#414
This is a known issue. All you can do is wait or keep using MWS until it's resolved.
@khanakia no ,suppose i listed the app without any oauth what will happen then?
@abhi-112 then other users will not be able to install your app. You will be able to use your app only for your seller account.
@khanakia can we connect sometime?
@khanakia can we connect sometime?
You can contact me on skype given above.
@khanakia I have been trying to use Amazon SP-API recently but somehow I am getting an Unauthorized message. Could you please help me to run the SP API? If possible can we connect somewhere - Zoom, Google meet, Skype?
@Pab660 You can follow these steps and it will work 100%
1. Create a new Policy named 'SellingPartnerAPI_Policy'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:*:*"
        }
    ]
}
2. Create a new role named 'SellingPartner_Role'
3. Attach the above policy to the role you created
4. Create a new user 'SellingPartner_User'
5. Attach the SellingPartnerAPI_Policy to the current user
6. Create a new Inline Policy `STS_SellingPartnerRole`
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::961637079591:role/SellingPartnerRole"
        }
    ]
}
@khanakia Hello, I want to integrate the API with Amazon Vendor Central. I followed all the necessary steps on the GitHub pages, and I can get my access token, but when I call the API I always get the { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] } error. I really don't have any idea. I'm using the C# language, with the code template in https://github.com/cafeasp/Selling-Partner-API. Can I ask you for help? Thank you very much.
I have been trying to use Amazon SP-API recently but somehow I am getting Unauthorized message.
Confirmed that
- `execute-api`
- `x-amz-access-token` from token endpoint
- `id/secret/session_token` from `assumeRole` and attach as `x-amz-security-token`
I tried on the postman using `AWS Signature` Auth and still getting same error: