Unauthorized, Access to requested resource is denied

[cdragon1116]

I have been trying to use Amazon SP-API recently but somehow I am getting Unauthorized message.

Confirmed that

• my AWS IAM role has access policy for execute-api
• I'm able to get the x-amz-access-token from token endpoint
• Able to generate id/secret/session_token from assumeRole and attach as x-amz-security-token

I tried on the postman using AWS Signature Auth and still getting same error:

{
    "errors": [
        {
            "message": "Access to requested resource is denied.",
            "code": "Unauthorized",
            "details": ""
        }
    ]
}

[khanakia]

@1a2babystar make sure that the clientId, clientSecret are correct. That's the most common mistake everybody seems to be making.

[1a2babystar]

@khanakia Thank you for your reply! I got some change by doing the remove of inline policy and add the permission directly. But now I got different error :( which is "[{"code":"InvalidInput","message":"Could not match input arguments"}]" I don't know what is the problem. Thank you

[khanakia]

@1a2babystar it's just you are sending the wrong arguments to the API. Double-check the arguments for the endpoint you are hitting.

[1a2babystar]

@khanakia Thanks for your help :) It helps me to solve my problem.

[newsandeep]

@khanakia I have been trying to use Amazon SP-API but I am getting an Unauthorized message. Could you please help me to integrate the SP API? Test Event Name Test-sp-api

Response { "errorMessage": "'payload'", "errorType": "KeyError", "stackTrace": [ " File \"/var/task/lambda_function.py\", line 67, in lambda_handler\n marketplaceId = sellersResponse.json()['payload'][0]['marketplace']['id']\n" ] }

Function Logs START RequestId: 287e1697-7949-43de-9b6b-668cf0c8b74a Version: $LATEST Seller participates in the following marketplaces: { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] } [ERROR] KeyError: 'payload' Traceback (most recent call last):   File "/var/task/lambda_function.py", line 67, in lambda_handler     marketplaceId = sellersResponse.json()['payload'][0]['marketplace']['id']END RequestId: 287e1697-7949-43de-9b6b-668cf0c8b74a REPORT RequestId: 287e1697-7949-43de-9b6b-668cf0c8b74a Duration: 1561.23 ms Billed Duration: 1562 ms Memory Size: 128 MB Max Memory Used: 65 MB Init Duration: 343.88 ms

Request ID 287e1697-7949-43de-9b6b-668cf0c8b74a

[khanakia]

@newsandeep Just follow the above steps i gave in previous comments. It will work 100%

[newsandeep]

@khanakia I have followed these step given bellow:

1. Create a new Policy name 'SellingPartnerAPI_Policy' { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "execute-api:Invoke", "Resource": "arn:aws:execute-api:::*" } ] }

2. Create a new role name 'SellingPartner_Role'

3. Attach the above policy to the role you created

4. Create a new user 'SellingPartner_User'

5. Attached the SellingPartnerAPI_Policy to the current user

6. Create a new Inline Policy STS_SellingPartnerRole { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::961637079591:role/SellingPartnerRole" } ] }

still getting error below: Error while trying to fetch marketplace participations: com.amazon.selling.partner.ApiException: Forbidden at com.amazon.selling.partner.ApiClient.handleResponse(ApiClient.java:974) at com.amazon.selling.partner.ApiClient.execute(ApiClient.java:890) at com.amazon.selling.partner.api.SellersApi.getMarketplaceParticipationsWithHttpInfo(SellersApi.java:144) at com.amazon.selling.partner.api.SellersApi.getMarketplaceParticipations(SellersApi.java:131) at com.tworobins.spapi.SPAPI.getMarketplaceParticipations(SPAPI.java:43) at com.tworobins.spapi.Main.main(Main.java:12)

[khanakia]

@khanakia I have followed these step given bellow:

still getting error below: Error while trying to fetch marketplace participations: com.amazon.selling.partner.ApiException: Forbidden at com.amazon.selling.partner.ApiClient.handleResponse(ApiClient.java:974) at com.amazon.selling.partner.ApiClient.execute(ApiClient.java:890) at com.amazon.selling.partner.api.SellersApi.getMarketplaceParticipationsWithHttpInfo(SellersApi.java:144) at com.amazon.selling.partner.api.SellersApi.getMarketplaceParticipations(SellersApi.java:131) at com.tworobins.spapi.SPAPI.getMarketplaceParticipations(SPAPI.java:43) at com.tworobins.spapi.Main.main(Main.java:12)

It's not the authorization error. It's just you do not have permission to access a particular endpoint. You should check what Permission you selected while creating an app in Sellercentral.

[newsandeep]

@khanakia Thanks for your help. It helps me.

[davhol86]

Just in case someone has the same issue as i. I allways got the same Unauthorized error until i realized i had to use the rigth aws region. I my case eu-west-1 and not us-east-1. Than it worked for me.

[Das5Anila]

@rctann Hi I have also done the same way as you used for creating refresh token(by clicking authorize button generated refresh token and used grant type refresh token to generate access token) I am using role arn and execute policy and generated assume role response successfully and my app is in draft state but when I tried to make call on https://sellingpartnerapi-na.amazon.com/sellers/v1/marketplaceParticipations "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] it shows this error included session token sts access key secret key but still this error Anyone can help on this

@rctann are you able to make a successful api call by using the access token generated via grant type refresh token?
Anyone could help

[ozguraltuntas]

3. https://github.com/clousale/amazon-sp-api-php#iam-user

hi @khanakia

Could you give me Postman Curl for getting Security Token with User ARN

Thank you

[khanakia]

@ozguraltuntas there is no easy way to prepare the postman URL so you can generate the security token.

For this, you will have to use Amazon SP Library based on your preferred language PHP, java or go

You can use this in PHP https://github.com/clousale/amazon-sp-api-php

[ozguraltuntas]

@ozguraltuntas there is no easy way to prepare the postman URL so you can generate the security token.

For this, you will have to use Amazon SP Library based on your preferred language PHP, java or go

You can use this in PHP https://github.com/clousale/amazon-sp-api-php

Hi @khanakia

Could you verify those parameters are correct Should we use role arn, or user arn for session/security token generation

[khanakia]

@ozguraltuntas You can check this doc https://developer-docs.amazon.com/sp-api/docs/tokens-api-v2021-03-01-reference

[Muschke]

@khanakia , I have created the Iam-user,policy and role based on the guide of the developer docs. Afterwards I added the inline policy STS, my authentication should work with assumRole right? I linked the app in the seller account with the ARNrole. I get the accestoken, I get the credentials via assumeRole. Than I try this GETrequest: https://sellingpartnerapi-eu.amazon.com/sellers/v1/marketplaceParticipations and it is unauthorized. Are there other settings that can create this unauthorized acces?

[Muschke]

@Pab660 You can follow these steps and it will work 100%

1. Create a new Policy name 'SellingPartnerAPI_Policy'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:*:*"
        }
    ]
}

2. Create a new role name 'SellingPartner_Role'
3. Attach the above policy to the role you created
4. Create a new user 'SellingPartner_User'
5. Attached the SellingPartnerAPI_Policy to the current user
6. Create a new Inline Policy `STS_SellingPartnerRole`
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::961637079591:role/SellingPartnerRole"
        }
    ]
}

@khanakia, I also tried to create a user like this and now I cannot perform the action to assumeRole anymore;

[khanakia]

@Muschke You can download the attached PHP script on this link and try to use the code from there and see if that works. https://khanakia.notion.site/Amazon-SP-API-44dd7a95e38142c4893b41b8b85519e6

[tigusigalpa]

@khanakia , I have created the Iam-user,policy and role based on the guide of the developer docs. Afterwards I added the inline policy STS, my authentication should work with assumRole right? I linked the app in the seller account with the ARNrole. I get the accestoken, I get the credentials via assumeRole. Than I try this GETrequest: https://sellingpartnerapi-eu.amazon.com/sellers/v1/marketplaceParticipations and it is unauthorized. Are there other settings that can create this unauthorized acces?

Hi, the same issue, we are tired about Understanding Amazon (second largest companies in the world) SP-API docs, that was on GitHub, now its transfered to their website, all of steps done for 100500 times, but again Access to requested resource is denied and Unauthorized. It seems that developers and API text writers are not the same people. For example, and im sure for 99% - developers from India and copywriters from Bangladesh. You wrote that you using STS - it means that you getting credentials via STS service?

[khanakia]

@tigusigalpa Yes i am using STS

[tigusigalpa]

Can you share the docs how to work with STS in that case? I mean how to get credentials from there

[khanakia]

@tigusigalpa check my previous comment i already shared the notion note

[gwilburn68]

I am also getting this error. Migrating from MWS, so I followed the setup process as outlined in dev guide (and above). In BOTH Postman and my code, I am able to

1. Get an LWA access token
2. Use the access token to assume selling partner role I use the Access Key, Secret Key, Session Token from the assumeRole and Access Token to hit the Restricted Data Token. Upon doing that, I get: { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }

This is a Private Developer Application I can access PII using the MWS API I had to write my own signing software (I'm on an IBM i system and cannot use the SDKs) I had updated my profile to add "Tax" access and now my "Developer Registration is Under Review" My App ID is in Draft status and is associated with my user ARN

Any suggestions?

[newsandeep]

Hi @khanakia, I am able to create aws4 signature but when I execute https://sellingpartnerapi-eu.amazon.com/orders/v0/orders api getting below error: { "errors": [ { "message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been 'GET /orders/v0/orders CreatedAfter=2022-08-02T05%3A57%3A29.251405&MarketplaceIds=A21TJRUUN4KGV host:sellingpartnerapi-eu.amazon.com x-amz-date:20220804T090934Z

host;x-amz-date e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

The String-to-Sign should have been 'AWS4-HMAC-SHA256 20220804T090934Z 20220804/eu-west-1/execute-api/aws4_request d138e3de1711350d91b063b531a4226b4e0c8702739eb8e73e7b47445401b5bb' ", "code": "InvalidSignature" } ] }

source code - TreeMap<String, String> awsHeaders = new TreeMap<String, String>(); awsHeaders.put("host", "sellingpartnerapi-eu.amazon.com");

    TreeMap<String, String> queryHeaders = new TreeMap<String, String>();
    queryHeaders.put("CreatedAfter", "2022-08-02T05:57:29.251405");
    queryHeaders.put("MarketplaceIds", "A21TJRUUN4KGV");

    AWSV4Auth aWSV4Auth = new AWSV4Auth.Builder("AKIARHGFMdddIR7YDTNJ75J", "wOgV9Bw6Nqdwi8ZA6eaIqWlypefpdTSxdddomugI+s7")
                                       .regionName("eu-west-1")
                                       .serviceName("execute-api") // es - elastic search. use your service name
                                       .httpMethodName("GET") //GET, PUT, POST, DELETE, etc...
                                       .canonicalURI("orders/v0/orders") //end point
                                       .queryParametes(queryHeaders) //query parameters if any
                                       .awsHeaders(awsHeaders) //aws header parameters
                                       .payload(null) // payload if any
                                       .debug() // turn on the debug mode
                                       .build();

I am using java programming language. Please help me asap

[khanakia]

@newsandeep You are calculating the secret wrong or it's been expired. Please regenerate the secret you can use any amazon sdk libraries to achieve the same.

[andolis]

Hi, fba/inventory/v1/summaries endpoint "Access to requested resource is denied." I've given some permissions in Amazon support, but I still can't access this area. I can access other orders endpoints.

[soseki-angfa]

@khanakia HI, I am having the exactly the same error as this issue. I have a question about SP-API. Do we have to make Role in order to access API?

[khanakia]

@soseki-angfa There are 2 ways of authentication via USER or ROLE. It's your call which method you choose. You can check more here https://developer-docs.amazon.com/sp-api/docs/tutorial-create-a-private-selling-partner-api-application

[soseki-angfa]

@khanakia Thanks for your link. I will check it out.

[soseki-angfa]

@khanakia So, if we create USER and set it to amazon seller central, we should be okay?

[khanakia]

You can use any of the method USER Based Authentication or Role Based Autentication

[soseki-angfa]

@khanakia Okay thank you. I guesss this makes many people confused since it is not written in the doc.

[Muschke]

Also, at Permissions, mark everything. You don't know which request are linked to which permissions and documentation is very unclear.

[soseki-angfa]

Yup, this is so annyoing because it dose not give us what is wrong with it. They sould provide some clear explination and example. Well...tomorrow we will start from the begining and hopefully can manage to access to it.

[Muschke]

Their is a youtube tutorial, which is correct, but just mark all permissions. The request afterwards is difficult cause you have to make a canonical request of your secret and headers etc.. I've written this in Java a few months ago. I lost several years of my life getting that right.

[soseki-angfa]

I see. I think they should also provide sample source code as well because lots of people having a troble with this sh〇t....

[haoxi911]

Another possible solution: do nothing and wait a bit.

I don't know how, or why, but the issue magically fixed itself for me over my lunch break. See if waiting an hour helps. Your mileage may vary.

I second on this. Of course, if you are using role authentication, and you've checked everything you can but still got the 'Unauthorized' error. Please take a break, for example, mine is also 1 hour lunch break, then it works magically.

[newsandeep]

Hi @khanakia,

I have tried to get catalog data using spapi with filter keywords and marketplaceId but we got some unknown catalog data and one more question- how to get all product listing data without asin and sku of specific seller account.

Regards, Sandeep Mishra

[Muschke]

@newsandeep Yes, I remember setting this api up that was a big problem. We had to work around major. What I did to get all products was:

• Ask all marketplaces where we sell products
• Get report for each marketplace (If you can, use separe threads for them cause it can take op to 5 minutes)
• Convert URL to document, than read all the documents.
• Put every product in list, don't add doubles. (You will have asin standard in the repport but you can not add it in your list)
• If you need ean to (like we did), we ran a separte request to get the ean from sku where we didn't have it from, we kept our results in a db to limit our requests.

Good luck, it is the worst api I ever met in my life :) .

[mylovefan]

When I access the /vendor/directFulfillment/orders/v1/purchaseOrders interface, I report 403 permission issues, but access to the report interface is also possible. Why is this? { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }

[RubenMacapugay]

Can someone help me fix this error? I tried some solutions, but they didn't work. Where does the error come from?

Error: [{'code': 'Unauthorized', 'message': 'Access to requested resource is denied.', 'details': ''}]

[soseki-angfa]

@RubenMacapugay Hi there. I was struggling wih that error too. I guess you did not pass correct parameters.

[QasimMughal05]

@khanakia yeah you're right. my problem is fixed. I have a question for you. Whether I access the orders/{orderId}/buyerInfo API with RDT or with the normal access_token, I get the same data and there is only BuyerEmail in the response. Shouldn't I be able to get the recipient's name, phone etc(AddressLine1, AddressLine2, AddressLine3) values?

You need to get PII Access for that then you will have all the details of Buyer

[codecraftwt]

Hello @khanakia , @soseki-angfa I have developed an console application in .net core for integrating Amazon Seller shipping API. Till now I have successfully generated access token API, STS API. Now I am trying to integrate "get rates" API using endpoint "https://sellingpartnerapi-na.amazon.com/shipping/v2/shipments/rates". But getting this error from postman { "errors": [ { "code": "Unauthorized", "message": "Access to requested resource is denied.", "details": "" } ] }

Could you please help me out for this?

[QasimMughal05]

share your details about your credential

Hello @khanakia , @soseki-angfa I have developed an console application in .net core for integrating Amazon Seller shipping API. Till now I have successfully generated access token API, STS API. Now I am trying to integrate "get rates" API using endpoint "https://sellingpartnerapi-na.amazon.com/shipping/v2/shipments/rates". But getting this error from postman { "errors": [ { "code": "Unauthorized", "message": "Access to requested resource is denied.", "details": "" } ] }

Could you please help me out for this?

share your details about your credential

[soseki-angfa]

@codecraftwt I guess you should share your source code too. regards,

[codecraftwt]

@soseki-angfa Here is the code for get rates method -

var client = new HttpClient(); var request = new HttpRequestMessage(HttpMethod.Post, "https://sellingpartnerapi-eu.amazon.com/shipping/v2/shipments/rates");

request.Headers.Add("Authorization", "Bearer " + {{Access_token}}); var content = new StringContent("{{payload}}", null, "application/json"); request.Content = content; var response = await client.SendAsync(request); response.EnsureSuccessStatusCode(); var data = await response.Content.ReadAsStringAsync();

[soseki-angfa]

@codecraftwt You need to set more headers I guess.

I have following configuration.

    $config = new Configuration([
        "lwaClientId"           => getenv("lwaClientId"),
        "lwaClientSecret"       => getenv("lwaClientSecret"),
        "lwaRefreshToken"       => getenv("lwaRefreshToken"),
        "awsAccessKeyId"        => getenv("awsAccessKeyId"),
        "awsSecretAccessKey"    => getenv("awsSecretAccessKey"), 
        "endpoint" => Endpoint::FE,
      ]);

You have to change endpoint to your region. Regards,

[QasimMughal05]

there may be an issue in aws/region/marketplace. Need to check it clearly

[codecraftwt]

I've updated request accordingly but the issue persists. I think there might be issue related to permission. Share your thoughts.