amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

[BUG] 403 when calling NotificationApi::createSubscription or getSubscription #958

Closed jlevers closed 3 years ago

jlevers commented 3 years ago

I'm trying to set up REPORT_PROCESSING_FINISHED notifications, but since it isn't specified in the Notifications Use Case guide whether that notification is handled by SQS or EventBridge, I'm testing my SQS setup by trying to get FBA_OUTBOUND_SHIPMENT_STATUS notifications.

I'm able to create a destination with createDestination just fine, and can view/delete the destinations I create via getDestinations and deleteDestination. But when I go to create a subscription with createSubscription, I get a 403 Unauthorized error. I also get that error when I call getSubscription.

I've tried accessing the createSubscription/getSubscription endpoints with multiple different sets of credentials, and both via PHP and Java. I'm also pretty sure my SQS config is correct, but here it is, just in case:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::************:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-west-2:************:spapi-report-notifications"
    },
    {
      "Sid": "Stmt1610965877618",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::437568002678:root"
      },
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:SendMessage"
      ],
      "Resource": "arn:aws:sqs:us-west-2:************:spapi-report-notifications"
    }
  ]
}

If anyone knows what might be causing this, I'd really appreciate the help. Thanks!

saleweaver commented 3 years ago

You're most likely using a grantless request when a granted request is required.

jlevers commented 3 years ago

You're absolutely right -- I incorrectly thought that all the Notifications actions were grantless, but createSubscription and getSubscription are not. Thank you!

bingdor commented 3 years ago

Where to authorize createSubscription and getSubscription?

ayoubAnbara commented 1 year ago

> Where to authorize createSubscription and getSubscription?

Please read these docs to find the answer:
https://developer-docs.amazon.com/sp-api/docs/grantless-operations
https://developer-docs.amazon.com/sp-api/docs/connecting-to-the-selling-partner-api-using-a-generated-java-sdk#step-1-configure-your-lwa-credentials
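
The grantless/granted mismatch diagnosed in this thread, as an added example (not code from any commenter or from Amazon's SDK): it builds the Login with Amazon token request for each operation named in the issue and flags a token type that does not fit the call. The token URL, scope string and grant types are assumed from the SP-API documentation linked above; the function names and credentials are hypothetical placeholders.

```python
from urllib.parse import urlencode

# Assumption: LWA token endpoint and scope value as given in the SP-API docs.
LWA_TOKEN_URL = "https://api.amazon.com/auth/o2/token"
NOTIFICATIONS_SCOPE = "sellingpartnerapi::notifications"

# Grouping taken from this thread only: destination calls worked with a grantless
# token, subscription calls returned 403 until a seller grant was used.
GRANTLESS_OPS = {"createDestination", "getDestinations", "deleteDestination"}
GRANTED_OPS = {"createSubscription", "getSubscription"}


def token_form(operation, client_id, client_secret, refresh_token=None):
    """Return the form fields to POST to LWA_TOKEN_URL for `operation`."""
    form = {"client_id": client_id, "client_secret": client_secret}
    if operation in GRANTLESS_OPS:
        form.update(grant_type="client_credentials", scope=NOTIFICATIONS_SCOPE)
    elif operation in GRANTED_OPS:
        if not refresh_token:
            raise ValueError(f"{operation} needs the seller's refresh token")
        form.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:
        raise KeyError(f"unknown operation: {operation}")
    return form


def preflight(operation, form):
    """Return None if the token type fits the operation, else why a 403 is likely."""
    grantless = form.get("grant_type") == "client_credentials"
    if operation in GRANTED_OPS and grantless:
        return f"{operation} requires a seller grant; token is grantless (expect 403)"
    if operation in GRANTLESS_OPS and not grantless:
        return f"{operation} is grantless; use a client_credentials token with scope"
    if grantless and form.get("scope") != NOTIFICATIONS_SCOPE:
        return f"grantless token has scope {form.get('scope')!r}, not {NOTIFICATIONS_SCOPE!r}"
    return None


if __name__ == "__main__":
    # Constructed placeholder credentials; nothing is sent over the network.
    creds = ("amzn1.application-oa2-client.EXAMPLE", "EXAMPLE_SECRET")
    bad = token_form("createDestination", *creds)    # grantless token ...
    print(preflight("createSubscription", bad))      # ... reused for a granted call
    good = token_form("createSubscription", *creds, refresh_token="Atzr|EXAMPLE")
    print(preflight("createSubscription", good), urlencode(good))
```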