amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

"Security Token Invalid" after access token and security token success #973

Closed whoiswayne closed 2 years ago

whoiswayne commented 3 years ago
  1. Using https://github.com/amzn/selling-partner-api-models/tree/main/clients/sellingpartner-api-aa-csharp I successfully got an access token.
  2. Also got the x-amz-security-token from AmazonSecurityTokenServiceClient.
  3. Signing also succeeded with AWSSigV4Signer.
  4. BUT the response shows "Security Token Invalid". What is the error?

Can anyone help me find out the issue?

    using System;
    using System.Threading.Tasks;
    using Amazon.Runtime;                 // BasicAWSCredentials
    using Amazon.SecurityToken;           // AmazonSecurityTokenServiceClient
    using Amazon.SecurityToken.Model;     // AssumeRoleRequest / AssumeRoleResponse
    using Amazon.SellingPartnerAPIAA;     // LWAAuthorizationSigner, AWSSigV4Signer, credential classes
    using RestSharp;

    public class OrdersCall
    {
        private const string MARKETPLACE_ID = "ATVPDKIKX0DER";
        private const string ACCESS_KEY = "AKIAY********LHQ";
        private const string SECRET_KEY = "HL5xnZ*************DhJD16Q";
        private const string REGION = "us-east-1";
        private const string CLIENTID = "amzn1.application-oa2-client.66********6355f1";
        private const string CLIENTSCERET = "b467b034*********bdf26b";
        private const string REFRESHTOKEN = "Atzr|IwEBIHAakkj***********0ZbsA";

        public void foo()
        {
            // Block on the async STS call so the temporary credentials are available below.
            AssumeRoleResponse assumeRoleResponse = null;
            Task.Run(async () =>
            {
                assumeRoleResponse = await GetAssumeRoleTokenDetail();
            }).GetAwaiter().GetResult();

            var resource = "/orders/v0/orders";
            var client = new RestClient("https://sellingpartnerapi-na.amazon.com");

            IRestRequest restRequest = new RestRequest(resource, Method.GET);
            restRequest.AddParameter("CreatedAfter", DateTime.UtcNow.AddDays(-2), ParameterType.QueryString); // DateTime.UtcNow.AddDays(-5)
            restRequest.AddParameter("MarketplaceIds", MARKETPLACE_ID, ParameterType.QueryString);

            // SigV4 signer is given the long-term IAM user key pair.
            var awsAuthenticationCredentials = new AWSAuthenticationCredentials
            {
                AccessKeyId = ACCESS_KEY,
                SecretKey = SECRET_KEY,
                Region = REGION
            };
            var lwaAuthorizationCredentials = new LWAAuthorizationCredentials
            {
                ClientId = CLIENTID,
                ClientSecret = CLIENTSCERET,
                RefreshToken = REFRESHTOKEN,
                Endpoint = new Uri("https://api.amazon.com/auth/o2/token")
            };
            // Adds the LWA access token (x-amz-access-token header).
            restRequest = new LWAAuthorizationSigner(lwaAuthorizationCredentials).Sign(restRequest);

            // Session token from the AssumeRole call is attached as a header.
            restRequest.AddHeader("X-Amz-Security-Token", assumeRoleResponse.Credentials.SessionToken);

            // Computes the SigV4 Authorization header for the request.
            restRequest = new AWSSigV4Signer(awsAuthenticationCredentials).Sign(restRequest, client.BaseUrl.Host);

            var response = client.Execute(restRequest);
        }

        private static async Task<AssumeRoleResponse> GetAssumeRoleTokenDetail()
        {
            // AWS IAM user data, NOT seller central dev data
            var accessKey = ACCESS_KEY;
            var secretKey = SECRET_KEY;

            var credentials = new BasicAWSCredentials(accessKey, secretKey);

            var client = new AmazonSecurityTokenServiceClient(credentials);

            var assumeRoleRequest = new AssumeRoleRequest()
            {
                DurationSeconds = 3600,
                // role ARN you create here:
                // https://github.com/amzn/selling-partner-api-docs/blob/main/guides/developer-guide/SellingPartnerApiDeveloperGuide.md#step-4-create-an-iam-role
                RoleArn = "arn:aws:*****873:role/FzoneDev_Role",
                RoleSessionName = DateTime.Now.Ticks.ToString()
            };
            var assumeRoleResponse = await client.AssumeRoleAsync(assumeRoleRequest);
            return assumeRoleResponse;
        }
    }
whoiswayne commented 3 years ago

I read amzn/selling-partner-api-models#730, but it seems there is no result.

ShivikaK commented 3 years ago

Hello @whoiswayne

We will need to work with you via a support case to resolve this issue. Please open a support case so we can pursue the investigation.

The error mainly refers to AWS credentials not being correct. When you use AssumeRole to request temporary credentials, you are required to use those temporary AWS credentials along with the STS token for the request.

But feel free to open a support case with us and we will further assist you with troubleshooting the issue.

Thanks, Shivika Khare Selling Partner API Developer Support
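
The pairing Shivika describes, shown as an added stand-alone Python illustration of what the SigV4 signer does (this is not the C# library's code and not part of the thread): the session token is one of the signed headers, and the signing key is derived from the secret whose access key id goes into the Credential field, so the token must belong to that same temporary key pair. All credential values are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample values: a long-term IAM user key pair and the temporary
# key set an AssumeRole call would return. None of these are real credentials.
LONG_TERM = {"access_key": "AKIAEXAMPLELONGTERM", "secret_key": "longTermSecretEXAMPLE"}
TEMP = {"access_key": "ASIAEXAMPLETEMPKEY", "secret_key": "tempSecretEXAMPLE",
        "session_token": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN"}

def _sign(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(creds, host, path, query, when, region="us-east-1", service="execute-api"):
    """SigV4 headers for a GET request. A session token, if present, is sent as
    x-amz-security-token and is part of the signed headers, so it is bound to
    the key pair that produced the signature."""
    amz_date, date_stamp = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    headers = {"host": host, "x-amz-date": amz_date}
    if creds.get("session_token"):
        headers["x-amz-security-token"] = creds["session_token"]
    canonical_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items()))
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(b"").hexdigest()  # GET: empty body
    canonical_request = "\n".join(["GET", path, canonical_query, canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key is derived from the SAME secret whose access key id is named in Credential=.
    k_signing = _sign(_sign(_sign(_sign(("AWS4" + creds["secret_key"]).encode(), date_stamp),
                                  region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['access_key']}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers

def example():
    when = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    query = {"MarketplaceIds": "ATVPDKIKX0DER", "CreatedAfter": "2023-12-30T12:00:00Z"}
    host, path = "sellingpartnerapi-na.amazon.com", "/orders/v0/orders"
    # Correct pairing: the temporary key pair signs and its own session token is attached.
    good = sigv4_headers(TEMP, host, path, query, when)
    # The pairing from this issue: the long-term key pair signs, but the temporary session
    # token is attached. The signature is well-formed, yet the token does not belong to
    # the key named in Credential=, which the service rejects as an invalid security token.
    mixed = dict(LONG_TERM, session_token=TEMP["session_token"])
    bad = sigv4_headers(mixed, host, path, query, when)
    return good, bad
```

Comparing the two Authorization headers shows the only difference the service can see is which access key id is named in Credential= and which secret derived the signature; the attached token is identical in both.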

abuzuhri commented 3 years ago
Try to use my library; it handles most of the requirements: https://github.com/abuzuhri/Amazon-SP-API-CSharp

github-actions[bot] commented 2 years ago

This is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue after the latest release and if you find that this is still a problem, please feel free to open a new issue and make a reference to this one.