'Access to requested resource is denied'

[The-Geology-Guy]

We have gone through the Documentation and set up everything as it should be -- double and triple checking everything. The main issue is that when we use the code (below), we run into the 'Unauthorized' error. Additionally, when we try to authorize the app (which has the status of 'draft') using the Self Authorization method, it does nothing.

Even while following the documentation exactly, we have not found a solution.

Code we are trying to use to connect to the SP-API:

• Using Python 3.8

  
  # ======== IMPORT PACKAGES ========
  from oauthlib.oauth2 import BackendApplicationClient
  from requests.auth import HTTPBasicAuth
  from requests_oauthlib import OAuth2Session
  import json
  from aws_requests_auth.aws_auth import AWSRequestsAuth
  from requests_auth_aws_sigv4 import AWSSigV4

sp_api is from https://github.com/saleweaver/python-amazon-sp-api

which works for others, but not for us.

from sp_api.auth.access_token_client import AccessTokenClient

======== GET AUTH ========

Set environment variables.

os.environ["SP_API_REFRESH_TOKEN"] = "Atzr|xxxxxxxxx" os.environ["LWA_APP_ID"] = "amzn1.application-oa2-client.xxxxxxxxx" os.environ["LWA_CLIENT_SECRET"] = "xxxxxxxxx" os.environ["SP_API_SECRET_KEY"] = "xxxxxxxxx" os.environ["SP_API_ACCESS_KEY"] = "xxxxxxxxx" os.environ["SP_API_ROLE_ARN"] = "arn:aws:iam::xxxxxxxxx:role/SellerPartnerAPIRole" os.environ["SP_AWS_REGION"] = "us-east-1"

Credentials for user created following the docs

amw_client = boto3.client( 'sts', aws_access_key_id=os.environ.get("SP_API_ACCESS_KEY"), aws_secret_access_key=os.environ.get("SP_API_SECRET_KEY"), region_name=os.environ.get("SP_AWS_REGION") )

ROLE created following the docs

STS assume policy must be included in the role

res = amw_client.assume_role( RoleArn=os.environ.get("SP_API_ROLE_ARN"), RoleSessionName='SellingPartnerAPIRole' )

Credentials = res["Credentials"] AccessKeyId = Credentials["AccessKeyId"] SecretAccessKey = Credentials["SecretAccessKey"] SessionToken = Credentials["SessionToken"]

aws_auth = AWSSigV4('execute-api', aws_access_key_id=AccessKeyId, aws_secret_access_key=SecretAccessKey, aws_session_token=SessionToken, region=os.environ.get("SP_AWS_REGION") )

params_ = { "reportTypes": { "value": [ "FEE_DISCOUNTS_REPORT", "GET_AFN_INVENTORY_DATA" ] }, "processingStatuses": { "value": [ "IN_QUEUE", "IN_PROGRESS" ] } }

request_url = 'https://sandbox.sellingpartnerapi-na.amazon.com'

======== CONSUME API ========

The 'AccessTokenClient().get_auth().access_token' provides the 'Atza|xxxxx' token.

resp = requests.get(request_url, auth=aws_auth, headers={'x-amz-access-token': AccessTokenClient().get_auth().access_token})

print(resp.json())

`Output:` {'Date': 'Wed, 27 Jan 2021 14:32:06 GMT', 'Content-Type': 'application/json', 'Content-Length': '141', 'Connection': 'keep-alive', 'x-amzn-RequestId': '75d447ab-f8e3-4777-a168-3752e2c1a7f4', 'x-amzn-ErrorType': 'AccessDeniedException', 'x-amz-apigw-id': 'Zz_oFELWoAMFr5w='}
{'errors': [{'message': 'Access to requested resource is denied.', 'code': 'Unauthorized', 'details': ''}]}

[johnkw]

See duplicate bug amzn/selling-partner-api-models#699 and bug amzn/selling-partner-api-models#786 .

[ShivikaK]

Hello @The-Geology-Guy

We will need to work with you via a support case to resolve this issue. Please open a support case so we can pursue the investigation.

Thanks, 
Shivika Khare
 Selling Partner API Developer Support

[johnkw]

If he followed the documentation then there's no hope of it working, because the documentation is still totally broken last I checked. Do what bug amzn/selling-partner-api-models#786 says and it will probably be fixed.

[FranciscoVi]

Hi, We have the next problem with SP-API. The aplication is HIPER_CALZADO (draft state) I follow having the ERROR with the SP-API: Access to Orders.ListOrders is denied

We have opened in Amazon the case 6560068722 from 16th December without reply. After that we have opened other case where Amazon asked me:

Operation:Orders: ListOrders MarketplaceId:mws.amazonservices.es RequestId:71887a1d-f6ac-4937-9806-c2da4b0eb9a3 TimeStamp:2021-01-07T09%3A27%3A40Z

After I reply this Amazon don't reply. We are on a dead end with the problem: Access to Orders.ListOrders is denied

Can someone help us? Please.

[johnkw]

If bug amzn/selling-partner-api-models#786 fixed that issue, then please note and close this as a duplicate of bug amzn/selling-partner-api-models#786 so it's obvious.

[ShivikaK]

Hi, We have the next problem with SP-API. The aplication is HIPER_CALZADO (draft state) I follow having the ERROR with the SP-API: Access to Orders.ListOrders is denied

We have opened in Amazon the case 6560068722 from 16th December without reply. After that we have opened other case where Amazon asked me:

Operation:Orders: ListOrders MarketplaceId:mws.amazonservices.es RequestId:71887a1d-f6ac-4937-9806-c2da4b0eb9a3 TimeStamp:2021-01-07T09%3A27%3A40Z

After I reply this Amazon don't reply. We are on a dead end with the problem: Access to Orders.ListOrders is denied

Can someone help us? Please.

Hello @FranciscoVi ,

I am following up on your case 6560068722 to expedite it and someone from our team will reach out to you regarding next steps or if they require additional information.

Thanks, Shivika Khare Selling Partner API Developer Support

[FranciscoVi]

Hello @FranciscoVi ,

I am following up on your case 6560068722 to expedite it and someone from our team will reach out to you regarding next steps or if they require additional information.

Thanks, Shivika Khare Selling Partner API Developer Support

Gracias Shivika. Aun

[FranciscoVi]

Thanks Shivika, They have not contacted me yet. Please can you give them another notice. We are still waiting since December 16. Best Regards. Francisco.

[FranciscoVi]

Thanks Shivika, They have not contacted me yet. Please can you give them another notice. We are still waiting since December 16. Best Regards. Francisco.

[FranciscoVi]

Hello @FranciscoVi ,

I am following up on your case 6560068722 to expedite it and someone from our team will reach out to you regarding next steps or if they require additional information.

Thanks, Shivika Khare Selling Partner API Developer Support

Hi Shivika, Please, look up this https://github.com/amzn/selling-partner-api-models/issues/1039 It is true that currently the AP-API is not enabled in EU region which is why we are receiving access denied error?

Amazon have capped the full address delivery in the old MWS API from 4 months ago, and we can't get the full address because you have the new SP-API disabled in EU region... How then can we solve this problem?

[ShivikaK]

Hello @FranciscoVi

If you are receiving access denied errors for FBA Inventory API in EU then yes it is due to the API not being available as of now in EU and FE. We are working on expediting the launch for this API.

Thanks, Shivika Khare Selling Partner API Developer Support

[FranciscoVi]

Thanks Shivika. Please, inform me as soon as possible when the API is availabled in EU zone. I have the additional problem Amazon will require from April 1 to upload all invoices for business customers. We have a lot of sales and we need upload the invoices with the SP-API. Thanks. Francisco.

[FranciscoVi]

Thanks Shivika. Please, inform me as soon as possible when the API is availabled in EU zone. We have been waiting for 4 months and we are running out of time. I have the additional problem Amazon will require from April 1 to upload all invoices for business customers. We have a lot of sales and we need upload the invoices with the SP-API. Thanks. Francisco.

[jusjjusj]

Hello, someone has been able to work with the new SP-API in the euro zone? Thanks. Jusj.

[FranciscoVi]

Hello, someone has been able to work with the new SP-API in the euro zone? Thanks. Jusj.

Sorry, SP-API in EU region is disabled and Amazon does not yet have an expected activation date.

[rogersv]

@FranciscoVi the SP-API exists in the EU-zone too. i just tried a call for getting orders and it works. Shivika only said that the FBA-inventory API was disabled, right?

[FranciscoVi]

@FranciscoVi the SP-API exists in the EU-zone too. i just tried a call for getting orders and it works. Shivika only said that the FBA-inventory API was disabled, right?

Ohhh, What a wonderful news. We are having the error "Access to Orders.ListOrders is denied" and Shivika told me 2 month ago the reason is SP-API is disable in EU region. Can you help me telling me where we have the error?

------------------------------ API Selection ------------------------------ API Section: Orders Operation: ListOrders

------------------------------ Authentication ------------------------------

SellerId: XXXXXXXXXXXXXX MWSAuthToken: XXXXXXXXXX.... AWSAccessKeyId: XXXXXXXXXXXXXXXXXXXX Secret Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Endpoint: mws.amazonservices.es

------------------------------ Request Details ------------------------------ POST /Orders/2013-09-01?AWSAccessKeyId=XXXXXXXXXXXXXXXXXXXX &Action=ListOrders &SellerId=XXXXXXXXXXXXXX &MWSAuthToken=XXXXXXXXXX.... &SignatureVersion=2 &Timestamp=2021-02-02T09%3A30%3A51Z &Version=2013-09-01 &Signature=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX &SignatureMethod=HmacSHA256 &MarketplaceId.Id.1=A1RKKUPIHCS9HS HTTP/1.1 Host: mws.amazonservices.es x-amazon-user-agent: AmazonJavascriptScratchpad/1.0 (Language=Javascript) Content-Type: text/xml

------------------------------ Response ------------------------------ <?xml version="1.0"?>

Sender AccessDenied Access to Orders.ListOrders is denied 503cc424-bb00-4661-bab8-ec725f3b83a2

I would really appreciate your help. From Amazon support they only limit themselves to answering that SP-API is disabled in EU region. Thanks.

[rogersv]

Well I have only used the self auth and my app is not published. I have only used the SP-API (not the MWS). Are you using a hybrid between MWS and the SP-API? Your call seems to be to the MWS endpoint.

The called I used was this one https://github.com/amzn/selling-partner-api-models/blob/927faf03eeda694726bed552313c7f45c971cc3e/models/orders-api-model/ordersV0.json#L27.

[ShivikaK]

Hello @FranciscoVi

Currently FBA Inventory API is not available in EU and JP.

But if you are getting access denied issues for any other API, it could be due to permission issues with the application, if you are using IAM role entity and not adding STS token to your request along with LWA access token or if you are using IAM user but the IAM policy is not directly added to the IAM user.

Please confirm the APIs you are getting access denied errors for in the case 6560068722 that you have opened with us and our team can further help troubleshoot the error.

Thanks, Shivika Khare Selling Partner API Developer Support

[FranciscoVi]

Sorry @rogersv and @ShivikaK , I got confused and pasted the old code for MWS.

About the policy we are using: ------------------------------ Policy Details ------------------------------ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "execute-api:Invoke", "Resource": "arn:aws:execute-api:::*" } ] }

Here the code we are using now for SP-API: ------------------------------ Request Details ------------------------------

<?php

$access_key = 'XXXXXXXXXXXXXX'; $secret_key = 'XXXXXXXXXXXXXX'; $merchant_id = 'XXXXXXXXXXXXXX'; $refresh_token = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; $id_cliente = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; $client_secret = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";

$ch = curl_init(); curl_setopt($ch, CURLOPT_URL,"https://api.amazon.com/auth/o2/token"); curl_setopt($ch, CURLOPT_HTTPHEADER, array('Host: api.amazon.com','Content-Type: application/x-www-form-urlencoded;charset=UTF-8')); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, "grant_type=refresh_token&refresh_token=".$refresh_token."&client_id=".$id_cliente."&client_secret=".$client_secret); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch); curl_close($ch); $array_response = json_decode($response); $token = $array_response->access_token;

$version = '2011-06-15'; $action = 'AssumeRole'; $requestPayload = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; $role_arn = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'; $role_session_name = 'XXXXXXXXXXXXXXXXXXXXXX'; $resquestIAM = "Version=".$version."&Action=".$action."&RoleSessionName=".$role_session_name."&RoleArn=".$role_arn; $signature = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'; $url_sts = 'https://sts.eu-west-1.amazonaws.com/'; $user_agent = 'XXXXXXXXXXXXXXXXXXXXXXXXXXX'; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url_sts); curl_setopt($ch, CURLOPT_HTTPHEADER, array('Host: sts.eu-west-1.amazonaws.com','Authorization: AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXXXXXXXXX/'.$date.'/eu-west-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature='.$signature, 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8', 'Accept: application/json', 'user-agent: '.$user_agent, 'x-amz-access-token:'.$token, 'x-amz-date:'.$fecha)); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_BINARYTRANSFER, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $resquestIAM); $response = curl_exec($ch); curl_close($ch); $array_sts = json_decode($response); var_dump($array_sts); $iam_session_token = $array_sts->AssumeRoleResponse->AssumeRoleResult->Credentials->SessionToken; $iam_access_key_id = $array_sts->AssumeRoleResponse->AssumeRoleResult->Credentials->AccessKeyId; $iam_secret_access_key = $array_sts->AssumeRoleResponse->AssumeRoleResult->Credentials->SecretAccessKey;

$signature = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'; $url = "https://sellingpartnerapi-eu.amazon.com/orders/v0/orders"; $user_agent = 'XXXXXXXXXXXXXXXXXXXXXXXXX'; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded;charset=UTF-8', 'user-agent: '.$user_agent, 'x-amz-access-token:'.$token, 'x-amz-security-token:'.$iam_session_token, 'x-amz-date:'.$fecha, 'Authorization: AWS4-HMAC-SHA256 Credential='.$iam_access_key_id.'/'.$date.'/eu-west-1/execute-api/aws4_request, SignedHeaders=host;content-type;user-agent;x-amz-access-token;x-amz-security-token;x-amz-date, Signature='.$signature, 'Host: sellingpartnerapi-eu.amazon.com')); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_BINARYTRANSFER, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS,"MarketplaceIds=A1RKKUPIHCS9HS"); $response = curl_exec($ch); curl_close($ch); $prueba = json_decode($response); var_dump($response); ?>

------------------------------ Response ------------------------------ string(141) "{ "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }"

Can you help me about this Unauthorized error? Thank you very much!!

[jusjjusj]

Hi, we have opened in Amazon the case 6837269402 The aplication is andresmachado (draft state) we try to authorize the app using the Self Authorization method I follow having the ERROR with the SP-API:

• Hostname in DNS cache was stale, zapped
• Trying XX.XX.XX.XX...
• TCP_NODELAY set
• Connected to sellingpartnerapi-eu.amazon.com (XX.XX.XX.XX) port 443 (#0)
• ALPN, offering http/1.1
• Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
• successfully set certificate verify locations:
• CAfile: /Applications/XAMPP/xamppfiles/share/curl/curl-ca-bundle.crt CApath: none
• SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
• ALPN, server accepted to use http/1.1
• Server certificate:
• subject: CN=sellingpartnerapi-eu.amazon.com
• start date: May 2 00:00:00 2020 GMT
• expire date: Jun 2 12:00:00 2021 GMT
• subjectAltName: host "sellingpartnerapi-eu.amazon.com" matched cert's "sellingpartnerapi-eu.amazon.com"
• issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
• SSL certificate verify ok.

  GET /sellers/v1/marketplaceParticipations HTTP/1.1 host: sellingpartnerapi-eu.amazon.com Accept: application/json Content-Type: application/json user-agent: cs-php-sp-api-client/2.1 x-amz-access-token: XXXXXXXXX x-amz-date: 20210317T083907Z x-amz-security-token: XXXXXXXXX Authorization: AWS4-HMAC-SHA256 Credential=XXXXXXXXX/20210317/eu-west-1/execute-api/aws4_request, SignedHeaders=host;user-agent;x-amz-access-token;x-amz-date;x-amz-security-token, Signature=XXXXXXXXX

< HTTP/1.1 403 Forbidden < Date: Wed, 17 Mar 2021 08:39:08 GMT < Content-Type: application/json < Content-Length: 141 < Connection: keep-alive < x-amzn-RequestId: 6eeee2ca-49b3-429a-bbe4-87e09dd2c4f3 < x-amzn-ErrorType: AccessDeniedException < x-amz-apigw-id: cUr2-HUHDoEFrlw= <

• Connection #0 to host sellingpartnerapi-eu.amazon.com left intact

Exception when calling SellersApi->getMarketplaceParticipations: [403] Client error: GET https://sellingpartnerapi-eu.amazon.com/sellers/v1/marketplaceParticipations resulted in a 403 Forbidden response: { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "det (truncated...)

Can someone help us? Please.

[ShivikaK]

Hello @FranciscoVi

For access denied errors, we request you to provide all the required information in the support case that you have created with us so that the Support engineer can further troubleshoot this and provide you with next steps.

Please provide all this information in the open Support case.

Thanks, Shivika Khare Selling Partner API Developer Support

[rogersv]

@FranciscoVi your SignedHeaders should be sorted in alphabetical order. That's probably one of the errors. Look at the python example here https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html and check the comments in the code. It might help you.

[FranciscoVi]

Thank you very much @rogersv I tried following the steps indicated on that page, but we keep getting the same error: string(141) "{ "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }"

@ShivikaK I am going to update my support case. It is the CaseID: 6560068722. I hope this time Amazon support reply. Last time they told me: "Currently this API is not enabled in EU and FE regions which is why you are receiving access denied error. We are working in order to enable this API in EU and FE region." Can you let them know? Thanks.

[jusjjusj]

I have solved it by creating a new app using ARN role instead of ARN user.

If you register your application using your IAM user, be sure that the IAM policy is attached to it. Otherwise your calls to the Selling Partner API will fail. We recommend registering your application using an IAM role, as shown in this workflow, to help you better control access to your AWS resources.

[FranciscoVi]

Hi @jusjjusj , Yes, I tried that way too, but the respond was the same. Thank you anyway.

[diegocvazquez]

Hi @jusjjusj , Yes, I tried that way too, but the respond was the same. Thank you anyway.

Hi Francisco, did you made any progress on this. I Am having the same issue

[FranciscoVi]

Sorry @diegocvazquez Amazon don't reply the case.

Hi @ShivikaK , can you help us with this issue? Amazon doesn't reply the cases about "Access to requested resource is denied." from EU regions. For example the CaseID: 6560068722 wasn't reply.

[ShivikaK]

Hello @FranciscoVi

I will expedite the support case for resolution and you should receive an update on the case by next week.

Thanks, 
Shivika Khare
 Selling Partner API Developer Support

[FranciscoVi]

Thank you very much @ShivikaK I hope this time Amazon reply my case.

Thanks. Francisco.

[daloch]

Same error any news? Forbidden calling https://sellingpartnerapi-eu.amazon.com/sellers/v1/marketplaceParticipations my case #6989728532 no response

[FranciscoVi]

For now there is no news. It is an error that Amazon is trying to solve.

[ShivikaK]

6989728532

Hello @daloch

Apologies for the delay and inconvenience caused.

The case is being reviewed by Support team and it will be updated with next steps accordingly.

Please continue monitoring the case.

Thanks, 
Shivika Khare
 Selling Partner API Developer Support

[marconline]

Hi @FranciscoVi, I guess SP-API have problems with the EU zone, at least in the sandbox environment. We have an application (eDock) using MWS and trusted by hundreds of sellers. We are in process of migrating everything to the new SP-API before the end of September because this is what Amazon asked.

My findings:

1. MWS tokens still works and works well on MWS endpoints, so this is a good news
2. a SP-API token is valid for a precise region (e.g. if you authenticate your seller account in the EU region, that token will work only for sandbox and production endpoints in the EU region)
3. I couldn't try EU productions endpoint because we currently have a problem with our developer id and had to push our app under Amazon's certification
4. on few EU sandbox endpoints, everything works as expected. Working endpoints, at least for me, are: Seller API - GET /sellers/v1/marketplaceParticipations and Orders API - GET /orders/v0/orders). I couldn't make it work on Feeds API or Reports API. I always get Unauthorized error.
5. unfortunately our account is registered in the EU region and so I cannot test it on the NA sandbox (that I guess would work for each endpoint).
6. I cannot switch a customer's of us MWS token to the SP-API token, in order to test it on the NA endpoint, because of problem a point number 3. So I hope Amazon will unlock our app ASAP in order to let us do this migration.

Marco

[FranciscoVi]

Hi @marconline and @daloch, you can solve this problem if you use method GET (not post)

[manibha-jain]

Any update?. I am still getting the issue 'Access to requested resource is denied.'.And my marketplace in seller account is India.

[shirushi-dev]

me too @japan

[dogukangun-eva]

Any updates on this issue? @ShivikaK

[cantonalex]

me too @ShivikaK

[github-actions[bot]]

This is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue after the latest release and if you find that this is still a problem, please feel free to open a new issue and make a reference to this one.

[github-actions[bot]]

closed for inactivity