amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

'Access to requested resource is denied' #991

Closed The-Geology-Guy closed 1 year ago

The-Geology-Guy commented 3 years ago

We have gone through the Documentation and set up everything as it should be -- double and triple checking everything. The main issue is that when we use the code (below), we run into the 'Unauthorized' error. Additionally, when we try to authorize the app (which has the status of 'draft') using the Self Authorization method, it does nothing.

Even while following the documentation exactly, we have not found a solution.

Code we are trying to use to connect to the SP-API:

```python
# sp_api is from https://github.com/saleweaver/python-amazon-sp-api
# which works for others, but not for us.
import os

import boto3
import requests
# Assumed source of AWSSigV4; the import line was not part of the post.
from requests_auth_aws_sigv4 import AWSSigV4
from sp_api.auth.access_token_client import AccessTokenClient

# ======== GET AUTH ========
# Set environment variables.
os.environ["SP_API_REFRESH_TOKEN"] = "Atzr|xxxxxxxxx"
os.environ["LWA_APP_ID"] = "amzn1.application-oa2-client.xxxxxxxxx"
os.environ["LWA_CLIENT_SECRET"] = "xxxxxxxxx"
os.environ["SP_API_SECRET_KEY"] = "xxxxxxxxx"
os.environ["SP_API_ACCESS_KEY"] = "xxxxxxxxx"
os.environ["SP_API_ROLE_ARN"] = "arn:aws:iam::xxxxxxxxx:role/SellerPartnerAPIRole"
os.environ["SP_AWS_REGION"] = "us-east-1"

# Credentials for user created following the docs
amw_client = boto3.client(
    'sts',
    aws_access_key_id=os.environ.get("SP_API_ACCESS_KEY"),
    aws_secret_access_key=os.environ.get("SP_API_SECRET_KEY"),
    region_name=os.environ.get("SP_AWS_REGION")
)

# ROLE created following the docs
# STS assume policy must be included in the role
res = amw_client.assume_role(
    RoleArn=os.environ.get("SP_API_ROLE_ARN"),
    RoleSessionName='SellingPartnerAPIRole'
)

Credentials = res["Credentials"]
AccessKeyId = Credentials["AccessKeyId"]
SecretAccessKey = Credentials["SecretAccessKey"]
SessionToken = Credentials["SessionToken"]

aws_auth = AWSSigV4(
    'execute-api',
    aws_access_key_id=AccessKeyId,
    aws_secret_access_key=SecretAccessKey,
    aws_session_token=SessionToken,
    region=os.environ.get("SP_AWS_REGION")
)

# Defined in the post but not passed to the request below.
params_ = {
    "reportTypes": {"value": ["FEE_DISCOUNTS_REPORT", "GET_AFN_INVENTORY_DATA"]},
    "processingStatuses": {"value": ["IN_QUEUE", "IN_PROGRESS"]}
}

request_url = 'https://sandbox.sellingpartnerapi-na.amazon.com'

# ======== CONSUME API ========
# The 'AccessTokenClient().get_auth().access_token' provides the 'Atza|xxxxx' token.
resp = requests.get(
    request_url,
    auth=aws_auth,
    headers={'x-amz-access-token': AccessTokenClient().get_auth().access_token}
)

print(resp.json())
```



Output:

```
{'Date': 'Wed, 27 Jan 2021 14:32:06 GMT', 'Content-Type': 'application/json', 'Content-Length': '141', 'Connection': 'keep-alive', 'x-amzn-RequestId': '75d447ab-f8e3-4777-a168-3752e2c1a7f4', 'x-amzn-ErrorType': 'AccessDeniedException', 'x-amz-apigw-id': 'Zz_oFELWoAMFr5w='}
{'errors': [{'message': 'Access to requested resource is denied.', 'code': 'Unauthorized', 'details': ''}]}
```

johnkw commented 3 years ago

See duplicate bug amzn/selling-partner-api-models#699 and bug amzn/selling-partner-api-models#786 .

ShivikaK commented 3 years ago

Hello @The-Geology-Guy

We will need to work with you via a support case to resolve this issue. Please open a support case so we can pursue the investigation.

Thanks, 
Shivika Khare
 Selling Partner API Developer Support

johnkw commented 3 years ago

If he followed the documentation then there's no hope of it working, because the documentation is still totally broken last I checked. Do what bug amzn/selling-partner-api-models#786 says and it will probably be fixed.

FranciscoVi commented 3 years ago

Hi, we have the following problem with SP-API. The application is HIPER_CALZADO (draft state). I keep getting this error from the SP-API: Access to Orders.ListOrders is denied

We have opened case 6560068722 with Amazon, from 16th December, without reply. After that we opened another case, where Amazon asked me for:

- Operation: Orders: ListOrders
- MarketplaceId: mws.amazonservices.es
- RequestId: 71887a1d-f6ac-4937-9806-c2da4b0eb9a3
- TimeStamp: 2021-01-07T09%3A27%3A40Z

After I replied to this, Amazon didn't reply. We are at a dead end with the problem: Access to Orders.ListOrders is denied

Can someone help us? Please.

johnkw commented 3 years ago

If bug amzn/selling-partner-api-models#786 fixed that issue, then please note and close this as a duplicate of bug amzn/selling-partner-api-models#786 so it's obvious.

ShivikaK commented 3 years ago

> Hi, we have the following problem with SP-API. The application is HIPER_CALZADO (draft state). I keep getting this error from the SP-API: Access to Orders.ListOrders is denied
>
> We have opened case 6560068722 with Amazon, from 16th December, without reply. After that we opened another case, where Amazon asked me for:
>
> - Operation: Orders: ListOrders
> - MarketplaceId: mws.amazonservices.es
> - RequestId: 71887a1d-f6ac-4937-9806-c2da4b0eb9a3
> - TimeStamp: 2021-01-07T09%3A27%3A40Z
>
> After I replied to this, Amazon didn't reply. We are at a dead end with the problem: Access to Orders.ListOrders is denied
>
> Can someone help us? Please.

Hello @FranciscoVi ,

I am following up on your case 6560068722 to expedite it and someone from our team will reach out to you regarding next steps or if they require additional information.

Thanks, Shivika Khare Selling Partner API Developer Support

FranciscoVi commented 3 years ago

> Hello @FranciscoVi ,
>
> I am following up on your case 6560068722 to expedite it and someone from our team will reach out to you regarding next steps or if they require additional information.
>
> Thanks, Shivika Khare Selling Partner API Developer Support

Thanks Shivika. Still

FranciscoVi commented 3 years ago

Thanks Shivika, They have not contacted me yet. Please can you give them another notice. We are still waiting since December 16. Best Regards. Francisco.

FranciscoVi commented 3 years ago

> Hello @FranciscoVi ,
>
> I am following up on your case 6560068722 to expedite it and someone from our team will reach out to you regarding next steps or if they require additional information.
>
> Thanks, Shivika Khare Selling Partner API Developer Support

Hi Shivika, please look at this: https://github.com/amzn/selling-partner-api-models/issues/1039 Is it true that the SP-API is currently not enabled in the EU region, which is why we are receiving the access denied error?

Amazon have capped the full address delivery in the old MWS API from 4 months ago, and we can't get the full address because you have the new SP-API disabled in EU region... How then can we solve this problem?

ShivikaK commented 3 years ago

Hello @FranciscoVi

If you are receiving access denied errors for FBA Inventory API in EU then yes it is due to the API not being available as of now in EU and FE. We are working on expediting the launch for this API.

Thanks, Shivika Khare Selling Partner API Developer Support

FranciscoVi commented 3 years ago

Thanks Shivika. Please inform me as soon as possible when the API is available in the EU zone. I have the additional problem that Amazon will require us, from April 1, to upload all invoices for business customers. We have a lot of sales and we need to upload the invoices with the SP-API. Thanks. Francisco.

FranciscoVi commented 3 years ago

Thanks Shivika. Please inform me as soon as possible when the API is available in the EU zone. We have been waiting for 4 months and we are running out of time. I have the additional problem that Amazon will require us, from April 1, to upload all invoices for business customers. We have a lot of sales and we need to upload the invoices with the SP-API. Thanks. Francisco.

jusjjusj commented 3 years ago

Hello, has anyone been able to work with the new SP-API in the euro zone? Thanks. Jusj.

FranciscoVi commented 3 years ago

> Hello, has anyone been able to work with the new SP-API in the euro zone? Thanks. Jusj.

Sorry, SP-API in EU region is disabled and Amazon does not yet have an expected activation date.

rogersv commented 3 years ago

@FranciscoVi the SP-API exists in the EU zone too. I just tried a call for getting orders and it works. Shivika only said that the FBA-inventory API was disabled, right?

FranciscoVi commented 3 years ago

> @FranciscoVi the SP-API exists in the EU zone too. I just tried a call for getting orders and it works. Shivika only said that the FBA-inventory API was disabled, right?

Ohhh, what wonderful news. We are having the error "Access to Orders.ListOrders is denied" and Shivika told me 2 months ago the reason is that SP-API is disabled in the EU region. Can you help me by telling me where we have the error?

```
------------------------------ API Selection ------------------------------
API Section: Orders
Operation: ListOrders

------------------------------ Authentication ------------------------------
SellerId: XXXXXXXXXXXXXX
MWSAuthToken: XXXXXXXXXX....
AWSAccessKeyId: XXXXXXXXXXXXXXXXXXXX
Secret Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Endpoint: mws.amazonservices.es

------------------------------ Request Details ------------------------------
POST /Orders/2013-09-01?AWSAccessKeyId=XXXXXXXXXXXXXXXXXXXX
  &Action=ListOrders
  &SellerId=XXXXXXXXXXXXXX
  &MWSAuthToken=XXXXXXXXXX....
  &SignatureVersion=2
  &Timestamp=2021-02-02T09%3A30%3A51Z
  &Version=2013-09-01
  &Signature=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  &SignatureMethod=HmacSHA256
  &MarketplaceId.Id.1=A1RKKUPIHCS9HS HTTP/1.1
Host: mws.amazonservices.es
x-amazon-user-agent: AmazonJavascriptScratchpad/1.0 (Language=Javascript)
Content-Type: text/xml

------------------------------ Response ------------------------------
<?xml version="1.0"?>
Sender AccessDenied Access to Orders.ListOrders is denied 503cc424-bb00-4661-bab8-ec725f3b83a2
```

I would really appreciate your help. From Amazon support they only limit themselves to answering that SP-API is disabled in EU region. Thanks.

rogersv commented 3 years ago

Well I have only used the self auth and my app is not published. I have only used the SP-API (not the MWS). Are you using a hybrid between MWS and the SP-API? Your call seems to be to the MWS endpoint.

The call I used was this one https://github.com/amzn/selling-partner-api-models/blob/927faf03eeda694726bed552313c7f45c971cc3e/models/orders-api-model/ordersV0.json#L27.

ShivikaK commented 3 years ago

Hello @FranciscoVi

Currently FBA Inventory API is not available in EU and JP.

But if you are getting access denied issues for any other API, it could be due to permission issues with the application, if you are using IAM role entity and not adding STS token to your request along with LWA access token or if you are using IAM user but the IAM policy is not directly added to the IAM user.

Please confirm the APIs you are getting access denied errors for in the case 6560068722 that you have opened with us and our team can further help troubleshoot the error.

Thanks, Shivika Khare Selling Partner API Developer Support

FranciscoVi commented 3 years ago

Sorry @rogersv and @ShivikaK , I got confused and pasted the old code for MWS.

About the policy we are using:

------------------------------ Policy Details ------------------------------

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:::*"
    }
  ]
}
```

Here is the code we are using now for SP-API:

------------------------------ Request Details ------------------------------

```php
<?php

$access_key = 'XXXXXXXXXXXXXX';
$secret_key = 'XXXXXXXXXXXXXX';
$merchant_id = 'XXXXXXXXXXXXXX';
$refresh_token = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
$id_cliente = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
$client_secret = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";

// Step 1: exchange the LWA refresh token for an access token.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://api.amazon.com/auth/o2/token");
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Host: api.amazon.com',
    'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "grant_type=refresh_token&refresh_token=".$refresh_token."&client_id=".$id_cliente."&client_secret=".$client_secret);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
curl_close($ch);
$array_response = json_decode($response);
$token = $array_response->access_token;

// Step 2: call STS AssumeRole to obtain temporary credentials.
// $date and $fecha (used in the headers below) are not defined in the snippet as posted.
$version = '2011-06-15';
$action = 'AssumeRole';
$requestPayload = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
$role_arn = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
$role_session_name = 'XXXXXXXXXXXXXXXXXXXXXX';
$resquestIAM = "Version=".$version."&Action=".$action."&RoleSessionName=".$role_session_name."&RoleArn=".$role_arn;
$signature = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
$url_sts = 'https://sts.eu-west-1.amazonaws.com/';
$user_agent = 'XXXXXXXXXXXXXXXXXXXXXXXXXXX';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url_sts);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Host: sts.eu-west-1.amazonaws.com',
    'Authorization: AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXXXXXXXXX/'.$date.'/eu-west-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature='.$signature,
    'Content-Type: application/x-www-form-urlencoded;charset=UTF-8',
    'Accept: application/json',
    'user-agent: '.$user_agent,
    'x-amz-access-token:'.$token,
    'x-amz-date:'.$fecha));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $resquestIAM);
$response = curl_exec($ch);
curl_close($ch);
$array_sts = json_decode($response);
var_dump($array_sts);
$iam_session_token = $array_sts->AssumeRoleResponse->AssumeRoleResult->Credentials->SessionToken;
$iam_access_key_id = $array_sts->AssumeRoleResponse->AssumeRoleResult->Credentials->AccessKeyId;
$iam_secret_access_key = $array_sts->AssumeRoleResponse->AssumeRoleResult->Credentials->SecretAccessKey;

// Step 3: call the Orders API with the LWA token and the temporary credentials.
$signature = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
$url = "https://sellingpartnerapi-eu.amazon.com/orders/v0/orders";
$user_agent = 'XXXXXXXXXXXXXXXXXXXXXXXXX';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded;charset=UTF-8',
    'user-agent: '.$user_agent,
    'x-amz-access-token:'.$token,
    'x-amz-security-token:'.$iam_session_token,
    'x-amz-date:'.$fecha,
    'Authorization: AWS4-HMAC-SHA256 Credential='.$iam_access_key_id.'/'.$date.'/eu-west-1/execute-api/aws4_request, SignedHeaders=host;content-type;user-agent;x-amz-access-token;x-amz-security-token;x-amz-date, Signature='.$signature,
    'Host: sellingpartnerapi-eu.amazon.com'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, "MarketplaceIds=A1RKKUPIHCS9HS");
$response = curl_exec($ch);
curl_close($ch);
$prueba = json_decode($response);
var_dump($response);
?>
```

------------------------------ Response ------------------------------

```
string(141) "{ "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }"
```

Can you help me about this Unauthorized error? Thank you very much!!

jusjjusj commented 3 years ago

Hi, we have opened case 6837269402 with Amazon. The application is andresmachado (draft state). We try to authorize the app using the Self Authorization method. I keep getting the error with the SP-API:

```
< HTTP/1.1 403 Forbidden
< Date: Wed, 17 Mar 2021 08:39:08 GMT
< Content-Type: application/json
< Content-Length: 141
< Connection: keep-alive
< x-amzn-RequestId: 6eeee2ca-49b3-429a-bbe4-87e09dd2c4f3
< x-amzn-ErrorType: AccessDeniedException
< x-amz-apigw-id: cUr2-HUHDoEFrlw=
<
```

Exception when calling SellersApi->getMarketplaceParticipations: [403] Client error: GET https://sellingpartnerapi-eu.amazon.com/sellers/v1/marketplaceParticipations resulted in a 403 Forbidden response: { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "det (truncated...)

Can someone help us? Please.

ShivikaK commented 3 years ago

Hello @FranciscoVi

For access denied errors, we request you to provide all the required information in the support case that you have created with us so that the Support engineer can further troubleshoot this and provide you with next steps.

Please provide all this information in the open Support case.

Thanks, Shivika Khare Selling Partner API Developer Support

rogersv commented 3 years ago

@FranciscoVi your SignedHeaders should be sorted in alphabetical order. That's probably one of the errors. Look at the python example here https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html and check the comments in the code. It might help you.
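
The SigV4 construction this comment refers to, sketched for a GET to the Orders endpoint with the LWA and STS tokens included in the signature. This is an added example, not code from any participant or from Amazon; the function name, credentials, tokens and timestamp are constructed placeholders, and the path is assumed to contain no characters that need URI encoding.

```python
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_sp_api_request(method, host, path, query, headers, body,
                        access_key, secret_key, region, amz_date):
    """Return (signed_headers, authorization) for one SP-API request.

    headers holds the extra headers to sign; host and x-amz-date are added.
    """
    to_sign = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    to_sign["host"] = host
    to_sign["x-amz-date"] = amz_date

    # SigV4 requires header names lowercased and sorted, in both the
    # canonical header block and the SignedHeaders list.
    names = sorted(to_sign)
    canonical_headers = "".join(f"{n}:{to_sign[n]}\n" for n in names)
    signed_headers = ";".join(names)

    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    canonical_request = "\n".join([
        method.upper(), path, canonical_query,
        canonical_headers, signed_headers,
        hashlib.sha256(body.encode("utf-8")).hexdigest(),
    ])

    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/execute-api/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])

    # Signing key: HMAC chain over date, region, service, "aws4_request".
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date_stamp, region, "execute-api", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    return signed_headers, (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")


# Constructed placeholder values; none of these are real credentials.
SAMPLE = dict(
    host="sellingpartnerapi-eu.amazon.com", path="/orders/v0/orders",
    query={"MarketplaceIds": "A1RKKUPIHCS9HS"}, body="",
    access_key="ASIAEXAMPLEKEYID0000", secret_key="example-secret-key",
    region="eu-west-1", amz_date="20210317T083908Z",
)
HEADERS = {"x-amz-access-token": "Atza|EXAMPLE",
           "x-amz-security-token": "EXAMPLE-SESSION-TOKEN",
           "user-agent": "example-client/1.0"}
```

Calling `sign_sp_api_request("GET", headers=HEADERS, **SAMPLE)` yields the same signature whatever order the headers are supplied in, while changing the method to POST changes it, because the method is part of the canonical request.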

FranciscoVi commented 3 years ago

Thank you very much @rogersv I tried following the steps indicated on that page, but we keep getting the same error: string(141) "{ "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }"

@ShivikaK I am going to update my support case. It is the CaseID: 6560068722. I hope this time Amazon support replies. Last time they told me: "Currently this API is not enabled in EU and FE regions which is why you are receiving access denied error. We are working in order to enable this API in EU and FE region." Can you let them know? Thanks.

jusjjusj commented 3 years ago

I have solved it by creating a new app using ARN role instead of ARN user.

If you register your application using your IAM user, be sure that the IAM policy is attached to it. Otherwise your calls to the Selling Partner API will fail. We recommend registering your application using an IAM role, as shown in this workflow, to help you better control access to your AWS resources.

FranciscoVi commented 3 years ago

Hi @jusjjusj , Yes, I tried that way too, but the response was the same. Thank you anyway.

diegocvazquez commented 3 years ago

> Hi @jusjjusj , Yes, I tried that way too, but the response was the same. Thank you anyway.

Hi Francisco, did you make any progress on this? I am having the same issue.

FranciscoVi commented 3 years ago

Sorry @diegocvazquez, Amazon doesn't reply to the case.

Hi @ShivikaK , can you help us with this issue? Amazon doesn't reply to the cases about "Access to requested resource is denied." from EU regions. For example, CaseID 6560068722 wasn't replied to.

ShivikaK commented 3 years ago

Hello @FranciscoVi

I will expedite the support case for resolution and you should receive an update on the case by next week.

Thanks, 
Shivika Khare
 Selling Partner API Developer Support

FranciscoVi commented 3 years ago

Thank you very much @ShivikaK. I hope this time Amazon replies to my case.

Thanks. Francisco.

daloch commented 3 years ago

Same error any news? Forbidden calling https://sellingpartnerapi-eu.amazon.com/sellers/v1/marketplaceParticipations my case #6989728532 no response

FranciscoVi commented 3 years ago

For now there is no news. It is an error that Amazon is trying to solve.

ShivikaK commented 3 years ago

6989728532

Hello @daloch

Apologies for the delay and inconvenience caused.

The case is being reviewed by Support team and it will be updated with next steps accordingly.

Please continue monitoring the case.

Thanks, 
Shivika Khare
 Selling Partner API Developer Support

marconline commented 3 years ago

Hi @FranciscoVi, I guess SP-API have problems with the EU zone, at least in the sandbox environment. We have an application (eDock) using MWS and trusted by hundreds of sellers. We are in process of migrating everything to the new SP-API before the end of September because this is what Amazon asked.

My findings:

  1. MWS tokens still work, and work well, on MWS endpoints, so this is good news
  2. an SP-API token is valid for a precise region (e.g. if you authenticate your seller account in the EU region, that token will work only for sandbox and production endpoints in the EU region)
  3. I couldn't try EU production endpoints because we currently have a problem with our developer id and had to push our app under Amazon's certification
  4. on a few EU sandbox endpoints, everything works as expected. Working endpoints, at least for me, are: Seller API - GET /sellers/v1/marketplaceParticipations and Orders API - GET /orders/v0/orders. I couldn't make it work on Feeds API or Reports API. I always get the Unauthorized error.
  5. unfortunately our account is registered in the EU region and so I cannot test it on the NA sandbox (which I guess would work for each endpoint).
  6. I cannot switch one of our customers' MWS token to the SP-API token, in order to test it on the NA endpoint, because of the problem in point number 3. So I hope Amazon will unlock our app ASAP in order to let us do this migration.

Marco

FranciscoVi commented 3 years ago

Hi @marconline and @daloch, you can solve this problem if you use method GET (not post)
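
The causes named across this thread (no STS session token alongside role credentials, unsorted SignedHeaders, a signing region that does not match the regional endpoint, POST on a GET operation) collected into a preflight check that runs over a prepared request before it is sent. This is an added example, not code from any participant or from Amazon; `preflight`, the finding codes and the sample request are hypothetical, and the sample is constructed to mirror the header layout of the PHP call posted earlier.

```python
import re

# SP-API endpoint host -> AWS region expected in the SigV4 credential scope.
ENDPOINT_REGIONS = {
    "sellingpartnerapi-na.amazon.com": "us-east-1",
    "sellingpartnerapi-eu.amazon.com": "eu-west-1",
    "sellingpartnerapi-fe.amazon.com": "us-west-2",
}
AUTH_RE = re.compile(
    r"AWS4-HMAC-SHA256 Credential=(?P<key>[^/]+)/(?P<date>\d{8})/(?P<region>[^/]+)/"
    r"(?P<service>[^/]+)/aws4_request,\s*SignedHeaders=(?P<signed>[^,\s]+),\s*"
    r"Signature=(?P<sig>\S+)"
)


def preflight(method, host, headers, expected_method):
    """Return finding codes for one prepared SP-API request (hypothetical helper)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if method.upper() != expected_method.upper():
        findings.append("method-mismatch")
    if not h.get("x-amz-access-token", "").startswith("Atza|"):
        findings.append("lwa-access-token-missing")
    m = AUTH_RE.match(h.get("authorization", ""))
    if not m:
        return findings + ["authorization-unparseable"]
    signed = m["signed"].split(";")
    if signed != sorted(signed):
        findings.append("signed-headers-unsorted")
    if any(name != "host" and name not in h for name in signed):
        findings.append("signed-header-not-sent")
    if m["service"] != "execute-api":
        findings.append("wrong-service-in-scope")
    base_host = host[len("sandbox."):] if host.startswith("sandbox.") else host
    expected_region = ENDPOINT_REGIONS.get(base_host)
    if expected_region and m["region"] != expected_region:
        findings.append("region-mismatch")
    if not h.get("x-amz-date", "").startswith(m["date"]):
        findings.append("scope-date-mismatch")
    # Access key IDs starting with ASIA are temporary STS credentials; they are
    # only valid when the session token is sent and signed with the request.
    if m["key"].startswith("ASIA") and "x-amz-security-token" not in signed:
        findings.append("sts-session-token-missing")
    return findings


# Constructed request shaped like the PHP call posted above (placeholder values).
AS_POSTED_HEADERS = {
    "content-type": "application/x-www-form-urlencoded;charset=UTF-8",
    "user-agent": "example-client/1.0",
    "x-amz-access-token": "Atza|EXAMPLE",
    "x-amz-security-token": "EXAMPLE-SESSION-TOKEN",
    "x-amz-date": "20210317T083908Z",
    "authorization": (
        "AWS4-HMAC-SHA256 Credential=ASIAEXAMPLEKEYID0000/20210317/eu-west-1/"
        "execute-api/aws4_request, SignedHeaders=host;content-type;user-agent;"
        "x-amz-access-token;x-amz-security-token;x-amz-date, Signature=" + "0" * 64
    ),
}

if __name__ == "__main__":
    print(preflight("POST", "sellingpartnerapi-eu.amazon.com", AS_POSTED_HEADERS, "GET"))
```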

manibha-jain commented 3 years ago

Any update? I am still getting the issue 'Access to requested resource is denied.'. And my marketplace in the seller account is India.

shirushi-dev commented 3 years ago

me too @japan

dogukangun-eva commented 3 years ago

Any updates on this issue? @ShivikaK

cantonalex commented 2 years ago

me too @ShivikaK

github-actions[bot] commented 1 year ago

This is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue after the latest release and if you find that this is still a problem, please feel free to open a new issue and make a reference to this one.

github-actions[bot] commented 1 year ago

closed for inactivity