jlevers / selling-partner-api

A PHP client library for Amazon's Selling Partner API
BSD 3-Clause "New" or "Revised" License
402 stars 189 forks

Assume role credentials are not being used while signing request #575

Closed a-Akanksha-dixit closed 1 year ago

a-Akanksha-dixit commented 1 year ago

I'm trying to make a custom authorization file to override the current SellingPartnerApi\Authentication file. While debugging the code flow I came to realise that while signing non-STS calls we are not sending X-Amz-Security-Token (the session token received from the temporary assume role (STS) call) in the header while signing the API request.

I was wondering why this is not throwing any exception while making calls to Amazon, so I regenerated the API calls in Postman, in which I made some changes:

  1. selecting no auth in the Authorization tab.
  2. adding X-Amz-Date in the header in UTC format (YYYYMMDDTHHMMSSZ), e.g. 20230706T065738Z
  3. in the Authorization header field, I have randomly provided awsAccessKey and awsSecretKey instead of valid ones; a sample is provided below: AWS4-HMAC-SHA256 Credential=abcdefgh/12345/eu-west-1/execute-api/aws4_request, SignedHeaders=accept;content-type;host;user-agent, Signature=signature

While in all of the SP-API documentation Amazon has said to use an assume role for authorization, I'm still able to get a 100% success rate in every API call to Amazon. (I have tried the report, catalog, productType and order APIs by this method.)

Has Amazon lifted the restriction to send assume-role keys, or is it some bug I'm not able to understand?

I'm providing a signed API request from your SDK which does not include X-Amz-Security-Token in the headers, and I've given a random awsAccessKey and awsSecretKey (PS: I have overridden getRoleCredentials to not generate new role keys and instead return those random values), and still the API calls are successful with status code 200.

GuzzleHttp\Psr7\Request Object
(
[method:GuzzleHttp\Psr7\Request:private] => GET
[requestTarget:GuzzleHttp\Psr7\Request:private] => 
[uri:GuzzleHttp\Psr7\Request:private] => GuzzleHttp\Psr7\Uri Object
    (
        [scheme:GuzzleHttp\Psr7\Uri:private] => https
        [userInfo:GuzzleHttp\Psr7\Uri:private] => 
        [host:GuzzleHttp\Psr7\Uri:private] => sellingpartnerapi-eu.amazon.com
        [port:GuzzleHttp\Psr7\Uri:private] => 
        [path:GuzzleHttp\Psr7\Uri:private] => /catalog/2022-04-01/items
        [query:GuzzleHttp\Psr7\Uri:private] => identifiers=B08YRD1CNN&identifiersType=ASIN&marketplaceIds=A21TJRUUN4KGV&pageSize=10
        [fragment:GuzzleHttp\Psr7\Uri:private] => 
    )

[headers:GuzzleHttp\Psr7\Request:private] => Array
    (
        [User-Agent] => Array
            (
                [0] => jlevers/selling-partner-api/5.10.1 (Language=PHP)
            )

        [Accept] => Array
            (
                [0] => application/json
            )

        [Content-Type] => Array
            (
                [0] => application/json
            )

        [Host] => Array
            (
                [0] => sellingpartnerapi-eu.amazon.com
            )

        [Authorization] => Array
            (
                [0] => AWS4-HMAC-SHA256 Credential=<AWS access key ID>/12345/eu-west-1/execute-api/aws4_request, SignedHeaders=accept;content-type;host;user-agent, Signature=XXXXXXXX
            )

        [x-amz-date] => Array
            (
                [0] => 20230707T095525Z
            )

        [x-amz-access-token] => Array
            (
                [0] => XXXXXX
            )

    )

[headerNames:GuzzleHttp\Psr7\Request:private] => Array
    (
        [user-agent] => User-Agent
        [accept] => Accept
        [content-type] => Content-Type
        [host] => Host
        [authorization] => Authorization
        [x-amz-date] => x-amz-date
        [x-amz-access-token] => x-amz-access-token
    )

[protocol:GuzzleHttp\Psr7\Request:private] => 1.1
[stream:GuzzleHttp\Psr7\Request:private] => GuzzleHttp\Psr7\Stream Object
    (
        [stream:GuzzleHttp\Psr7\Stream:private] => Resource id #18
        [size:GuzzleHttp\Psr7\Stream:private] => 
        [seekable:GuzzleHttp\Psr7\Stream:private] => 1
        [readable:GuzzleHttp\Psr7\Stream:private] => 1
        [writable:GuzzleHttp\Psr7\Stream:private] => 1
        [uri:GuzzleHttp\Psr7\Stream:private] => php://temp
        [customMetadata:GuzzleHttp\Psr7\Stream:private] => Array
            (
            )

    )

)

Please provide an explanation of why this is so.

jlevers commented 1 year ago

If you attach the policy that allows you to make requests to the SP API (the ExecuteAPI policy) directly to your AWS IAM user instead of to an IAM role, you can make requests without ever calling STS. This isn't recommended, as it's not as secure, but it is possible.
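The signing difference behind both the report above and this answer, as an added Python illustration (not the library's PHP code): a SigV4 signer that, when handed temporary STS credentials, sends the session token as x-amz-security-token and includes that header in SignedHeaders, and a review check that flags a request signed with a temporary key but no token. The request shape mirrors the dump in the issue; all keys, tokens and the signature are constructed placeholders, and the AKIA/ASIA access-key-ID prefixes are the ones AWS documents for long-term and temporary credentials respectively. With a long-term IAM user key that has the ExecuteAPI policy attached directly, the token simply is not needed, which is why the reporter's requests succeeded.

```python
"""SigV4 signing with and without an STS session token (added illustration,
not jlevers/selling-partner-api code)."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sigv4_sign(method, host, path, query, headers, payload, access_key, secret_key,
               region, service, amz_date, session_token: Optional[str] = None) -> dict:
    """Return the request headers plus Authorization.

    With temporary credentials (STS AssumeRole) the session token must travel as
    x-amz-security-token and be part of SignedHeaders: the temporary secret key
    is only valid together with its token, so without it the signature cannot be
    verified server-side.
    """
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}  # canonical header values
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    if session_token:
        hdrs["x-amz-security-token"] = session_token

    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    payload_hash = hashlib.sha256(payload).hexdigest()
    canonical_request = "\n".join([
        method.upper(), quote(path, safe="/-_.~"), canonical_query,
        canonical_headers, signed_headers, payload_hash,
    ])

    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        derive_signing_key(secret_key, date_stamp, region, service),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()
    hdrs["authorization"] = (
        f"{ALGORITHM} Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return hdrs


def flags_missing_session_token(hdrs: dict) -> bool:
    """Review check: an access key ID starting with 'ASIA' is a temporary STS
    credential (AKIA denotes long-term user keys), so a request signed with one
    but lacking x-amz-security-token is the defect described in the issue."""
    credential = hdrs["authorization"].split("Credential=", 1)[1].split("/", 1)[0]
    return credential.startswith("ASIA") and "x-amz-security-token" not in hdrs


# Constructed sample mirroring the request dumped in the issue (placeholder values).
SAMPLE_QUERY = {"identifiers": "B08YRD1CNN", "identifiersType": "ASIN",
                "marketplaceIds": "A21TJRUUN4KGV", "pageSize": "10"}
SAMPLE_HEADERS = {"User-Agent": "jlevers/selling-partner-api/5.10.1 (Language=PHP)",
                  "Accept": "application/json", "Content-Type": "application/json",
                  "x-amz-access-token": "LWA-TOKEN-PLACEHOLDER"}


def sign_sample(access_key: str, session_token: Optional[str] = None) -> dict:
    return sigv4_sign("GET", "sellingpartnerapi-eu.amazon.com", "/catalog/2022-04-01/items",
                      SAMPLE_QUERY, SAMPLE_HEADERS, b"", access_key, "SECRET-KEY-PLACEHOLDER",
                      "eu-west-1", "execute-api", "20230707T095525Z", session_token)


if __name__ == "__main__":
    long_term = sign_sample("AKIAPLACEHOLDER")          # IAM user with ExecuteAPI attached directly
    temporary = sign_sample("ASIAPLACEHOLDER", "SESSION-TOKEN-PLACEHOLDER")
    broken = sign_sample("ASIAPLACEHOLDER")             # STS key but token dropped
    for name, h in [("long-term", long_term), ("temporary", temporary), ("broken", broken)]:
        print(name, h["authorization"], "| flagged:", flags_missing_session_token(h))
```

The check is cheap to run against a captured request (the Authorization header and the header names are all it needs), which makes it a reasonable guard in a custom signer override like the one the reporter was writing: if the role credentials you fetched came from STS, the signed request must carry the token, and a request that validates without one is being accepted on long-term keys, not on the assumed role.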

jlevers commented 1 year ago

Since I haven't heard anything from you, I'm going to assume you're all set. Feel free to reopen this if you need more help.