David

Reputation: 101

How to fix issue calling Amazon SP-API, which always returns Unauthorized, even with valid Token and Signature

I went through the guide for getting set up to call the new SP-API (https://github.com/amzn/selling-partner-api-docs/blob/main/guides/developer-guide/SellingPartnerApiDeveloperGuide.md), and during the process checked off all of the API areas to grant access to (i.e. Orders, Inventory, etc.). I am using the C# library provided by Amazon (https://github.com/amzn/selling-partner-api-models/tree/main/clients/sellingpartner-api-aa-csharp). I successfully get an access token and successfully sign the request, but always get the following error:

Access to requested resource is denied. / Unauthorized, with no details.

I am trying to perform a simple get to the /orders/v0/orders endpoint. What am I doing wrong?

Below is my code:

private const string MARKETPLACE_ID = "ATVPDKIKX0DER";
var resource = $"/orders/v0/orders";
var client = new RestClient("https://sellingpartnerapi-na.amazon.com");

IRestRequest restRequest = new RestRequest(resource, Method.GET);

restRequest.AddParameter("MarketPlaceIds", MARKETPLACE_ID, ParameterType.QueryString);

restRequest.AddParameter("CreatedAfter", DateTime.UtcNow.AddDays(-5), ParameterType.QueryString);

var lwaAuthorizationCredentials = new LWAAuthorizationCredentials
{
    ClientId = AMAZON_LWA_CLIENT_ID,
    ClientSecret = AMAZON_LWA_CLIENT_SECRET,
    RefreshToken = AMAZON_LWA_REFRESH_TOKEN,
    Endpoint = new Uri("https://api.amazon.com/auth/o2/token")
};

restRequest = new LWAAuthorizationSigner(lwaAuthorizationCredentials).Sign(restRequest);

var awsAuthenticationCredentials = new AWSAuthenticationCredentials
{
    AccessKeyId = AMAZON_ACCESS_KEY_ID,
    SecretKey = AMAZON_ACCESS_SECRET,
    Region = "us-east-1"
};

restRequest = new AWSSigV4Signer(awsAuthenticationCredentials).Sign(restRequest, client.BaseUrl.Host);

var response = client.Execute(restRequest);

Upvotes: 5

Views: 10612

Answers (5)

Tareq Abuzuhri

Reputation: 11

If you are using C#, take a look at

https://github.com/abuzuhri/Amazon-SP-API-CSharp

AmazonConnection amazonConnection = new AmazonConnection(new AmazonCredential()
{
    AccessKey = "AKIAXXXXXXXXXXXXXXX",
    SecretKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    RoleArn = "arn:aws:iam::XXXXXXXXXXXXX:role/XXXXXXXXXXXX",
    ClientId = "amzn1.application-XXX-client.XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    ClientSecret = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    RefreshToken = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
});

var orders = amazonConnection.Orders.ListOrders();

Upvotes: 1

Pablo Chvx

Reputation: 1931

I don't think this is a duplicate question, but the solution may apply: https://stackoverflow.com/a/66860192/1034622

Upvotes: 0

Nicky Kouffeld

Reputation: 391

You also get this error if your sp app is under review, drove me nuts!

Upvotes: 2

cristoper

Reputation: 470

If you followed the SP-API guide, then you created a Role (which is the IAM ARN your app is registered with) and a User which has permissions to assume that role to make API calls.

However, one thing the guide is not clear about is that you can't make API calls using that user's credentials directly. You must first call the STS API's AssumeRole method with your User's credentials (AMAZON_ACCESS_KEY_ID/AMAZON_ACCESS_SECRET), and it will return temporary credentials authorized against the Role. You use those temporary credentials when signing requests.

AssumeRole will also return a session token which you must include with your API calls in a header called X-Amz-Security-Token. For a brief description of X-Amz-Security-Token see https://docs.aws.amazon.com/STS/latest/APIReference/CommonParameters.html

Upvotes: 3
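
The AssumeRole flow described in the answer above, sketched in C# as an added example (not part of the original answer and not code from Amazon's library). It assumes the AWSSDK.SecurityToken NuGet package, the RestSharp version used in the question, and that Amazon's signer classes live in the `Amazon.SellingPartnerAPIAA` namespace; the class, method and session names are hypothetical, and the role ARN is whatever ARN the app was registered with.

```csharp
using System;
using System.Threading.Tasks;
using Amazon;                       // RegionEndpoint (AWSSDK.Core)
using Amazon.SecurityToken;         // AWSSDK.SecurityToken NuGet package
using Amazon.SecurityToken.Model;
using Amazon.SellingPartnerAPIAA;   // Amazon's C# signing library (namespace is an assumption)
using RestSharp;

public static class SpApiRoleSigning
{
    // Hypothetical helper: exchanges the IAM user's long-lived keys for
    // short-lived credentials issued against the role the app is registered with.
    public static async Task<Credentials> AssumeSpApiRoleAsync(string roleArn)
    {
        // Long-lived user keys are read from the environment, not from source code.
        var userKey = Environment.GetEnvironmentVariable("AMAZON_ACCESS_KEY_ID");
        var userSecret = Environment.GetEnvironmentVariable("AMAZON_ACCESS_SECRET");

        using (var sts = new AmazonSecurityTokenServiceClient(userKey, userSecret, RegionEndpoint.USEast1))
        {
            var response = await sts.AssumeRoleAsync(new AssumeRoleRequest
            {
                RoleArn = roleArn,
                RoleSessionName = "sp-api-orders",  // constructed session name
                DurationSeconds = 900               // minimum lifetime STS accepts
            });
            return response.Credentials;
        }
    }

    // Signs a request (already signed with the LWA token) using the temporary
    // role credentials instead of the IAM user's own keys.
    public static IRestRequest SignWithRole(IRestRequest request, string host, Credentials temp)
    {
        // Attach the session token first so the header is present when the
        // SigV4 signature is computed.
        request.AddHeader("x-amz-security-token", temp.SessionToken);

        var roleCredentials = new AWSAuthenticationCredentials
        {
            AccessKeyId = temp.AccessKeyId,
            SecretKey = temp.SecretAccessKey,
            Region = "us-east-1"
        };
        return new AWSSigV4Signer(roleCredentials).Sign(request, host);
    }
}
```

In the question's code, `SignWithRole(restRequest, client.BaseUrl.Host, temp)` would take the place of the direct `AWSSigV4Signer` call. The returned `Credentials.Expiration` indicates when a fresh AssumeRole call is needed.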

David

Reputation: 101

In our situation, we had to explicitly add an IAM policy to the user we defined as making the API call. Please see the link below and confirm that the user you have calling the API has the policy assigned to them:

https://github.com/amzn/selling-partner-api-docs/blob/main/guides/developer-guide/SellingPartnerApiDeveloperGuide.md#step-3-create-an-iam-policy

Somehow we went through the step-by-step setup twice, and adding this explicit policy was missed. Initially I believe it was added 'inline' as instructed, but that does not seem to work.

Upvotes: 0
