Reputation: 351
I am getting the following when sending a getOrders request to /orders/v0/orders via Postman after following instructions and examples provided at https://developer-docs.amazon.com/sp-api/docs/connecting-to-the-selling-partner-api and https://developer-docs.amazon.com/sp-api/docs/orders-api-v0-reference.
{
  "errors": [
    {
      "message": "Access to requested resource is denied.",
      "code": "Unauthorized",
      "details": ""
    }
  ]
}
We have registered a self-authorized app client in Draft status which has a user ARN IAM attached as described at https://developer-docs.amazon.com/sp-api/docs/registering-your-application.
I've checked the inline and role policies for the ARN IAM. They are exactly as described at https://developer-docs.amazon.com/sp-api/docs/creating-and-configuring-iam-policies-and-entities#step-4-create-an-iam-role.
We are able to successfully request an LWA access token following the docs at https://developer-docs.amazon.com/sp-api/docs/connecting-to-the-selling-partner-api#step-1-request-a-login-with-amazon-access-token.
Using the AWS Signature Version 4 process in Postman, we're able to send a request to /orders/v0/orders following the docs at https://developer-docs.amazon.com/sp-api/docs/orders-api-v0-reference. However, we get the Unauthorized response above.
It is somewhat unclear if the getOrders operation requires an RDT since it is listed here https://developer-docs.amazon.com/sp-api/docs/tokens-api-use-case-guide#restricted-operations. However, then at https://developer-docs.amazon.com/sp-api/docs/tokens-api-use-case-guide#step-1-get-an-order-id, it's explained that you need an order ID to get an RDT and to call getOrders for a list of order IDs, then get an RDT for a specific order ID and then use the RDT with a subsequent call such as getOrderItems. So, it seems to me that the initial getOrders call should/does not require an RDT.
Thus, it's not clear what else needs to be done to resolve the Unauthorized response from the getOrders operation.
Has anyone else solved this? We've opened several support cases with Amazon Developer Support only to have the cases closed with templated responses copied from the pages I've referenced above.
Upvotes: 3
Views: 7918
Reputation: 184
Have you read the Regulated Orders documentation? To make certain orders API calls, you need 'Approval for the Direct-to-Consumer Delivery (Restricted) role in your developer profile' and 'The Direct-to-Consumer Delivery (Restricted) role selected in the App registration page for your application'. Ensure you have these permissions and follow the directions for how to complete these calls.
Upvotes: 0
Reputation: 51
Do you still need help with this issue? If so, here are some possible issues (assuming you have already been approved for direct to consumer shipping when you applied):
1.) Yes, you do need an RDT for getOrders.
2.) The RDT should be obtained with the following information:
POST body to acquire the RDT should include:
"targetApplication": your application ID (from seller central -> develop apps -> should look like amzn1.sp.solution.(more chars))
So the body should look like this in JSON format:
{
  "targetApplication": "amzn1.sp.solution.askdeqevfjaiv",
  "restrictedResources": [
    {
      "method": "GET",
      "path": "/orders/v0/getOrders",
      "dataElements": [
        "shippingAddress"
      ]
    }
  ]
}
targetApplication IS required when you are a private application with self authorization. I know this is not in the docs. It is possible to get an RDT but have it not work if the targetApplication is not included.
3.) It seems you are a private application which intends to remain in draft status. If so, make sure that this is the case:
3a.) Make sure your app is registered with the USER ARN, not the role ARN like the documentation suggests.
3b.) Make sure you DO NOT have a policy or role attached to that user.
3c.) Add an inline policy to the user. Paste the following into the JSON option:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:*:*:*"
    }
  ]
}
If you had to change your ARN, you must generate and use a new refresh token.
If you have a successful RDT TOKEN, then the following may be an issue:
A request to get orders requires the following query string parameters minimum:
A request to getOrders for your app requires either (CreatedAfter or LastUpdatedAfter) and MarketplaceIds. They must also be in order of character code. In this case, CreatedAfter and then MarketplaceIds. CreatedAfter must be in ISO 8601 format. Marketplace IDs can be found here: https://developer-docs.amazon.com/sp-api/docs/marketplace-ids
Another possibility is that you are using the wrong keys in the wrong places, i.e.:
"lwaClientId" => "<LWA client ID>", from seller central
"lwaClientSecret" => "<LWA client secret>", from seller central
"lwaRefreshToken" => "<LWA refresh token>", from seller central
"awsAccessKeyId" => "<AWS access key ID>", from the IAM USER
"awsSecretAccessKey" => "<AWS secret access key>", from IAM USER
If none of these work, please let me know. I have worked through a lot of SP-API issues.
Upvotes: 5
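Added example, not part of any post in this thread and not Amazon's code: a Python sketch of the query-string checks described in the answer above (required parameters, ISO 8601 date, ordering by character code) followed by the AWS Signature Version 4 computation for GET /orders/v0/orders. The host, region, token, secret and marketplace ID are assumed or constructed sample values, and the function names are hypothetical.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

DATE_KEYS = ("CreatedAfter", "LastUpdatedAfter")  # getOrders needs one of these

def canonical_query(params):
    """Validate getOrders parameters and return the SigV4 canonical query string."""
    if "MarketplaceIds" not in params:
        raise ValueError("MarketplaceIds is required")
    if not any(k in params for k in DATE_KEYS):
        raise ValueError("CreatedAfter or LastUpdatedAfter is required")
    for key in DATE_KEYS:
        if key in params:  # raises ValueError if the value is not ISO 8601
            datetime.datetime.fromisoformat(params[key].replace("Z", "+00:00"))
    # Percent-encode names and values, then sort by character code.
    pairs = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~")) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_get_orders(params, token, secret_key, amz_date, host, region):
    """Return the hex SigV4 signature for GET /orders/v0/orders."""
    headers = {"host": host, "x-amz-access-token": token, "x-amz-date": amz_date}
    names = sorted(headers)
    canonical_request = "\n".join([
        "GET", "/orders/v0/orders", canonical_query(params),
        "".join(f"{n}:{headers[n]}\n" for n in names),
        ";".join(names), hashlib.sha256(b"").hexdigest()])  # empty GET body
    day = amz_date[:8]
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, f"{day}/{region}/execute-api/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (day, region, "execute-api", "aws4_request"):
        key = _hmac(key, part)  # derive the signing key step by step
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

# Constructed sample values; none of them are real credentials or identifiers.
SAMPLE = {"MarketplaceIds": "EXAMPLEMARKETPLACE1", "CreatedAfter": "2023-01-01T00:00:00Z"}
if __name__ == "__main__":
    print(canonical_query(SAMPLE))
    print(sign_get_orders(SAMPLE, "Atz|EXAMPLE", "EXAMPLESECRET", "20230102T030405Z",
                          "sellingpartnerapi-na.amazon.com", "us-east-1"))
```

The `token` argument is whichever token goes in the `x-amz-access-token` header, so the same function covers a call made with an LWA access token or with an RDT.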