Solved!!! Response(403): "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "",

[kerbalwzy]

403 
 {
  "errors": [
    {
      "message": "Access to requested resource is denied.",
     "code": "Unauthorized",
     "details": ""
    }
  ]
}

Can not understand why 403, because not have 'details'.
I had got an effective 'access token', but got this response from request .
I`m sure we had done the store authorized successfully.
Who have the same experience ? can help ? very thanks

[kerbalwzy]

我已经解决了这个问题.
I have solved this problem.

原因是我们给APP绑定IAM策略时是通过IAM角色实现的, 可以通过正确使用 AWS-STS解决这个问题.
The reason is we bound the application with the IAM role to use the IAM policy, can solved by correct use AWS-STS.

两种解决方案:
Two solutions:

• 第一种解决方案, 重新创建新的APP绑定IAM用户的ARN而不是IAM角色的, 注意IAM用户需要的绑定的授权策略如图.
  The first solution is to recreate the new app binding the ARN of IAM users instead of the IAM role. Note that the authorization policies of binding required by IAM user are shown in the figure

• 第二种解决方案, 通过AMS-STS-AssumeRole获取临时的AccessKeyId, SecretAccessKey 和SessionToken, 其中SessionToken要被添加到你的每个请求中, 设置的请求头是x-amz-security-token, 注意这个请求头也要参与到签名计算.
  The second solution is to obtain temporary AccessKeyId, SecretAccessKey and SessionToken through AMS-STS-AssumeRole. The SessionToken will be added to each request. The request header is x-amz-security-token. Note that this request header should also participate in signature calculation.

  ---

  
  你可以通过使用 AWS-CLI命令快速得到临时数据进行测试
  You can quickly get temporary data for testing by using AWS-CLI commands
  你可能需要先配置 AWS-CLI才能执行下面的的命令
  You may need to configure AWS-CLI before to execute the following commands

aws sts assume-role --role-arn '<Your IAM role ARN string>' --role-session-name '<Your IAM role name>'

[fengmiq]

@kerbalwzy 你这中文很秀

[zachary]

It does not work, even sts works. please advise it.

[fengmiq]

@kerbalwzy 这不就是交易报告吗？发送消息和上传文件接口一直测不通，蛋疼，也授权了，官方也没人理。

[kerbalwzy]

It does not work, even sts works. please advise

Please use the first way, it more easy!

Create an new App in 'amazon seller central' bind with the IAM user, then develop with the new App.

[kerbalwzy]

这不就是交易报告吗

大佬, 你知道具体的报表类型么, 从这个文档里我实在是没有找到. 我现在还有TM有部分接口在测试的时候告诉我资源未授权, 我们创建的开发者账号的授权项有些没勾选(勾了就会触发审核), 我也是头疼.

[newpepsi]

这不就是交易报告吗

大佬, 你知道具体的报表类型么, 从这个文档里我实在是没有找到. 我现在还有TM有部分接口在测试的时候告诉我资源未授权, 我们创建的开发者账号的授权项有些没勾选(勾了就会触发审核), 我也是头疼.

哪些权限要审核？

[kerbalwzy]

@newpepsi

[newpepsi]

@newpepsi

开发者资料里面那些项目么？

[kerbalwzy]

@newpepsi 是的, 这些勾上了就要填写更多的开发者资料, 然后还会触发审核, 审核的过程中不允许创建新的App

[newpepsi]

@newpepsi 是的, 这些勾上了就要填写更多的开发者资料, 然后还会触发审核, 审核的过程中不允许创建新的App

APP能删除么？

[kerbalwzy]

@newpepsi 是的, 这些勾上了就要填写更多的开发者资料, 然后还会触发审核, 审核的过程中不允许创建新的App

APP能删除么？

我在界面上就没找到删除按钮

[fengmiq]

这不就是交易报告吗

大佬, 你知道具体的报表类型么, 从这个文档里我实在是没有找到. 我现在还有TM有部分接口在测试的时候告诉我资源未授权, 我们创建的开发者账号的授权项有些没勾选(勾了就会触发审核), 我也是头疼.

Settlement reports这个就是的

[newpepsi]

有谁知道面单在哪个接口里？

[kerbalwzy]

@newpepsi 大兄弟, 你自己发Issues问, 你在我的Issues里留言没啥人能看到的

[kerbalwzy]

@fengmiq
Settlment reports 我之前请求下载看表头过了, 和公司财务要求的报表不一样, 她们用的报表是从店铺后台下载的聚合数据.
难哦, 不过没关系了, 找个功能暂时不做了, 有其他更紧急的事情顶上来了

[Zhc-Pro]

我已经解决了这个问题（我已经解决了这个问题。）

原因是我们给APP绑定IAM策略时是通过IAM角色实现的，可以通过AWS-STS解决这个问题。（原因是我们将具有IAM角色的应用程序绑定为使用IAM策略，可以通过使用AWS-STS来解决。）

两种解决方案（共2种方式）：

• 1. 这个方式更简单，重新给APP通过IAM用户绑定IAM授权策略。
     （这是一种非常简单的方法。将应用程序与IAM用户而非IAM角色绑定以使用IAm策略）
• 1. 通过AMS-STS-AssumeRole获取临时的AccessKeyId，SecretAccessKey和SessionToken，SessionToken要被添加到您的每个请求中，通过请求头x-amz-security-token，这个请求头也要参与到签名计算中。
     （使用AMS-STS-AssumeRole来获取临时AccessKeyId，SecretAccessKey和SessionToken，SessionToken在请求操作中将多余的标头x-amz-security-token使用，并且必须将该标头联接才能进行签名。）

你可以通过使用AWS-CLI命令快速得到临时数据
您可以使用AWS-CLI通过命令迅速获得一个暂时的数据。
你可能需要先配置AWS-CLI才能执行下面的的命令
使用AWS CLI之前，您需要配置您的AWS凭证

aws sts假设角色--role-arn arn：aws：iam :: 58205000480：role / SPROLE_XX --role-session-name SPROLE_XX 

终端打印的结果，需要配置的时候将默认输出格式设置为JSON
，在配置时需要使用JSON设置默认输出格式。

{
     “凭证”：{
         “ AccessKeyId ”：“ XXXXXXXXXXXXXXXXXXX ”，
         “ SecretAccessKey ”：“ WxxdwoY6yIK3QXXXXXXXXXXXE21yG0OgNV ”，
         “ SessionToken ”：“FwoGZXIvYXdzECwaDXXXXXXXXXXAluJmF / ver4lRXqD09GrC61WHGID8f7rEbU9kVev / lAeRrjnBQIcFTm4lSTbxeqTAFKSgtIfbHJP9kJDCw4 // 7v2KeJ6VTFve18td5OGAZiOvEtgCUqv21GEPUCmw1QNAbS1e + s136cCVPlHY5rAsiTP + esvNfeeQ20O2GXKVV6T9WF7FQ5GuZprBQOMaE95L8MviQqRuc5MpKU3ckk7R4XXXXXXXXXXXXXXXf4FMi2FsGJmipQ / 4 / NGDmOkuyIPOquIo6O / ID / NPJqFKGhQ15YK / kG7sduNAAGwEFY = “，
         “ Expiration ”：“ 2020-12-02T11：25：30Z ” 
    }，“ AssumedRoleUser ”：{
         “ AssumedRoleId ”：“ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ”，
         “ Arn ”：“ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ” 
    } 
}
    

大佬，这个解决方案是在哪个页面处理的啊，方便给个链接吗？

[weiliguo15634145]

1. x-amz-security-token

第一种方法 , 我使用用户ARN创建的app , 之后还是返回403同样的结果 .
第二种方法 , 我获取到的sessionToken , 直接作为x-amz-security-token , 添加到请求标头(Header)中 ,得到的结果是
{
"errors": [
{
"message": "The security token included in the request is invalid",
"code": "InvalidInput"
}
]
}
所以这个问题还是困扰着我, 还有什么其他的建议吗 ?

[kerbalwzy]

To use the first solution, you need to correctly bind authorization policies to IAM user!

zh:

en:

[jason1004]

我已经解决了这个问题 ( I have solved this problem. )

原因是我们给APP绑定IAM策略时是通过IAM角色实现的, 可以通过 AWS-STS解决这个问题. (The reason is we bound the application with the IAM role to use the IAM policy, can solved by use AWS-STS.)

两种解决方案(Total 2 ways):

• 1. 这个方式更简单, 重新给APP通过IAM用户绑定IAM授权策略, 用户需要的绑定的授权策略如图.
     (This is a very simple way. Bind the application with the IAM user instead IAM role to use IAM policy, The binding authorization policy required by the user is shown in the figure.)
     
• 1. 通过AMS-STS-AssumeRole获取临时的AccessKeyId, SecretAccessKey 和SessionToken, SessionToken要被添加到你的每个请求中, 通过请求头x-amz-security-token, 这个请求头也要参与到签名计算.
     (Use AMS-STS-AssumeRole to got an temporary AccessKeyId, SecretAccessKey and SessionToken, The SessionToken use the for the excess header x-amz-security-token in your request action, and this header must be join to sign.)

你可以通过使用 AWS-CLI命令快速得到临时数据
You can use AWS-CLI get an temporary data quickly by command.
你可能需要先配置 AWS-CLI才能执行下面的的命令
Before using the AWS CLI, you need to configure your AWS credentials

aws sts assume-role --role-arn arn:aws:iam::58205000480:role/SPROLE_XX --role-session-name SPROLE_XX 

终端打印的结果, 需要配置的时候将默认输出格式 设置为JSON
the result in terminal, need set the default output format with JSON when configure.

{
    "Credentials": {
        "AccessKeyId": "XXXXXXXXXXXXXXXXXXX",
        "SecretAccessKey": "WxxdwoY6yIK3QXXXXXXXXXXXE21yG0OgNV",
        "SessionToken": "FwoGZXIvYXdzECwaDXXXXXXXXXXAluJmF/ver4lRXqD09GrC61WHGID8f7rEbU9kVev/lAeRrjnBQIcFTm4lSTbxeqTAFKSgtIfbHJP9kJDCw4//7v2KeJ6VTFve18td5OGAZiOvEtgCUqv21GEPUCmw1QNAbS1e+s136cCVPlHY5rAsiTP+esvNfeeQ20O2GXKVV6T9WF7FQ5GuZprBQOMaE95L8MviQqRuc5MpKU3ckk7R4XXXXXXXXXXXXXXXf4FMi2FsGJmipQ/4/NGDmOkuyIPOquIo6O/id/NPJqFKGhQ15YK/kG7sduNAAGwEFY=",
        "Expiration": "2020-12-02T11:25:30Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "Arn": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    }
}

我现在的问题是大部分账号可以正常访问接口，少数账号访问所有接口都是得到：

{
"errors": [
{
"message": "Access to requested resource is denied.",
"code": "Unauthorized",
"details": ""
}
]
}

这个证明是开发者应用的相关设置是正常的

[kerbalwzy]

@jason1004
少部分接口没有权限的话有这些可能:

• 这个API只能在指定的授权大区使用
• 你访问是需要有PII权限的API, 但是你注册的开发者账号并没有PII权限
• 授权的卖家店铺被关闭停用了

[jason1004]

@kerbalwzy

1. 是个getOrders ， 三个区域都可以使用的
2. 与PII没有关系，其他账号是可以正常访问
3. 报错的卖家账号没有被停用

已经开了一个case , 亚马逊还没有回复

[kerbalwzy]

@aidensgithub
In the case of using the first solution, you need to ensure that the app created with the IAM user's ARN instead of the IAM role's.
You can consider using the IAM user's ARN to re create an new app and use it.

[jamesaq12wsx]

@kerbalwzy
My application already bind to IAM user's ARN but still not work. Do I really need to create a new app to make it work? cause our selling partners are using our existing application.

[kerbalwzy]

@jamesaq12wsx
May need check the authorization policy of your IAM user

[haiderasad]

hi @kerbalwzy can you please explain solution 1 in detail mate? i think I am missing something ,first of all I am trying sp API using python
createReportResponse = Reports(credentials=credentials).create_report(reportType=ReportType.GET_FLAT_FILE_ACTIONABLE_ORDER_DATA_SHIPPING)
error is same that

"message": "Access to requested resource is denied.", "code": "Unauthorized", "details": ""

just to sum it up
1)follow amazon guide(including making IAM role)
2)create new app and add USER ARN not role ARN
3)Go to IAM user and
a)add permissions--->existing policy------>add policy made in amazon to user
b)add permissions--->existing policy------>add AmazonAPIGatewayInvokeFullAccess(another user suggested this)

am I missing something?please tell

[kerbalwzy]

@haiderasad
try this:
b)add permission--->Add inline policy-------> STS

[github-actions]

This is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue after the latest release and if you find that this is still a problem, please feel free to open a new issue and make a reference to this one.