Denied access to requested resource
Closed this issue · 12 comments
Has anyone experienced this after setting up policies, roles, etc.?
ErrorType"=>"AccessDeniedException", "x-amz-apigw-id"=>"Ds0GIGANoAMF1Mg="}
Response body: {
"errors": [
{
"message": "Access to requested resource is denied.",
"code": "Unauthorized",
"details": ""
}
]
}
We're using this just for private, self-authorized access. I've gone through these procedures 3 times now, and still receiving this error when trying to pull an order with the Orders API.
I can take a look at how I got around that tomorrow. If it's just for orders, I think we could figure something out. I was able to get all of my issues solved pretty quickly with this. Some finessing and it works like a champ.
Yeah, this has been a nightmare. I believe all of the IAM policy settings are correct, but there are so many moving parts to this it's difficult to narrow down. Not sure where to begin debugging...
Edit: I should add there appear to be no issues receiving an access token.
Same result - just tried catalog API
I've figured it out. Hopefully my pain will help others trying to navigate this situation!
In the Amazon docs, they describe creating a policy, and then attaching that to a role, and then using STS to assume the role.
I simply created an inline policy and attached it to the user I'm authenticating with using the following JSON:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:*:*:*"
}
]
}
With this method, no role is needed at all, and you simply use the IAM ARN for the user and assign that to the app you're building.
AmzSpApi.configure do |config|
config.refresh_token = 'auth token from amazon'
config.client_id = 'amazon app client id'
config.client_secret = 'amazon app secret'
config.region = 'na'
config.aws_access_key_id = 'IAM user access key'
config.aws_secret_access_key = 'IAM user secret key'
config.logger = Rails.logger
config.debugging = true
end
@jheathco , I'm new to amazon-spi-api and my comment might be off the rail here
but considering your recent comment you seem an experienced resource that might help me out here.
I'm confused how to get the refresh_token for configuration, I'm getting the following error on my query can you have a look at it,
The query is:
api = AmzSpApi::ReportsApiModel::ReportsApi.new(AmzSpApi::SpApiClient.new)
api.get_report("string")
The refresh token is given when you authorize your app on seller central - this gem is not involved with that.
@jheathco after adding refresh token, I'm still getting the Access Denied:
you have stated something regarding inline policy, can you guide me how to use it, I'm initialising the gem as follow:
and querying my reports as:
api = AmzSpApi::ReportsApiModel::ReportsApi.new(AmzSpApi::SpApiClient.new)
api.get_report("GET_FBA_MYI_ALL_INVENTORY_DATA")
Are you using the IAM ARN for the user? Paste that into the seller central app setting.