I'm trying to use SPI API programatically using Golang.
https://github.com/amazinsellers/amazon-sp-api-sdk-go and also tried with official https://github.com/amzapi/selling-partner-api-sdk and always have permission denied on the sample code on both github...
I followed this guide for all the IAM setup on my AWS Account but still not working..
https://spapi.cyou/en/guides/SellingPartnerApiDeveloperGuide.html#terminology
Here is my response json:
{"AssumeRoleResponse": {"-xmlns": "https://sts.amazonaws.com/doc/2011-06-15/", "AssumeRoleResult": {"AssumedRoleUser": {"AssumedRoleId": "AR***:SPAPISession", "Arn": "a
rn:aws:sts::123***:assumed-role/MyStsRoleName/SPAPISession"}, "Credentials": {"SessionToken": "FwoGZXIvYXdzEPb//////////wEaDJyejpfUNUYyux***=", "Expiration": "2022-03-14T13:41:14Z", "AccessKeyId": "A***", "SecretAccessKey": "Dr***"}}, "ResponseMetadata": {"RequestId": "b000db8e-e0f0-4150-b2fe-808d8212d599"}}}
{"code":"Unauthorized","details":"","message":"Access to requested resource is denied."}
My Dev App on Seller Central is on Draft status I passed the role I created on it like following :
arn:aws:iam::123***:role/MyStsRoleName
and on my code:
SPClientID = "amzn1.application-oa2-client.123***"
SPClientSecret = "26***"
SPRefreshToken = "Atzr|**"
SPAccessKeyID = "AKI***"
SPSecretKey = "Xre***"
SPRegion = "eu"
SPRoleArn = "arn:aws:iam::123***:role/MySTSRoleName"
Is it possible to get some help, since 2 days blocked on that part and I found nothing that could help me fix that. I tried a lot of thing on IAM params nothing works.
Here is my inlined policy on my IAM User:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::123***:role/MySTSRoleName"
}
]
}
The Policy arn:aws:iam::123***:policy/SellingPartnerAPI is like :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "execute-api:*",
"Resource": "*"
}
]
}
Edit:
My role trusted entities:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123***:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Thanks a lot
Related
I generated the below code using S3 policy generator, when I paste the code in AWS S3 edit policy console it shows error. Pls help
{
"Id": "Policy1611491895768",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1611491893687",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::aws-landing-zone-configuration-756692330110-ap-south-1",
"Principal": {
"AWS": [
"\"AWS\": \"arn:aws:iam::756692330110::user/aravindkumar.s#gmail.com\""
]
}
}
]
}
There are few issues,
GetObject is applicable only to bucket objects not bucket , so, Resouce should contain /* at the end.
Principle is not formatted right.
Here is updated policy
{
"Version": "2012-10-17",
"Id": "Policy1611491895768",
"Statement": [
{
"Sid": "Stmt1611491893687",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::756692330110:user/aravindkumar.s#gmail.com"]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::aws-landing-zone-configuration-756692330110-ap-south-1/*"
}
]
}
I'm trying to set up CodeBuild with a CodeCommit source that lives in another AWS account. I believe this can be done using AssumeRole but I've had no luck. Can anyone help provide an example of how to make CodeBuild assume a role specified in another account to access a CodeCommit repo?
Currently my CodeBuild role (in account 22222222) includes the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::11111111:role/Read-CodeCommit"
}
]
}
In account 11111111 I have the Read-CodeCommit role has the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"codecommit:*"
],
"Resource": "arn:aws:codecommit:us-west-2:11111111:dashboard"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "codecommit:ListRepositories",
"Resource": "*"
}
]
}
Read-CodeCommit has the following trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::22222222:root",
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Edit:
Posting a solution I came up with for anyone who might face a similar issue.
The best I could manage was just to side-step the issue. Instead of setting up CodeCommit as a source, I'm using a custom ECR image which includes CodeCommit credentials. The buildspec then clones from the repo.
It's not as clean as I like but it gets the job done.
I am trying to use the credentials provider to access an aws S3 bucket from my IoT device. I implemented all the steps in this blogpost: https://aws.amazon.com/blogs/security/how-to-eliminate-the-need-for-hardcoded-aws-credentials-in-devices-by-using-the-aws-iot-credentials-provider/ ; however, when I use the credentials provided by the service to access S3 I get 'AmazonS3Exception: The AWS Access Key Id you provided does not exist in our records.' (Java SDK)
My role has the following access policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::*/*"
}
]
}
and this rust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "credentials.iot.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I used the credentials provider endpoint from here:
aws iot describe-endpoint --endpoint-type iot:CredentialProvider
The device certificate and keys work fine to access the MQTT message broker.
edit the system time and server time differ for 1 hour, hence the token looks as if it is expired when I get it ("expiration" field in the token is the same time as current system time). This should not make any difference should it? Is there a way to directly use the role, instead of an alias to test this assumption?
This is how I access s3 in java:
final AmazonS3 s3 = AmazonS3ClientBuilder.standard()
.withCredentials(
new AWSStaticCredentialsProvider(
new BasicAWSCredentials(
securityToken.getCredentials().getAccessKeyId(),
securityToken.getCredentials().getSecretAccessKey()
)
)
).withRegion(Regions.US_EAST_1)
.build();
final ObjectMetadata object = s3.getObject(new GetObjectRequest(
"iot-raspberry-test", "updateKioskJob.json"
), new File("/downloads/downloaded.json"));
This is the policy attached to the certificate of my thing:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "iot:AssumeRoleWithCertificate",
"Resource": "arn:aws:iot:us-east-1:myaccountid:rolealias/s3-access-role-alias"
}
}
What could I be missing?
Thanks in advance!
The first policy is not complete:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::*/*"
}
]
}
Load it in the simulator and you can see that it won't work. S3 needs listing access (not GetObject).
See following example:
{
"Version": "2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:ListBucket"
],
"Resource":"arn:aws:s3:::bucket-name"
},
{
"Effect":"Allow",
"Action":[
"s3:GetObject"
],
"Resource":"arn:aws:s3:::bucket-name/*"
}
]
}
I'm trying to copy contents of an S3 bucket to another bucket on another account, and I wanted to use the CLI to do this. So I set up a bucket policy on the source bucket, allowing a IAM user in the destination account to perform all S3 actions, but it keeps complaining that the ListObjects operation is denied.
I've tried Google, but I can't tell what would be the problem with my policy compared to the solutions I find. Even if I make the source bucket public (and can list it in a browser), it still gives me access denied.
What to do, what to do? Here's my bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAll",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123123123123:user/USER"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::SOURCE",
"arn:aws:s3:::SOURCE/*"
]
}
]
}
Please try using below policy,
{
"Version": "2008-10-17",
"Id": "Policy1357935677554",
"Statement": [
{
"Sid": "CrossAccountList",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::examplebucket"
},
{
"Sid": "CrossAccountS3",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/*"
}
]
}
You can read the full steps here
Another read here
Should an IAM User say called User1 be given full access like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Could it also be used to create Amazon API calls? Is this a security risk or should I create another user just to access the Amazpn API Gateway?
You should never give an IAM user full privileges. So many things could go wrong, and yes it may very well be a security risk.
If you need to manage (create, configure, or deploy) your API in API Gateway with this IAM user, you can give the user this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": "arn:aws:apigateway:*::/*"
}
]
}
Or, if you only need to invoke the API, you can use this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": "arn:aws:execute-api:*:*:*"
}
]
}