Configuring the C# SDK for the Selling Partner API


@NutritionGuy, Oh I forgot to put in the assume role task.

‘’’ private static async Task GetAssumeRoleTokenDetail()
// AWS IAM user data, NOT seller central dev data
var accessKey = “…”; // get from users access key id from first step
var secretKey = “…”; // get from users secret key from first step

        var credentials = new BasicAWSCredentials(accessKey, secretKey);

        var client = new AmazonSecurityTokenServiceClient(credentials);

        var assumeRoleRequest = new AssumeRoleRequest()
            DurationSeconds = 3600,
            // role ARN you create here: 
            RoleArn = "arn:aws:iam::*:role/SellerRoleAPI",
            RoleSessionName = DateTime.Now.Ticks.ToString()

        var assumeRoleResponse = await client.AssumeRoleAsync(assumeRoleRequest);


        return assumeRoleResponse;



I would have thought since I am using the Role ARN in my self - authorized app in Seller Central, I would not need the Assume Role code.

I like how this is clearly documented. NOT.

I’ll give it a try.


Well that’s just great, I am running your code and still getting the same error.

“The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.”


Hey it worked!

Thank you!

I have no idea how you figured that out, I totally appreciate your help.


Great! @NutritionGuy. Also, I’m getting back orders now, but one thing is I notice I can’t keep reusing the restRequest for additional api calls? I thought this was the whole point to get access key to use for period of time? if I change the resource or any header/query info it give me signature mismatch error. So that means I have to go through and create request and go through all the signing again?


Yes, you will have to create a whole new request for each api call. Look at the docs / signature code and you will understand why. It takes the datestamp, url, keys, and request body and computes a hash based on that. Server side, the hash is recomputed and it has to match the hash you supplied. This prevents attacks based on data being intercepted and altered. So if you change the call, thus the url, or any parameters, the hash changes.

I don’t know how you figured out this undocumented step of role assumption and needing different credentials at each stage. Crazy.


Well I first saw the discrepancy between the Java and C# library early on when I was just trying to put some code together, because there is not much documentation or examples for C#. And I had read that assumeRole thing while I was trying to figure out the first problem. So finally when I got the same error as those guys did it made sense. Anyway, Someone else beat me to that solution. So someone else figure it out first which is amazing! I’m just glad I found it!


@NutritionGuy I’m still having issue with making other call’s and getting same error that signature does not match even though doing new request and same way as before?


No idea. You are way ahead of me now on all this.


Interesting. I just never looked at the java lib.


please put github link


Hello @NutritionGuy, Can you please share how you were able to resolve this issue? I am having the same issue and don’t know how to resolve it.

My have verified code more than 20 times, line-by-line and it matches with the above code. My key are correct and my IAM user information is also correct.

Please help.


hi i am trying your code and getting an error
. (User: arn: :user/ .com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam **:role/***ner-role).
cant understand why
I followed all the steps in the guide