Configuring the C# SDK for the Selling Partner API

Johnson_s_Florist_Ga · 2020-12-30 21:02:07 UTC

@NutritionGuy, Oh I forgot to put in the assume role task.

‘’’ private static async Task GetAssumeRoleTokenDetail()
{
// AWS IAM user data, NOT seller central dev data
var accessKey = “…”; // get from users access key id from first step
var secretKey = “…”; // get from users secret key from first step

        var credentials = new BasicAWSCredentials(accessKey, secretKey);

        var client = new AmazonSecurityTokenServiceClient(credentials);

        var assumeRoleRequest = new AssumeRoleRequest()
        {
            DurationSeconds = 3600,
            // role ARN you create here: 
            // https://github.com/amzn/selling-partner-api-docs/blob/main/guides/developer-guide/SellingPartnerApiDeveloperGuide.md#step-4-create-an-iam-role
            RoleArn = "arn:aws:iam::*:role/SellerRoleAPI",
            RoleSessionName = DateTime.Now.Ticks.ToString()
        };

        var assumeRoleResponse = await client.AssumeRoleAsync(assumeRoleRequest);

        Console.WriteLine(assumeRoleResponse.HttpStatusCode);

        return assumeRoleResponse;
    }

‘’’

NutritionGuy · 2020-12-30 21:28:48 UTC

I would have thought since I am using the Role ARN in my self - authorized app in Seller Central, I would not need the Assume Role code.

I like how this is clearly documented. NOT.

I’ll give it a try.

NutritionGuy · 2020-12-31 00:42:24 UTC

Well that’s just great, I am running your code and still getting the same error.

“The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.”

NutritionGuy · 2020-12-31 02:02:11 UTC

Hey it worked!

Thank you!

I have no idea how you figured that out, I totally appreciate your help.

Johnson_s_Florist_Ga · 2020-12-31 13:51:09 UTC

Great! @NutritionGuy. Also, I’m getting back orders now, but one thing is I notice I can’t keep reusing the restRequest for additional api calls? I thought this was the whole point to get access key to use for period of time? if I change the resource or any header/query info it give me signature mismatch error. So that means I have to go through and create request and go through all the signing again?

NutritionGuy · 2020-12-31 14:20:57 UTC

Yes, you will have to create a whole new request for each api call. Look at the docs / signature code and you will understand why. It takes the datestamp, url, keys, and request body and computes a hash based on that. Server side, the hash is recomputed and it has to match the hash you supplied. This prevents attacks based on data being intercepted and altered. So if you change the call, thus the url, or any parameters, the hash changes.

I don’t know how you figured out this undocumented step of role assumption and needing different credentials at each stage. Crazy.

Johnson_s_Florist_Ga · 2020-12-31 16:28:28 UTC

Well I first saw the discrepancy between the Java and C# library early on when I was just trying to put some code together, because there is not much documentation or examples for C#. And I had read that assumeRole thing while I was trying to figure out the first problem. So finally when I got the same error as those guys did it made sense. Anyway, Someone else beat me to that solution. So someone else figure it out first which is amazing! I’m just glad I found it!

Johnson_s_Florist_Ga · 2020-12-31 16:48:24 UTC

@NutritionGuy I’m still having issue with making other call’s and getting same error that signature does not match even though doing new request and same way as before?

NutritionGuy · 2020-12-31 18:48:30 UTC

No idea. You are way ahead of me now on all this.

NutritionGuy · 2020-12-31 21:07:15 UTC

Interesting. I just never looked at the java lib.