Contradictory Advice Regarding Sharing of Secret Key


#1

I’m trying to determine what is both “safe” and “recommended practice” regarding utilizing my MWS access keys (and in particular my secret key) inside an application developed by a third party. The documentation and FAQs I have read on the subject are quite confusing and at times contradictory. For example:

The [Registering to Use Amazon MWS|http://docs.developer.amazonservices.com/en_US/dev_guide/DG_Registering.html] page includes the following text:

“Note: Your Secret Key is a secret that only you and Amazon should know. It is important to keep it confidential to protect your account. Never include it in your requests to Amazon MWS, never embed it in a desktop application, and never e-mail it to anyone. Do not share it outside your organization, even if an inquiry appears to come from Amazon MWS or anyone else at Amazon. No one who legitimately represents Amazon will ever ask you for your Secret Key.”

However, on the same page in the paragraphs immediately above that section:

“If you are developing an Amazon MWS desktop application, do not embed your credentials in the application. Rather, have the users of your application register as a developer by selecting the I want to access my own Amazon seller account with MWS option when signing up for Amazon MWS. Users of your desktop application should use their own developer credentials when submitting requests to Amazon MWS.”

And then it goes on to say:

“The Access Key ID is associated with your Amazon MWS registration. You include it in all Amazon MWS requests to identify yourself as the sender of the request. The Access Key ID is not a secret. To provide proof that you truly are the sender of the request, you must also include a digital signature. For all requests except those generated using the Amazon MWS client libraries, you calculate the signature using your Secret Key. Amazon uses the Access Key ID in the request to look up your Secret Key and then calculates a digital signature with the key. If the signature Amazon calculates matches the signature you sent, the request is considered authentic. Otherwise, the request fails authentication and is not processed.”

Finally, the [main FAQ says|https://developer.amazonservices.com/gp/mws/faq.html/186-5238319-6093805#sellerUsingDesktopApp] :
Q: I am an Amazon seller and I want to use a desktop application to access my Amazon seller account. What should I do?

4. On the MWS registration page, click the button for I want to access my own Amazon seller account with MWS.
5. Click the Next button.
6. Accept the Amazon MWS License Agreement and click the Next button.
7. Copy your account identifiers (Seller ID, Marketplace ID, Developer Account Identifier, AWS Access Key ID, and Secret Key). It is also a good practice to print this page and save it in a safe place.
8. Follow the instructions given to you by your application developer to enter your account identifiers into the application.

Which also implies that all account identifiers, including the secret key, need to be copied into the application in order for it to function.

So which is it? Is the secret key truly secret and should never be pasted into code that I didn’t write myself or not? Or is this simply a case where +ideally+ the secret key is never shared, but due to limitations in the MWS API it’s necessary to use the secret key in order for third-party non-web applications to function?

Thanks in advance!


#2

First of all you have choices.

Do not use a third party service that you have not investigated sufficiently to ensure that the company is credible and the service is reliable.

Assuming you are dealing with a credible company and a reliable service, if the service provider has a developer ID, a version of the credentials specifically for them can be generated. Then, you do not need to give your own credentials away. You can also delete those loaned credentials when you choose to.

When you are on your MWS screen, choose option 2 or 3

  • I want to use an application to access my Amazon seller account with MWS.
  • I want to give a developer access to my Amazon seller account with MWS.

You will need to request the Application or Developer’s Name and Developer Account Number. They should have those to properly access your data. Usually, those will be provided in the process to request those keys from you.

Do keep in mind that any third party services to which you provide this access will have access to sensitive information. Basically, most of the data in your account is available to them. There are services used for accounting that have access to your Settlement data, repricing services that can change your prices, listing and inventory management products that can change your product details or inventory counts.

Dave

Edited by: Boardgames4Us on Aug 18, 2015 7:14 AM


#3

Thanks for the reply. It’s unfortunate that this is necessary, due to the lack of granularity on access controls (I see on another thread that improvements from Amazon are coming, so I’ll leave it at that).

> Assuming you are dealing with a credible company and a reliable service, if the service provider has a developer ID, a version of the credentials specifically for them can be generated. Then, you do not need to give your own credentials away. You can also delete those loaned credentials when you choose to.
>
> When you are on your MWS screen, choose option 2 or 3
> - I want to use an application to access my Amazon seller account with MWS.
> - I want to give a developer access to my Amazon seller account with MWS.
>
> You will need to request the Application or Developer’s Name and Developer Account Number. They should have those to properly access your data. Usually, those will be provided in the process to request those keys from you.

Is the above process “safer” in some way than the alternative? I looked for but could not find any documentation detailing any differences in access rights for the various methods of connecting with third party applications.

In this case, the developer I’m speaking with indicates that they have chosen to not utilize their own developer credentials due to Amazon’s rate limits, which could cause a denial of service for all of their customers.

> Do keep in mind that any third party services to which you provide this access will have access to sensitive information. Basically, most of the data in your account is available to them. There are services used for accounting that have access to your Settlement data, repricing services that can change your prices, listing and inventory management products that can change your product details or inventory counts.

This is very much my concern. I +believe+ I’m dealing with an ethical developer, but I would feel much more confident if I didn’t have to give away the “keys to the kingdom.”

On a separate but related topic - is it possible to audit or report on API access using my credentials, to provide a way of validating that all access has been above-board?


#4

> On a separate but related topic - is it possible to audit or report on API access using my credentials, to provide a way of validating that all access has been above-board?
>
I have not seen anything that would provide that information, but there may be others who are more familiar.

By the way, YOU CAN CHANGE your credentials at any time, so if you are concerned, you can generate new keys. However, everything that is set up to use them would be broken until updated with the new credentials.

I do not understand and agree with what the developer said about being unable to use the Developer credentials. That would not cause a universal denial of service. It works the same way as using your credentials, but there may be some fees for their use of their account.

The information they would have access to is the same, so that is not relevant. They also will not have your Seller ID and password, which are required to access and reset the credentials, so risks are still minimized. The API does not have access to everything, but what it does not have access to is not all that sensitive, anyway. Your credit card and bank information can not be accessed from the API, so that is some relief.

Dave


#5

> The information they would have access to is the same, so that is not relevant. They also will not have your Seller ID and password, which are required to access and reset the credentials, so risks are still minimized. The API does not have access to everything, but what it does not have access to is not all that sensitive, anyway. Your credit card and bank information can not be accessed from the API, so that is some relief.

Thanks. That is good to know, but I still have some concerns. The developer I’m speaking to is (I believe) also an Amazon seller, and I imagine having access to a bunch of other seller accounts could be quite useful in the wrong hands.

It seems that until Amazon improves its API security controls, working with a third party ultimately comes down to making a leap of faith.


#6

Yes, there are risks.

He can’t get your money.
He could screw around with your pricing, but there are safeguards in the form of setting your own min/max prices, which are not available through the API.
He could send out bogus orders with your stuff to all his friends using Multichannel Fulfillment, but you would probably be able to determine that.

Most other information has limited value.

I don’t think you need to worry all that much as long as you pay attention to your business.

Dave

Edited by: Boardgames4Us on Aug 18, 2015 6:56 PM


#7

Where to start … I’ll be all over the place so forgive me.

As both a techie and seller I agree 100%. Whenever I do work for another seller I’m always up front about it and recommend that they watch their feeds to verify what I am doing.

Ultimately it is a leap of faith though. So make sure that while you have to trust someone you always check up on them.

To me my reputation is equally important as both a seller and techie. I have to keep the 2 separate and always have. Even the slightest hint or accusation of any misdoing puts me on edge …

All that said …

  • Embedding Keys is not the same as entering them just as you do to log into Seller Central. It means putting them into the code. Developers would/might be tempted to do this with their own keys when distributing desktop apps. Long explanation on the why’s …
  • Using your own keys in software written by someone else is a bit risky.

Bogus … the limit is set to the SellerId and not the credentials. I can make the max restore on every client currently having me authorized. Not a single call would affect my own call rate.
Boardgames4Us

You can’t … but Amazon can. Still you shouldn’t be giving any keys to anyone since when they authorize your developer # they will be given an authorizationtoken
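
An added illustration, not part of any post in this thread and not Amazon's code: a simplified model of the signing scheme quoted in the first post, combined with the developer authorization described in posts #2 and #7. The service-side checks, the endpoint choice, and every key, seller ID and token value are constructed assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

HOST, PATH = "mws.amazonservices.com", "/Orders/2013-09-01"  # illustrative endpoint

# Constructed sample data; none of these are real credentials.
DEV_KEY_ID, DEV_SECRET = "AKIDDEVCONSTRUCTED", b"dev-secret-constructed"
SECRETS = {DEV_KEY_ID: DEV_SECRET}  # service side: access key id -> secret key
GRANTS = {("SELLERCONSTRUCTED", "token-constructed"): DEV_KEY_ID}  # seller grant -> developer

def sign(secret, params):
    """HMAC-SHA256 over the method, host, path and sorted, percent-encoded parameters."""
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    msg = f"POST\n{HOST}\n{PATH}\n{query}".encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()

def build_request(seller_id, token, action):
    """Developer side: signs with the developer's own secret, never the seller's."""
    params = {"AWSAccessKeyId": DEV_KEY_ID, "Action": action, "SellerId": seller_id,
              "MWSAuthToken": token, "SignatureMethod": "HmacSHA256",
              "SignatureVersion": "2", "Timestamp": "2015-08-18T12:00:00Z"}
    params["Signature"] = sign(DEV_SECRET, params)
    return params

def verify(request):
    """Service side (assumed logic): look up the secret by key id, recompute, check grant."""
    params = dict(request)
    sent = params.pop("Signature", "")
    secret = SECRETS.get(params.get("AWSAccessKeyId"))
    if secret is None:
        return "unknown access key"
    if not hmac.compare_digest(sent, sign(secret, params)):
        return "bad signature"
    grant = (params.get("SellerId"), params.get("MWSAuthToken"))
    if GRANTS.get(grant) != params["AWSAccessKeyId"]:
        return "not authorised for this seller"
    return "ok"

def revoke(seller_id, token):
    """Seller side: withdrawing the grant cuts the developer off without rotating any key."""
    GRANTS.pop((seller_id, token), None)

if __name__ == "__main__":
    req = build_request("SELLERCONSTRUCTED", "token-constructed", "ListOrders")
    print(verify(req))
    revoke("SELLERCONSTRUCTED", "token-constructed")
    print(verify(req))
```

The request carries only the Access Key ID and the signature; in this model the seller's own Secret Key is never needed by the developer, and revoking the grant does not break the seller's other integrations.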


#8

Thanks for your perspective. I’ve decided I will explore alternative tools which don’t require my FBA key first and see if they will meet my needs. I’ll revisit if those products don’t meet my needs or Amazon improves the granularity of API permissions and reporting of API access.


closed #9