IAM Role - limit api permissions


#1

Hi all,

I am working on integrating Selling Partner API (SP-API). I’ve managed to work through most of the steps (I can upload products, etc.), but I have one concern.
I would only like to know if it’s possible to limit role permissions. Currently, my role policy is (as per documentation):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:*:*"
        }
    ]
}

But it would potentially allow this role to call any API within API Gateway (?). Is it possible to limit it only to Selling Partner APIs? I’ve tried using APP_ID from SellerCentral as part of ARN but it wasn’t working as I’ve started getting 401s. For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:ACCOUNT_NUMBER:amzn1.sellerapps.app.APP_ID_FROM_SELLER_CENTRAL:*"
        }
    ]
}

I want to have one IAM role which will be used on Dev and another one which will be used on Production.

Thank you,
Developer


#2

Hi,
This may help…
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-iam-policy-examples-for-api-execution.html

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html


#3

Hi @Anglozone,

Thank you for your reply. I’ve seen those examples but when I try to use App ID from Seller Central, it automatically starts sending 401 back.


#4

There is a specific forum help section which you may find useful (link below).

You can’t use the old MWS authorization workflow with the new SP-API. It requires a developer id and does not return the correct token needed for SP-API access (only the MWSAuthToken comes back). This workflow is valid only for older MWS apps that have not migrated at all to SP-API.

If you want to access accounts other than your own, the new process requires you to register your application in the appstore (create a listing on the app action, develop apps page). There will be an authorize button created within the appstore listing for clients to start the new authorize workflow when the app is approved. You can also generate a link within your website to start the authorize workflow, but only after the app is approved and listed in the appstore.
https://sellercentral.amazon.com/forums/t/cant-find-my-developer-id/822850/5

hope this helps :slightly_smiling_face:


#5

Thank you, @Anglozone for the response.

I am using flow described in https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/developer-guide/SellingPartnerApiDeveloperGuide.md

I am using Self authorization and everything seems to work OK: my app can send requests successfully to SP-API, but I wanted to narrow down the permissions on the role I am using for authorization (in IAM).

In Step 3, the documentation suggests creating a policy which allows this particular user to execute calls on ANY resource: “arn:aws:execute-api:*:*:*”, which raised a bit of concern. My main question is: is it possible to narrow it down only to a specific APP, as we will have 2 versions: dev and production. So I will need 2 IAM users with 2 different policies - one which will allow access to the dev APP, one which will allow access to the Prod APP.
Unless my concern is completely unnecessary!

Thanks :slight_smile:
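The concern raised in #1 and again in #5 (an Allow for execute-api:Invoke on arn:aws:execute-api:*:*:* lets the role invoke any API Gateway API in any account) can be checked mechanically before a policy is attached. The script below is an added example, not code from this thread or from Amazon's SP-API documentation. It parses a policy document and reports every execute-api Resource that is wildcarded at the api-id, account or region position, using the arn:aws:execute-api:region:account-id:api-id/stage/METHOD/path layout described in the AWS API Gateway docs linked in #2. The dev/prod policy pair it builds is hypothetical: the region, the account id and the api ids are placeholders, and the thread does not establish which API id, if any, SP-API accepts in that position.

```python
"""Lint an IAM policy document for over-broad execute-api:Invoke grants.

Added example; the sample policies are constructed from the ones posted
in the thread, with placeholder identifiers where a real value would go.
"""
import json

INVOKE = "execute-api:Invoke"


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_invoke(actions):
    """True if the statement's Action set covers execute-api:Invoke."""
    return any(a in ("*", "execute-api:*", INVOKE) for a in actions)


def resource_scope(arn):
    """Describe how tightly an execute-api resource ARN is scoped.

    Layout (AWS API Gateway docs):
        arn:aws:execute-api:<region>:<account-id>:<api-id>/<stage>/<METHOD>/<path>
    Returns a list of human-readable problems; an empty list means the
    ARN is pinned to one region, one account and one API id.
    """
    if arn == "*":
        return ["Resource '*' grants Invoke on every API Gateway API in every account"]
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "execute-api":
        return [f"'{arn}' is not an execute-api ARN"]
    region, account, tail = parts[3], parts[4], parts[5]
    api_id = tail.split("/", 1)[0]
    problems = []
    if api_id == "*":
        problems.append(f"'{arn}' grants Invoke on every API (api-id wildcard)")
    if account == "*":
        problems.append(f"'{arn}' is not pinned to one AWS account")
    if region == "*":
        problems.append(f"'{arn}' is not pinned to one region")
    return problems


def lint_policy(policy):
    """Return the over-broad execute-api:Invoke grants in a parsed policy."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_invoke(_as_list(stmt.get("Action", []))):
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            for problem in resource_scope(arn):
                findings.append(f"Statement[{i}]: {problem}")
    return findings


# Constructed copy of the policy posted in #1: every ARN field is a wildcard.
WIDE_OPEN = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "execute-api:Invoke",
        "Resource": "arn:aws:execute-api:*:*:*"
    }]
}""")


def env_policy(api_id, stage):
    """Hypothetical per-environment policy: one role per environment, each
    pinned to a region, an account and one API id.  The region, the
    account id and the api_id argument are placeholders, not values that
    SP-API is known to accept."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": INVOKE,
            "Resource": f"arn:aws:execute-api:us-east-1:123456789012:{api_id}/{stage}/*/*",
        }],
    }


if __name__ == "__main__":
    for name, pol in [("thread policy", WIDE_OPEN),
                      ("dev role", env_policy("a1b2c3d4e5", "dev")),
                      ("prod role", env_policy("f6g7h8i9j0", "prod"))]:
        print(name, lint_policy(pol) or ["api-scoped"])
```

Run it against any policy JSON before attaching it: the thread's policy produces three findings (api id, account and region all wildcarded), while a policy pinned to one api id and stage produces none. The script only measures how broad the Resource is; whether a given api id is the one SP-API's gateway actually checks is exactly the question #6 leaves open.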


#6

Whilst you can set up multiple users, I don’t believe that there is a way to distinguish between the sandbox environment and live.