Access to requested resource is denied on AWS - amazon-product-api

I am trying to hit the amazon SP-API endpoint. When I am hitting the API endpoint, I am always getting an error 403 Forbidden with the message Access to the requested resource is denied.
{
"errors": [
{
"message": "Access to requested resource is denied.",
"code": "Unauthorized",
"details": ""
}
]
}
Steps I did:
I have created the IAM user, IAM role, and IAM policies.
I have created the seller account and developer account as well.
I am using the role ARN in my seller central app.
Using the access token to sign the API request.

Related

gcloud auth print-identity-token returning token with wrong audiences

I am using google cloud auth for signing my requests for a firebase based project. Until yesterday it worked seamlessly, after using the gcloud auth print-identity-token I have received a token for the selected project and account. Yesterday after a restart this functionality stopped working. I still receive a token and the gcloud seems to be configured well(re-initialised it, and tried to completely uninstall/install it), but the returned token has different aud field. Therefore my firebase functions consider my requests as unauthenticated. let me paste the error message below:
Failed to validate auth token. FirebaseAuthError: Firebase ID token has incorrect "aud" (audience) claim. Expected "xyzmyproject" but got "32512345659.apps.googleusercontent.com". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK
I have checked the identity token via jwt.io and the aud is set to the wrong 32512345659.apps.googleusercontent.com value as the error message describes it.
Furthermore while was investigating I found out that the gcloud auth login command redirects me to the url the client_id is specified as 32512345659.apps.googleusercontent.com.

unable to access aws cost explorer api from IAM user credential

I am trying to use cost explorer API from a IAM user credential but I am getting access denied error.
Below is the policy attached for the IAM user. Is any other permission required? Where i am going wrong?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ce:"
],
"Resource": [
""
]
}
]
}
Your policy is probably missing an asterisk (*) which is why you are getting a access denied error. You can use the policy described below to access Cost Explorer:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ce:*",
"Resource": "*"
}
]
}
First make sure you are using root user credentials.
You can enable Cost Explorer only if you are the owner of the AWS account and you signed in to the account with your root credentials. If you are the owner of a master account in an organization, enabling Cost Explorer enables Cost Explorer for all the organization accounts. In other words, all member accounts in the organization are also granted access. You can't grant or deny access individually.
Cost Explorer and IAM Users
An AWS account owner who is not using consolidated billing has full access to all Billing and Cost Management information, including Cost Explorer. After you enable Cost Explorer, you should interact with Cost Explorer as an IAM user. If you have permission to view the Billing and Cost Management console, you can use Cost Explorer.
An IAM user must be granted explicit permission to view pages in the Billing and Cost Management console. With the appropriate permissions, the IAM user can view costs for the AWS account to which the IAM user belongs. For the policy that grants the necessary permissions to an IAM user, see Controlling Access.
More details read this

Error 401 : Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential

I'm trying to add my custom API key and Oauth 2.0 ID. However I keep getting this error
"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential."
When I use APIs Explorer Credentials it works fine.
How can I fix this?
Thank you

Getting 401 Unauthorized error on google API

I am learning how to use Google Drive API to upload a file and I am getting this error:
"Client error: `POST https://www.googleapis.com/oauth2/v4/token` resulted in a `401 Unauthorized` response:\n{\n \"error\": \"unauthorized_client\",\n \"error_description\": \"Client is unauthorized to retrieve access tokens using this me (truncated...)\n"
I think this stem from a wrong configuration of my service account. When I created my service account, I didn't use Enable G Suite Domain-wide Delegation and just used the generated json key.
Attached here is a screenshot of my IAM & ADMIN
I also enabled API for google drive, so what am I missing?
You have to create a client id for the service account and with that id you have to enable the SCOPE in security - advanced configuration

SMTP Google Apps Oauth2 - issue in relay

I am trying to send mail by connecting to Google SMTP server using oAuth2 mechanism.
public static Transport connectToSmtp(String smtpServer, int port, String email, String authToken, boolean isDebug, MimeMessage mimeMsg)
throws Exception
{
Properties props = new Properties();
props.put("mail.smtp.starttls.enable", "true");
props.put("mail.smtp.starttls.required", "true");
props.put("mail.smtp.sasl.enable", "true");
props.put("mail.smtp.sasl.mechanisms", "XOAUTH2");
props.put("mail.imaps.sasl.mechanisms.oauth2.oauthToken", authToken);
Session session = Session.getInstance(props);
session.setDebug(isDebug);
final String emptyPassword = "";
Transport transport = session.getTransport("smtp");
transport.connect(smtpServer, port, email, emptyPassword);
try
{
transport.sendMessage(mimeMsg, mimeMsg.getAllRecipients());
}
catch (Exception e)
{
logger.log(Level.WARNING, "Exception Occured : ", e);
}
return transport;
}
Client ID and Secret of my App:
ID - 345101*-i6ki*4tk1sms.apps.googleusercontent.com
Secret - e6NHB*-eZ-rk
The above code threw the following error:
javax.mail.AuthenticationFailedException: 535-5.7.8 Username and Password not accepted. Learn more at
535 5.7.8 https://support.google.com/mail/answer/14257 o135sm276925ith.4 - gsmtp
Smtp Server : aspmx.l.google.com,
Port : 25
Edited:
I have changed the below for the Google App account I am trying to connect and the above exception was cleared:
No 2 step authentication
Allow Less Secure Apps
"Security" -> "Basic Settings" -> "Go to settings for less secure apps" -> "Allow Users to Manager Their Access to Less Secure Apps"
But after clearing the above exception. I got another exception.
com.sun.mail.smtp.SMTPSendFailedException: 550-5.7.1 Invalid credentials for relay [121...2]. The IP address you've registered in Google Apps SMTP Relay service doesn't match domain of the account this email is being sent from. If you are trying to relay mail from a domain that isn't registered under your Googles Apps account or has empty envelope-from, you must configure your mail server either to use SMTP AUTH to identify the sending domain or to present one of your domain names in the HELO or EHLO command. For more information, please visit https://support.google.com/a/answer/6140680#invalidcred f65sm341248ith.1 - gsmtp
;
So I changed the following setting:
Apps > Google Apps > Gmail > Settings for Gmail > Advanced settings
SMTP relay service
Allowed senders: Any addresses (not recommended)
Only accept mail from the specified IP addresses: No
Require SMTP Authentication: Yes
Require TLS encryption: No
Even after attempting the above change the same exception is thrown.
Please help.
Plain authentication and OAuth2 must be differentiated in Transport object which sends actual mail data to the SMTP server.
This is done in JavaMail with the password parameter in Transport.connect().
If the password is given as null in the above code, then the Java MailClient treats the authentication as OAuth instead of plain auth.
So the code should be
final String emptyPassword = null;
As reply to the comment,
If authentication is given as IP Address, then the given username and password are not validated. Instead, the IP address from which the connection comes from serves as authentication.
This is the reason the same code worked, when you added the sender IP address to the GApps Relay Mail Settings and select authentication type as IP address.