Amazon Seller SP-API Trust policy

0

Hello,

I'm new to this whole topic, so I'm still green behind the ears. I am developing a custom app for my small business and for that I need to access the Amazon SP API. Developer profile has already been created and approved, now I need to create a role in AWS/IAM for the Amazon owned AWS account (Not my own account, right?!). And here I get the error on the trust policy "Invalid principal in policy".

It looks like this: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::NUMBER_AWS__Account:root" }, "Action": "sts:AssumeRole" } ] }

Is it correct that I have to use a special account for the Amazon SP-API?

Regards, Leon

asked 19 days ago, 45 views
2 Answers
0

Thank you for your question, Leon. I understand you're new to this topic and developing a custom app that needs to access the Amazon Selling Partner API (SP-API).

You're on the right track, but there are a few important points to clarify:

  1. The IAM role you need to create should be in your own AWS account, not in an Amazon-owned account. This role will allow Amazon's SP-API service to assume the role and access your resources on your behalf.

  2. The error you're seeing ("Invalid principal in policy") is likely because the Principal in your trust policy is not correctly formatted. For the Amazon SP-API, you need to use a specific service principal, not an AWS account number.

  3. The correct trust policy for the Amazon SP-API should look like this:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "sellingpartnerapi.amazon.com" }, "Action": "sts:AssumeRole" } ] }

This policy allows the Amazon Selling Partner API service to assume the role.

  4. After creating the role with this trust policy, you'll need to attach the necessary permissions policies to the role to define what actions it can perform.

  5. Once you've created and configured the role, you'll need to provide the ARN (Amazon Resource Name) of this role to Amazon when setting up your SP-API application.

Remember, you're creating this role in your own AWS account to allow Amazon's service to access your resources in a controlled manner. You're not creating anything in Amazon's account.

I hope this helps clarify the process for you, Leon. If you have any more questions as you proceed with setting up your SP-API access, don't hesitate to ask.
Sources
Update a role trust policy - AWS Identity and Access Management
Access to AWS accounts owned by third parties - AWS Identity and Access Management

answered 19 days ago
0

Hello,

Thank you for your reply.

I proceeded as follows:

  1. IAM --> Roles --> Create role
  2. AWS service --> EC2 (only as placeholder) --> Next
  3. add authorizations (not needed?!) --> Next
  4. assign role name --> click on edit at "Step 1: Selection of trusted entities"
  5. select user-defined trust policy
  6. insert this code* there --> Next
  7. click on Create role
  8. this error appears: Invalid principal in policy: "SERVICE": "sellingpartnerap*.amazon.com"

Code: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "sellingpartnerap*.amazon.com" }, "Action": "sts:AssumeRole" } ] }

I have read that not all AWS regions/accounts support this service principal?

Regards, Leon

answered 18 days ago
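Both posts above fail on the Principal element of the trust policy (a placeholder where a 12-digit account id belongs, then a service name containing a wildcard). The following is an added example, not code from this thread or from AWS: an offline lint that catches those structural mistakes before the policy is submitted to IAM. The ARN pattern and DNS-name pattern are simplified assumptions; IAM additionally rejects accounts and service principals it does not know, which cannot be checked without calling the service.

```python
import json
import re

# Simplified shapes (assumptions): an account/user/role ARN and a plain DNS name.
ACCOUNT_ARN = re.compile(r"^arn:aws:iam::\d{12}:(root|(user|role)/[\w+=,.@/-]+)$")
DNS_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
SERVICE_NAME = re.compile(rf"^{DNS_LABEL}(?:\.{DNS_LABEL})+$")
ALLOWED_PRINCIPAL_KEYS = {"AWS", "Service", "Federated"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: dict) -> list[str]:
    """Return findings for a parsed trust policy; an empty list means it looks well-formed."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"{where}: a trust policy must allow sts:AssumeRole")
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"{where}: Principal '*' lets any AWS identity assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"{where}: Principal must be an object")
            continue
        # Principal types are case-sensitive: "SERVICE" is not "Service".
        for key in set(principal) - ALLOWED_PRINCIPAL_KEYS:
            findings.append(f"{where}: unknown principal type {key!r} (case-sensitive)")
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*":
                findings.append(f"{where}: AWS principal '*' is overly broad")
            elif not ACCOUNT_ARN.match(arn):
                findings.append(f"{where}: {arn!r} is not an account/user/role ARN (placeholder left in?)")
        for svc in _as_list(principal.get("Service", [])):
            if not SERVICE_NAME.match(svc):
                findings.append(f"{where}: service principal {svc!r} must be a plain DNS name, no wildcards")
    return findings


def lint_json(text: str) -> list[str]:
    """Parse then lint; invalid JSON (e.g. curly quotes pasted from a document) is a finding too."""
    try:
        return lint_trust_policy(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at position {exc.pos}"]
```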
