How do I get API credentials for Amazon?

This article provides step-by-step instructions for retrieving the credentials from Amazon Seller Central and AWS that are required to connect CSM to Amazon.

Obtain Channel Credentials in Amazon

To obtain credentials for CSM Amazon you must register as a developer. It is recommended that you complete this before moving to any other steps throughout this process. Credentials cannot be shared. End-users will need to register themselves as a developer to get the proper credentials. To get the correct links to certain webpages refer to the CSM Amazon Order Management Document.

 

Create an AWS account

  1. You must have an AWS account because the Selling Partner API security model uses AWS authentication credentials. If you're not already an AWS customer, you can create a free AWS account. For more information, refer to AWS Free Tier.
  2. On the AWS account page, click the Create a Free Account button.
  3. Enter an email address. A verification code is sent to that address; enter the code on the AWS account page.
  4. Next, fill in your contact information in all the fields. Remember to agree to the terms and conditions at the bottom of the page.
  5. Fill in your credit card/billing information in all the fields.

Complete the sign-in process according to Amazon's direction.

 

Create an IAM user

Create an IAM user to get AWS keys to authenticate calls to the Selling Partner API. We recommend creating a new IAM user exclusively for this purpose.

Use the following procedure to create an IAM user

  1. Sign into the AWS Management Console, and then open the IAM console at aws.amazon.com/iam.
  2. From the left navigation pane, choose Users and then select Add user.
  3. Enter a username.
  4. Select Programmatic access and then choose Next: Permissions.
  5. On the Set Permissions page, accept the defaults and then choose Next: Tags. You will set permissions when you create an IAM role.
  6. On the Add tags (optional) page, add any desired tags, and then choose Next: Review.
  7. On the Review page, ignore the This user has no permissions message. You will set permissions when you create an IAM role.
  8. Select Create user.
  9. Choose Show to view the AWS secret access key. To save the AWS access key, select Download .csv, and then save the file to a safe location.

Important!

This is your only opportunity to view or download your AWS secret access key, which you must use to authenticate your calls to the Selling Partner API. Save the AWS access key ID and AWS secret access key in a safe and secure place.

You will not have access to the AWS secret access key again after this step.

If you lose your AWS secret access key you must create a new IAM user with a new set of keys.

  10. Choose Close.
  11. In the Username column, select your new IAM user and record the User ARN. You will use the ARN in Create an IAM role.

For more information about creating IAM users, refer to Creating an IAM User in Your AWS Account in the AWS documentation.

Complete this process according to Amazon's direction.

 

Create an IAM policy

 

This IAM policy defines the permissions required to make calls to the Selling Partner API. Attach this policy to the IAM role that you create in Create an IAM role.

 

Note: If your AWS account leverages AWS Organizations you must ensure that your organization level policy allows access to the Selling Partner API. For more information, refer to Managing AWS Organizations policies in the AWS documentation.

Use the following procedure to create an IAM policy

  1. Sign in to the AWS Management Console, and then open the IAM console at aws.amazon.com/iam.
  2. From the left navigation pane, select Policies.
  3. If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.
  4. Select Create policy.
  5. Choose the JSON tab.
  6. Paste the following code into the text box (replacing the existing code), and then choose Next: Tags.

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": "execute-api:Invoke",
           "Resource": "arn:aws:execute-api:*:*:*"
         }
       ]
     }

  7. On the Add tags (Optional) page, add any desired tags, then choose Next: Review.
  8. On the Review policy page, enter a Name and a Description (optional) for the policy that you are creating. We recommend naming your IAM policy SellingPartnerAPI.
  9. Review the policy Summary, then choose Create policy.

Complete this process according to Amazon's direction.

 

Create an IAM role

 

Create an IAM role that trusts the IAM user that you created in Step 2 (Create an IAM user) and that has permissions to call the Selling Partner API.

Use the following procedure to create an IAM role

  1. Sign in to the AWS Management Console, and then open the IAM console at aws.amazon.com/iam.
  2. From the left navigation pane, select Roles and then choose Create role.
  3. On the Create role page, choose Another AWS account.
  4. In the Account ID box, enter the account identifier for the AWS account where you created your IAM user in Step 2 (Create an IAM user). The account identifier is the 12-digit number in the User ARN. Then, choose Next: Permissions.
  5. On the Attach permissions policies page, under Policy name, select the policy that you created in Step 3 (Create an IAM policy), and then choose Next: Tags.

Tip: Choose Filter policies and then select Customer managed to narrow your choices.

  6. On the Create role page, enter a role name in the Role name box, an optional role description in the Role description box, and then choose Create role.
  7. Under Role name, select the name of your new role.
  8. On the Add tags (optional) page, add any custom tags, then choose Next: Review.
  9. On the Summary page, save your role ARN. You must have the role ARN for the following tasks:
    1. Register your application.
    2. Add an AWS Security Token Service policy to your IAM user.

Complete this process according to Amazon's direction.

 

Add an AWS Security Token Service (AWS STS) policy to your IAM user

 

Adding an AWS Security Token Service (AWS STS) policy to your IAM user allows you to request temporary AWS access keys that you can use to authenticate your requests to the Selling Partner API. These credentials expire after a set period of time, which helps you to control access to your AWS resources.

  1. Sign into the AWS Management Console, and then open the IAM console at aws.amazon.com/iam.
  2. From the left navigation pane, select Users and then choose the user that requires the AWS STS policy. In this tutorial, choose the user you created in Create an IAM user.
  3. On the Permissions tab, choose Add inline policy.
  4. On the Create policy page, choose Choose a service.
  5. Select the STS service.

Tip: Enter STS in the search box to narrow your choices.

  6. Under Access Level, select the arrow next to Write.
  7. Select AssumeRole.
  8. Select the arrow next to Resources, and then choose Add ARN.
  9. In the Add ARN(s) dialog box, enter the role ARN from Step 4 (Create an IAM role), choose Add, and then choose Review policy.
  10. On the Review policy page, enter a name for your policy. Review your settings, then choose Create policy.
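
The role and STS steps above produce two policy documents: the role's trust policy and the user's inline AssumeRole policy. The following added example (not part of the original article or Amazon's documentation) builds both from the recorded ARNs and flags a trust or resource mismatch. The ARNs are constructed samples, and the trust policy shape is an assumption about what the Another AWS account option generates (the account root as principal).

```python
import re

# Constructed sample ARNs; substitute the values recorded in the steps above.
USER_ARN = "arn:aws:iam::123456789012:user/sp-api-user"
ROLE_ARN = "arn:aws:iam::123456789012:role/SellingPartnerAPIRole"
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/([\w+=,.@/-]+)$")

def parse_iam_arn(arn):
    """Return (account_id, kind, name); raise ValueError for a malformed ARN."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM user/role ARN: {arn!r}")
    return m.groups()

def trust_policy(user_arn):
    """Trust policy for a role that trusts the account owning the IAM user."""
    account, kind, _ = parse_iam_arn(user_arn)
    if kind != "user":
        raise ValueError("expected a user ARN")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
        "Action": "sts:AssumeRole"}]}

def sts_inline_policy(role_arn):
    """Inline user policy allowing AssumeRole on exactly one role."""
    _, kind, _ = parse_iam_arn(role_arn)
    if kind != "role":
        raise ValueError("expected a role ARN")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}

def review(user_arn, role_arn, trust, inline):
    """List problems that would break or over-broaden the AssumeRole setup."""
    issues = []
    account = parse_iam_arn(user_arn)[0]
    for st in trust["Statement"]:
        if f":{account}:" not in st["Principal"]["AWS"]:
            issues.append("role does not trust the user's account")
    for st in inline["Statement"]:
        res = st["Resource"]
        for r in ([res] if isinstance(res, str) else res):
            if "*" in r:
                issues.append(f"wildcard resource: {r}")
            elif r != role_arn:
                issues.append(f"resource is not the registered role: {r}")
    return issues

if __name__ == "__main__":
    print(review(USER_ARN, ROLE_ARN, trust_policy(USER_ARN), sts_inline_policy(ROLE_ARN)))
```

An empty list means the user's inline policy names only the role that the trust policy lets that account assume.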

 

To register your application (for all public applications and private seller applications)

  1. Sign into Seller Central using the credentials that you used to register as a developer.
  2. In the Partner Network menu, click Develop Apps. The Developer Central page appears.
  3. Click Add new app client.

The App registration page appears.

  4. Complete the form.

Note: If you are registering a public application, a Sellers check box and a Vendors check box appear after you choose the API type. Select Sellers, Vendors, or both, depending on the type of selling partner your application is for. The list of roles for which you can apply varies depending on your selection.

 

Register your application

 

To register your application (for private vendor applications)

  1. Sign into Vendor Central with the credentials that you used to register as a developer.
  2. In the Integration menu, click API Integration. The Developer Central page appears.
  3. Click Add new app client.

The App registration page appears.

  4. Complete the form.
  5. As part of this registration process, you can apply for a Restricted Data Token (RDT) that authorizes you to retrieve shipping address details as part of the order retrieval process from Amazon. While companies that operate completely within an FBA model do not typically require this information, organizations engaged in FBM activity may find it useful.

 

Important!

When registering your application, the IAM ARN that you provide must be for the IAM entity to which you attached the IAM policy from Create an IAM policy.

 

In this workflow, that IAM entity is the IAM role from Create an IAM role.

 

If you register your application using your IAM user, be sure that the IAM policy is attached to it. Otherwise your calls to the Selling Partner API will fail.

We recommend registering your application using an IAM role, as shown in this workflow, to help you better control access to your AWS resources.

 

Viewing your application information and credentials

 

To view your application information and credentials (for private seller applications and for public applications for any type of selling partner)

  1. Sign into Seller Central using the credentials that you used to register as a developer.
  2. In the Partner Network menu, click Develop Apps.

The Developer Central page displays information about your application(s), including the IAM ARN associated with them.

  3. Click View under LWA credentials for the application you want.

Your LWA client identifier and client secret for that application appear. Save these credentials as the Client ID and Client Secret.