❝
Besides third-party service providers, Amazon sellers themselves can use programs that integrate with SP-API to automate many aspects of running an Amazon store. A simple SP-API integration can, for example, regularly download the various reports from the seller backend automatically and handle the data analysis and sorting. Data tracking and analysis is very important but tedious, time-consuming and labor-intensive work for Amazon e-commerce operators. If a program automates most of it, much of that time and energy is freed up, achieving twice the result with half the effort.
❞
The public application programming interface of the Amazon e-commerce platform is called Amazon SP-API (Selling Partner API). Before that, it was called Marketplace Web Services, or MWS. Approved third-party applications are applications that third parties build on the Amazon platform's open API to help sellers manage and develop their businesses more efficiently.
However, the initial setup needed to call SP-API successfully from a program is quite challenging for anyone without a professional programming background. Below I go through the initial setup stage and try to sort out and explain some of the concepts.
SP-API call credentials
This article revolves around how to obtain the credentials needed to call SP-API. The required credentials are:
refresh_token
lwa_app_id
lwa_client_secret
aws_access_key
aws_secret_key
role_arn
Among them, the first three are obtained in the developer center of the seller's backend, and the latter three are obtained in the Amazon AWS console.
When calling SP-API, there are many ways to pass these credentials to the program. The following example passes them directly in the program code as parameters, using a dict.
credentials = dict(
    refresh_token='<refresh_token>',
    lwa_app_id='<lwa_app_id>',
    lwa_client_secret='<lwa_client_secret>',
    aws_secret_key='<aws_secret_access_key>',
    aws_access_key='<aws_access_key_id>',
    role_arn='<role_arn>',
)
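One of the other ways to pass the credentials, as an added example that is not part of the original article: read the six values from environment variables so that no secret lives in the source file, fail early if one is missing or still a template placeholder, and mask secrets before logging. The variable names (SP_API_REFRESH_TOKEN and so on) and the function names are assumptions of this example.

```python
import os

# The six credential names listed in the article.
REQUIRED = (
    "refresh_token", "lwa_app_id", "lwa_client_secret",
    "aws_access_key", "aws_secret_key", "role_arn",
)
# Values that must never appear in logs or error messages.
SECRET = {"refresh_token", "lwa_client_secret", "aws_secret_key"}


def load_credentials(env=None, prefix="SP_API_"):
    """Build the credentials dict from environment variables.

    The variable names (prefix + upper-cased key) are an assumption
    of this example, not something SP-API prescribes.
    """
    env = os.environ if env is None else env
    creds, problems = {}, []
    for name in REQUIRED:
        var = prefix + name.upper()
        value = (env.get(var) or "").strip()
        if not value:
            problems.append(f"{var} is not set")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{var} still holds a template placeholder")
        else:
            creds[name] = value
    if problems:
        # Report only variable names, never the values themselves.
        raise ValueError("; ".join(problems))
    return creds


def redacted(creds):
    """Copy of the credentials that is safe to log: secrets are masked."""
    return {k: ("***" if k in SECRET else v) for k, v in creds.items()}


if __name__ == "__main__":
    # Constructed sample environment so the example runs offline.
    sample_env = {"SP_API_" + n.upper(): "constructed-" + n for n in REQUIRED}
    credentials = load_credentials(sample_env)
    print(redacted(credentials))
```

The returned dict has the same keys as the `credentials` dict above, so it can be passed on in its place.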
Let’s talk about AWS IAM first
SP-API calls are authorized through the identity and access management (IAM) framework of the Amazon AWS cloud service. In brief, we create a dedicated IAM user and an IAM role in the AWS console, and attach to both of them the specific permissions (policy) defined by SP-API, namely an IAM user policy and an IAM role policy.
Therefore, the whole process has to be carried out in both the Amazon seller backend and the AWS console. If the whole process is divided into seven main steps, the first and seventh steps are performed in the seller's backend, and the middle five steps in the AWS console.
Step 1: Create a developer profile
The main goal of the first step, in the Amazon seller backend, is to create a developer profile and open the developer center. This step is not difficult, especially for a private application developed only for your own store: follow the steps, fill in the relevant information and wait for Amazon to approve it. One thing to note is that when selecting SP-API roles, all roles except restricted roles can be selected.
After the developer profile is approved and the developer center is opened, the operations of the second to fifth steps are performed in the AWS console.
Step 2: Prepare the AWS account
If we don't have an AWS account yet, we need to sign up for a free account in advance.
After registering an account, log in to the AWS console at the following link: https://Aws.amazon.com/console
Step 3: Create a new IAM user
Next, open the IAM console within the AWS console and create a new IAM user. The IAM console link is as follows: https://console.aws.amazon.com/iam
IAM stands for Identity and Access Management. AWS has several different kinds of identity, such as IAM user, IAM group and IAM role, and it limits what each identity may do by attaching different policies to it.
In this step, we create a new IAM user. The credential type we choose is "Access key - Programmatic access".
Note that the IAM user created at this point has no permissions, because we have not yet attached a policy to it. So there will be the following prompt.
When the IAM user is created successfully, the confirmation page shows two pieces of information, "Access key ID" and "Secret access key", and offers a CSV download link. These are two of the credentials for calling SP-API mentioned earlier in the article, that is, aws_access_key and aws_secret_key.
Step 4: Bind the policy to the newly created IAM User
After creating the IAM user, we create an IAM policy that defines the permission to call SP-API.
This step attaches the policy to the newly created "SellingPartner" IAM user. Because this user was created for calling SP-API, its policy follows the requirements for calling SP-API. That permission is defined by SP-API, so under the policy option for this IAM user we replace the JSON there with the policy given in the official SP-API documentation.
Step 5: Create a new IAM Role and bind the policy
The official SP-API guidance suggests that we create a new IAM role, but it is not impossible to work without one. The IAM role is mainly used to authenticate calls to SP-API. An IAM role is very similar to an IAM user, because both are identities with permission policies that determine what the identity can and cannot do in AWS. The difference is that an IAM role has no associated credentials (passwords or access keys) and instead relies on temporary security credentials to access AWS. While creating a new IAM role, the wizard automatically reaches the step of attaching a policy. In this step, just attach the policy created for the IAM user in the previous step. In this way, the IAM role also has the permission to call SP-API.
Step 6: Add an AWS STS policy to the IAM user
The final step in the AWS IAM setup is to attach an AWS Security Token Service (STS) policy to the newly created IAM user. Here it is mainly an AssumeRole policy, which allows the IAM user to use temporary security credentials to authenticate SP-API requests and so obtain the permissions of the previously created IAM role that are required to call SP-API. These temporary credentials consist of an access key ID, a secret access key, and a security token.
About AWS ARNs
ARN stands for "Amazon Resource Name". It is a naming convention used to identify specific resources in the Amazon Web Services (AWS) public cloud. ARNs are specific to AWS, and they help administrators track and use AWS items and policies across AWS products and API calls.
An ARN uniquely identifies an AWS resource. Whenever we need to specify one resource unambiguously across all of AWS, we use its ARN. When we create the IAM user and the IAM role and attach the policy, the IAM user, the IAM role and the policy each get their own ARN, which can be viewed in the AWS console. When calling SP-API, you need to provide IAM ARN information, and what we provide here is the ARN of the role. So this is the third credential for calling SP-API on the AWS side: role_arn.
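An added example (not from the original article) covering Step 6 and the ARN section: it parses an ARN into its fields, rejects anything that is not an IAM role ARN before it is used as role_arn, and builds an AssumeRole policy for the IAM user that is scoped to that single role instead of a wildcard. The account ID and the role name SellingPartnerRole are constructed sample values, and the function names are this example's own.

```python
import json
import re

# arn:partition:service:region:account-id:resource
# IAM is a global service, so IAM ARNs leave the region field empty.
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):(?P<service>[a-z0-9-]+):"
    r"(?P<region>[a-z0-9-]*):(?P<account>\d{12}|):(?P<resource>.+)$"
)


def parse_arn(arn):
    """Split an ARN into partition, service, region, account, resource."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    return m.groupdict()


def require_role_arn(arn):
    """Return the ARN if it names an IAM role; reject user or policy ARNs."""
    parts = parse_arn(arn)
    kind = parts["resource"].split("/", 1)[0]
    if parts["service"] != "iam" or kind != "role" or not parts["account"]:
        raise ValueError(f"expected an IAM role ARN, got {arn!r}")
    return arn


def assume_role_policy(role_arn):
    """Policy for the IAM user: sts:AssumeRole on this one role only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": require_role_arn(role_arn),
        }],
    }


if __name__ == "__main__":
    # Constructed sample value, not a real account or role.
    sample = "arn:aws:iam::123456789012:role/SellingPartnerRole"
    print(json.dumps(assume_role_policy(sample), indent=2))
```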
Step 7: Add a client app in the developer center of the seller's backend
After the AWS-side setup is complete, go back to the developer center in the Amazon seller's backend for one more step. Its main purpose is to obtain the LWA credentials needed to call SP-API, by adding a client app and authorizing it. The LWA credentials, "client identifier" and "client secret", are equivalent to login credentials. After clicking "Authorize app", a long "Refresh Token" string is generated. In this step we obtain the other three credentials for calling SP-API, namely refresh_token, lwa_app_id and lwa_client_secret, where lwa_app_id and lwa_client_secret correspond to the "client identifier" and "client secret" of the LWA credentials.
To explain, the process of adding a client app has a part that requires an IAM ARN. There we can copy in the ARN shown on the corresponding IAM role page in AWS IAM.