Is it possible to generate an AWS access key via IAM for use with the Product Advertising API?
T

5

16

I like using IAM (Identity and Access Management) to create users/groups with specific permissions for specific purposes.

The Product Advertising API requires use of an access key (request param is AWSAccessKeyId) and IAM can generate access keys, but I don't see a way to give IAM users/groups access to only the Product Advertising API.

Anyone know if this can be done? Or do you know of a workaround?

Tynishatynwald answered 13/3, 2012 at 17:51 Comment(0)
M
11

Update

Reading the mentioned thread, IAM policies for Amazon Product API, in its entirety reveals that the questioner actually tried to do just that, i.e. use IAM access keys to access the Product Advertising API, but apparently to no avail. So I'm afraid the mentioned AWS team response has to be taken literally, and your use case is not covered by IAM yet, unfortunately.


Initial Answer

AWS Identity and Access Management (IAM) doesn't currently support the Product Advertising API (see the AWS team response to IAM policies for Amazon Product API), but assuming the IAM access keys as such do work there as well, you could deny your users/groups access to every other AWS service supporting IAM by means of a respective IAM policy at least (which should cover the majority of critical ones). The recommended AWS Policy Generator can help in crafting a respective policy, which might actually be as simple as this (I just selected Effect -> Deny and checked the AWS Service -> All Services checkbox):

{
  "Statement": [
    {
      "Sid": "Stmt1331670627168",
      "Action": "*",
      "Effect": "Deny",
      "Resource": "*"
    }
  ]
}
Mozellemozes answered 13/3, 2012 at 20:35 Comment(1)
I actually create a user and a group for "Product Advertising API". Initially, I assign a policy for this test group, but I remove the policy right after the group is created. So you could manage a group which has no policy for Product Advertising API. Still, "Product Advertising API" is not in the IAM policy! - Convolve
T
2

As the Amazon Product API isn't yet covered by IAM policies, one can expect that it shall be enough to have a user without any policy attached, because the default is to deny. (In other words, for such a user everything will be denied except for the Product API, which is not protected by IAM.)

But that's not true. Whatever I tried, I could only access the API with my root key. (To avoid security implications I decided to register an additional account with no credit card attached.)

Telstar answered 13/1, 2015 at 9:9 Comment(0)
S
1

Amazon Product API DOES work with IAM.

I created an IAM user. It's not in a group and has no roles. I only attached the "AdministratorAccess" policy to it. I tested it with the "ItemSearch" and "CartCreate" operations. It's working very well.

You can also create a new deny policy to restrict the user access to other services as described by byronicM here: https://forums.aws.amazon.com/message.jspa?messageID=289929#289929

Selfservice answered 7/9, 2016 at 16:13 Comment(1)
I've independently come to the same conclusion as byronicM in the link here - give a user AdministrationAccess and explicitly Deny all services individually. Given the only alternative is to use root keys which are not restricted in any way, this seems to be a safer approach (if initial experimentation pans out). - Stiffler
P
1

This was quietly added earlier this year (documentation). Use this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ProductAdvertisingAPI:*",
            "Resource": "*"
        }
    ]
}
Playwright answered 14/12, 2018 at 17:26 Comment(0)
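
An added example, not part of any answer on this page: a simplified Python model of how IAM combines the three policies quoted above (explicit Deny, then Allow, then the default implicit deny) for a service that evaluates IAM policies. It covers identity-based policies only and ignores Condition, NotAction and other policy types; the two action names in `scenarios()` are constructed for illustration.

```python
import fnmatch

# The three policies discussed on this page (Sid omitted). AdministratorAccess
# is AWS's managed policy that allows every action on every resource.
DENY_ALL = {"Statement": [{"Action": "*", "Effect": "Deny", "Resource": "*"}]}
ADMIN_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PA_API_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ProductAdvertisingAPI:*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case=False):
    # Policy elements may be a string or a list; '*' and '?' are wildcards.
    fold = str.lower if ignore_case else str
    return any(fnmatch.fnmatchcase(fold(value), fold(p)) for p in _as_list(patterns))

def evaluate(policies, action, resource="*"):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action, ignore_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # one matching Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def scenarios():
    # Action names below are constructed for illustration.
    pa, s3 = "ProductAdvertisingAPI:ItemSearch", "s3:GetObject"
    sets = {"no policy": [], "PA API only": [PA_API_ONLY],
            "admin + deny all": [ADMIN_ACCESS, DENY_ALL],
            "PA API + deny all": [PA_API_ONLY, DENY_ALL]}
    return {name: (evaluate(p, pa), evaluate(p, s3)) for name, p in sets.items()}

if __name__ == "__main__":
    for name, (pa_result, s3_result) in scenarios().items():
        print(f"{name:18} PA API: {pa_result:13} S3: {s3_result}")
```

The last scenario shows that a blanket `Deny` on `*` left attached next to the `ProductAdvertisingAPI:*` Allow policy blocks the Product Advertising API as well, so the scoped Allow policy is used on its own.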
D
0

Until Amazon supports this, it is recommended that you create a separate full key and delete it later when you are done with development. That way, the first production key is not exposed and won't need to change, which will save you time.

Deice answered 17/12, 2013 at 23:10 Comment(0)
