Set up credential rotation notifications
Learn how to set up a credential rotation notification.
This tutorial describes how to set up a credential rotation notification that alerts you when your credentials need to be rotated.
Prerequisites
To successfully complete this tutorial, you must have access to:
- The Developer Console
- Amazon SQS
- An SQS queue
Step 1. Grant SP-API permission to write to your SQS queue
To receive notifications, you must grant the Selling Partner API (SP-API) permission to write to your SQS queue.
- Open the AWS Management Console and sign in with your AWS credentials.
- From the console, open Amazon Simple Queue Service.
- Select the Standard queue where you want to receive notifications.
- Choose the Access Policy tab.
- From the Access policy (Permissions) section, select Edit. The edit page for the selected queue opens.
- Scroll down to Access policy, then select the Policy generator link. The AWS Policy Generator opens in a new tab.
- In Step 1 of the policy generator, select SQS Queue Policy.
- In Step 2 of the policy generator:
a. Set Effect to Allow.
b. Set Principal to 437568002678 (the AWS account from which SP-API sends notifications).
c. Set Actions to SendMessage and GetQueueAttributes. These are the only two actions the SP-API principal needs; do not grant broader permissions such as ReceiveMessage or DeleteMessage, which would let that principal read or remove messages from your queue.
d. Enter the SQS ARN value in Amazon Resource Name (ARN).
e. Choose Add Statement and verify the details.
- In Step 3 of the policy generator, select Generate Policy. A dialog box with the new policy opens.
- Copy the policy.
- Navigate back to the Amazon SQS queue, open the Access policy tab, then paste the policy into the Access Policy (Permissions) section.
- Save the changes.
- Reference the queue's Details section and note the ARN for this queue, as you need it to register your queue in the next step.
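The policy the generator produces for the settings above is equivalent to the following. This is an added illustration rather than text from the page: the Sid, the region, the account ID 123456789012 and the queue name sp-api-notifications in the Resource ARN are placeholders that you replace with your own queue's ARN from the Details section.

```json
{
  "Version": "2012-10-17",
  "Id": "sp-api-notification-queue-policy",
  "Statement": [
    {
      "Sid": "AllowSPAPIToPublishExpiryNotifications",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::437568002678:root"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:us-east-1:123456789012:sp-api-notifications"
    }
  ]
}
```

Two properties are worth checking after you paste the policy: the Resource pins the statement to this one queue ARN, so it cannot be reused against other queues in the account, and the Action list contains no ReceiveMessage or DeleteMessage, so the external principal can publish but never read or drain the queue.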
Step 2. Register your SQS queue to receive expiring credential notifications
- Sign in to your developer account on the Solution Provider Portal. Navigate to the Developer Console page that lists all your applications.
Note
For Seller Central users, sign in to Seller Central for your marketplace and navigate to Apps and Services, then Develop Apps.
For Vendor Central users, sign in to Vendor Central for your marketplace and navigate to Integration, then API Integration.
- Select Notification Preferences.
- On the Subscription page, find the application for which you want to receive expiring credential notifications.
- In the Application Client Secret Expiry row, select the SQS ARN where you want to receive the expiring credential notification.
Step 3. Listen for expiring credentials
Amazon sends a notification to the registered queue when the application's LWA client secret is approaching expiration. Poll your SQS queue and rotate the client secret when you receive the notification; the clientSecretExpiryTime in the payload tells you how long the current secret remains valid.
Use an Amazon SQS client to receive the message from your pre-registered queue. Follow the ReceiveMessage documentation.
Notification example
{
  "notificationVersion": "1.0",
  "notificationType": "APPLICATION_OAUTH_CLIENT_SECRET_EXPIRY",
  "payloadVersion": "2023-11-30",
  "eventTime": "2024-01-10T02:15:10.045Z",
  "payload": {
    "applicationOAuthClientSecretExpiry": {
      "clientId": "amzn1.application-oa2-client.xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "clientSecretExpiryTime": "2024-03-03T22:06:39.224Z",
      "clientSecretExpiryReason": "PERIODIC_ROTATION"
    }
  },
  "notificationMetadata": {
    "applicationId": "amzn1.sp.solution.xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "subscriptionId": "a275c00d-260c-4xxxxxxxxxxxf25",
    "publishTime": "2024-01-10T02:15:14.269Z",
    "notificationId": "e7e27216-4970-477a-882c-e4xxxxxxxxxxxxxdc"
  }
}
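A consumer for the notification above, written as an added example (not SP-API or AWS sample code). It validates the notificationType and payload shape before acting, decides from clientSecretExpiryTime whether the secret is inside the rotation window, and only then calls a rotation hook. The SAMPLE_NOTIFICATION is a constructed copy of the example message, the 14-day lead time and the rotate() callback are assumptions, and poll_queue() assumes boto3 is installed and that AWS credentials for the queue's account are configured in the environment.

```python
"""Consume SP-API APPLICATION_OAUTH_CLIENT_SECRET_EXPIRY notifications from SQS.

Added example. SAMPLE_NOTIFICATION is a constructed copy of the page's example
message; ROTATION_LEAD and the rotate() hook are assumptions.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

EXPECTED_TYPE = "APPLICATION_OAUTH_CLIENT_SECRET_EXPIRY"
ROTATION_LEAD = timedelta(days=14)  # assumption: rotate once expiry is two weeks out

# Constructed sample mirroring the notification example above.
SAMPLE_NOTIFICATION = json.dumps({
    "notificationVersion": "1.0",
    "notificationType": EXPECTED_TYPE,
    "payloadVersion": "2023-11-30",
    "eventTime": "2024-01-10T02:15:10.045Z",
    "payload": {
        "applicationOAuthClientSecretExpiry": {
            "clientId": "amzn1.application-oa2-client.xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "clientSecretExpiryTime": "2024-03-03T22:06:39.224Z",
            "clientSecretExpiryReason": "PERIODIC_ROTATION",
        }
    },
    "notificationMetadata": {
        "applicationId": "amzn1.sp.solution.xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "subscriptionId": "a275c00d-260c-4xxxxxxxxxxxf25",
        "publishTime": "2024-01-10T02:15:14.269Z",
        "notificationId": "e7e27216-4970-477a-882c-e4xxxxxxxxxxxxxdc",
    },
})


@dataclass(frozen=True)
class SecretExpiry:
    client_id: str
    application_id: str
    expiry_time: datetime
    reason: str
    notification_id: str


def parse_iso8601(ts: str) -> datetime:
    """Parse the Z-suffixed UTC timestamps used in SP-API notifications."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_notification(body: str) -> Optional[SecretExpiry]:
    """Return expiry details, or None for anything that is not a well-formed expiry
    notification. The queue policy limits who may send, but the consumer still
    checks type and shape before it triggers a rotation."""
    try:
        msg = json.loads(body)
        if msg.get("notificationType") != EXPECTED_TYPE:
            return None
        detail = msg["payload"]["applicationOAuthClientSecretExpiry"]
        meta = msg["notificationMetadata"]
        return SecretExpiry(
            client_id=detail["clientId"],
            application_id=meta["applicationId"],
            expiry_time=parse_iso8601(detail["clientSecretExpiryTime"]),
            reason=detail["clientSecretExpiryReason"],
            notification_id=meta["notificationId"],
        )
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed JSON, wrong shape, or bad timestamp


def rotation_due(expiry: SecretExpiry, now: datetime, lead: timedelta = ROTATION_LEAD) -> bool:
    """True once the secret expires within `lead`, or has already expired."""
    return expiry.expiry_time - now <= lead


def handle_message(body: str, now: datetime,
                   rotate: Callable[[SecretExpiry], None]) -> str:
    """Process one SQS message body and return an outcome label for logging."""
    expiry = parse_notification(body)
    if expiry is None:
        return "ignored"
    if not rotation_due(expiry, now):
        # Not yet inside the window: the caller should persist expiry_time and
        # schedule the rotation, because the message is deleted after handling.
        return "deferred"
    rotate(expiry)
    return "rotated"


def poll_queue(queue_url: str, rotate: Callable[[SecretExpiry], None]) -> None:
    """Long-poll the registered queue with boto3 (assumed installed and configured)."""
    import boto3  # local import keeps the parsing logic free of AWS dependencies
    sqs = boto3.client("sqs")
    while True:
        resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10,
                                   WaitTimeSeconds=20)
        for m in resp.get("Messages", []):
            outcome = handle_message(m["Body"], datetime.now(timezone.utc), rotate)
            print(f"{m['MessageId']}: {outcome}")
            # Delete only after handling: if rotate() raised, the message becomes
            # visible again after the visibility timeout and is retried.
            sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=m["ReceiptHandle"])


if __name__ == "__main__":
    # Offline run against the constructed sample; for a live queue call
    # poll_queue("https://sqs.<region>.amazonaws.com/<account>/<queue>", my_rotate).
    print(handle_message(SAMPLE_NOTIFICATION, parse_iso8601("2024-02-25T00:00:00Z"),
                         lambda e: print("rotating", e.client_id)))
```

The rotate() hook is where you call whatever updates the client secret for your application and redeploys it to the services that use it; keep the hook idempotent, since SQS standard queues deliver at least once and a retried message will invoke it again.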