Amazon SP-API Amazon AWS Assume role Error: Roles may not be assumed by root accounts


Okay, this is vexing me.

We have two Amazon MWS accounts. One in USA one in Canada.

USA

I set up an AWS role and user, then create an app in MWS. Configured the app to point to the role ARN, generated tokens. I have 100% success running the API getting back what I need from the SP-API. It's working exactly as expected.

Canada

I set up an app in MWS exactly the same as the USA. It's literally identical pointing to the exact same AWS role. I can generate LWA credentials, but when I try to use those values to get STS keys it returns: Roles may not be assumed by root accounts

So I'm hitting a wall here. The exact same role is being used in both scenarios. How is it possible AWS is configured correctly for USA but the exact same configuration gives an error for Canada? What am I missing here?

I thought perhaps you have to use the USER ARN (for the MWS app) in Canada instead of the Role ARN (the user ARN doesn't work at all in the USA, only the role as stated in multiple documents). Same result.

I don't even know what else to try at this point.

Edit/Resolution:

To anyone else running into this, I've found a solution. Don't ask me why you need to do this, but it works.

It turns out you can't actually use the same user and role for two different Amazon accounts (at least in two different markets).

All I did was literally duplicate the user and role being used in the US. All I changed was the trust relationships to point the new role to the new user and vice versa. No settings, no differences, a literal carbon copy, then pointing the SP-API for Canada to use the new user and role.

So yeah...
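The STS message quoted above is returned when the access key pair presented to AssumeRole belongs to the account root user rather than an IAM user; root credentials can never assume a role, whatever the trust policy says. The resolution in the post (a second IAM user and role, with the role's trust relationship pointing at that user) is exactly what the two checks below model. This is an added example, not code from the post or from Amazon; the account id, user names and trust-policy document are constructed placeholders in the standard IAM shape.

```python
"""Pre-flight checks for an SP-API AssumeRole call (added example, not from
the original post). Two things must hold before STS will hand out keys:
  1. the caller's credentials must belong to an IAM user, not the account root;
  2. the role's trust relationship must name that IAM user as a principal.
All identities below are constructed placeholders."""
import json
import re

# Constructed sample identities (not real accounts or users).
ACCOUNT_ID = "123456789012"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"
US_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/spapi-us"
CA_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/spapi-ca"

# Constructed trust policy for the Canada role: only the Canada IAM user may assume it.
CA_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": CA_USER_ARN},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Matches root, user and role ARNs of the form arn:aws:iam::<12-digit account>:<resource>.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")


def is_root_principal(arn: str) -> bool:
    """True when the credentials belong to the account root user.
    STS refuses AssumeRole for root credentials regardless of the trust policy."""
    m = ARN_RE.match(arn)
    return bool(m) and m.group(2) == "root"


def trusted_principals(trust_policy: dict) -> set:
    """Collect every AWS principal ARN that an Allow statement for sts:AssumeRole names."""
    out = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        out.update(aws)
    return out


def assume_role_check(caller_arn: str, trust_policy: dict) -> str:
    """Explain, before calling STS, whether AssumeRole can succeed for this caller."""
    if is_root_principal(caller_arn):
        return "refused: roles may not be assumed by root accounts; use an IAM user's access keys"
    if caller_arn not in trusted_principals(trust_policy):
        return "refused: caller is not listed in the role's trust relationship"
    return "ok: caller is a trusted IAM principal"


if __name__ == "__main__":
    print(json.dumps(CA_ROLE_TRUST_POLICY, indent=2))
    for caller in (ROOT_ARN, US_USER_ARN, CA_USER_ARN):
        print(caller, "->", assume_role_check(caller, CA_ROLE_TRUST_POLICY))
```

Running the block walks three callers against the Canada role's trust policy: the root ARN is refused outright, the US user is refused because the Canada role only trusts the Canada user, and the Canada user passes. The caller ARN for a real key pair is what `sts:GetCallerIdentity` reports, so that is the value to feed `assume_role_check` when diagnosing a live failure.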
