Why does subscribing from AWS CLI to a SNS topic generate an unexpected payload?

Question

I must be doing something horribly wrong, but when I try to subscribe to a SNS topic using AWS CLI, like so:

aws sns subscribe --topic-arn <valid-arn> --protocol http --endpoint-url <valid, accessible URL>

I get a totally unexpected POST payload:

POST /api/aws/sns HTTP/1.1
Host: <censored>
Accept-Encoding: identity
User-Agent: aws-cli/1.11.38 Python/3.6.0 Linux/4.8.13-1-ARCH botocore/1.5.1
X-Amz-Date: 20170120T140758Z
Authorization: <censored>
Content-Length: 127
Content-Type: application/x-www-form-urlencoded

Action=Subscribe&Version=2010-03-31&TopicArn=censored&Protocol=http[!http]

When according to the documentation:

Your code should read the HTTP headers of the HTTP POST requests that Amazon SNS sends to your endpoint. Your code should look for the header field x-amz-sns-message-type, which tells you the type of message that Amazon SNS has sent to you.

So it should be a JSON document with at least the x-amz-sns-message-type header.

Furthermore, the verification POST request is made from my host to the URL endpoint, which seems weird.

Is there a fundamental difference between subscribing to a SNS topic from AWS CLI vs the web console?

Answer 1

You should be using --notification-endpoint not --endpoint-url. The endpoint-url parameter is used to tell the AWSCLI where to send the actual subscribe request. That is what you are seeing.

aws sns subscribe --topic-arn <valid-arn> --protocol http --notification-endpoint <valid, accessible URL>