Reputation: 642
SNS subscription error for AmazonIpSpaceChanged on different region
Why is it that I can't susbscribe SNS on AmazonIpSpaceChanged? Please check, I need your guidance.
The guide I basically followed with is How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda from the AWS Security blog.
Here's an output of the terminal:
➜ terminal $ cat ~/.aws/config [default] region = ap-southeast-1 ➜ terminal $ aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint arn:aws:lambda:ap-southeast-1:accountid_removed:function:cloudfront-securitygroup-controller An error occurred (InvalidParameter) when calling the Subscribe operation: Invalid parameter: TopicArn ➜ terminal $ AWS_REGION=ap-southeast-1 aws sns subscribe --topic-arn arn:aws:sns:ap-southeast-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint arn:aws:lambda:ap-southeast-1:accountid_removed:function:cloudfront-securitygroup-controller An error occurred (AuthorizationError) when calling the Subscribe operation: User: arn:aws:iam::accountid_removed:user/[email protected] is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:ap-southeast-1:806199016981:AmazonIpSpaceChanged
This is also the output when done through the AWS Web Console:
User: arn:aws:iam::accountid_removed:user/[email protected] is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:ap-southeast-1:806199016981:AmazonIpSpaceChanged (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 0e87384a-e298-569e-bf2d-6a5718eedc40)
Upvotes: 4
Views: 4769
Answers (2)
Reputation: 151
This is also possible from CloudFormation, with the (new) Region parameter.
Code snipped of CloudFormation (json) SNS resource:
"LambdaAmazonIpSpaceChangedSubscription" : {
"Type" : "AWS::SNS::Subscription",
"Properties" : {
"Endpoint" : {"Fn::GetAtt" : ["LambdaFunction", "Arn"] },
"Protocol" : "lambda",
"TopicArn" : "arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged",
"Region": "us-east-1"
}
},
Upvotes: 3
Reputation: 269550
The error is because your API call must be made to the us-east-1 region, where the Amazon SNS topic is located.
$ aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol email --notification-endpoint [email protected] --region us-east-1
{
"SubscriptionArn": "pending confirmation"
}
It appears that subscribe a AWS Lambda function in a different region works too (or, at least did not return an error):
aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint arn:aws:lambda:ap-southeast-2:123456789012:foo --region us-east-1
{
"SubscriptionArn": "arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged:37dab281-1e8f-16ba-8e4a-ef9de429101b"
}
Upvotes: 10
Related Questions
- AWS lambda subscribed to SNS topic not working
- Cross account, cross region SNS message processing
- SNS trigger issue for Lambda
- Unable to publish to SNS from new region
- Invoke AWS Service across regions
- Failing to Execute Lambda Function Subscribed to SNS Topic
- Error creating lambda to invoke from SNS Topic events in different region
- SNS -> Lambda subscription doesn't work when set via API, but does when set by admin console
- AWS Lambda & SNS: Invoke Lambda cross-region
- Amazon Lambda to SNS notifications not working