Reputation: 1634
I'm trying to create an SNS topic and publish messages from the Lambda, but I'm getting an authorization error when trying to do that.
Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError
Full exception
com.amazonaws.services.sns.model.AuthorizationErrorException: User: arn:aws:sts::166916908689:assumed-role/AWSLambdaVPCAccessExecutionRole/lambda-event-common-test is not authorized to perform: SNS:Publish on resource: arn:aws:sns:eu-west-1:166916908689:events (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 9266e536-baa4-55d1-b277-b766f5536b70)
my sam template looks like this
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  EventListenFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: event.lambda.EventHandler::handleRequest
      Role: !Sub arn:aws:iam::${AWS::AccountId}:role/AWSLambdaVPCAccessExecutionRole
      FunctionName: lambda-event-$ENVNAME
      Runtime: java8
      VpcConfig:
        SecurityGroupIds:
          - !ImportValue LambdaVPCSecurityGroup
        SubnetIds:
          - !ImportValue VsolPublicSubnetAz1
          - !ImportValue VsolPublicSubnetAz2
      Environment:
        Variables:
          SNS_TOPIC_ARN: !Ref Topic
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /event/{Id}
            Method: post
      Policies:
        Statement:
          - Effect: Allow
            Action: sns:Publish
            Resource: !Ref Topic
  Topic:
    Type: "AWS::SNS::Topic"
    Properties:
      DisplayName: "events"
      TopicName: "events"
Sending the SNS notification
import com.amazonaws.services.sns.AmazonSNS;
import com.amazonaws.services.sns.AmazonSNSClientBuilder;
import com.amazonaws.services.sns.model.PublishRequest;

// Client built from the Lambda execution role's credentials (SDK for Java v1)
private AmazonSNS snsClient = AmazonSNSClientBuilder.standard().build();
// Topic ARN is injected by the SAM template as an environment variable
snsClient.publish(new PublishRequest(System.getenv("SNS_TOPIC_ARN"), "Test"));
It's possible to allow any user to publish to the SNS topic using the console. I'm looking for a way to do it using the SAM template.
Thanks
Upvotes: 4
Views: 9740
Reputation: 34337
As you can see from this list
http://docs.aws.amazon.com/IAM/latest/UserGuide/list_sns.html
There are many, many more options available for SNS IAM permissions than just "sns:Publish".
You don't show your Lambda code, but I would guess you need "sns:CreateTopic".
If that doesn't work, then allow "sns:*", see what it calls in CloudTrail, then reduce the permissions to the minimum required.
update: I'm not used to the SAM template format, so I checked the documentation. There isn't an example of declaring a new policy inline as you seem to be doing, but there is one for using existing IAM policies.
So where you say
Policies:
  Statement:
    - Effect: Allow
      Action: sns:Publish
      Resource: !Ref Topic
try
Policies: AmazonSNSFullAccess
Upvotes: 1
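For comparison, here is an added example of the same SAM resource written so that the function is granted only sns:Publish on its own topic; it is not code from the question or the answer. It assumes the same imported VPC values and the same handler as the question, and relies on two SAM behaviours: when a function declares an explicit Role, SAM ignores its Policies property (which is why the inline statement in the question never took effect on the pre-existing AWSLambdaVPCAccessExecutionRole), and when Role is omitted, SAM generates an execution role from the Policies list, which may contain AWS managed policy names and SAM policy templates such as SNSPublishMessagePolicy.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  EventListenFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: event.lambda.EventHandler::handleRequest
      Runtime: java8
      # No explicit Role here: SAM generates the execution role and attaches
      # the Policies listed below. If Role were set, Policies would be ignored.
      VpcConfig:
        SecurityGroupIds:
          - !ImportValue LambdaVPCSecurityGroup    # assumed, as in the question
        SubnetIds:
          - !ImportValue VsolPublicSubnetAz1        # assumed, as in the question
          - !ImportValue VsolPublicSubnetAz2        # assumed, as in the question
      Environment:
        Variables:
          SNS_TOPIC_ARN: !Ref Topic
      Policies:
        # AWS managed policy name: ENI permissions needed by a VPC-attached function
        - AWSLambdaVPCAccessExecutionRole
        # SAM policy template: sns:Publish scoped to this single topic only,
        # instead of the account-wide AmazonSNSFullAccess
        - SNSPublishMessagePolicy:
            TopicName: !GetAtt Topic.TopicName
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /event/{Id}
            Method: post
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: events
      TopicName: events
```

If you prefer the inline form from the question, the same scoping is expressed by giving Policies a list item that is a full IAM policy document (Version plus Statement) rather than a bare Statement key; either way the Role property has to be dropped for it to be applied. After deploying, the CloudTrail Publish events for the topic should show the SAM-generated role as the caller instead of AWSLambdaVPCAccessExecutionRole.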