sumanth shetty

Reputation: 2181

SNS notification target rule is "unreachable" when trying to send a notification from CodePipeline

I am trying to set up a notification for the CodePipeline using its notification rule, which supports SNS.

[screenshot: notification rule target with status "Unreachable"]

As you can see in the picture, the status is "Unreachable".

If I look at the link here: aws troubleshoot

I have followed all the steps, even the step of adding codestar-notifications to the Access policy of the SNS topic.

{
      "Sid": "AWSCodeStarNotifications_publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:codestar-notifications:us-east-1:272075499248:notificationrule/50d629524d433dceeafdb6c5fe136e404f29e9e5"
    }

But still, the status remains the same. I also tried manually starting the pipeline, but it is still not working.

Am I missing something? Could anyone help me out with this?

EDIT:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:272075499248:develop",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "272075499248"
        }
      }
    },
    {
      "Sid": "AWSCodeStarNotifications_publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:272075499248:develop"
    }
  ]
}

Upvotes: 18

Views: 9413

Answers (7)

Awatatah

Reputation: 474

What worked for me was just adding an additional statement object to the default:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:XXXXXXXXX:my-awesome-topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "XXXXXXXXX"
        }
      }
    },
    // added here below
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:XXXXXXXXX:my-awesome-topic"
    }
  ]
}

Upvotes: 0

Jehong Ahn

Reputation: 2406

Answers about Access Policy are right. But the change is not applied immediately. Very annoying.

Just create a new topic from CodePipeline Settings. The access policy will be auto-adjusted.

Upvotes: 0

Raphael Setin

Reputation: 865

The previous answers here were too confusing and some of them were incomplete. Here is the complete solution with the ins and outs.


1. Simple Notification Service Access Policy Confusion

Whenever you create an SNS topic by itself, the default access policy will look something like this:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-east-2:123456789012:my-sns-topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "123456789012"
        }
      }
    }
  ]
}

The above is wrong and will not let your CodePipeline access the SNS topic (make it reachable/"Active")! Change the Access policy for your SNS topic to the following instead:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "CodeNotification_publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-2:123456789012:my-sns-topic"
    }
  ]
}

NOTE 1: Change 123456789012 to your AWS account ID, and my-sns-topic to the name of your SNS topic.
NOTE 2: If your region is different from us-east-2, then change that too in the above snippet.
NOTE 3: Both the SNS topic and the CodePipeline Notification rule should be in the same region, otherwise this won't work.

2. Notification Rule and Notification Rule Target Issue

Whenever you create a Notification Rule and then a Notification Rule Target, the only way possible for AWS to refresh the Notification target status is for you to delete the Notification rule target from CodePipeline -> Settings (on the left side bar) -> Notification rules -> Notification rule targets (this is extremely important!).

NOTE: Deleting the Notification rule target from the notification rule itself won't do anything; because of that, when you re-add it in that page, the Notification rule target will still be the old one and thus the Notification target status will remain "Unreachable".


If after everything it still says it's unreachable, repeat steps #1 and #2 exactly; you may have missed something.

Upvotes: 24
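
As an added example (not code from the question or from any answer here), the following offline Python check encodes what this thread works out: the topic's access policy needs an Allow statement for the codestar-notifications.amazonaws.com service principal granting SNS:Publish on the topic's own ARN (the question's first attempt put the notification rule ARN in Resource instead), and the rule and topic must be in the same region (NOTE 3 above). As a defender's extra it also flags any `"Principal": {"AWS": "*"}` statement that has no Condition, since the default statement is only acceptable because its AWS:SourceOwner condition scopes it to the account owner. The account id, rule id and the two sample policies are constructed placeholders, not values from a real account.

```python
"""Offline sanity check for an SNS topic access policy used as a CodeStar
Notifications target. Added example; the ARNs and policies are constructed."""
import json

CODESTAR_PRINCIPAL = "codestar-notifications.amazonaws.com"

# Constructed placeholder ARNs (account id and rule id are not real).
TOPIC_ARN = "arn:aws:sns:us-east-2:123456789012:my-sns-topic"
RULE_ARN = ("arn:aws:codestar-notifications:us-east-2:123456789012:"
            "notificationrule/EXAMPLE_RULE_ID")

# Shape of the question's first attempt: right principal, but Resource names
# the notification rule instead of the topic.
WRONG_RESOURCE_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AWSCodeStarNotifications_publish",
        "Effect": "Allow",
        "Principal": {"Service": CODESTAR_PRINCIPAL},
        "Action": "SNS:Publish",
        "Resource": RULE_ARN,
    }],
}

# Shape of the working policy from the answers: the default owner statement
# (scoped by its SourceOwner condition) plus a publish grant on the topic ARN.
GOOD_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "__default_statement_ID",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
            "Resource": TOPIC_ARN,
            "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}},
        },
        {
            "Sid": "CodeNotification_publish",
            "Effect": "Allow",
            "Principal": {"Service": CODESTAR_PRINCIPAL},
            "Action": "SNS:Publish",
            "Resource": TOPIC_ARN,
        },
    ],
}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _arn_region(arn):
    """Region field of arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    return parts[3] if len(parts) >= 5 else ""


def _grants_publish(statement):
    """True if the statement's Action covers SNS:Publish (case-insensitive)."""
    actions = [a.lower() for a in _as_list(statement.get("Action"))]
    return any(a in ("sns:publish", "sns:*", "*") for a in actions)


def check_topic_policy(policy, topic_arn, rule_arn=None):
    """Return a list of findings; empty means CodeStar Notifications should be
    able to publish to topic_arn (Deny statements are not evaluated here)."""
    if isinstance(policy, str):  # e.g. the Policy attribute string from the CLI
        policy = json.loads(policy)
    findings = []
    statements = _as_list(policy.get("Statement"))

    # 1. Any-principal Allow with no Condition at all is too broad for a topic.
    for s in statements:
        principal = s.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if s.get("Effect") == "Allow" and anyone and not s.get("Condition"):
            findings.append(f"statement {s.get('Sid')!r} allows any principal without a Condition")

    # 2. The grant the notification service actually needs.
    service_stmts = [
        s for s in statements
        if s.get("Effect") == "Allow"
        and isinstance(s.get("Principal"), dict)
        and CODESTAR_PRINCIPAL in _as_list(s["Principal"].get("Service"))
    ]
    if not service_stmts:
        findings.append(f"no Allow statement for principal {CODESTAR_PRINCIPAL}")
    for s in service_stmts:
        if not _grants_publish(s):
            findings.append(f"statement {s.get('Sid')!r} does not grant SNS:Publish")
            continue
        resources = _as_list(s.get("Resource"))
        if topic_arn not in resources and "*" not in resources:
            findings.append(f"statement {s.get('Sid')!r} Resource {resources} "
                            f"is not the topic ARN {topic_arn}")

    # 3. Cross-region target: rule and topic must share a region.
    if rule_arn is not None and _arn_region(rule_arn) != _arn_region(topic_arn):
        findings.append(f"notification rule region {_arn_region(rule_arn)} "
                        f"differs from topic region {_arn_region(topic_arn)}")
    return findings


if __name__ == "__main__":
    for name, pol in (("wrong-resource", WRONG_RESOURCE_POLICY), ("good", GOOD_POLICY)):
        print(name, check_topic_policy(pol, TOPIC_ARN, RULE_ARN) or ["ok"])
```

To run it against a live topic, pass the string returned by `aws sns get-topic-attributes --topic-arn <arn> --query Attributes.Policy --output text` as the first argument. The check only looks at Allow statements and does not evaluate Deny statements or the SNS service-wide defaults, so an empty findings list rules out the mistakes discussed in this thread rather than proving every possible policy interaction.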

muasif80

Reputation: 6016

The following did work for me.

I followed the suggestion by Phil Gilligan in the other answer. It automatically created the access policy in the SNS topic when it's created from CodeCommit itself.

Change the account id and repo name according to your own case.

There is no other rule, just this one rule. It seems like the rules are evaluated and one rule overrides the other. I think if one rule is more restrictive it takes precedence over the other.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "CodeNotification_publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:ACCOUNT_ID:REPO_NAME"
    }
  ]
}

Upvotes: 0

Charles Wei

Reputation: 571

It could be that your pipeline’s IAM execution role doesn’t have the required permissions to publish messages to the topic. Make sure your pipeline can publish messages in both the IAM role and the SNS policy and give it another go. A telltale sign of this is the CodePipeline notification console showing “Unreachable” next to the SNS topic.

The SNS access policy will look like the following:

{
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "StatusNotificationsPolicy",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789123:root",
                "Service": "codestar-notifications.amazonaws.com"
            },
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:ap-southeast-2:123456789123:gimme-alerts"
        },
        {
            "Sid": "__default_statement_ID",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "SNS:GetTopicAttributes",
                "SNS:SetTopicAttributes",
                "SNS:AddPermission",
                "SNS:RemovePermission",
                "SNS:DeleteTopic",
                "SNS:Subscribe",
                "SNS:ListSubscriptionsByTopic",
                "SNS:Publish",
                "SNS:Receive"
            ],
            "Resource": "arn:aws:sns:ap-southeast-2:123456789123:gimme-alerts",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceOwner": "123456789123"
                }
            }
        }
    ]
}

https://www.stephengream.com/codepipeline-notifications

Upvotes: 0

ILIASS B.

Reputation: 473

The JSON file is correct, but you should delete and re-create the target rule.

Upvotes: 0

Phil Gilligan

Reputation: 21

One way to solve this is to use the CodePipeline user interface to create the Topic. This will set all of the required permissions for you. When creating the Notification Rule, under "Targets", select "Create Target" and enter the name of the Topic you wish to create. The topic will be created with permissions already set. You will just need to subscribe to the topic to receive the notifications.

Upvotes: 2
