18

I am trying to integrate Amazon Push Notifications to my iPhone app. I did follow the tutorial provided here correctly.

I am getting this error when creating the Platform EndPoint. (Seems a permission issue with identity pool???)

CognitoIdentityCredentials is not authorized to perform: SNS:CreatePlatformEndpoint

Full message:

```
Error: Error Domain=com.amazonaws.AWSSNSErrorDomain Code=4 "The operation couldn’t be completed. (com.amazonaws.AWSSNSErrorDomain error 4.)" UserInfo=0x165dcef0 {Type=Sender, Message=User: arn:aws:sts::290442422498:assumed-role/Cognito_Laugh_DevUnauth_Role/CognitoIdentityCredentials is not authorized to perform: SNS:CreatePlatformEndpoint on resource: arn:aws:sns:us-east-1:290442422498:app/APNS_SANDBOX/Laugh, __text=(
"\n    ",
"\n    ",
"\n    ",
"\n  "
), Code=AuthorizationError}
```

Code

```objc
AWSRegionType const CognitoRegionType = AWSRegionUSEast1;
AWSRegionType const DefaultServiceRegionType = AWSRegionUSEast1;
NSString *const CognitoIdentityPoolId = @"us-east-1:0..................";
NSString *const SNSPlatformApplicationArn = @"arn:aws:sns:us-east-1:................";
NSString *const MobileAnalyticsAppId = @"YourMobileAnalyticsAppId";

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // Sets up the AWS Mobile SDK for iOS
    AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:CognitoRegionType
                                                                                                     identityPoolId:CognitoIdentityPoolId];

    AWSServiceConfiguration *defaultServiceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:DefaultServiceRegionType
                                                                                       credentialsProvider:credentialsProvider];

    AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = defaultServiceConfiguration;

    // A BOOL-returning delegate method must return a value
    return YES;
}

- (void)application:(UIApplication *)application didRegisterForRemoteNotificationsWithDeviceToken:(NSData *)deviceToken {
    // Hex-encode the token bytes directly; parsing [deviceToken description]
    // no longer yields the hex string on iOS 13 and later.
    const unsigned char *tokenBytes = (const unsigned char *)deviceToken.bytes;
    NSMutableString *deviceTokenString = [NSMutableString stringWithCapacity:deviceToken.length * 2];
    for (NSUInteger i = 0; i < deviceToken.length; i++) {
        [deviceTokenString appendFormat:@"%02x", tokenBytes[i]];
    }

    NSLog(@"deviceTokenString: %@", deviceTokenString);
    [[NSUserDefaults standardUserDefaults] setObject:deviceTokenString forKey:@"deviceToken"];
    [[NSUserDefaults standardUserDefaults] synchronize];

    // Register this device token as an endpoint of the SNS platform application
    AWSSNS *sns = [AWSSNS defaultSNS];
    AWSSNSCreatePlatformEndpointInput *request = [AWSSNSCreatePlatformEndpointInput new];
    request.token = deviceTokenString;
    request.platformApplicationArn = SNSPlatformApplicationArn;

    NSLog(@"SNSPlatformApplicationArn %@", SNSPlatformApplicationArn);

    [[sns createPlatformEndpoint:request] continueWithBlock:^id(BFTask *task) {
        if (task.error != nil) {
            // The AuthorizationError shown above is logged here
            NSLog(@"Error: %@", task.error);
        } else {
            AWSSNSCreateEndpointResponse *createEndPointResponse = task.result;
            NSLog(@"endpointArn: %@", createEndPointResponse);
            [[NSUserDefaults standardUserDefaults] setObject:createEndPointResponse.endpointArn forKey:@"endpointArn"];
            [[NSUserDefaults standardUserDefaults] synchronize];
            //[self.window.rootViewController.childViewControllers.firstObject performSelectorOnMainThread:@selector(displayDeviceInfo) withObject:nil waitUntilDone:NO];
        }

        return nil;
    }];
}
```

smartsanja
  • Are you sure you can use the constant "`SNSPlatformApplicationArn`"? When I look at the description for [`platformApplicationArn`](http://docs.aws.amazon.com/AWSiOSSDK/latest/Classes/AWSSNSCreatePlatformEndpointInput.html#//api/name/platformApplicationArn), it says "PlatformApplicationArn returned from CreatePlatformApplication is used to create a an endpoint." – Michael Dautermann Jun 29 '15 at 04:48

2 Answers

18

The issue was in the AWS SNS configurations. We need to add "SNS:CreatePlatformEndpoint" to the policy for both Auth and Unauth roles.

smartsanja
  • 1
    Would you mind detailing a bit how you solved this? I assume you mean that you fixed this in the IAM console by attaching a custom policy to the cognito unauth role, and that the policy had to be manually generated using the action sns:CreatePlatformEndpoint as described in http://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage_SpecialInfo.html ? I am having trouble finding decent documentation on doing so, but granted I am a bit rusty on IAM policies in general. Since you said you fixed it in the SNS config I was just curious if there was a quicker way of adding the needed policy. – JHH Sep 29 '15 at 13:24
  • You also need to add the Resource ARNs in the policy. – phatmann Oct 27 '15 at 21:23
  • 2
    Thanks! Fixed it as well, just had to go into the IAM Management Console and look for the proper policy and added SNS:CreatePlatformEndpoint. – Michael D. Irizarry Mar 09 '16 at 16:27
  • Checking the docs I can't see the SNS:CreatePlatformEndpoint ... any idea if there is an equivalent now? – jpganz18 Jan 23 '20 at 13:10
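An added example, not part of the original answer or its comments: it reads the denial text from the question, builds an IAM policy document that allows only the denied action on the one resource ARN named in the error, and flags wildcard grants in a policy. The function names (`parse_denial`, `scoped_policy`, `broad_statements`) and the `BROAD` sample are constructed for illustration; the resulting document is what would be attached to the role named in the error.

```python
import json
import re

# The denial text from the question (one line of the logged NSError).
SAMPLE = ("User: arn:aws:sts::290442422498:assumed-role/Cognito_Laugh_DevUnauth_Role/"
          "CognitoIdentityCredentials is not authorized to perform: "
          "SNS:CreatePlatformEndpoint on resource: "
          "arn:aws:sns:us-east-1:290442422498:app/APNS_SANDBOX/Laugh, __text=(")

# Constructed for contrast: an allow-everything SNS statement.
BROAD = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "sns:*", "Resource": "*"}]}

DENIED = re.compile(
    r"assumed-role/(?P<role>[^/\s]+)/\S+ is not authorized to perform: "
    r"(?P<action>[\w:]+) on resource: (?P<resource>arn:[^\s,]+)")


def parse_denial(message):
    """Extract the role name, denied action and resource ARN from the error text."""
    match = DENIED.search(message)
    if match is None:
        raise ValueError("no 'is not authorized to perform' clause found")
    return match.groupdict()


def scoped_policy(denial):
    """Build a policy allowing only the denied action on the named resource."""
    service, _, operation = denial["action"].partition(":")
    # IAM matches action names case-insensitively; a lower-case prefix is the usual style.
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": f"{service.lower()}:{operation}",
                           "Resource": denial["resource"]}]}


def as_list(value):
    """IAM allows a single string/object or a list in these fields; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def broad_statements(policy):
    """Return Allow statements whose Action or Resource contains a wildcard."""
    return [s for s in as_list(policy["Statement"])
            if s.get("Effect") == "Allow"
            and any("*" in v for v in as_list(s.get("Action", [])) + as_list(s.get("Resource", [])))]


if __name__ == "__main__":
    denial = parse_denial(SAMPLE)
    print("role to edit:", denial["role"])
    print(json.dumps(scoped_policy(denial), indent=2))
    print("wildcard statements in BROAD:", len(broad_statements(BROAD)))
```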
9

You can add AmazonSNSFullAccess under Roles->attach policy.

CubeJockey
Dhananjay Kashyap