
I'm trying to create an SNS topic and publish messages from the Lambda function, but I'm getting an authorization error when trying to do that.

Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError

Full exception

com.amazonaws.services.sns.model.AuthorizationErrorException: User: arn:aws:sts::166916908689:assumed-role/AWSLambdaVPCAccessExecutionRole/lambda-event-common-test is not authorized to perform: SNS:Publish on resource: arn:aws:sns:eu-west-1:166916908689:events (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 9266e536-baa4-55d1-b277-b766f5536b70)

my sam template looks like this

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  EventListenFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: event.lambda.EventHandler::handleRequest
      Role: !Sub arn:aws:iam::${AWS::AccountId}:role/AWSLambdaVPCAccessExecutionRole
      FunctionName: lambda-event-$ENVNAME
      Runtime: java8
      VpcConfig:
        SecurityGroupIds:
          - !ImportValue LambdaVPCSecurityGroup
        SubnetIds:
          - !ImportValue VsolPublicSubnetAz1
          - !ImportValue VsolPublicSubnetAz2
      Environment:
        Variables:
          SNS_TOPIC_ARN: !Ref Topic
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /event/{Id}
            Method: post
      Policies:
        Statement:
          - Effect: Allow
            Action: sns:Publish
            Resource: !Ref Topic
  Topic:
    Type: "AWS::SNS::Topic"
    Properties:
      DisplayName: "events"
      TopicName: "events"

Sending sns notification

import com.amazonaws.services.sns.AmazonSNS;
import com.amazonaws.services.sns.AmazonSNSClientBuilder;
import com.amazonaws.services.sns.model.PublishRequest;

// Client picks up the Lambda execution role's credentials from the environment
private AmazonSNS snsClient = AmazonSNSClientBuilder.defaultClient();
snsClient.publish(new PublishRequest(System.getenv("SNS_TOPIC_ARN"), "Test"));

It's possible to allow any user to publish to an SNS topic using the console. I'm looking for a way to do it using the SAM template.

Thanks

Dilantha
    What permissions are in the Role you have assigned to the Lambda function? Also, which line in your Lambda function raised that error? – John Rotenstein Oct 05 '17 at 04:43
  • @JohnRotenstein Thanks for the response. When you say permission role, is it this one? Other than that I have not mentioned anything in the SAM template: "Role: !Sub arn:aws:iam::${AWS::AccountId}:role/AWSLambdaVPCAccessExecutionRole". I have added the code which I use to send SNS notifications. – Dilantha Oct 05 '17 at 15:32

1 Answer


As you can see from this list

http://docs.aws.amazon.com/IAM/latest/UserGuide/list_sns.html

there are many, many more options available for SNS IAM permissions than just "sns:Publish".

You don't show your Lambda code, but I would guess you need "sns:CreateTopic".

If that doesn't work, then allow "sns:*", see what it calls in CloudTrail, and then reduce the permissions to the minimum required.

Update: I'm not used to the SAM template format, so I checked the documentation. There isn't an example of declaring a new policy inline as you seem to be doing, but there is one for using existing IAM policies.

So where you say

  Policies:
    Statement:
      - Effect: Allow
        Action: sns:Publish
        Resource: !Ref Topic

try

 Policies: AmazonSNSFullAccess
Vorsprung
  • Thanks for the reply. I tried what you said by changing it to sns:*. Still getting the same error :( – Dilantha Oct 05 '17 at 15:33
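An added example, not from the question or the answer, showing a least-privilege SAM template for the setup above. The exception in the question names `assumed-role/AWSLambdaVPCAccessExecutionRole`, i.e. the function runs under the pre-existing role given by `Role:`, and SAM ignores the `Policies` property whenever `Role` is set, so the inline `sns:Publish` statement (and the `sns:*` the comment tried) was never attached to anything. Removing `Role` lets SAM generate the execution role from `Policies`; the VPC networking permissions the old role supplied come back through the `AWSLambdaVPCAccessExecutionRole` managed policy, and publish rights are scoped to the single topic instead of the account-wide `AmazonSNSFullAccess` the answer suggests. Resource names and the VPC imports are the question's; `FunctionName` is omitted so the example stands on its own, and the use of the `SNSPublishMessagePolicy` SAM policy template is an assumption about how this template would be completed.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  EventListenFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: event.lambda.EventHandler::handleRequest
      Runtime: java8
      # No "Role:" property. When Role is set, SAM uses that existing role
      # unchanged and ignores Policies, which is why the inline statement in
      # the question never reached the function's role.
      VpcConfig:
        SecurityGroupIds:
          - !ImportValue LambdaVPCSecurityGroup
        SubnetIds:
          - !ImportValue VsolPublicSubnetAz1
          - !ImportValue VsolPublicSubnetAz2
      Environment:
        Variables:
          # Read by the Java code above via System.getenv("SNS_TOPIC_ARN")
          SNS_TOPIC_ARN: !Ref Topic
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /event/{Id}
            Method: post
      Policies:
        # AWS managed policy: CloudWatch Logs plus the ENI permissions a
        # VPC-attached function needs. This is what the removed Role: line
        # was providing.
        - AWSLambdaVPCAccessExecutionRole
        # SAM policy template (assumed here): sns:Publish only, and only on
        # this stack's topic. Compare with AmazonSNSFullAccess, which grants
        # sns:* on every topic in the account.
        - SNSPublishMessagePolicy:
            TopicName: !GetAtt Topic.TopicName
        # Equivalent inline form, for templates that avoid SAM policy templates:
        # - Statement:
        #     - Effect: Allow
        #       Action: sns:Publish
        #       Resource: !Ref Topic
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: events
      TopicName: events
```

After deploying, the principal in any further `AuthorizationError` should change from `assumed-role/AWSLambdaVPCAccessExecutionRole/...` to the SAM-generated role (named after the function, e.g. `EventListenFunctionRole-...`), which confirms that `Policies` is now in effect; if the old role name still appears, a `Role:` override is still present somewhere in the template.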