
I want to publish a message to a topic provided by AWS (AWS has provided me the topic for integration purposes). On the topic, the policy has all the actions, and my account also has the AmazonSNSFullAccess policy.

{
  "Policy": {
    "Version": "version_number",
    "Id": "policy_name",
    "Statement": [
      {
        "Sid": "statement",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": [
          "SNS:GetTopicAttributes",
          "SNS:SetTopicAttributes",
          "SNS:AddPermission",
          "SNS:RemovePermission",
          "SNS:DeleteTopic",
          "SNS:Subscribe",
          "SNS:ListSubscriptionsByTopic",
          "SNS:Publish",
          "SNS:Receive"
        ],
        "Resource": "resource",
        "Condition": {"StringEquals": {"AWS:SourceOwner": "number_of_account"}}
      }
    ]
  },
  some_other_information_about_subscriptions
}

But when I am trying to publish a message to the topic I receive the error

software.amazon.awssdk.services.sns.model.AuthorizationErrorException: User is not authorized to perform: SNS:Publish on resource: <resource> (Service: Sns, Status Code: 403, Request ID: <request_id>, Extended Request ID: null)

As far as I have seen the policies are fine, but I cannot understand why this error occurs.

Has anyone faced it before and knows what is going on?

Thank you!

mosquito110
  • What accounts are involved here, what roles / policies? Is this cross-account? What account does the topic belong to, who owns it, what is your account id? – luk2302 Feb 18 '21 at 16:17
  • Looks like the account you are using does not have permission to interact with SNS. See https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html – smac2020 Feb 18 '21 at 16:34
  • @luk2302 My account is considered a seller account and the topic is provided by AWS. I did not create the topic. My group is admin with the AdministratorAccess policy and my account has the IAMUserChangePassword, AWSMarketplaceRead-only, AmazonSNSFullAccess and AWSMarketplaceSellerProductsReadOnly policies. The topic belongs (I guess) to AWS, and AWS created it. – mosquito110 Feb 18 '21 at 17:51
  • @smac2020 The point is that AWS provided me this topic to be able to perform some actions. If you check the topic policy you will see that I am (supposed to be) allowed to publish. – mosquito110 Feb 18 '21 at 17:51
  • Double check the ARN field in the `"Resource"` of your policy. It should be the target topic. – madhead Feb 19 '21 at 12:12
  • @madhead I have checked it. It is the correct ARN. – mosquito110 Feb 19 '21 at 15:23
  • I had a similar problem recently. Turns out that the IAM user I was logging in as didn't have SNS permissions. You may need to update the user's permissions. – Buzz Apr 27 '22 at 13:14

0 Answers
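Added example, not part of the thread and not AWS's own evaluation code: a small Python model of how a topic policy shaped like the one quoted in the question is evaluated for a same-account caller versus a caller from a different account. The account IDs, the topic ARN, the second "cross-account" policy and the helper names are all constructed for this example. The evaluator is a deliberate simplification of IAM (only StringEquals conditions, no NotPrincipal/NotAction, no wildcard principals beyond "*"), and it assumes that for a direct Publish API call the AWS:SourceOwner key carries the account the call originates from. It illustrates two points a reviewer of such a 403 would check: a Principal of "*" gated by AWS:SourceOwner = <topic owner account> admits the owner's own users but not a foreign account, and a cross-account caller needs both its own identity policy (such as AmazonSNSFullAccess) and the topic policy to allow SNS:Publish. Whether that is the cause in this particular thread is not established on the page.

```python
import fnmatch

# Constructed sample identifiers; none of these come from the original post.
TOPIC_OWNER_ACCOUNT = "111111111111"   # account that owns the topic
SELLER_ACCOUNT = "222222222222"        # the caller's own account
TOPIC_ARN = f"arn:aws:sns:us-east-1:{TOPIC_OWNER_ACCOUNT}:integration-topic"

# Same shape as the policy quoted in the question: Principal "*" narrowed by
# AWS:SourceOwner to the topic owner's account.
OWNER_ONLY_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "default",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceOwner": TOPIC_OWNER_ACCOUNT}},
    }],
}

# Constructed alternative: name the foreign account explicitly and grant only
# SNS:Publish, with no AWS:SourceOwner condition.
CROSS_ACCOUNT_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "allow-seller-publish",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SELLER_ACCOUNT}:root"},
        "Action": "SNS:Publish",
        "Resource": TOPIC_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_account):
    """Match "*" or an "AWS" principal entry against the caller's account.

    Accepts bare account IDs and any arn:aws:iam::<account>:... entry whose
    account field equals the caller's account. Simplified on purpose.
    """
    if principal == "*":
        return True
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", caller_account):
            return True
        if entry.startswith("arn:aws:iam::") and entry.split(":")[4] == caller_account:
            return True
    return False


def _condition_matches(condition, context):
    """Only StringEquals is modelled; any other operator is treated as failing."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, caller_account, context):
    """Simplified resource-policy check: an explicit Deny wins, else any Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt.get("Principal", {}), caller_account):
            continue
        # IAM action names are matched case-insensitively.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_publish(topic_policy, caller_account, identity_allows_publish=True):
    """Decide SNS:Publish on TOPIC_ARN for a caller from caller_account.

    identity_allows_publish models the caller's own IAM policy (e.g. the
    AmazonSNSFullAccess managed policy). Same-account callers need either the
    identity policy or the topic policy; cross-account callers need both.
    Assumption: for a direct API call AWS:SourceOwner is the caller's account.
    """
    context = {"AWS:SourceOwner": caller_account}
    resource_ok = evaluate(topic_policy, "SNS:Publish", TOPIC_ARN, caller_account, context)
    if caller_account == TOPIC_ARN.split(":")[4]:
        return identity_allows_publish or resource_ok
    return identity_allows_publish and resource_ok


if __name__ == "__main__":
    print("owner-only policy, owner account :", can_publish(OWNER_ONLY_POLICY, TOPIC_OWNER_ACCOUNT))
    print("owner-only policy, seller account:", can_publish(OWNER_ONLY_POLICY, SELLER_ACCOUNT))
    print("cross-account policy, seller    :", can_publish(CROSS_ACCOUNT_POLICY, SELLER_ACCOUNT))
```

Running it prints True, False, True: the owner-style policy rejects the seller account even though its own identity policy is permissive, while the explicit cross-account grant admits it for SNS:Publish only.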