1

How to allow only jobs from a certain AWS Batch queue (and based on a specific job description) to publish to the specific SNS topic?

I though about attaching to jobs IAM policy with the statement:

    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": ["<arn of the specific SNS topic"]
      "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:???"}}

    }

But what should be the source ARN? ARN of the job queue, ARN of the job definition? Or maybe this should be set up completely differently?

MarKed
  • 167
  • 1
  • 7

1 Answers1

1

I had a similar experience when worked with AWS Batch jobs executed in Fargate containers which follow the same principles as ECS in scope of assigning roles and permissions.

If you are going to publish messages into specific topic from the code executed inside of your container, then you should create a role with necessary permissions and then use its ARN in the JobRoleArn property of your job definition.

For example (there can be minor mistakes in the code below, but I am just trying to explain the concept here):

Role cloudformation:

"roleresourceID": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "AWS": "*"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "RoleName": "your-job-role"
      }
    }

Policy attached to the role:

"policyresourceid": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
             {
               "Action": "sns:Publish",
               "Effect": "Allow",
               "Resource": "<arn of the specific SNS topic>"
             }
          ],
          "Version": "2012-10-17"
        },
      "PolicyName": "your-job-role-policy",
      "Roles": [
          {
            "Ref": "roleresourceID"
          }
        ]
      }
   }

And finally attach role to the Job Definition:

....other job definition properties

"JobRoleArn": {
      "Fn::GetAtt": [
         "roleresourceID",
         "Arn"
       ]
   }

Of course you may structure and format roles and policies in way you like, the main idea of this explanation is that you need to attach proper role using JobRoleArn property of your job definition.

Artem Arkhipov
  • 7,025
  • 5
  • 30
  • 52
  • 1
    OK, so if I was using same job definition for couple of different batch jobs so far, I have to create new job definition for my specific batch job, with new role having policy giving publish to specific SNS topic permission. Thank you! – MarKed Dec 28 '21 at 02:16