
AWS Video Rekognition is not publishing results to SNS Topic

Running some nodejs aws rekognition to detect labels in mp4 video, but it will not publish to the specified SNS topic when complete. I don't get any permission errors when submitting the request with the topic/ROLE arns.

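const AWS = require('aws-sdk');
AWS.config.update(
    {
        region: 'us-west-2',
        // Placeholder credentials as posted
        accessKeyId: "asdfadsf",
        secretAccessKey: "asdfasdfasdfasd1234123423"
    }
);

// Rekognition client used by the startLabelDetection call below
const rekognition = new AWS.Rekognition();
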
const params = {
    Video: {
        S3Object: {
            Bucket: 'myvidebucket',
            Name: '5d683b81760ec59c2015.mp4'
        }
    },
    NotificationChannel: {
        RoleArn: 'arn:aws:iam::xxxxxxxxxxxxx:role/AmazonRekognitionSNSSuccessFeedback',
        SNSTopicArn: 'arn:aws:sns:us-west-2:xxxxxxxxxxxxx:recoknize',
    },
    MinConfidence: 60
};


rekognition.startLabelDetection(params).promise().then(data => {
    console.log(JSON.stringify(data));
}).catch(error => {
    console.log(error);
});

That code executes with no errors, and I get back a job id. My SNS topic subscription is confirmed, and is supposed to post to my HTTPS endpoint. But nothing ever arrives, and there are no error logs anywhere in the AWS console about this.

When I manually access the Rekognition results by job id, the data comes back fine, so I know it finished correctly. Something strange has to be going on with IAM permissions.

I have reviewed and tested your nodejs code successfully and I don't see anything wrong with it.

Since the code returns the AWS Rekognition "JobId" successfully, you can review your SNS configuration and check if it matches the following:

1. On your SNS topic ('arn:aws:sns:us-west-2:xxxxxxxxxxxxx:recoknize'), navigate to the access policy and check if you have a policy similar to the following:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "rekognition.amazonaws.com"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-west-2:XXXXXXXXXXXX:AmazonRekognitionTopic"
    }
  ]
}

2. On your IAM role ('arn:aws:iam::xxxxxxxxxxxxx:role/AmazonRekognitionSNSSuccessFeedback'), make sure of the following:

(i) The "Trust relationship" of your role has the following statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service":"rekognition.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

(ii) The role has an attached policy document similar to one given below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:publish"
            ],
            "Resource": "*"
        }
    ]
}

The successfully published message from Amazon Rekognition to the SNS topic should output something similar to:

{"JobId":"8acd9edd6edfb0e4985f8cd269e4863e54f7fcd451af6aafe10b32996dedbdba","Status":"SUCCEEDED","API":"StartLabelDetection","Timestamp":1568544553927,"Video":{"S3ObjectName":"final.mp4","S3Bucket":"syumak-rekognition"}}

Hope this helps.

Buried in the docs - it's apparent that https://docs.aws.amazon.com/rekognition/latest/dg/api-video-roles.html#api-video-roles-all-topics

AmazonRekognitionServiceRole gives Amazon Rekognition Video access to Amazon SNS TOPICS that are PREFIXED with AmazonRekognition.

It doesn't say the role ARN needs to be prefixed. But won't hurt. Double check your TOPIC is AmazonRekognitionMyTopicName

RoleArn: 'arn:aws:iam::xxxxxxxxxxxxx:role/AmazonRekognitionSNSSuccessFeedback', <- don't think this is so important.
SNSTopicArn: 'arn:aws:sns:us-west-2:xxxxxxxxxxxxx:recoknize', <- Must be something like AmazonRekognitionSuccess

Also - this helped / I moved off the FIFO which allows subscribing via email in addition to SQS. https://docs.aws.amazon.com/rekognition/latest/dg/video-troubleshooting.html

This line: "Verify that you have an IAM service role that gives Amazon Rekognition Video permissions to publish to your Amazon SNS topics. For more information, see Configuring Amazon Rekognition Video."

I created a new IAM and gave it AmazonRekognitionFullAccess, AmazonSNSRole, AmazonSNSFullAccess.

I updated the trust relationship to include both sns.amazonaws.com / rekognition.amazonaws.com.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "sns.amazonaws.com",
          "rekognition.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Not sure which one of these made everything click - but was a good half day on this / hopefully this will save someone some time.

  1. Trust relationship solved it for me. Add the below script to the trust relationship of the IAM that will be used as RoleArn for the script:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "Service": [
               "sns.amazonaws.com",
               "rekognition.amazonaws.com",
               "sagemaker.amazonaws.com"
             ]
           },
           "Action": "sts:AssumeRole",
           "Condition": {}
         }
       ]
     }
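
A least-privilege check for the three kinds of policy document posted in the answers above, as an added example that is not part of any answer: it flags trusted services other than rekognition.amazonaws.com, a trust statement with no aws:SourceAccount or aws:SourceArn condition, and publish statements wider than sns:Publish on the one topic. The function names, the account ID 111122223333 and the topic name are constructed for illustration.

```javascript
// Added example: audit the policy documents behind a Rekognition NotificationChannel.
// Function names, account ID 111122223333 and the topic name are constructed.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
const allows = (doc) => asArray(doc.Statement).filter((st) => st.Effect === 'Allow');

// Trust policy: only Rekognition should assume the role, and the statement
// should be pinned to the calling account (confused-deputy guard).
function auditTrustPolicy(doc) {
  const findings = [];
  for (const st of allows(doc)) {
    for (const svc of asArray(st.Principal && st.Principal.Service)) {
      if (svc !== 'rekognition.amazonaws.com') findings.push(`extra trusted service: ${svc}`);
    }
    const pinned = Object.values(st.Condition || {}).some((op) =>
      Object.keys(op).some((k) => /^aws:source(account|arn)$/i.test(k)));
    if (!pinned) findings.push('no aws:SourceAccount or aws:SourceArn condition');
  }
  return findings;
}

// Role permission policy or topic access policy: the channel needs only
// sns:Publish on the one topic passed as SNSTopicArn.
function auditPublishPolicy(doc, topicArn) {
  const findings = [];
  for (const st of allows(doc)) {
    for (const a of asArray(st.Action)) {
      if (a.toLowerCase() !== 'sns:publish') findings.push(`unneeded action: ${a}`);
    }
    for (const r of asArray(st.Resource)) {
      if (r !== topicArn) findings.push(`resource not scoped to topic: ${r}`);
    }
  }
  return findings;
}

// Constructed sample documents: the broad shapes seen on this page beside tightened ones.
const TOPIC = 'arn:aws:sns:us-west-2:111122223333:AmazonRekognitionExample';
const broadTrust = { Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Condition: {},
  Principal: { Service: ['sns.amazonaws.com', 'rekognition.amazonaws.com', 'sagemaker.amazonaws.com'] } }] };
const tightTrust = { Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole',
  Principal: { Service: 'rekognition.amazonaws.com' },
  Condition: { StringEquals: { 'aws:SourceAccount': '111122223333' } } }] };
const wildcardPublish = { Statement: [{ Effect: 'Allow', Action: ['sns:publish'], Resource: '*' }] };
const scopedPublish = { Statement: [{ Effect: 'Allow', Action: 'sns:Publish', Resource: TOPIC }] };

console.log(auditTrustPolicy(broadTrust), auditTrustPolicy(tightTrust));
console.log(auditPublishPolicy(wildcardPublish, TOPIC), auditPublishPolicy(scopedPublish, TOPIC));
```

The same `auditPublishPolicy` call works on a topic access policy, where it also reports management actions such as SNS:DeleteTopic granted to the service principal.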
