
Cross Account SNS Subscribe to Lambda in second account

I have used the policy below on the SNS topic so that this SNS topic can be subscribed to from a Lambda in account 222222222222. I have also given access to my Lambda with a similar policy, adding it to the execution role of the Lambda.

I am getting the error below:

An error occurred when creating the trigger: User: arn:aws:sts::222222222222:assumed-role/TSI_Base_FullAccess/AXXXXXXXX is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:eu-west-1:111111111111:Story-5555 (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 1321942c-25c4-52a1-bacb-c2e9bd641067)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1582008007178",
      "Action": [
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:Publish",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS"
        }
      }
    }
  ]
}

According to the AWS documentation, you should specify a Principal in addition to the Condition.

So your policy should resemble:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1582008007178",
      "Action": [
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:Publish",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
      "Principal": {
        "AWS": ["222222222222"]
      },
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": [
               "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS",
               "arn:aws:sts::222222222222:assumed-role/TSI_Base_FullAccess/AXXXXXXXX"
          ]
        }
      }
    }
  ]
}

The way to be sure which ARN to specify in the Condition section of the policy is to call (and print) the get-caller-identity API from your function.
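The procedure in the answer above, written out as an added example that is not code from the question or the answer. The pure helpers build the topic policy and translate the ARN that get-caller-identity returns into the value the condition has to match; the AWS calls under main() assume two named CLI profiles, a Lambda execution role name and a subscriber Lambda ARN, all of which are assumptions for illustration. The example matches IAM role ARNs in the condition because, for an assumed-role session, aws:PrincipalArn carries the role ARN rather than the sts assumed-role session ARN from the 403 message; whatever get-caller-identity prints in your account is what you should feed through the helper.

```python
"""Added example: cross-account SNS topic policy for a Lambda subscriber.
Offline helpers build and check the policy; main() applies it with boto3."""
import json

TOPIC_ARN = "arn:aws:sns:eu-west-1:111111111111:Story-5555"
SUBSCRIBER_ACCOUNT = "222222222222"
# Assumed name for the subscriber Lambda (taken from the question's condition).
LAMBDA_ARN = "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS"
# Roles allowed to subscribe: the role behind the 403 in the question, plus an
# assumed name for the Lambda's execution role.
ALLOWED_ROLE_ARNS = [
    "arn:aws:iam::222222222222:role/TSI_Base_FullAccess",
    "arn:aws:iam::222222222222:role/New_Cross_SNS-execution-role",  # assumed name
]


def session_arn_to_role_arn(arn):
    """Map what sts get-caller-identity prints to what aws:PrincipalArn matches.
    arn:aws:sts::ACCT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCT:role/ROLE
    IAM user and role ARNs are already in the matched form and pass through."""
    parts = arn.split(":", 5)
    if len(parts) == 6 and parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        role_name = parts[5].split("/")[1]
        return f"arn:aws:iam::{parts[4]}:role/{role_name}"
    return arn


def build_topic_policy(topic_arn, account_id, role_arns):
    """Resource-based policy for the topic owner (111111111111).
    Principal is mandatory in a resource policy; the Condition then narrows the
    whole account down to the listed roles. Only subscribe/read actions are
    granted: a subscriber does not need sns:Publish."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountSubscribe",
                "Effect": "Allow",
                "Principal": {"AWS": account_id},
                "Action": [
                    "sns:Subscribe",
                    "sns:GetTopicAttributes",
                    "sns:ListSubscriptionsByTopic",
                ],
                "Resource": topic_arn,
                "Condition": {"ArnEquals": {"aws:PrincipalArn": list(role_arns)}},
            }
        ],
    }


def principal_allowed(policy, caller_arn, action="sns:Subscribe"):
    """Offline approximation of the policy evaluation: does this caller, as
    reported by get-caller-identity, satisfy Principal and the ArnEquals condition?"""
    effective = session_arn_to_role_arn(caller_arn)
    caller_account = effective.split(":")[4]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if stmt["Principal"]["AWS"] != caller_account:
            continue
        allowed = stmt.get("Condition", {}).get("ArnEquals", {}).get("aws:PrincipalArn", [])
        if effective in allowed:
            return True
    return False


def main():
    import boto3  # imported here so the helpers above stay usable offline

    # Step 1 (subscriber account): find out who is actually calling.
    sub_session = boto3.Session(profile_name="subscriber")  # assumed profile name
    caller = sub_session.client("sts").get_caller_identity()["Arn"]
    print("caller:", caller, "-> matched as:", session_arn_to_role_arn(caller))

    # Step 2 (topic owner account): attach the policy to the topic.
    policy = build_topic_policy(TOPIC_ARN, SUBSCRIBER_ACCOUNT, ALLOWED_ROLE_ARNS)
    owner_sns = boto3.Session(profile_name="topic-owner").client("sns", region_name="eu-west-1")
    owner_sns.set_topic_attributes(
        TopicArn=TOPIC_ARN, AttributeName="Policy", AttributeValue=json.dumps(policy)
    )

    # Step 3 (subscriber account): let SNS invoke the function, then subscribe.
    # SNS needs a resource policy on the Lambda; the execution role alone is not enough.
    sub_session.client("lambda", region_name="eu-west-1").add_permission(
        FunctionName=LAMBDA_ARN,
        StatementId="AllowSnsInvoke",
        Action="lambda:InvokeFunction",
        Principal="sns.amazonaws.com",
        SourceArn=TOPIC_ARN,
    )
    sub_session.client("sns", region_name="eu-west-1").subscribe(
        TopicArn=TOPIC_ARN, Protocol="lambda", Endpoint=LAMBDA_ARN
    )


if __name__ == "__main__":
    main()
```

Run principal_allowed() against the ARN from the 403 message before touching AWS: if it returns False for the caller you expect, the condition list is wrong, and a subscribe call will fail with the same AuthorizationError.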

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM