I have read the instructions at https://docs.aws.amazon.com/textract/latest/dg/api-async-roles.html#api-async-roles-all-topics . My setup is somewhat different because I am using a Cognito user. To enable Textract to publish a message to SNS, I pass the relevant permissions to Textract so that it can call SNS. I am able to call the StartDocumentAnalysis method and get a response, but the SNS message is never published. The weird thing is that on a few occasions I did see several data points in CloudWatch's SNS metric 'NumberOfNotificationsDelivered', indicating that the messages were published. However, they are almost all gone now. What is wrong with the below?
The Cognito-authorized user has the CognitoAuthRole role:
  CognitoAuthRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref CoginitoIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              Service: textract.amazonaws.com
            Action: sts:AssumeRole
      Description: Used by cognito authenticated users
      ManagedPolicyArns:
        - !Ref DesktopPolicy # definition is immediately below
And the desktop policy is:
  DesktopPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DesktopBackup
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:GetRole'
              - 'iam:PassRole'
            Resource: !GetAtt "TextractEc2Role.Arn" # definition is below
          - Effect: Allow
            Action:
              - "sns:Publish"
            Resource:
              - arn:aws:sns:us-east-1:xxxxxxxxxxxx:AmazonTextractTopic
          - Effect: Allow
            Action:
              - "textract:GetDocumentAnalysis"
              - "textract:GetDocumentTextDetection"
              - "textract:StartDocumentAnalysis"
              - "textract:StartDocumentTextDetection"
            Resource:
              - "*"
The role that is passed to the Textract service using iam:PassRole is:
  TextractEc2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: textract.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonSNSFullAccess
        - arn:aws:iam::aws:policy/AmazonTextractFullAccess
        - arn:aws:iam::aws:policy/service-role/AmazonTextractServiceRole
      RoleName: TextractEc2
Edited by: L Jones on Sep 1, 2020 6:40 PM
Edited by: L Jones on Sep 1, 2020 6:41 PM
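As an added example (my own code, not the poster's and not anything from the AWS documentation), here is an offline walk through the permission chain the post sets up: the caller needs iam:PassRole on the Textract role and textract:StartDocumentAnalysis; the passed role must trust textract.amazonaws.com and be allowed sns:Publish on the topic; and the completion message is only sent if the Start call carries a NotificationChannel naming that role and topic. The policy documents are transcribed from the post with a placeholder account id, and the two AWS managed policies are written out as I know them, so treat those statements as assumptions. The evaluator is a deliberately simplified IAM model: shell-style wildcards, explicit Deny wins, and Condition, NotAction and NotResource are ignored (the post's identity policies carry none).

```python
"""Offline check of the Textract -> SNS notification permission chain.

Constructed example: policy documents mirror the CloudFormation in the post,
with the account id replaced by a placeholder (assumption).
"""
import fnmatch

ACCOUNT = "123456789012"  # placeholder, not the poster's account
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT}:AmazonTextractTopic"
TEXTRACT_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/TextractEc2"  # RoleName: TextractEc2

# DesktopPolicy from the post, with !GetAtt / the topic ARN resolved (assumed values).
DESKTOP_POLICY = [
    {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"], "Resource": TEXTRACT_ROLE_ARN},
    {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": [TOPIC_ARN]},
    {"Effect": "Allow",
     "Action": ["textract:GetDocumentAnalysis", "textract:GetDocumentTextDetection",
                "textract:StartDocumentAnalysis", "textract:StartDocumentTextDetection"],
     "Resource": ["*"]},
]

# Trust policy of TextractEc2Role from the post.
TEXTRACT_ROLE_TRUST = [
    {"Effect": "Allow", "Principal": {"Service": "textract.amazonaws.com"}, "Action": "sts:AssumeRole"},
]

# The two SNS-relevant managed policies attached to TextractEc2Role, as I know
# their contents (assumption; check the live policy versions in your account).
SNS_FULL_ACCESS = [{"Effect": "Allow", "Action": "sns:*", "Resource": "*"}]
TEXTRACT_SERVICE_ROLE = [
    {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": "arn:aws:sns:*:*:AmazonTextract*"},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match. Actions compare case-insensitively, resources do not."""
    pairs = ((p.lower(), value.lower()) if fold_case else (p, value) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(v, p) for p, v in pairs)


def is_allowed(statements, action, resource):
    """Simplified IAM decision: explicit Deny wins, otherwise any matching Allow.
    Conditions, NotAction and NotResource are ignored (assumption)."""
    decision = False
    for st in statements:
        if not _matches(st.get("Action", []), action, fold_case=True):
            continue
        if not _matches(st.get("Resource", []), resource):
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            decision = True
    return decision


def service_can_assume(trust_statements, service):
    """True if the trust policy lets the given AWS service principal call sts:AssumeRole."""
    for st in trust_statements:
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") == "Allow" and service in services and _matches(st.get("Action", []), "sts:AssumeRole", True):
            return True
    return False


def check_notification_chain(caller_policy, role_arn, role_trust, role_policy, topic_arn):
    """Each link Textract needs in order to hand the job result to SNS."""
    return {
        "caller_can_start_job": is_allowed(caller_policy, "textract:StartDocumentAnalysis", "*"),
        "caller_can_pass_role": is_allowed(caller_policy, "iam:PassRole", role_arn),
        "textract_can_assume_role": service_can_assume(role_trust, "textract.amazonaws.com"),
        "role_can_publish": is_allowed(role_policy, "sns:Publish", topic_arn),
    }


def start_document_analysis_kwargs(bucket, key, role_arn, topic_arn, feature_types=("TABLES", "FORMS")):
    """Keyword arguments for boto3 textract.start_document_analysis. Without the
    NotificationChannel block the job still runs, but nothing is ever published."""
    return {
        "DocumentLocation": {"S3Object": {"Bucket": bucket, "Name": key}},
        "FeatureTypes": list(feature_types),
        "NotificationChannel": {"SNSTopicArn": topic_arn, "RoleArn": role_arn},
    }


if __name__ == "__main__":
    for link, ok in check_notification_chain(DESKTOP_POLICY, TEXTRACT_ROLE_ARN, TEXTRACT_ROLE_TRUST,
                                             SNS_FULL_ACCESS + TEXTRACT_SERVICE_ROLE, TOPIC_ARN).items():
        print(f"{link:28s} {'ok' if ok else 'MISSING'}")
    print(start_document_analysis_kwargs("my-bucket", "scan.pdf", TEXTRACT_ROLE_ARN, TOPIC_ARN))
```

Run against the post's policies every link comes back true, so a static read of the identity policies does not explain the missing messages; the remaining places to look are outside what the post shows: whether the Start call actually included the NotificationChannel block (the return value of start_document_analysis_kwargs is the shape to compare against), the SNS topic's own resource policy, and whether the job reached a terminal status at all. The check also shows why the topic name matters: with only AmazonTextractServiceRole attached, sns:Publish is limited to topics whose name starts with AmazonTextract.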