Textract completion msg not published to SNS Topic using Cognito user

0

I have read the instructions at https://docs.aws.amazon.com/textract/latest/dg/api-async-roles.html#api-async-roles-all-topics . My setup is somewhat different because I am using a Cognito user. To enable Textract to publish messages to SNS, I pass the relevant permissions to Textract so it can call SNS. I am able to call the StartDocumentAnalysis method and get a response, but the SNS message is never published. The weird thing is that on a few occasions I did see several data points in CloudWatch's SNS metric 'NumberOfNotificationsDelivered', indicating that the messages were published. However, they are almost all gone now. What is wrong with the below?

The cognito authorized user has the CognitoAuthRole role:

CognitoAuthRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Federated: cognito-identity.amazonaws.com
          Action: sts:AssumeRoleWithWebIdentity
          Condition:
            StringEquals:
              cognito-identity.amazonaws.com:aud: !Ref CoginitoIdentityPool
            ForAnyValue:StringLike:
              cognito-identity.amazonaws.com:amr: authenticated
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
        - Effect: Allow
          Principal:
            Service: textract.amazonaws.com
          Action: sts:AssumeRole
    Description: Used by cognito authenticated users
    ManagedPolicyArns:
      - !Ref DesktopPolicy # definition is immediately below

And the desktop policy is:

DesktopPolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    ManagedPolicyName: DesktopBackup
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - 'iam:GetRole'
            - 'iam:PassRole'
          Resource: !GetAtt "TextractEc2Role.Arn" # definition is below
        - Effect: Allow
          Action:
            - "sns:Publish"
          Resource:
            - arn:aws:sns:us-east-1:xxxxxxxxxxxx:AmazonTextractTopic
        - Effect: Allow
          Action:
            - "textract:GetDocumentAnalysis"
            - "textract:GetDocumentTextDetection"
            - "textract:StartDocumentAnalysis"
            - "textract:StartDocumentTextDetection"
          Resource:
            - "*"

The role that is passed to Textract service using iam:PassRole is:

TextractEc2Role:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: textract.amazonaws.com
          Action: sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
      - arn:aws:iam::aws:policy/AmazonSNSFullAccess
      - arn:aws:iam::aws:policy/AmazonTextractFullAccess
      - arn:aws:iam::aws:policy/service-role/AmazonTextractServiceRole
    RoleName: TextractEc2

Edited by: L Jones on Sep 1, 2020 6:40 PM

Edited by: L Jones on Sep 1, 2020 6:41 PM

L Jones
asked 4 years ago, 944 views
1 answer
0

I found the issue. When using the .NET API (or any other API), there is no need to specify "iam:PassRole" for the user. The API has the ability to specify both the role Textract needs to call SNS and also which topic to send the completion message to. See the .NET solution below.

NotificationChannel channel = new NotificationChannel();
channel.RoleArn = MY_TEXTRACT_SNS_ROLE_ARN;
channel.SNSTopicArn = MY_TEXTRACT_SNS_TOPIC_ARN;
request.NotificationChannel = channel;

Where MY_TEXTRACT_SNS_TOPIC_ARN is an SNS topic that must begin with 'AmazonTextract'. Ex: AmazonTextractMyTopic

Where MY_TEXTRACT_SNS_ROLE_ARN is the ARN for:

TextractSnsRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: textract.amazonaws.com
          Action: sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonTextractServiceRole
    RoleName: TextractSns
L Jones
answered 4 years ago
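A fuller version of the call the answer describes, as an added example rather than the poster's own code: it builds the Textract client from the Cognito-authenticated user's credentials, checks up front that the topic name starts with `AmazonTextract` (a misnamed topic is one reason no completion message ever arrives), and submits a StartDocumentAnalysis request carrying the NotificationChannel. The identity pool id, login provider name and token, bucket/key, and the two ARNs are placeholders the caller supplies; the regex check is the example's own, not part of the AWS SDK.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentity;
using Amazon.Textract;
using Amazon.Textract.Model;

public static class TextractAsyncStarter
{
    // Textract only delivers completion notifications to topics whose name
    // begins with "AmazonTextract". Checking the ARN before the call makes a
    // misnamed topic fail loudly instead of silently never being notified.
    private static readonly Regex TopicArnPattern =
        new Regex(@"^arn:aws:sns:[a-z0-9-]+:\d{12}:AmazonTextract[A-Za-z0-9_-]*$");

    public static bool IsValidTextractTopicArn(string topicArn) =>
        TopicArnPattern.IsMatch(topicArn);

    public static async Task<string> StartAnalysisAsync(
        string identityPoolId, string providerName, string idToken,
        string bucket, string key, string snsRoleArn, string snsTopicArn)
    {
        if (!IsValidTextractTopicArn(snsTopicArn))
            throw new ArgumentException("SNS topic name must start with AmazonTextract", nameof(snsTopicArn));

        // Credentials of the Cognito-authenticated user (the role the identity
        // pool maps to, e.g. CognitoAuthRole). Placeholder inputs from the caller.
        var credentials = new CognitoAWSCredentials(identityPoolId, RegionEndpoint.USEast1);
        credentials.AddLogin(providerName, idToken);

        using var textract = new AmazonTextractClient(credentials, RegionEndpoint.USEast1);

        var request = new StartDocumentAnalysisRequest
        {
            DocumentLocation = new DocumentLocation
            {
                S3Object = new S3Object { Bucket = bucket, Name = key }
            },
            FeatureTypes = new List<string> { "TABLES", "FORMS" },
            // The role Textract assumes to publish the completion message; it
            // only needs sns:Publish on this one topic, nothing broader.
            NotificationChannel = new NotificationChannel
            {
                RoleArn = snsRoleArn,
                SNSTopicArn = snsTopicArn
            }
        };

        StartDocumentAnalysisResponse response = await textract.StartDocumentAnalysisAsync(request);
        // The JobId is echoed back in the SNS completion message and is the
        // key for the later GetDocumentAnalysis call.
        return response.JobId;
    }
}
```

The caller's Cognito role still needs textract:StartDocumentAnalysis (and GetDocumentAnalysis for the follow-up), while the SNS publish permission lives on the role named in RoleArn.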
