I tried to publish to an Amazon Simple Notification Service (Amazon SNS) topic and received a "publish operation" error.
Resolution
Complete the troubleshooting steps for the type of Amazon SNS "publish operation" error that you received.
"An error occurred (AuthorizationError) when calling the Publish operation"
This error occurs when the AWS Identity and Access Management (IAM) role attached to your Amazon Elastic Compute Cloud (Amazon EC2) instance, or the access policy of the SNS topic, doesn't grant the permissions needed to publish.
To resolve this error, see How do I use an IAM role to publish an Amazon SNS topic from a cross-account Amazon EC2 instance?
"An error occurred (KMSAccessDenied) when calling the Publish operation"
This error occurs when you try to publish to an SNS topic that uses server-side encryption from an Amazon EC2 instance in another AWS account. It's caused by incorrect IAM and AWS Key Management Service (AWS KMS) permissions: the IAM role of your EC2 instance and the key policy of the KMS key that encrypts the topic don't both allow the required AWS KMS actions.
To resolve the error, activate your AWS KMS key and update your AWS KMS key policy and IAM policy to the correct permissions.
Note: It's a best practice to grant least privilege permissions with IAM policies.
Complete the following steps:
- Make sure that your AWS KMS key is activated.
- Confirm that the key policy of the KMS key that's used for server-side encryption on your SNS topic allows your EC2 instance's IAM role to perform kms:GenerateDataKey* and kms:Decrypt. The key policy statement looks similar to the following:

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/cross-acc-ec2-sns-publish-role"
      },
      "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
- Attach the following IAM role policy to your EC2 instance with kms:GenerateDataKey* and kms:Decrypt permissions:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey*"
          ],
          "Resource": "your_KMS_Key_ARN"
        }
      ]
    }
Note: Replace your_KMS_Key_ARN with your KMS Key Amazon Resource Name (ARN).
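The following is an added example, not part of the original article, that checks both policy documents offline before you change anything: it confirms the key policy grants the role kms:GenerateDataKey* and kms:Decrypt, and that the role's IAM policy grants the same actions on the key ARN. The role ARN is the one from the article; the key ARN is a constructed placeholder, and the sample policies are constructed from the two snippets above.

```python
import fnmatch

# Constructed sample documents modelled on the two policies in the article.
# The key ARN is a placeholder, not a real key.
ROLE_ARN = "arn:aws:iam::111122223333:role/cross-acc-ec2-sns-publish-role"
KEY_ARN = "arn:aws:kms:us-east-1:444455556666:key/EXAMPLE-KEY-ID"
REQUIRED = ("kms:GenerateDataKey", "kms:Decrypt")

KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"}]}
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": KEY_ARN}]}


def _matches(patterns, target):
    # IAM wildcards: "*" matches anything, "kms:GenerateDataKey*" the whole family.
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(target, p) for p in pats)


def missing_actions(policy, principal_arn=None, resource_arn=None):
    """Return the REQUIRED actions this policy does not grant.
    principal_arn is matched against Principal (key policy check) and
    resource_arn against Resource (IAM policy check); None skips a check.
    A matching explicit Deny wins over any Allow, as in IAM evaluation."""
    missing = []
    for action in REQUIRED:
        allowed = denied = False
        for stmt in policy.get("Statement", []):
            principal = stmt.get("Principal", {})
            principal = principal.get("AWS", []) if isinstance(principal, dict) else principal
            if not _matches(stmt.get("Action", []), action):
                continue
            if principal_arn is not None and not _matches(principal, principal_arn):
                continue
            if resource_arn is not None and not _matches(stmt.get("Resource", []), resource_arn):
                continue
            allowed |= stmt.get("Effect") == "Allow"
            denied |= stmt.get("Effect") == "Deny"
        if denied or not allowed:
            missing.append(action)
    return missing


def check_publish_permissions(key_policy, iam_policy, role_arn, key_arn):
    """Both checks at once; two empty lists mean neither document is the cause."""
    return {"key_policy": missing_actions(key_policy, principal_arn=role_arn),
            "iam_policy": missing_actions(iam_policy, resource_arn=key_arn)}
```

Paste the real key policy (from the AWS KMS console or get-key-policy) and the role's policy into KEY_POLICY and IAM_POLICY to see which document is missing which action.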