AWS re:Post Knowledge Center Feedback Survey

Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.

How do I resolve IAM authorization errors when I add subscribers to an Amazon SNS topic?

2 minute read

I tried to add subscribers to an Amazon Simple Notification Service (Amazon SNS) topic but received an Identity and Access Management (IAM) authorization error.

Short description

When an IAM entity tries to add a subscription to an Amazon SNS topic without Subscribe API action permissions, SNS returns the following error:

"An error occurred (AuthorizationError) when calling the Subscribe operation: User: your_IAM_user_or_role is not authorized to perform: sns:Subscribe on resource: YOUR_SNS_TOPIC_ARN"

Note: Check your specific error message to determine if the error is from an identity-based policy or a resource-based policy.

To resolve this error, grant the IAM entity permission to run the Subscribe API action on the Amazon SNS topic.

Resolution

To grant the IAM entity permission to run the Subscribe API action on the Amazon SNS topic, complete the following steps:

Cross-account access

If the IAM entity is in an AWS cross-account for your SNS topic, then complete the following steps:

Attach the following identity-based policy to the IAM entity that allows the entity to run the sns:Subscribe API action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SNSSubscribePermission",
            "Effect": "Allow",
            "Action": "sns:Subscribe",
            "Resource": "YOUR_SNS_TOPIC_ARN"
        }
    ]
}

Note: Replace YOUR_SNS_TOPIC_ARN with your Amazon SNS topic's Amazon Resource Name (ARN).

Attach the following resource-based policy to your topic's access policy that allows the IAM entity to run the sns:Subscribe API action:

{
    "Sid": "AllowIAMEntity",
    "Effect": "Allow",
    "Principal": {
        "AWS": "YOUR_IAM_ENTITY_ARN "
    },
    "Action": "sns:Subscribe",
    "Resource": "YOUR_SNS_TOPIC_ARN"
}

Note: Replace YOUR_IAM_ENTITY_ARN with your IAM entity's ARN. Replace YOUR_SNS_TOPIC_ARN with your Amazon SNS topic's ARN.

Same account access

If the IAM entity is in the same AWS account as your SNS topic, then attach a policy to allow permission to the sns:Subscribe action. Attach either an identity-based policy or a resource-based policy from the preceding steps.

Related information

Using identity-based policies with Amazon SNS

Topics: Application Integration
Tags: Amazon Simple Notification Service (SNS)
Language: English

AWS OFFICIALUpdated 2 months ago

No comments

Relevant content

Can you Subscribe to an sns topic using organization id?
J99
asked 2 years ago
Issue: Unable to Configure SNS Topic for End User Messaging (2-Way SMS) – IAM Client Config Error
Robin
asked 6 months ago
How to make SNS Topic
Accepted Answer
SusuGang
asked a year ago
Solution to subscribe to an SNS topic from different region - aws-managed-waf-rule-notifications
Accepted Answer
Andre
asked 2 years ago
SQS FIFO Queue subscribed to SNS FIFO topic stopped receiving messages suddenly
edgegoldberg
asked 3 years ago
Why do I get an authorization error when I try to subscribe my Lambda function to my Amazon SNS topic?
AWS OFFICIALUpdated 4 years ago
How do I resolve an “authorization error" when attempting to view or modify a cross-account SQS subscription's attributes on the Amazon SNS console?
AWS OFFICIALUpdated 4 years ago
Why can't I publish or subscribe to an Amazon SNS topic?
AWS OFFICIALUpdated 4 years ago
How do I resolve the error that I receive when I subscribe a Lambda function to a push-based event source in CloudFormation?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot when User: arn is no authorized to perform Create * or Delete * or Update * on resource(s) because no identity- policy allows the actions
EXPERT
Priyanka Y
published a year ago