Textract completion msg not published to SNS Topic using Cognito user

0

I have read the instructions at https://docs.aws.amazon.com/textract/latest/dg/api-async-roles.html#api-async-roles-all-topics . My setup is somewhat different because I am using a Cognito user. To enable Textract to publish messages to SNS, I pass the relevant permissions to Textract so it can call SNS. I am able to call the StartDocumentAnalysis method and get a response, but the SNS message is never published. The weird thing is that on a few occasions I did see several data points in CloudWatch's SNS metric 'NumberOfNotificationsDelivered', indicating that the messages were published. However, they are almost all gone now. What is wrong with the below?

The cognito authorized user has the CognitoAuthRole role:

CognitoAuthRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Federated: cognito-identity.amazonaws.com
          Action: sts:AssumeRoleWithWebIdentity
          Condition:
            StringEquals:
              cognito-identity.amazonaws.com:aud: !Ref CoginitoIdentityPool
            ForAnyValue:StringLike:
              cognito-identity.amazonaws.com:amr: authenticated
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
        - Effect: Allow
          Principal:
            Service: textract.amazonaws.com
          Action: sts:AssumeRole
    Description: Used by cognito authenticated users
    ManagedPolicyArns:
      - !Ref DesktopPolicy  # definition is immediately below

And the desktop policy is:

DesktopPolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    ManagedPolicyName: DesktopBackup
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - 'iam:GetRole'
            - 'iam:PassRole'
          Resource: !GetAtt "TextractEc2Role.Arn"  # definition is below
        - Effect: Allow
          Action:
            - "sns:Publish"
          Resource:
            - arn:aws:sns:us-east-1:xxxxxxxxxxxx:AmazonTextractTopic
        - Effect: Allow
          Action:
            - "textract:GetDocumentAnalysis"
            - "textract:GetDocumentTextDetection"
            - "textract:StartDocumentAnalysis"
            - "textract:StartDocumentTextDetection"
          Resource:
            - "*"

The role that is passed to Textract service using iam:PassRole is:

TextractEc2Role:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: textract.amazonaws.com
          Action: sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
      - arn:aws:iam::aws:policy/AmazonSNSFullAccess
      - arn:aws:iam::aws:policy/AmazonTextractFullAccess
      - arn:aws:iam::aws:policy/service-role/AmazonTextractServiceRole
    RoleName: TextractEc2

Edited by: L Jones on Sep 1, 2020 6:40 PM


L Jones
asked 4 years ago, 921 views
1 Answer
0

I found the issue. When using the .NET API (or any other API), there is no need to specify "iam:PassRole" for the user. The API has the ability to specify both the role Textract needs to call SNS and also which topic to send the completion message to. See the .NET solution below.

// Tell Textract which role to assume and which topic to publish the completion message to.
NotificationChannel channel = new NotificationChannel();
channel.RoleArn = MY_TEXTRACT_SNS_ROLE_ARN;
channel.SNSTopicArn = MY_TEXTRACT_SNS_TOPIC_ARN;
request.NotificationChannel = channel;

Where MY_TEXTRACT_SNS_TOPIC_ARN is an SNS topic whose name must begin with 'AmazonTextract'. Ex: AmazonTextractMyTopic

Where MY_TEXTRACT_SNS_ROLE_ARN is the ARN for:

TextractSnsRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: textract.amazonaws.com
          Action: sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonTextractServiceRole
    RoleName: TextractSns
L Jones
answered 4 years ago
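The same NotificationChannel approach as the answer describes, as an added Python example (not the answer's own code) that builds the StartDocumentAnalysis parameters and refuses to call Textract when the topic name or the role's trust policy does not match what Textract requires; the ARNs, bucket and trust policy below are constructed placeholders.

```python
import re

# Constructed sample values (placeholders, not the asker's real ARNs).
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:AmazonTextractMyTopic"
ROLE_ARN = "arn:aws:iam::111122223333:role/TextractSns"

# Constructed trust policy mirroring the TextractSnsRole shown in the answer.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "textract.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}

TOPIC_ARN_RE = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:(?P<name>[A-Za-z0-9_-]+)$")


def topic_name_is_valid(topic_arn: str) -> bool:
    """Textract's service-role policy only allows publishing to topics named AmazonTextract*."""
    m = TOPIC_ARN_RE.match(topic_arn)
    return bool(m) and m.group("name").startswith("AmazonTextract")


def trust_policy_allows_textract(policy: dict) -> bool:
    """True if some Allow statement lets textract.amazonaws.com call sts:AssumeRole."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        actions = stmt.get("Action", [])
        services = [services] if isinstance(services, str) else services
        actions = [actions] if isinstance(actions, str) else actions
        if "textract.amazonaws.com" in services and "sts:AssumeRole" in actions:
            return True
    return False


def build_start_request(bucket, key, role_arn, topic_arn, trust_policy):
    """Build StartDocumentAnalysis kwargs; fail fast on the two common misconfigurations."""
    if not topic_name_is_valid(topic_arn):
        raise ValueError("SNS topic name must start with 'AmazonTextract'")
    if not trust_policy_allows_textract(trust_policy):
        raise ValueError("role trust policy must let textract.amazonaws.com assume the role")
    return {
        "DocumentLocation": {"S3Object": {"Bucket": bucket, "Name": key}},
        "FeatureTypes": ["TABLES", "FORMS"],
        "NotificationChannel": {"RoleArn": role_arn, "SNSTopicArn": topic_arn},
    }
```

The returned dict is what you would pass as `boto3.client("textract").start_document_analysis(**params)`; the caller's own identity needs only the textract:Start* permission, not iam:PassRole, for this to work.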
