I am trying to enable SMS message delivery logs in AWS SNS. But no matter what I do I get this error:
Couldn't set text messaging attributes. Error code: AuthorizationError
- Error message: You are not authorized to perform actions for the provided bucket
I have tried numerous IAM roles (including admin access role) and I am logged in as the root account owner.
What might I be missing? What can I try?
Thank you!
I found this specific documentation that solved it for me: https://docs.aws.amazon.com/sns/latest/dg/sms_stats_usage.html#example_bucket_policy
The key is that the bucket policy needs to list sns.amazonaws.com as the principal, and really only needs to allow these 3 actions to finish configuring SMS:
s3:GetBucketLocation
s3:ListBucket
s3:PutObject
{
"Version": "2012-10-17",
"Id": "Policy1653549854620",
"Statement": [
{
"Sid": "Stmt1653549853470",
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::BUCKETNAME"
}
]
}
Related
Goal: Grant permissions to IAM user to confirm an SNS Topic Subscription
Problem: Using AWS Web Console, I am unable to grant the proper SNS permissions to the IAM user account no matter what permissive policies I attach to it.
Steps completed: I created a Topic which tracks changes to S3 objects and pushes that information to my application via an SNS subscription (HTTPS/JSON calls).
My code that receives the request:
def self.confirm(arn, token)
client = retrieve_client
client.confirm_subscription(topic_arn: arn, token: token)
end
def self.retrieve_client
creds = Aws::Credentials.new(
Rails.application.credentials.dig(:aws, :access_key_id),
Rails.application.credentials.dig(:aws, :secret_access_key)
)
Aws::SNS::Client.new(region: 'us-east-2', credentials: creds)
end
When my code receives the SNS confirmation request, I receive this error message:
Aws::SNS::Errors::AuthorizationError (User: arn:aws:iam::12345678912:user/user_name is not authorized to perform: SNS:ConfirmSubscription on resource: arn:aws:sns:us-east-2:12345678912:topic_name because no boundary policy allows the SNS:ConfirmSubscription action)
The above code works well with a different application (but different IAM user), so I don't believe the code is the culprit, yet.
I've attempted adding policies to a group, then the user to the group, nothing changes.
I've resorted to directly adding policies to the user, nothing changes.
Here are the two most permissive policies I've tried and I don't know what other blanket permissions I can give this user to make this subscription confirmation work.
Topic arn: arn:aws:sns:us-east-2:12345678912:topic_name
Topic access policy:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-2:12345678912:topic_name
"StringEquals": {
"AWS:SourceAccount": "12345678912"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:*:*:*"
}
}
}
]
}
Policy 1 (from the AWS Managed AmazonSNSFullAccess policy):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sns:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Policy 2, where I just click as many Action selections as possible to see if anything will work:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sns:TagResource",
"sns:DeleteTopic",
"sns:ListTopics",
"sns:Unsubscribe",
"sns:CreatePlatformEndpoint",
"sns:SetTopicAttributes",
"sns:UntagResource",
"sns:OptInPhoneNumber",
"sns:CheckIfPhoneNumberIsOptedOut",
"sns:ListEndpointsByPlatformApplication",
"sns:SetEndpointAttributes",
"sns:Publish",
"sns:DeletePlatformApplication",
"sns:SetPlatformApplicationAttributes",
"sns:VerifySMSSandboxPhoneNumber",
"sns:Subscribe",
"sns:ConfirmSubscription",
"sns:RemovePermission",
"sns:ListTagsForResource",
"sns:DeleteSMSSandboxPhoneNumber",
"sns:ListSubscriptionsByTopic",
"sns:GetTopicAttributes",
"sns:ListSMSSandboxPhoneNumbers",
"sns:CreatePlatformApplication",
"sns:SetSMSAttributes",
"sns:CreateTopic",
"sns:GetPlatformApplicationAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListSubscriptions",
"sns:AddPermission",
"sns:ListOriginationNumbers",
"sns:DeleteEndpoint",
"sns:ListPhoneNumbersOptedOut",
"sns:GetEndpointAttributes",
"sns:SetSubscriptionAttributes",
"sns:GetSMSSandboxAccountStatus",
"sns:CreateSMSSandboxPhoneNumber",
"sns:ListPlatformApplications",
"sns:GetSMSAttributes"
],
"Resource": "*"
}
]
}
It's completely unclear to me what other policies are required to give this user the authorization necessary to confirm the SNS subscription.
Thanks to the question Marcin asked about the "boundary policy," I learned that the concept of an IAM boundary policy existed, what it was, and then fixed my problem.
At some point, when the IAM user was setup, a boundary policy was attached to the user account, which precludes any other policies that may be given to that user by other service or group policies.
Thus, when I inspected the IAM user in question, I found a boundary policy that only permitted access to AWS S3 services. This policy prevented my efforts to give the user access to AWS SNS services.
After removing the boundary policy, the IAM user settings now read "Permissions boundary (not set)" and the confirmation of the SNS subscriptions work as expected.
Thanks for the help, Marcin!
I've recently setup AWS SES and continue to run into the following error when sending email from a local application.
User `arn:aws:iam::REDACTED:user/mail_user' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:us-east-1:REDACTED:identity/mail#REDACTED.COM'
I've setup the below policy for the email mail#REDACTED.COM
{
"Version": "2012-10-17",
"Id": "SampleAuthorizationPolicy",
"Statement": [
{
"Sid": "AuthorizeEmail",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::REDACTED:user/mail_user"
},
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "arn:aws:ses:us-east-1:REDACTED:identity/mail#REDACTED.COM"
}
]
}
Any suggestions as to why I'm continuing to receive the unauthorized error?
To resolve this issue I created an inline policy for the user via IAM (the permissions tab under the User).
I granted the following permissions to resource arn:aws:ses:us-east-1:REDACTED:identity/mail#REDACTED.COM
SendEmail
SendRawEmail
I did not need to create an identity policy via the SES management panel.
I am trying to configure the SQS policy for a queue to authorize all principles of an account to send messages to this queue, according to the documentation here:
{
"Version": "2012-10-17",
"Id": "sqspolicy",
"Statement": [
{
"Sid": "Sqs policy1",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789:root"
]
}
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:eu-west-1:123456789:my_queue"
}
]
}
Will this allow any principle of this account to send messages to my_queue or will it only allow the root user?
Or should I use the below policy with a condition instead?
{
"Version": "2012-10-17",
"Id": "sqspolicy",
"Statement": [
{
"Sid": "Sqs policy1",
"Effect": "Allow",
"Principal": {
"AWS": "*"
}
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:eu-west-1:123456789:my_queue"
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "123456789"
}
}
}
]
}
TIA
The documentation says:
When you use an AWS account identifier as the principal in a policy, you delegate authority to the account. All identities inside the account can access the resource if they have the appropriate IAM permissions attached to explicitly allow access. This includes IAM users and roles in that account.
According to this, your first approach will allow all of your users to send messages.
Only first policy is valid. The second policy will not work, the way you may think. The reason is that aws:SourceAccount is only used for service-to-service requests, not IAM users or roles. The most common example of when aws:SourceAccount is used is for S3:
For example, when an Amazon S3 bucket update triggers an Amazon SNS topic post, the Amazon S3 service invokes the sns:Publish API operation. The bucket is considered the source of the SNS request and the value of the key is the account ID associated with the bucket.
Send-messages requests made by IAM users/roles in the second account will be denied because for these entities there is no aws:SourceAccount.
sqs.addPermission("https://sqs.eu-west-1.amazonaws.com/111111111111/queueName", "remoteAccess",
Arrays.asList("arn:aws:iam::222222222222:user/user.x#mycompany.com"), Arrays.asList(SQSActions.SendMessage.name()));
Should (IMO) add permissions on a queue to a user in a different account.
I get an error.
Value [arn:aws:iam::222222222222:user/user.x#mycompany.com] for
parameter PrincipalId is invalid. Reason: Unable to verify. (Service:
AmazonSQS; Status Code: 400; Error Code: InvalidParameterValue;
Anyone know how to programmatically give a specific user in a different account access to a queue?
This is the same user arn as I see when I add the permission via the sqs web console.
This section of the documentation has examples for cross-account SQS access policies : https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-customer-managed-policy-examples.html
You need to apply a policy both on the queue level and to the principal in the other account.
For example, at the queue level
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"AWS": "111122223333"},
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": ["arn:aws:sqs:*:123456789012:queue1"],
}
}
If you do want to grant access to specific user, group or roles, you can use the Principal field like this :
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:role/role1",
"arn:aws:iam::111122223333:user/username1"
]
},
and in the other account, to the role or user who needs to access the queue (you can obviously limit the SQS API list, this just an example)
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sqs:*",
"Resource": "arn:aws:sqs:*:123456789012:queue1"
}
}
I'm trying to follow this tutorial, but when I try to test the API I've created, I get the following message:
API Gateway does not have permission to assume the provided role
The API request should be posting to a DynamoDB table I've created.
I've created an IAM Role and attached the policy AmazonDynamoDBFullAccess. I've also tried attaching this policy to my administrator user.
Here is the integration request in my API:
Any help is much appreciated.
Below worked for me
Go to IAM > Roles > whateverRole > Trust Relationships > Edit Trust Relationship and add apigateway under Statements
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Assisted by this guy https://histerr.blogspot.com/2016/06/api-gateway-does-not-have-permission-to.html?showComment=1549214559316#c3046645274286738526
The ARN you have provided for the IAM Role is a policy. It needs to be a role. Please go to your generated role and update your ARN to that. It should look something like this *:role/AmazonDynamoDBFullAccess-201709151726