Unable to send data to SNS from lambda using designer view - amazon-web-services

When following Introducing AWS Lambda Destinations I'm told to create an SNS topic as the destination, and I do that:
But it doesn't send anything. I already had an SNS topic able to send mail to my account, and I have adapted the policy to accept everything from everyone (it works with the 'Publish another message' button).
If I call the sns from code it works:
const AWS = require('aws-sdk');

exports.handler = (event, context, callback) => {
  if (event.Success) {
    console.log("Success");
    context.callbackWaitsForEmptyEventLoop = false;
    var sns = new AWS.SNS();
    sns.publish({
      Message: 'File(s) uploaded successfully',
      TopicArn: 'arn:aws:sns:XXX:YYY:ZZZ'
    }, (err, data) => {
      if (err) {
        console.log(err.stack);
        return callback(err); // report the failure instead of letting the invocation time out
      }
      callback(null);
    });
  } else {
    callback(null); // nothing to publish, but still complete the invocation
  }
};
But I was hoping not to have to write code for that (that's what's suggested in the blog entry), so for example if I change the SNS topic I don't have to change the code.
Have any of you succeeded in doing this?
Thanks,

I have reviewed and replicated the AWS Lambda Destinations blog successfully without modifying the sample code snippet from the blog.
I would suggest you review your SNS configuration (and change the us-west-2 region to your AWS region of use as need be) and check that it matches the following:
1. On your SNS topic ('arn:aws:sns:us-west-2:1234567890:YourSNSTopicOnSuccess'), navigate to the access policy and check if you have a policy similar to the following:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-west-2:1234567890:YourSNSTopicOnSuccess"
    }
  ]
}
2. On your Lambda role ('arn:aws:iam::1234567890:role/YourLambdaDestinationRole'), make sure of the following:
(i) The "Trust relationship" of your role has the following statement:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
(ii) The Lambda role has an attached policy document similar to the one given below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:publish"
      ],
      "Resource": "*"
    }
  ]
}
A message successfully published from AWS Lambda to the SNS topic should look similar to:
{
  "version": "1.0",
  "timestamp": "2020-03-22T16:29:50.528Z",
  "requestContext": {
    "requestId": "43d109d2-54be-4e2e-b8d8-2757e3f06f76",
    "functionArn": "arn:aws:lambda:eu-west-1:1234567890:function:event-destinations:$LATEST",
    "condition": "Success",
    "approximateInvokeCount": 1
  },
  "requestPayload": { "Success": true },
  "responseContext": {
    "statusCode": 200,
    "executedVersion": "$LATEST"
  },
  "responsePayload": null
}
Hope this helps.

Related

SNS notification target rule is "unreachable" when trying to send a notification from CodePipeline

I am trying to set up a notification for the CodePipeline using its notification rule, which supports SNS.
As you can see in the picture, the status is "unreachable".
If I look at the link here: aws troubleshoot
I have followed all the steps, even the step of adding codestar-notifications to the Access policy of the SNS topic.
{
  "Sid": "AWSCodeStarNotifications_publish",
  "Effect": "Allow",
  "Principal": {
    "Service": "codestar-notifications.amazonaws.com"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:codestar-notifications:us-east-1:272075499248:notificationrule/50d629524d433dceeafdb6c5fe136e404f29e9e5"
}
But still, the status remains the same; I also tried manually starting the pipeline, but it is still not working.
Am I missing something? Could anyone help me out with this?
EDIT:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:272075499248:develop",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "272075499248"
        }
      }
    },
    {
      "Sid": "AWSCodeStarNotifications_publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:272075499248:develop"
    }
  ]
}
The previous answers here were too confusing and some of them were incomplete. Here is the complete solution with the ins and outs.
1. Simple Notification Service Access Policy Confusion
Whenever you create an SNS topic by itself, the default access policy will look something like this:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-east-2:123456789012:my-sns-topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "123456789012"
        }
      }
    }
  ]
}
The above is wrong and will not let your CodePipeline access the SNS topic (make it reachable/"Active")! Change the Access policy for your SNS topic to the following instead:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "CodeNotification_publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-2:123456789012:my-sns-topic"
    }
  ]
}
NOTE 1: Change 123456789012 to your AWS account ID, and my-sns-topic to the name of your SNS topic.
NOTE 2: If your region is different from us-east-2, then change that too in the above snippet.
NOTE 3: Both the SNS topic and the CodePipeline Notification rule should be in the same region, otherwise this won't work.
2. Notification Rule and Notification Rule Target Issue
Whenever you create a Notification Rule and then a Notification Rule Target,
the only way possible for AWS to refresh the Notification target status is for you to delete the Notification rule target from CodePipeline -> Settings (on the left side bar) -> Notification rules -> Notification rule targets (this is extremely important!).
NOTE: Deleting the Notification rule target from the notification rule itself won't do anything; because of that, when you re-add it in that page, the Notification rule target will still be the old one and thus the Notification target status will remain "Unreachable".
If after everything it still says it's unreachable, repeat exactly steps #1 and #2 again, you may have missed something.
One way to solve this is to use the CodePipeline user interface to create the Topic. This will set all of the required permissions for you. When creating the Notification Rule, under "Targets", select "Create Target" and enter the name of the Topic you wish to create. The topic will be created with permissions already set. You will just need to subscribe to the topic to receive the notifications.
The JSON file is correct, but you should delete and re-create the target rule
It could be that your pipeline’s IAM execution role doesn’t have the required permissions to publish messages to the topic. Make sure your pipeline can publish messages in both the IAM role and the SNS policy and give it another go. A telltale sign of this is the CodePipeline notification console showing “Unreachable” next to the SNS topic.
The SNS access policy will look like the following:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "StatusNotificationsPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789123:root",
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:ap-southeast-2:123456789123:gimme-alerts"
    },
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:ap-southeast-2:123456789123:gimme-alerts",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "123456789123"
        }
      }
    }
  ]
}
https://www.stephengream.com/codepipeline-notifications
The following did work for me.
I followed the suggestion by Phil Gilligan in the other answer. It automatically created the access policy on the SNS topic when it was created from CodeCommit itself.
Change the account ID and repo name according to your own case.
There is no other rule, just this one rule. It seems like the rules are evaluated and one rule overrides the other. I think if one rule is more restrictive it takes precedence over the other.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "CodeNotification_publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:ACCOUNT_ID:REPO_NAME"
    }
  ]
}
Answers about Access Policy are right. But the change is not applied immediately. Very annoying.
Just create new topic from CodePipeline Settings. The access policy will be auto-adjusted.

How to send SMS through SNS and Cloudwatch?

I am trying to send an SMS to my mobile when my EC2 instance stops.
I am automatically stopping my EC2 instance, and now I want to send an SMS to my mobile when it stops.
I created an SNS topic with my mobile number as subscriber.
I created an Alarm for when the EC2 instance stops.
Under SNS > Mobile > Text messaging (SMS) > Text messaging preferences (Edit):
a. I selected "Default message type" as "Transactional".
b. I created a new IAM role.
IAM role policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:PutMetricFilter",
        "logs:PutRetentionPolicy"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
SNS topic access policy
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:Receive",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-west-2:account-id:sns-topic-name",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "account-id"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cloudwatch:us-west-2:account-id:alarm:*"
        }
      }
    }
  ]
}
When the alarm is triggered, I am getting the below error:
{
  "actionState": "Failed",
  "stateUpdateTimestamp": 1561102479560,
  "notificationResource": "arn:aws:sns:us-west-2:account-id:sns-topic-name",
  "publishedMessage": null,
  "error": "Resource: arn:aws:cloudwatch:us-west-2:account-id:alarm:alarm-name is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-west-2:account-id:sns-topic-name"
}
I am unable to understand what permission it is expecting.
The cause of the error is most likely due to the policy having incorrect values. I'm not sure which values you changed to protect sensitive values, but you'd need to update sns-topic-name and account-id.
However, I would recommend another way of achieving your goals...
You can use Amazon CloudWatch Events to look out for a specific event (eg an instance changing state to Stopped) and have it send a message to Amazon SNS directly (without using an Alarm).
The steps are:
In the Amazon CloudWatch console, click Rules
Create rule
Service name: EC2
Event type: EC2 Instance State-change Notification
Specific state(s): Stopped
Choose Any instance or Specific instance Id(s)
On the right, under Targets, click Add target
SNS topic
Select your topic
This will then send a message whenever the instance stops.
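The rule those console steps create is expressed as an event pattern, and the target receives only the events that pattern matches. The following is an added example, not code from the answer above or from AWS: it writes out that pattern, implements the matching that CloudWatch Events applies to incoming events (every pattern key must be present, a list of values is an OR, nested objects recurse, unmentioned fields are ignored), and runs it over constructed EC2 state-change events. The instance IDs, account number, timestamps and the sms_text helper are invented for illustration.

```python
import json

# Constructed rule pattern: what the console steps above (Service name EC2, Event type
# "EC2 Instance State-change Notification", Specific state(s) Stopped, Any instance) produce.
STOPPED_ANY_INSTANCE = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["stopped"]},
}

def pattern_for_instances(instance_ids):
    """The same rule restricted to specific instance IDs (the 'Specific instance Id(s)' choice)."""
    pattern = json.loads(json.dumps(STOPPED_ANY_INSTANCE))  # deep copy of the base pattern
    pattern["detail"]["instance-id"] = list(instance_ids)
    return pattern

def matches(pattern, event):
    """CloudWatch Events rule matching: every key in the pattern must be present in the event,
    a list of values matches when the event's value equals any one of them, nested objects
    recurse, and event fields the pattern does not mention are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def ec2_event(instance_id, state, region="us-west-2"):
    """Constructed event in the documented EC2 state-change shape (ids and times are made up)."""
    return {"version": "0", "id": "7bf73129-1428-4cd3-a780-95db273d1602",
            "detail-type": "EC2 Instance State-change Notification", "source": "aws.ec2",
            "account": "123456789012", "time": "2019-06-21T07:34:39Z", "region": region,
            "resources": [f"arn:aws:ec2:{region}:123456789012:instance/{instance_id}"],
            "detail": {"instance-id": instance_id, "state": state}}

def forwarded_instances(pattern, events):
    """Instance IDs whose events the rule would pass on to its SNS target."""
    return [e["detail"]["instance-id"] for e in events if matches(pattern, e)]

def sms_text(event):
    """Short text for the SMS subscriber; in the console this is the target's input transformer."""
    d = event["detail"]
    return f"EC2 {d['instance-id']} is {d['state']} in {event['region']} at {event['time']}"

if __name__ == "__main__":
    print(json.dumps(STOPPED_ANY_INSTANCE, indent=2))   # paste as the rule's event pattern
    for e in (ec2_event("i-0aaa", "stopped"), ec2_event("i-0bbb", "running")):
        print(matches(STOPPED_ANY_INSTANCE, e), sms_text(e))
```

Without an input transformer the SNS target receives the whole event JSON, which is what ends up in the SMS; the sms_text helper shows the kind of reduction you would configure on the target instead.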
It seems the error is due to missing permissions on your IAM role for publishing messages to an SNS topic. Make arrangements to attach the necessary permissions to the role you use, or to the user, like this:
{
  "Id": "Policy1415489375392",
  "Statement": [
    {
      "Sid": "AWSConfigSNSPolicy20150201",
      "Action": [
        "SNS:Publish"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:region:account-id:myTopic",
      "Principal": {
        "AWS": [
          "account-id1",
          "account-id2",
          "account-id3"
        ]
      }
    }
  ]
}

How to set up AWS SNS in one account to be able to receive notifications from SES of other account?

I have two AWS accounts:
Account 1 (111111111111) contains Simple Notification Service Topic (Email Events Topic)
Account 2 (222222222222) contains Simple Email Service with Configuration Set (Configuration_Set_01).
I want to add an SNSDestination to Configuration_Set_01, to be able to publish SES event notifications to Email Events Topic.
I've set up the following Topic Policy for Email Events Topic:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::2222222222222:root"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic"
    }
  ]
}
When I try to add the SNSDestination to Configuration_Set_01, referring to Email Events Topic, it gives me an error Could not access SNS topic <…> …:
If Email Events Topic's policy is as follows, the destination can be added successfully:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic"
    }
  ]
}
This works:
"Principal": {
  "AWS": "*"
}
This doesn't work:
"Principal": {
  "AWS": "arn:aws:iam::222222222222:root"
}
As I can see here https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html, the syntax for the Principal.AWS value in the second option is correct.
How can I correctly set up Topic Policy on Email Events Topic to be able to add it as an event destination only to Account 2's SES Configuration Sets (or any Account 2's services)?
What else should be done to solve the problem in case the problem is not only with the Topic Policy?
The sample link you shared is for an S3 resource policy. Could you please try editing the policy as follows, which is from the SNS documentation?
{
  "Version": "2012-10-17",
  "Id": "AWSAccountTopicAccess",
  "Statement": [
    {
      "Sid": "give-1234-publish",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111122223333"
      },
      "Action": ["sns:Publish"],
      "Resource": "arn:aws:sns:us-east-1:444455556666:MyTopic"
    }
  ]
}
Additionally, you can also use "AWS:SourceAccount" condition key with Principal *.
Here is the Topic Policy, which works for the described situation:
{
  "Version": "2012-10-17",
  "Id": "MyTopicPolicy",
  "Statement": [
    {
      "Sid": "sid001",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:ses:us-east-1:222222222222:*"
        }
      }
    }
  ]
}
The tricky part was Condition -> ArnLike:
"Condition": {
  "ArnLike": {
    "AWS:SourceArn": "arn:aws:ses:us-east-1:222222222222:*"
  }
}
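The following is an added example, not code from any of the posts on this page, that models how SNS evaluates a topic access policy for the situations in this thread and in the CodePipeline and CloudWatch threads above: a Service principal is not matched by another account's root ARN (which is why the first policy here failed and the second worked), "AWS": "*" matches every caller and so needs a Condition such as AWS:SourceArn or AWS:SourceOwner to be safe, a Resource that names something other than the topic grants nothing (the first CodePipeline policy above named the notification-rule ARN), and an explicit Deny wins. The caller model, the request-context keys and the three sample policies are constructed to mirror the posted policies; the account IDs are the placeholders the posts used. Only StringEquals, ArnEquals and ArnLike are implemented; any other operator fails closed.

```python
import fnmatch

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _glob(pattern, value):            # IAM wildcard match: '*' any run, '?' one character
    return fnmatch.fnmatchcase(value, pattern)

def _action_matches(st, action):      # action names are case-insensitive
    return any(_glob(p.lower(), action.lower()) for p in _as_list(st.get("Action")))

def _resource_matches(st, arn):
    if "NotResource" in st:
        return not any(_glob(p, arn) for p in _as_list(st["NotResource"]))
    return any(_glob(p, arn) for p in _as_list(st.get("Resource")))

def _is_wildcard_principal(st):
    p = st.get("Principal")
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS")))

def _principal_matches(st, caller):
    """caller: {"type": "Service", "id": "ses.amazonaws.com"} or {"type": "AWS", "id": "<account>"}.
    IAM callers are identified by account only in this model."""
    if _is_wildcard_principal(st):
        return True
    for ptype, entries in st.get("Principal", {}).items():
        for entry in _as_list(entries):
            if ptype != caller["type"]:
                continue
            # "123456789012" and "arn:aws:iam::123456789012:root" both name the account
            ident = entry.split(":")[4] if ptype == "AWS" and entry.startswith("arn:") else entry
            if ident == caller["id"]:
                return True
    return False

def _conditions_hold(st, context):
    """context maps lowercase request keys such as 'aws:sourcearn' to their values."""
    for operator, pairs in st.get("Condition", {}).items():
        op = operator.lower()
        if op not in ("stringequals", "arnequals", "arnlike"):
            return False                                   # unsupported operator: fail closed
        for key, patterns in pairs.items():
            value = context.get(key.lower())
            if value is None:                              # key missing from the request
                return False
            if not any(_glob(p, value) if op == "arnlike" else p == value for p in _as_list(patterns)):
                return False
    return True

def topic_policy_allows(policy, caller, action, topic_arn, context=None):
    """Resource-policy decision: an explicit Deny wins; otherwise any matching Allow grants."""
    context = {k.lower(): v for k, v in (context or {}).items()}
    allowed = False
    for st in _as_list(policy.get("Statement")):
        if (_principal_matches(st, caller) and _action_matches(st, action)
                and _resource_matches(st, topic_arn) and _conditions_hold(st, context)):
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def lint_topic_policy(policy, topic_arn):
    """Flag the mistakes the threads above ran into; returns a list of findings."""
    findings, topic_region = [], topic_arn.split(":")[3]
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not _action_matches(st, "sns:Publish"):
            continue
        sid = st.get("Sid", "<no Sid>")
        if not _resource_matches(st, topic_arn):
            findings.append(f"{sid}: Resource does not name this topic, so it grants nothing here")
        if _is_wildcard_principal(st) and not st.get("Condition"):
            findings.append(f"{sid}: Principal '*' with no Condition makes the topic publicly publishable")
        for pairs in st.get("Condition", {}).values():
            for key, patterns in pairs.items():
                for pattern in (_as_list(patterns) if key.lower() == "aws:sourcearn" else []):
                    parts = pattern.split(":")
                    if len(parts) > 3 and parts[3] not in ("", "*", topic_region):
                        findings.append(f"{sid}: SourceArn region {parts[3]} differs from topic region {topic_region}")
    return findings

# Constructed samples mirroring the policies posted above.
TOPIC = "arn:aws:sns:us-east-1:111111111111:email-events-topic"
SES = {"type": "Service", "id": "ses.amazonaws.com"}
SES_CALL = {"aws:SourceArn": "arn:aws:ses:us-east-1:222222222222:configuration-set/Configuration_Set_01"}
# First attempt above: account 2's root ARN. SES calls as a service principal, not as an IAM
# principal of account 2, so this statement never matches it.
ROOT_ONLY = {"Statement": [{"Sid": "root", "Effect": "Allow", "Action": "SNS:Publish",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Resource": TOPIC}]}
# Accepted fix: any principal, but only when the request originates from account 2's SES.
SES_SCOPED = {"Statement": [{"Sid": "sid001", "Effect": "Allow", "Action": "sns:Publish",
    "Principal": {"AWS": "*"}, "Resource": TOPIC,
    "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:ses:us-east-1:222222222222:*"}}}]}
# The CodePipeline question's slip: Resource names the notification rule instead of the topic.
WRONG_RESOURCE = {"Statement": [{"Sid": "AWSCodeStarNotifications_publish", "Effect": "Allow",
    "Action": "SNS:Publish", "Principal": {"Service": "codestar-notifications.amazonaws.com"},
    "Resource": "arn:aws:codestar-notifications:us-east-1:111111111111:notificationrule/abc123"}]}

if __name__ == "__main__":
    for name, policy in (("ROOT_ONLY", ROOT_ONLY), ("SES_SCOPED", SES_SCOPED), ("WRONG_RESOURCE", WRONG_RESOURCE)):
        print(name, topic_policy_allows(policy, SES, "sns:Publish", TOPIC, SES_CALL), lint_topic_policy(policy, TOPIC))
```

Run against the "this works" policy from the question (wildcard principal, no Condition) the linter reports that the topic is publicly publishable, which is the trade-off that policy made to get the destination accepted; the SourceArn-scoped version accepts SES from account 2 and nothing else.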

IAM policy allowing SMS publishing but not denying all SNS

I want to set up IAM policies to allow a user to publish to SNS to send SMS and to publish to a specific SNS ARN.
I have found a way to allow SMS publish without allowing any SNS publish:
Authorization when sending a text message using AmazonSNSClient
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "sns:Publish"
      ],
      "Resource": "arn:aws:sns:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": "*"
    }
  ]
}
But this policy explicitly denies all other SNS publishes, so I can't add a policy allowing a specific SNS topic.
The problem is that SMS publish does not have a specific ARN.
So I am looking at conditions to find a way to limit the allow to publishing only SMS. But the specific SMS parameters (PhoneNumber, cf. https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SNS.html#publish-property) cannot be filtered in a condition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "*",
      "Condition": {"Null": {"PhoneNumber": "false"}}
    }
  ]
}
Is there a way to accomplish such a policy?
Actually, to do the trick I found a way using an Allow with the NotResource JSON policy element (spec). I use this property to match the resources which do NOT have an ARN:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "NotResource": "arn:aws:sns:*:*:*"
    }
  ]
}
With this trick I can allow all SNS Publish calls without an ARN (but I don't know if there are any other services than SMS...).
This also allows me to allow specific ARNs in another policy.
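An added example, not code from the post above, that evaluates the three identity policies in this thread the way IAM combines the policies attached to a user: an applicable Deny ends the decision, otherwise some Allow must match, and NotResource applies a statement to everything except the listed ARN patterns. It assumes that a PhoneNumber publish carries no resource ARN and models that request resource as '*' (which is what lets 'Resource': '*' match it and 'arn:aws:sns:*:*:*' not match it); the topic and platform-endpoint ARNs are constructed. The endpoint case goes one step past the post: anything with an SNS ARN, topics and mobile push endpoints alike, stays excluded by the NotResource statement.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value):
    return fnmatch.fnmatchcase(value, pattern)

def _statement_applies(st, action, resource):
    if not any(_glob(a.lower(), action.lower()) for a in _as_list(st["Action"])):
        return False
    if "NotResource" in st:  # applies to everything EXCEPT the listed patterns
        return not any(_glob(p, resource) for p in _as_list(st["NotResource"]))
    return any(_glob(p, resource) for p in _as_list(st["Resource"]))

def is_allowed(policies, action, resource):
    """Implicit deny unless some statement allows; any applicable Deny ends the evaluation."""
    allowed = False
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if _statement_applies(st, action, resource):
                if st["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

# Request resources (constructed). A PhoneNumber publish has no ARN; topics and push endpoints do.
SMS_PUBLISH = "*"
MY_TOPIC = "arn:aws:sns:eu-west-1:123456789012:alerts"
OTHER_TOPIC = "arn:aws:sns:eu-west-1:123456789012:someone-elses-topic"
PUSH_ENDPOINT = "arn:aws:sns:eu-west-1:123456789012:endpoint/GCM/my-app/0f1e2d3c"

# The question's first policy: SMS works, but the explicit Deny blocks every topic for good.
DENY_ALL_TOPICS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["sns:Publish"], "Resource": "arn:aws:sns:*:*:*"},
    {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": "*"}]}
# The NotResource answer: allow only publishes whose resource is not an SNS ARN.
NOT_RESOURCE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sns:Publish"], "NotResource": "arn:aws:sns:*:*:*"}]}
# A second, separately attached policy granting one specific topic.
MY_TOPIC_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": MY_TOPIC}]}

def publish_matrix(policies):
    """What sns:Publish may target under the given set of attached policies."""
    targets = {"sms": SMS_PUBLISH, "my_topic": MY_TOPIC,
               "other_topic": OTHER_TOPIC, "push_endpoint": PUSH_ENDPOINT}
    return {name: is_allowed(policies, "sns:Publish", res) for name, res in targets.items()}

if __name__ == "__main__":
    print("Deny + my topic:       ", publish_matrix([DENY_ALL_TOPICS, MY_TOPIC_ONLY]))
    print("NotResource + my topic:", publish_matrix([NOT_RESOURCE, MY_TOPIC_ONLY]))
```

The first print shows the original problem (my_topic stays False no matter what else is attached, because the Deny is evaluated first); the second shows the NotResource policy leaving topics at implicit deny, so a separate Allow for one topic takes effect.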

AWS SNS Policy IP Address Access

In SNS, I set up a topic.
In IAM, I have set up a policy to allow access to the topic's ARN only from a specific IP address:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sns:Publish",
        "sns:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-east-1:111111111111:topic_name",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "xxx.xxx.xxx.x"
        }
      }
    }
  ]
}
I have attached this policy to a group, and added a user to this group.
From a C# Windows application, I can now subscribe and publish to the topic from the specified SourceIp listed in the policy.
But in this case, I need to use the AccessKey and SecretAccessKey of the IAM user.
Is there a way that I can bypass needing the AccessKey and SecretKey as long as the SourceIp is correct?
I see that the SNS topic has a "topic policy", but I could not figure out how to add the IpAddress Condition. Is that possible?
topic policy:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:111111111111:topic_name",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "111111111111"
        }
      }
    }
  ]
}
Amazon SNS requires authentication and authorization to use the service. This means either an IAM user or role. This means you must use credentials to access the service.
I would combine IAM User Policies with SNS Policies to control who (user or service) can publish / subscribe to SNS.
There are many AWS services that can use SNS. Your IP address policy may break them.
SNS: Controlling User Access to Your AWS Account