AWS SNS ConfirmSubscription authorization never granted to IAM user

Time:11-22

Goal: Grant permissions to IAM user to confirm an SNS Topic Subscription

Problem: Using AWS Web Console, I am unable to grant the proper SNS permissions to the IAM user account no matter what permissive policies I attach to it.

Steps completed: I created a Topic which tracks changes to S3 objects and pushes that information to my application via an SNS subscription (HTTPS/JSON calls).

My code that receives the request:

  # Confirms the SNS subscription using the token SNS sent in the
  # SubscriptionConfirmation request.
  def self.confirm(arn, token)
    client = retrieve_client
    client.confirm_subscription(topic_arn: arn, token: token)
  end

  # Builds an SNS client from the IAM user's keys stored in Rails credentials.
  def self.retrieve_client
    creds = Aws::Credentials.new(
      Rails.application.credentials.dig(:aws, :access_key_id),
      Rails.application.credentials.dig(:aws, :secret_access_key)
    )
    Aws::SNS::Client.new(region: 'us-east-2', credentials: creds)
  end

When my code receives the SNS confirmation request, I receive this error message:

Aws::SNS::Errors::AuthorizationError (User: arn:aws:iam::12345678912:user/user_name is not authorized to perform: SNS:ConfirmSubscription on resource: arn:aws:sns:us-east-2:12345678912:topic_name because no boundary policy allows the SNS:ConfirmSubscription action)

The above code works well with a different application (but different IAM user), so I don't believe the code is the culprit, yet.

I've attempted adding policies to a group, then the user to the group, nothing changes.

I've resorted to directly adding policies to the user, nothing changes.

Here are the two most permissive policies I've tried and I don't know what other blanket permissions I can give this user to make this subscription confirmation work.

Topic arn: arn:aws:sns:us-east-2:12345678912:topic_name

Topic access policy:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-2:12345678912:topic_name",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "12345678912"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:*:*:*"
        }
      }
    }
  ]
}

Policy 1 (from the AWS Managed AmazonSNSFullAccess policy):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sns:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Policy 2, where I just click as many Action selections as possible to see if anything will work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sns:TagResource",
                "sns:DeleteTopic",
                "sns:ListTopics",
                "sns:Unsubscribe",
                "sns:CreatePlatformEndpoint",
                "sns:SetTopicAttributes",
                "sns:UntagResource",
                "sns:OptInPhoneNumber",
                "sns:CheckIfPhoneNumberIsOptedOut",
                "sns:ListEndpointsByPlatformApplication",
                "sns:SetEndpointAttributes",
                "sns:Publish",
                "sns:DeletePlatformApplication",
                "sns:SetPlatformApplicationAttributes",
                "sns:VerifySMSSandboxPhoneNumber",
                "sns:Subscribe",
                "sns:ConfirmSubscription",
                "sns:RemovePermission",
                "sns:ListTagsForResource",
                "sns:DeleteSMSSandboxPhoneNumber",
                "sns:ListSubscriptionsByTopic",
                "sns:GetTopicAttributes",
                "sns:ListSMSSandboxPhoneNumbers",
                "sns:CreatePlatformApplication",
                "sns:SetSMSAttributes",
                "sns:CreateTopic",
                "sns:GetPlatformApplicationAttributes",
                "sns:GetSubscriptionAttributes",
                "sns:ListSubscriptions",
                "sns:AddPermission",
                "sns:ListOriginationNumbers",
                "sns:DeleteEndpoint",
                "sns:ListPhoneNumbersOptedOut",
                "sns:GetEndpointAttributes",
                "sns:SetSubscriptionAttributes",
                "sns:GetSMSSandboxAccountStatus",
                "sns:CreateSMSSandboxPhoneNumber",
                "sns:ListPlatformApplications",
                "sns:GetSMSAttributes"
            ],
            "Resource": "*"
        }
    ]
}

It's completely unclear to me what other policies are required to give this user the authorization necessary to confirm the SNS subscription.

CodePudding user response:

Thanks to the question Marcin asked about the "boundary policy," I learned that the concept of an IAM boundary policy existed, what it was, and then fixed my problem.

At some point, when the IAM user was set up, a boundary policy was attached to the user account, which precludes any other policies that may be given to that user by other service or group policies.

Thus, when I inspected the IAM user in question, I found a boundary policy that only permitted access to AWS S3 services. This policy prevented my efforts to give the user access to AWS SNS services.

After removing the boundary policy, the IAM user settings now read "Permissions boundary (not set)" and the confirmation of the SNS subscriptions works as expected.

Thanks for the help, Marcin!
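The answer above hinges on how IAM combines a permissions boundary with identity-based policies: the boundary is an upper limit, so an action is allowed only when both an identity policy and the boundary allow it, and an explicit Deny anywhere wins. The following is an added example, not code from the question, the answer or AWS: a small plain-Ruby model of that evaluation (no aws-sdk gem needed) run against constructed policies shaped like the ones described, an AmazonSNSFullAccess-style identity policy and an S3-only boundary. The exact boundary document the asker had is not on the page, so S3_ONLY_BOUNDARY is an assumption; resource-based policies, Condition blocks, SCPs and session policies are deliberately out of scope.

```ruby
# Added example (not from the original question or answer): a minimal model of how
# IAM combines identity-based policies with a permissions boundary. Rules modelled:
#   1. an explicit Deny in any policy is final;
#   2. otherwise the action needs an Allow from an identity policy AND, when a
#      boundary is attached, an Allow from the boundary as well.
# Resource-based policies, Condition blocks, SCPs and session policies are omitted.

# Convert an IAM wildcard pattern ("sns:*", "arn:aws:s3:::*") to an anchored regex.
# Action names are case-insensitive in IAM, hence IGNORECASE.
def iam_pattern(pattern)
  body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new('\A' + body + '\z', Regexp::IGNORECASE)
end

def matches?(patterns, value)
  Array(patterns).any? { |p| iam_pattern(p).match?(value) }
end

# Returns :allow, :deny or :none for one policy document (a Ruby hash).
def evaluate_policy(policy, action, resource)
  decision = :none
  policy['Statement'].each do |st|
    next unless matches?(st['Action'], action) && matches?(st['Resource'], resource)
    return :deny if st['Effect'] == 'Deny' # explicit deny is final
    decision = :allow if st['Effect'] == 'Allow'
  end
  decision
end

# Final decision plus a reason string modelled on the AuthorizationError wording.
def authorize(action:, resource:, identity_policies:, boundary: nil)
  identity = identity_policies.map { |p| evaluate_policy(p, action, resource) }
  return [:deny, 'explicit deny in identity policy'] if identity.include?(:deny)
  return [:deny, "no identity-based policy allows the #{action} action"] unless identity.include?(:allow)

  if boundary
    case evaluate_policy(boundary, action, resource)
    when :deny then return [:deny, 'explicit deny in permissions boundary']
    when :none then return [:deny, "no boundary policy allows the #{action} action"]
    end
  end
  [:allow, 'allowed by identity policy' + (boundary ? ' and permissions boundary' : '')]
end

# Constructed policies mirroring the question: an AmazonSNSFullAccess-style
# identity policy, and a boundary that only permits S3 (assumed document shape).
SNS_FULL_ACCESS = {
  'Version' => '2012-10-17',
  'Statement' => [{ 'Effect' => 'Allow', 'Action' => ['sns:*'], 'Resource' => '*' }]
}.freeze

S3_ONLY_BOUNDARY = {
  'Version' => '2012-10-17',
  'Statement' => [{ 'Effect' => 'Allow', 'Action' => 's3:*', 'Resource' => '*' }]
}.freeze

TOPIC_ARN = 'arn:aws:sns:us-east-2:12345678912:topic_name'.freeze

# The situation in the question: the S3-only boundary is still attached.
def before_fix
  authorize(action: 'SNS:ConfirmSubscription', resource: TOPIC_ARN,
            identity_policies: [SNS_FULL_ACCESS], boundary: S3_ONLY_BOUNDARY)
end

# The situation in the answer: boundary removed ("Permissions boundary (not set)").
def after_fix
  authorize(action: 'SNS:ConfirmSubscription', resource: TOPIC_ARN,
            identity_policies: [SNS_FULL_ACCESS])
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{before_fix.inspect}"
  puts "after:  #{after_fix.inspect}"
end
```

Running it prints the deny with the same "no boundary policy allows" reason as the error in the question, then the allow once the boundary is gone. The model also shows why piling more Allow statements onto the user or its groups (Policy 1, Policy 2) could never help: every identity-policy Allow is intersected with the boundary, so the fix has to be on the boundary itself, either removing it as the answer did or widening it to include the sns actions the application needs.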
