How can I resolve the authorization error that I receive when I try to subscribe my Lambda function to my Amazon SNS topic?

Last updated: 2021-05-27

I want to resolve the error that I receive when I subscribe my AWS Lambda function to my Amazon Simple Notification Service (Amazon SNS) topic.

Short description

You could receive the following error when you try to subscribe a Lambda function to an SNS topic that's in a different AWS account. That is, the SNS topic is in one account, and your Lambda function is in another account.

If you're using the AWS Command Line Interface (AWS CLI), then you receive this error:

An error occurred (AuthorizationError) when calling the Subscribe operation: The account YOUR_AWS_ACCOUNT_ID_1 is not the owner of the endpoint arn:aws:lambda:us-east-1:YOUR_AWS_ACCOUNT_ID_2:function: your_Lambda_function_ARN

If you're using the AWS Management Console, then you receive this error:

Error code: AccessDeniedException - Error message: User: your_IAM_entity is not authorized to perform: lambda:AddPermission on resource: your_Lambda_function_ARN

To resolve either error, you must subscribe your Lambda function to the SNS topic from the AWS account where your Lambda function is located. You can do this using either the Lambda console or AWS CLI.

Resolution

Use the Lambda console

1.    On the Functions page of the Lambda console, choose your function.

2.    Under Overview, choose Add trigger. For more information, see Use the function overview.

3.    For Trigger configuration, choose Select a trigger, and then choose SNS.

4.    For SNS topic, paste the SNS topic Amazon Resource Name (ARN) from the other AWS account.

5.    Select the Enable trigger check box.

6.    Choose Add.

For more information, see Configuring functions in the console.

Important: You could receive the following error when you add the trigger. To resolve, see How can I resolve the IAM authorization errors that I receive when I try to add a subscriber to my Amazon SNS topic?

An error occurred (AuthorizationError) when calling the Subscribe operation: User: your_IAM_user_or_role is not authorized to perform: SNS:Subscribe on resource: your_SNS_topic_ARN

When you add the SNS trigger using the Lambda console, the console automatically grants the lambda:InvokeFunction permission to the service principal sns.amazonaws.com.

Use the AWS CLI

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

1.    Configure your AWS CLI with an AWS Identity and Access Management (IAM) user who belongs to the AWS account where your Lambda function is located:

aws configure --profile your_profile_name

Note: Be sure to pass the access key ID and secret access key of your IAM user.

2.    Allow Lambda invocations from the SNS topic by granting the lambda:InvokeFunction permission to the service principal sns.amazonaws.com, scoped to your topic ARN (run this with the profile that you configured in step 1):

aws lambda add-permission --function-name your_lambda_function_name --statement-id sns_invoke_permission --action lambda:InvokeFunction --principal sns.amazonaws.com --source-arn your_sns_topic_arn --profile your_profile_name

3.    Subscribe your Lambda function to your SNS topic:

aws sns subscribe --topic-arn your_sns_topic_ARN --protocol lambda --notification-endpoint your_lambda_function_arn --profile your_profile_name

Note: Use the same profile name that you configured in step 1.

Important: You could receive the following error when you run the subscribe command. To resolve, see How can I resolve the IAM authorization errors that I receive when I try to add a subscriber to my Amazon SNS topic?

An error occurred (AuthorizationError) when calling the Subscribe operation: User: your_IAM_user_or_role is not authorized to perform: SNS:Subscribe on resource: your_SNS_topic_ARN
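As an added example that is not part of this article, the following stdlib-only Python script runs the two checks implied by the steps above before you call subscribe: that the calling account owns the Lambda endpoint (the cause of the AuthorizationError), and that the function's resource policy, as returned in the "Policy" field of `aws lambda get-policy`, carries a lambda:InvokeFunction grant for sns.amazonaws.com that is scoped to the topic. The account IDs, ARNs and policy document are constructed sample values, and the function names are the example's own.

```python
import fnmatch
import json

def arn_account(arn):
    """Account ID field of an ARN: arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[4]

def sns_invoke_grants(policy_json):
    """(Sid, AWS:SourceArn) for every Allow statement that lets sns.amazonaws.com invoke the function.
    policy_json is the "Policy" string from `aws lambda get-policy`; SourceArn is None when unscoped."""
    grants = []
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (st.get("Effect") == "Allow" and service == "sns.amazonaws.com"
                and any(a in ("lambda:InvokeFunction", "lambda:*") for a in actions)):
            source = st.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
            grants.append((st.get("Sid"), source))
    return grants

def check_subscription(caller_account, topic_arn, function_arn, policy_json):
    """Findings that would make `aws sns subscribe` fail or leave the function over-exposed; [] is clean."""
    findings = []
    # Root cause of the AuthorizationError in this article: Subscribe must be called from the
    # account that owns the endpoint, i.e. the Lambda function's own account.
    if arn_account(function_arn) != caller_account:
        findings.append("caller does not own the Lambda endpoint; subscribe from the function's account")
    grants = sns_invoke_grants(policy_json)
    # ArnLike conditions may use * and ? wildcards; a statement with no condition matches any topic.
    covering = [src for _, src in grants if src is None or fnmatch.fnmatchcase(topic_arn, src)]
    if not covering:
        findings.append("no lambda:InvokeFunction grant for sns.amazonaws.com covers this topic; run add-permission")
    for sid, src in grants:
        if src is None:
            findings.append(f"statement {sid} has no AWS:SourceArn condition; scope it with --source-arn")
    return findings

# Constructed sample values (not real accounts), in the shape that add-permission --source-arn writes.
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:orders"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:222222222222:function:process-orders"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [{
    "Sid": "sns_invoke_permission", "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"}, "Action": "lambda:InvokeFunction",
    "Resource": FUNCTION_ARN, "Condition": {"ArnLike": {"AWS:SourceArn": TOPIC_ARN}}}]})
```

Calling check_subscription("222222222222", TOPIC_ARN, FUNCTION_ARN, SAMPLE_POLICY) returns an empty list, while passing the topic's account ID "111111111111" as the caller reproduces the ownership finding behind this article's error.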
