How can I resolve the publish operation error in Amazon SNS?

Last updated: 2021-07-28

I get an error in Amazon Simple Notification Service (Amazon SNS). The error happens when I'm using a subnet, and I try to publish my SNS topic from a cross-account Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

If you receive an authorization error when you call the Publish operation, then complete the steps in the Verify EC2 instance IAM role and SNS topic access policy permissions section.

If you have issues with an SNS topic that's using server-side encryption and you receive a "KMSAccessDenied" error, then complete the steps in the Verify KMS key settings and EC2 IAM role permissions section.

Note: If your EC2 instance can't connect to the internet with an internet gateway, see Why can't my EC2 instance connect to the internet using an internet gateway?

Resolution

Verify EC2 instance IAM role and SNS topic access policy permissions

Misconfigured AWS Identity and Access Management (IAM) role permissions for your EC2 instance and Amazon SNS topic access policy can cause the following error:

"An error occurred (AuthorizationError) when calling the Publish operation: User: arn:aws:iam::111122223333:role/cross-acc-ec2-sns-publish-role/i-0123456789f804d is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-2:123456789012:cross-account-ec2-sns."

Verify KMS key settings and EC2 IAM role permissions

If permissions for the IAM role of your EC2 instance and the AWS Key Management Service (AWS KMS) key policy of your AWS KMS key (KMS key) are incorrect, you can receive the following error:

An error occurred (KMSAccessDenied) when calling the Publish operation: null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Re
quest ID: IDNumber; Proxy: null)

Note: The preceding error occurs only when your SNS topic uses server-side encryption.

To resolve the error, check your KMS key settings and AWS KMS key policy permissions:

1.    Confirm that your KMS key is enabled.

2.    Confirm that your EC2 instance IAM role is allowed to perform kms:GenerateDataKey* and kms:Decrypt in the AWS KMS key policy. This is the key policy of the KMS key that's used for server-side encryption on your SNS topic. For example:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/cross-acc-ec2-sns-publish-role"
  },
  "Action": [
    "kms:GenerateDataKey*",
    "kms:Decrypt"
  ],
  "Resource": "*"
}

3.    Confirm that kms:GenerateDataKey* and kms:Decrypt permissions are attached to the IAM role of your EC2 instance. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    }
  ]
}

Did this article help?


Do you need billing or technical support?