How do I resolve authorization errors when trying to add subscribers to an Amazon SNS topic?

Last updated: 2021-10-06

I receive AWS Identity and Access Management (IAM) authorization errors when I add subscribers to my Amazon Simple Notification Service (Amazon SNS) topic. How do I resolve the errors?

Short description

When an IAM entity tries to add a subscription to an Amazon SNS topic without Subscribe API action permissions, SNS returns the following error:

An error occurred (AuthorizationError) when calling the Subscribe operation: User: your_IAM_user_or_role is not authorized to perform: sns:Subscribe on resource: YOUR_SNS_TOPIC_ARN

Note: The IAM entity could be an IAM user or role.

To resolve the error, grant the IAM entity permission to run the Subscribe API action on the Amazon SNS topic.

If you receive a similar error that ends in an "explicit deny"

Remove any policy statements that explicitly deny the IAM entity access to the SNS resource.

Resolution

If the IAM entity and the SNS topic are in different AWS accounts

Do both of the following:

Attach an IAM policy statement to the IAM entity that allows the entity to run the "sns:Subscribe" action

For instructions, see Adding and removing IAM identity permissions. Attach the following example IAM policy statement:

Important: Replace "YOUR_SNS_TOPIC_ARN" with your Amazon SNS topic's Amazon Resource Name (ARN).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SNSSubscribePermission",
            "Effect": "Allow",
            "Action": "sns:Subscribe",
            "Resource": "YOUR_SNS_TOPIC_ARN"
        }
    ]
}

Attach an Amazon SNS policy statement to your topic's access policy that allows the IAM entity to run the "sns:Subscribe" action

For instructions, see How do I edit my Amazon SNS topic's access policy? Attach the following example Amazon SNS policy statement:

Important: Replace "YOUR_IAM USER/ROLE_ARN" with your IAM entity's ARN. Replace "YOUR_SNS_TOPIC_ARN" with your Amazon SNS topic's ARN.

{
  "Sid": "AllowIAMEntity",
  "Effect": "Allow",
  "Principal": {
    "AWS": "YOUR_IAM USER/ROLE_ARN"
  },
  "Action": "sns:Subscribe",
  "Resource": "YOUR_SNS_TOPIC_ARN"
}

If the IAM entity and the SNS topic are in the same account

Do either of the following, but not both:

Attach an IAM policy statement to the IAM entity that allows the entity to run the "sns:Subscribe" action.

-or-

Attach an Amazon SNS policy statement to your topic's access policy that allows the IAM entity to run the "sns:Subscribe" action.

For example policy statements, see the If the IAM entity and the SNS topic are in different AWS accounts section of this article.

Verify that neither the IAM entity's policy nor the SNS topic's access policy explicitly denies access to the SNS resource

Review the IAM entity's policy and SNS topic's access policy. Then, remove any policy statements that explicitly deny the IAM entity access to the SNS resource.

For more information, see The difference between explicit and implicit denies.
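The three rules above (same account: either policy is enough; different accounts: both policies are required; an explicit deny in either policy wins regardless) can be checked against a pair of policies before you call Subscribe. The following toy evaluator is an added illustration written for this article, not AWS's policy evaluation engine; every ARN and account ID in it is constructed, and it only understands the sns:Subscribe statements shown in this article (Action, Resource and Principal matching, no conditions).

```python
# Toy model of the sns:Subscribe authorization rules this article describes (constructed, not AWS's engine).
def _account_of(arn):
    # arn:partition:service:region:account-id:resource -> field 4 is the account ID
    return arn.split(":")[4]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, topic_arn, principal_arn=None):
    actions = _as_list(stmt["Action"])
    resources = _as_list(stmt["Resource"])
    if not any(a in (action, "sns:*", "*") for a in actions):
        return False
    if not any(r in (topic_arn, "*") for r in resources):
        return False
    if principal_arn is None:            # identity policy: no Principal element
        return True
    principal = stmt.get("Principal", {})  # topic policy: Principal must match
    if principal == "*":
        return True
    return any(p in (principal_arn, "*") for p in _as_list(principal.get("AWS", [])))

def _effects(policy, topic_arn, principal_arn=None):
    stmts = _as_list(policy.get("Statement", [])) if policy else []
    return {s["Effect"] for s in stmts if _matches(s, "sns:Subscribe", topic_arn, principal_arn)}

def can_subscribe(identity_policy, topic_policy, principal_arn, topic_arn):
    """Return 'allowed', 'explicit deny' or 'implicit deny' for a Subscribe call."""
    identity = _effects(identity_policy, topic_arn)
    resource = _effects(topic_policy, topic_arn, principal_arn)
    if "Deny" in identity or "Deny" in resource:
        return "explicit deny"             # a Deny in either policy always wins
    if _account_of(principal_arn) == _account_of(topic_arn):
        allowed = "Allow" in identity or "Allow" in resource   # same account: either
    else:
        allowed = "Allow" in identity and "Allow" in resource  # cross-account: both
    return "allowed" if allowed else "implicit deny"

# Constructed sample: a role in account 111122223333 and topics in two accounts.
ROLE = "arn:aws:iam::111122223333:role/SubscriberRole"
SAME_TOPIC = "arn:aws:sns:us-east-1:111122223333:MyTopic"
OTHER_TOPIC = "arn:aws:sns:us-east-1:444455556666:PartnerTopic"
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "SNSSubscribePermission", "Effect": "Allow",
    "Action": "sns:Subscribe", "Resource": [SAME_TOPIC, OTHER_TOPIC]}]}
OTHER_TOPIC_POLICY = {"Statement": [{
    "Sid": "AllowIAMEntity", "Effect": "Allow", "Principal": {"AWS": ROLE},
    "Action": "sns:Subscribe", "Resource": OTHER_TOPIC}]}
```

With these inputs, the same-account topic is allowed by the identity policy alone, the cross-account topic is an implicit deny until its access policy names the role, and adding a Deny statement to either policy turns the result into an explicit deny.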
