Why do I get an authorization error when I try to subscribe my Lambda function to my Amazon SNS topic?

5 minuto de leitura
0

I receive an authorization error when I try to subscribe my AWS Lambda function to my Amazon Simple Notification Service (Amazon SNS) topic. How do I resolve the error?

Short description

When you subscribe a Lambda function to an SNS topic, you can receive an authorization error for the following reasons:

  • You tried to create the subscription from a different AWS account than the one that your Lambda function is in.
    -or-
  • The AWS Identity and Access Management (IAM) identity that you used to create the subscription doesn't have permissions to run the following API operations:
    (Lambda) AddPermission
    (Amazon SNS) Subscribe

To resolve the issue, you must do one of the following, depending on what's causing the error:

  • Make sure that you subscribe your Lambda function to the SNS topic from the AWS account where your function is located.
    -or-
  • Make sure that the IAM identity that you're using has permissions to run both the Lambda AddPermission and SNS Subscribe API operations.

Resolution

Verify what's causing the error based on the error message that Lambda returns

If you create the subscription from a different AWS account than the one that your function is in, then Lambda returns one of the following errors:

AWS CLI error example: You tried to create the subscription from a different account than the one that your Lambda function is in

An error occurred (AuthorizationError) when calling the Subscribe operation: The account YOUR_AWS_ACCOUNT_ID_1 is not the owner of the endpoint arn:aws:lambda:us-east-1:YOUR_AWS_ACCOUNT_ID_2:function: your_Lambda_function_ARN

AWS Management Console error example: You tried to create the subscription from a different account than the one that your Lambda function is in

Error code: AccessDeniedException - Error message: User: arn:aws:sts::XXXXXXX:XXXXXXX/XXXXX/XXXXXX is not authorized to perform: lambda:AddPermission on resource: arn:aws:lambda:us-west-2:XXXXXXX:function:XXXXXXX

If you're using the correct account, but your IAM identity lacks the required permissions, then Lambda or SNS returns one of the following errors:

AWS CLI error example: The IAM identity that you used to create the subscription doesn't have permissions to run the Lambda AddPermission action

An error occurred (AccessDeniedException) when calling the AddPermission operation: User: arn:aws:iam::XXXXXXX:user/XXXXXXXX is not authorized to perform: lambda:AddPermission on resource: arn:aws:lambda:us-west-2:XXXXXX:function:XXXXXXX because no identity-based policy allows the lambda:AddPermission action

AWS Management Console error example: The IAM identity that you used to create the subscription doesn't have permissions to run the Lambda AddPermission action

Error code: AccessDeniedException - Error message: User: arn:aws:sts:XXXXXXXX:assumed-role/XXXXXXXX/XXXXX-XXXXXX is not 
authorized to perform: lambda:AddPermission on resource: 
arn:aws:lambda:us-west-2:XXXXXXXXX:function:XXXXXXX because no 
identity-based policy allows the lambda:AddPermission action

AWS CLI error example for when you try to use an IAM identity that doesn't have permission to run the SNS Subscribe action

An error occurred (AuthorizationError) when calling the Subscribe operation: User: arn:aws:iam::XXXXXXX:user/XXXXXXXX is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:us-west-2:XXXXXXXX:XXXXXXX because no resource-based policy allows the SNS:Subscribe action

Make sure that you subscribe your Lambda function to the SNS topic from the AWS account where your function is located

You can use the Lambda console or AWS CLI to subscribe your Lambda function to an SNS topic.

To subscribe a function to an SNS topic using the Lambda console

Note: When you add the SNS trigger using the Lambda console, the console automatically allows the lambda:InvokeFunction permission from the principal service:sns.amazonaws.com.

1.    On the Functions page of the Lambda console, choose your function.

2.    Under Overview, choose Add trigger.

3.    For Trigger configuration, choose Select a trigger, and then choose SNS.

4.    For SNS topic, paste the SNS topic Amazon Resource Name (ARN) from the other AWS account.

5.    Select the Enable trigger check box.

6.    Choose Add.

For more information, see Configuring Lambda function options.

Note: If you receive the following error, then you must grant Subscribe API action permissions to the IAM identity that you're using. For troubleshooting instructions, see the following article: How do I resolve authorization errors when trying to add subscribers to an Amazon SNS topic?

An error occurred (AuthorizationError) when calling the Subscribe operation: User: your_IAM_user_or_role is not authorized to perform: SNS:Subscribe on resource: your_SNS_topic_ARN

To subscribe a function to an SNS topic using the AWS CLI

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

1.    Configure your AWS CLI with an IAM user that belongs to the AWS account where your Lambda function is located:

aws configure --profile-name your_profile_name

Important: Make sure that you pass the AWS Access Key Id and Secret Key of your IAM user.

2.    Allow Lambda invocations from the SNS topic by adding the lambda:InvokeFunction permission from the principal service:sns.amazonaws.com:

aws lambda add-permission --function-name your_lambda_function_name --statement-id sns_invoke_permission --action lambda:InvokeFunction --principal sns.amazonaws.com --source-arn your_sns_topic_arn

3.    Subscribe your Lambda function to your SNS topic:

aws sns subscribe --topic-arn your_sns_topic_ARN --protocol lambda --notification-endpoint your_lambda_function_arn --profile your_profile_name_passed_on_#1

Note: If you receive the following error, you must grant Subscribe API action permissions to the IAM identity that you're using. For troubleshooting instructions, see the following article: How do I resolve authorization errors when trying to add subscribers to an Amazon SNS topic?

An error occurred (AuthorizationError) when calling the Subscribe operation: User: your_IAM_user_or_role is not authorized to perform: SNS:Subscribe on resource: your_SNS_topic_ARN

Make sure that the IAM identity that you're using has permissions to run the Lambda AddPermission and SNS Subscribe API operations

Review your IAM identity's identity-based policy. Make sure that the policy explicitly allows the IAM identity to run both of the following actions:
lambda:AddPermission
SNS:Subscribe

If the identity-based policy doesn't grant the required permissions, add the required permissions to the policy. Then, subscribe your Lambda function to the SNS topic from the AWS account that the function is in.


AWS OFICIAL
AWS OFICIALAtualizada há 2 anos