How do I resolve an "authorization error" when attempting to view or modify a cross-account SQS subscription's attributes on the Amazon SNS console?

Last updated: 2022-07-29

I subscribed my Amazon Simple Queue Service (Amazon SQS) queue to an Amazon Simple Notification Service (Amazon SNS) topic in a different AWS account. When viewing or editing my cross-account subscription’s attributes from the Amazon SNS console, I get an "authorization error." How can I fix this?

Short description

If you create an SNS topic subscription for an SQS queue from an account that doesn't own the topic, then the account that owns the SQS queue (the account that called Subscribe) owns the subscription. SNS authorizes GetSubscriptionAttributes and SetSubscriptionAttributes against the subscription's owner, not against the topic's owner. So if you view or edit the subscription's attributes from the account that created the SNS topic, you get an authorization error.

Note: The SNS topic policy can't grant the view and edit permissions for a subscription. A topic policy controls topic-level actions (for example, Publish, Subscribe, and ListSubscriptionsByTopic), but GetSubscriptionAttributes and SetSubscriptionAttributes are evaluated against the subscription resource, which belongs to the subscribing account. Use the following solutions instead.

Resolution

Using the AWS console

  1. Open the Amazon SNS console in the account that owns the SNS topic.
  2. In the navigation pane, choose Topics.
  3. Choose the name of the topic. Then, from the Subscriptions tab, copy the Subscription ID of the SQS queue subscription.
  4. Open the Amazon SNS console in the account that owns the SQS queue.
  5. In the navigation pane, choose Subscriptions. Then, choose the Subscription ID that you copied in step 3.
  6. View and edit the subscription attributes as needed.

Using GetSubscriptionAttributes

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

View the subscription's attributes by calling GetSubscriptionAttributes from the account that created the subscription, using the AWS Command Line Interface (AWS CLI) or an SDK. The IAM user or role that runs the call needs the sns:GetSubscriptionAttributes permission to view attributes, and sns:SetSubscriptionAttributes as well if it also changes them.

The following example calls GetSubscriptionAttributes from the AWS CLI, with SubscriptionArn as the request parameter. To retrieve the SubscriptionArn, use ListSubscriptionsByTopic. ListSubscriptionsByTopic is a topic-level action, so run it in the account that owns the topic (or in another account that the topic policy allows). In the output, the Owner attribute is the account that created the subscription. In a cross-account subscription, it differs from the account ID embedded in the TopicArn, which tells you which account's credentials the call must use.

aws sns get-subscription-attributes --subscription-arn arn:aws:sns:eu-central-1:1234567890:TestTopicSubOwnerSQS:53XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
{
  "Attributes": {
    "Owner": "9876543210",
    "RawMessageDelivery": "false",
    "TopicArn": "arn:aws:sns:eu-central-1:1234567890:TestTopicSubOwnerSQS",
    "Endpoint": "example@amazon.com",
    "Protocol": "email",
    "PendingConfirmation": "false",
    "ConfirmationWasAuthenticated": "false",
    "SubscriptionArn": "arn:aws:sns:eu-central-1:1234567890:TestTopicSubOwnerSQS:53XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
   }
}
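The following Python is an added example, not part of the original AWS article: it takes a ListSubscriptionsByTopic response, flags every subscription whose Owner differs from the account in the TopicArn (exactly the subscriptions that return an authorization error from the topic owner's account), and builds the get-subscription-attributes and set-subscription-attributes commands with the profile of the account that actually owns the subscription. The response JSON, the account IDs, the queue name and the account-to-profile mapping are all constructed for the example; no AWS calls are made, so it runs without credentials.

```python
import json

# Constructed sample response (not captured from a real account): what
# `aws sns list-subscriptions-by-topic --topic-arn <topic-arn>` returns for a
# topic in account 111122223333 with one SQS subscription created from
# account 444455556666 and one email subscription created by the topic owner.
LIST_SUBSCRIPTIONS_BY_TOPIC = json.loads("""
{
  "Subscriptions": [
    {
      "SubscriptionArn": "arn:aws:sns:eu-central-1:111122223333:TestTopicSubOwnerSQS:0e7e3c2a-0000-4000-8000-000000000001",
      "Owner": "444455556666",
      "Protocol": "sqs",
      "Endpoint": "arn:aws:sqs:eu-central-1:444455556666:cross-account-queue",
      "TopicArn": "arn:aws:sns:eu-central-1:111122223333:TestTopicSubOwnerSQS"
    },
    {
      "SubscriptionArn": "arn:aws:sns:eu-central-1:111122223333:TestTopicSubOwnerSQS:0e7e3c2a-0000-4000-8000-000000000002",
      "Owner": "111122223333",
      "Protocol": "email",
      "Endpoint": "example@example.com",
      "TopicArn": "arn:aws:sns:eu-central-1:111122223333:TestTopicSubOwnerSQS"
    }
  ]
}
""")

# Hypothetical mapping from account ID to the AWS CLI profile that holds
# credentials for that account (an assumption made for this example).
PROFILES = {"111122223333": "topic-owner", "444455556666": "queue-owner"}


def account_from_arn(arn):
    """Return the account ID field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":", 5)[4]


def cross_account_subscriptions(response):
    """Return the subscriptions whose Owner differs from the account in the TopicArn.

    These are the subscriptions for which GetSubscriptionAttributes and
    SetSubscriptionAttributes fail with an authorization error when called
    from the topic owner's account.
    """
    return [
        s for s in response["Subscriptions"]
        if s["Owner"] != account_from_arn(s["TopicArn"])
    ]


def subscription_owner(subscription_arn, response):
    """Look up the Owner account of a subscription ARN in a ListSubscriptionsByTopic response."""
    for s in response["Subscriptions"]:
        if s["SubscriptionArn"] == subscription_arn:
            return s["Owner"]
    raise KeyError(subscription_arn)


def attribute_commands(subscription_arn, response, profiles=PROFILES):
    """Build the CLI commands to view and edit the subscription under its owner's credentials."""
    owner = subscription_owner(subscription_arn, response)
    profile = profiles[owner]
    get = ("aws sns get-subscription-attributes "
           f"--subscription-arn {subscription_arn} --profile {profile}")
    set_raw = ("aws sns set-subscription-attributes "
               f"--subscription-arn {subscription_arn} "
               "--attribute-name RawMessageDelivery --attribute-value true "
               f"--profile {profile}")
    return {"owner": owner, "profile": profile,
            "get": get, "set_raw_message_delivery": set_raw}


if __name__ == "__main__":
    for s in cross_account_subscriptions(LIST_SUBSCRIPTIONS_BY_TOPIC):
        topic_account = account_from_arn(s["TopicArn"])
        print(f"{s['SubscriptionArn']}: owned by {s['Owner']}, "
              f"not by the topic account {topic_account}")
        cmds = attribute_commands(s["SubscriptionArn"], LIST_SUBSCRIPTIONS_BY_TOPIC)
        print("  view:", cmds["get"])
        print("  edit:", cmds["set_raw_message_delivery"])
```

In practice, replace the constructed response with the output of `aws sns list-subscriptions-by-topic` run in the topic owner's account, and map each Owner account ID to whichever profile or assumed role your organization uses for that account.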

Delete and recreate the subscription

If you want the AWS account that owns the SNS topic to control the SNS topic subscription's attributes:

  1. Delete the existing subscription.
  2. Create the same subscription (same topic, protocol, and queue endpoint) from the account that owns the SNS topic. Attributes that were set on the old subscription, such as RawMessageDelivery or a filter policy, aren't carried over, so set them again on the new subscription.

The AWS account that owns the SNS topic is now the owner of the created subscription resource, so it can view and edit the subscription's attributes. Note: Messages published between step 1 and step 2 aren't delivered to the queue, and the SQS queue's access policy must still allow the SNS topic to send messages to the queue. If the new subscription's PendingConfirmation attribute is "true", confirm the subscription from the account that owns the queue before messages are delivered.
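The following Python is an added example, not code from the original AWS article: starting from a GetSubscriptionAttributes result for the cross-account subscription, it separates the attributes that Subscribe and SetSubscriptionAttributes accept from the read-only ones, and builds the ordered unsubscribe, subscribe (with the settable attributes re-applied), and verification commands for the delete-and-recreate procedure. The attribute values, account IDs, queue name and profile names are constructed for the example; nothing is executed against AWS.

```python
import json
import shlex

# Constructed sample (not from a real account): GetSubscriptionAttributes output
# for the cross-account SQS subscription, as returned under the queue owner's
# credentials. RawMessageDelivery and a filter policy are set so that the
# example shows what must be re-applied after recreating the subscription.
OLD_ATTRIBUTES = {
    "Owner": "444455556666",
    "RawMessageDelivery": "true",
    "FilterPolicy": json.dumps({"event_type": ["order_created"]}),
    "FilterPolicyScope": "MessageAttributes",
    "TopicArn": "arn:aws:sns:eu-central-1:111122223333:TestTopicSubOwnerSQS",
    "Endpoint": "arn:aws:sqs:eu-central-1:444455556666:cross-account-queue",
    "Protocol": "sqs",
    "PendingConfirmation": "false",
    "ConfirmationWasAuthenticated": "true",
    "SubscriptionArn": "arn:aws:sns:eu-central-1:111122223333:TestTopicSubOwnerSQS:0e7e3c2a-0000-4000-8000-000000000001",
}

# Attributes that Subscribe (--attributes) and SetSubscriptionAttributes accept.
# Everything else in the GetSubscriptionAttributes output (Owner, TopicArn,
# SubscriptionArn, PendingConfirmation, ...) is read-only and is not carried over.
SETTABLE = ("DeliveryPolicy", "FilterPolicy", "FilterPolicyScope",
            "RawMessageDelivery", "RedrivePolicy", "SubscriptionRoleArn")


def account_from_arn(arn):
    """Return the account ID field of an ARN."""
    return arn.split(":", 5)[4]


def settable_attributes(attrs):
    """Keep only the attributes that can be passed to Subscribe for the new subscription."""
    return {k: attrs[k] for k in SETTABLE if k in attrs}


def recreate_plan(attrs, owner_profile, topic_owner_profile):
    """Return the ordered (description, command) steps to move the subscription to the topic owner.

    owner_profile is the CLI profile of the account that currently owns the
    subscription (the queue owner); topic_owner_profile is the profile of the
    account that owns the topic. Both are hypothetical names for the example.
    """
    carry = settable_attributes(attrs)
    unsubscribe = (f"aws sns unsubscribe --subscription-arn {attrs['SubscriptionArn']} "
                   f"--profile {owner_profile}")
    subscribe = (f"aws sns subscribe --topic-arn {attrs['TopicArn']} "
                 f"--protocol {attrs['Protocol']} "
                 f"--notification-endpoint {attrs['Endpoint']} "
                 f"--return-subscription-arn --profile {topic_owner_profile}")
    if carry:
        # shlex.quote keeps the JSON intact when the command is pasted into a shell.
        subscribe += f" --attributes {shlex.quote(json.dumps(carry))}"
    # <new-subscription-arn> is a placeholder for the ARN printed by the subscribe step.
    verify = ("aws sns get-subscription-attributes "
              "--subscription-arn <new-subscription-arn> "
              f"--profile {topic_owner_profile}")
    return [
        ("delete the subscription from its current owner", unsubscribe),
        ("recreate it from the topic owner, re-applying the settable attributes", subscribe),
        ("confirm that Owner is now the topic account", verify),
    ]


def ownership_moved(new_attrs):
    """True when the recreated subscription is owned by the account that owns the topic."""
    return new_attrs["Owner"] == account_from_arn(new_attrs["TopicArn"])


if __name__ == "__main__":
    for description, command in recreate_plan(OLD_ATTRIBUTES, "queue-owner", "topic-owner"):
        print(f"# {description}\n{command}\n")
```

The plan deletes first and then recreates, as the article describes; between the two steps, messages published to the topic aren't delivered to the queue, so schedule the change accordingly. After the subscribe step, run the verification command with the new subscription ARN and check that Owner matches the account in TopicArn (ownership_moved above does that check on the returned attributes).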