IAM ConfirmSubscription permissions error

8/23/2019

I have an app I am trying to move to a new k8s cluster, and I am having a permissions issue when trying to ConfirmSubscription:

"sns confirmation failed. Reason: AuthorizationError: User: arn:aws:sts::-:assumed-role/-/- is not authorized to perform: 
SNS:ConfirmSubscription on resource: arn:aws:sns:-:-:topicname
status code: 403, request id: 000d2844-3a3d-5544-922a-7d9e3db07a16"

The app was able to execute a confirm subscription in the old cluster, so I assume it's an IAM issue, but the role policy it's assuming is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sns:ConfirmSubscription",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:sns:::*"
      ]
    }
  ]
}

I haven't been able to diagnose where the IAM issue is.

-- user3610360
amazon-iam
amazon-sns
kubernetes

1 Answer

8/27/2019

I was able to get this working by fully qualifying the SNS topic to which I wanted to confirm subscription:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sns:ConfirmSubscription",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:sns:us-east-1:000000000:full-topic-name-no-wildcard"
      ]
    }
  ]
}
-- user3610360
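
Why the first policy was rejected, as an added example that is not part of the original post: the checker below treats each Resource as a literal string in which only `*` and `?` are wildcards, so the empty region and account fields in `arn:aws:sns:::*` cannot match a regional topic ARN. The sample ARN and the helpers `policy_for`, `check` and `explain_mismatch` are constructed for illustration, and the model is simplified (no Condition, NotAction or NotResource).

```python
import re

ARN_FIELDS = ["arn", "partition", "service", "region", "account", "resource"]
# Constructed sample ARN (account id and topic name are placeholders).
TOPIC = "arn:aws:sns:us-east-1:123456789012:example-topic"

def _glob(pattern, value, flags=re.S):
    """Wildcard match: '*' is any run of characters, '?' is one; the rest is literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def explain_mismatch(pattern, arn):
    """Name the first ARN field where the policy pattern and the real ARN disagree."""
    for name, p, v in zip(ARN_FIELDS, pattern.split(":", 5), arn.split(":", 5)):
        if not _glob(p, v):
            return f"{name}: pattern {p!r} does not match {v!r}"
    return "pattern and ARN have a different number of fields"

def check(policy, action, arn):
    """Return (allowed, notes) for one action on one resource ARN.
    Simplified model: identity policy only, explicit Deny wins over Allow."""
    allowed, denied, notes = False, False, []
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive: "SNS:..." in the error equals "sns:..." here.
        if not any(_glob(a, action, re.S | re.I) for a in _as_list(stmt["Action"])):
            continue
        for pattern in _as_list(stmt["Resource"]):
            if _glob(pattern, arn):
                denied |= stmt["Effect"] == "Deny"
                allowed |= stmt["Effect"] == "Allow"
            else:
                notes.append(explain_mismatch(pattern, arn))
    return allowed and not denied, notes

def policy_for(resource):
    """The page's policy with one Resource entry swapped in."""
    return {"Version": "2012-10-17", "Statement": [{
        "Action": ["sns:ConfirmSubscription", "sns:Subscribe"],
        "Effect": "Allow", "Resource": [resource]}]}

if __name__ == "__main__":
    for res in ("arn:aws:sns:::*", "arn:aws:sns:*:*:*", TOPIC):
        print(res, "->", check(policy_for(res), "SNS:ConfirmSubscription", TOPIC))
```

The `arn:aws:sns:*:*:*` form is included only for comparison; the fully qualified topic ARN from the answer is the narrower grant.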
Source: StackOverflow