Background

AWS services are regional (e.g. us-west-2, us-east-1) and the boto3 library requires you to set a default region before accessing the Client or Resources. However, the documentation here shows that you can have an SNS Topic ARN with a wildcard substituted for the region. The documentation says:

Documentation: Amazon Simple Notification Service (Amazon SNS)

Syntax:

arn:aws:sns:region:account-id:topicname
arn:aws:sns:region:account-id:topicname:subscriptionid

Examples:

arn:aws:sns:*:123456789012:my_corporate_topic
arn:aws:sns:us-east-1:123456789012:my_corporate_topic:02034b43-fefa-4e07-a5eb-3be56f8c54ce

Code

When I use boto3's SNS Resource/Client to Publish to a Topic ARN (that has a wildcard for the region), I get the below error. When I don't have the wildcard for the region (e.g. I specify us-west-2), everything works. I looked into the boto3 library and it seems to just replace values in a JSON mapping (e.g. inserts Topic string) so I don't understand why this would be an invalid parameter if the documentation above shows that it's valid.

import boto3

# The client itself is created with a concrete region, as boto3 requires.
client = boto3.client('sns', region_name='us-west-2')
# Publish fails with the wildcard region below; it works when the region is literal (e.g. us-west-2).
client.publish(TopicArn='arn:aws:sns:*:123456789:some-topic', Message='SomeMessage')

Error Message

File "/Users/wliu/.virtualenvs/myenv/lib/python2.7/site-packages/botocore/client.py", line 548, in _make_api_call
raise ClientError(parsed_response, operation_name)
ClientError: An error occurred (InvalidParameter) when calling the Publish operation: Invalid parameter: TopicArn Reason: A * ARN must begin with arn:null, not arn:aws:sns:*:123456789:my_topic

1 Answer

The documentation does not show that it's valid for the context in which you are using it. You're misapplying or misinterpreting the documentation, confusing the applicability of patterns and literals. Publish requires a literal, and doesn't mention wildcards in the relevant section of the docs of the underlying API.

You can use wildcards as part of the resource ARN when specifying the resource to which an IAM policy statement applies, when the particular service supports resource-level policies.

From the SNS-specific policy language documentation:

For Amazon SNS, topics are the only resource type you can specify in a policy. Following is the Amazon Resource Name (ARN) format for topics.

Example

If you had a topic named my_topic in each of the different Regions that Amazon SNS supports, you could specify the topics with the following ARN.

arn:aws:sns:*:123456789012:my_topic

http://docs.aws.amazon.com/sns/latest/dg/UsingIAMwithSNS.html#SNS_ARN_Format

However, this is all applicable only to policies, which also support patterns like arn:aws:sns:*:123456789012:bob_*, and such a pattern would (perhaps more intuitively) not be a valid topic for a Publish request.
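As an added example (not code from the question, the answer, or boto3 itself), the following Python helpers keep the two uses apart: a literal topic ARN is checked before it is passed as TopicArn to Publish, while the region wildcard is used where it belongs, in an IAM policy Resource element. The region regex and the 12-digit account-id check are assumptions about ARN shape, not taken from the page.

```python
import re

# Literal SNS topic ARN, every field concrete, as the Publish API expects.
# Assumption: the region pattern covers the usual AWS region names
# (us-west-2, eu-central-1, us-gov-west-1, ...) and deliberately rejects "*".
LITERAL_TOPIC_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):sns:"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):"
    r"(?P<account>\d{12}):(?P<topic>[A-Za-z0-9_-]{1,256})$"
)


def parse_topic_arn(arn):
    """Return the fields of a literal topic ARN, or None if it is not one."""
    match = LITERAL_TOPIC_ARN.match(arn)
    return match.groupdict() if match else None


def is_pattern_arn(arn):
    """True when the ARN contains IAM-style wildcards (* or ?)."""
    return "*" in arn or "?" in arn


def topic_arn_for_publish(arn):
    """Validate an ARN before handing it to SNS Publish as TopicArn.

    Raises ValueError for patterns (only IAM policies accept those) and for
    strings that do not parse as a concrete topic ARN at all, so the bad
    value is caught locally instead of as an InvalidParameter from the API.
    """
    if is_pattern_arn(arn):
        raise ValueError(
            "Publish needs a literal topic ARN; wildcard patterns such as %r "
            "belong in an IAM policy Resource element" % arn
        )
    if parse_topic_arn(arn) is None:
        raise ValueError("not a well-formed SNS topic ARN: %r" % arn)
    return arn


def publish_policy_statement(account_id, topic_name):
    """Least-privilege IAM statement allowing Publish to one topic name in
    every region; this is the place where the region wildcard is legitimate."""
    return {
        "Effect": "Allow",
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:*:%s:%s" % (account_id, topic_name),
    }
```

The value returned by topic_arn_for_publish is what you would pass as TopicArn to client.publish; the statement from publish_policy_statement goes into the Statement list of the caller's IAM policy.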