Cross Account SNS Subscribe to Lambda in second account

0
votes

I have used the below policy for the SNS topic to subscribe this SNS in Lambda with account number as 222222222222. I have also given access to my lambda with a similar policy adding it to the execution role of Lambda.

Getting the error below:

An error occurred when creating the trigger: User: arn:aws:sts::222222222222:assumed-role/TSI_Base_FullAccess/AXXXXXXXX is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:eu-west-1:111111111111:Story-5555 (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 1321942c-25c4-52a1-bacb-c2e9bd641067)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1582008007178",
      "Action": [
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:Publish",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS"
        }
      }
    }
  ]
}
1
amazon-web-servicesaws-lambdaamazon-sns
Shouldn't you pyt arn:aws:sts::222222222222:assumed-role/TSI_Base_FullAccess/AXXXXXXXX as primcipal in the policy?Robert Navado
Please provide function role too and cross account configRobert Navado

1 Answers

0
votes

According AWS Documentation you should specify principle additionally to the condition.

So your policy should resemble

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1582008007178",
      "Action": [
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:Publish",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
      "Principal": {
        "AWS": ["222222222222"]
      },
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": [
               "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS",
               "arn:aws:sts::222222222222:assumed-role:TSI_Base_FullAccess:AXXXXXXXX"
          ]
        }
      }
    }
  ]
}

The way to be sure which ARN to specify in the condition section of the policy is to call (and print) get-caller-identity API from your function.