I want to publish a message from an EC2 instance in my AWS account (111222333) to an SNS topic owned by another AWS account (444555666). The topic owner gave full permissions to my EC2 role. While publishing the message to the topic I get an AuthorizationErrorException.

import boto3
import json

aws_region = 'us-east-1'
# boto3.client takes the region as region_name, not region
client = boto3.client('sns', region_name=aws_region)

message = {"foo": "bar"}

# topic in the other account
topic_arn = "arn:aws:sns:us-east-1:444555666:my_topic"

response = client.publish(
    TopicArn=topic_arn,
    Message=json.dumps({'default': json.dumps(message)}),
    MessageStructure='json'
)

botocore.errorfactory.AuthorizationErrorException: An error occurred (AuthorizationError) when calling the Publish operation: User: arn:aws:sts::111222333:assumed-role/ecsec2role/i-0121fggsfdf56 is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:444555666:my_topic.

Do I need to specify anywhere which role my EC2 instance should use to run my script?
1 Answer

The EC2 instance assumes the role you attached with the instance profile. Boto3 uses this role by default. You can view the role attached inside the EC2 console, or change the role from there.

The role has to be part of an Allow statement in the SNS topic policy inside the other account!

But also on your side the role needs to have explicit permission to publish to SNS (sns:Publish)!
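As an added illustration of the two-sided check this answer describes (example code, not from the original post or from AWS), the following constructs the topic policy and the role policy for the question's account ids and evaluates whether the assumed-role session from the error message may publish. It is a simplified model of the real cross-account evaluation: an explicit Deny on either side wins, otherwise both the identity policy and the topic policy must Allow.

```python
from fnmatch import fnmatchcase

# Constructed for the question's scenario; account ids are the placeholders from the post.
TOPIC_ARN = "arn:aws:sns:us-east-1:444555666:my_topic"
SESSION_ARN = "arn:aws:sts::111222333:assumed-role/ecsec2role/i-0121fggsfdf56"

# Resource-based policy on the topic (account 444555666) naming the foreign role.
TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111222333:role/ecsec2role"},
    "Action": "SNS:Publish", "Resource": TOPIC_ARN}]}

# Identity-based policy attached to the role (account 111222333).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sns:Publish", "Resource": TOPIC_ARN}]}

def session_to_role(arn):
    """Map an assumed-role session ARN (the form printed in the error) to the
    IAM role ARN, which is the principal form a topic policy matches against."""
    p = arn.split(":")
    if p[2] == "sts" and p[5].startswith("assumed-role/"):
        return f"arn:aws:iam::{p[4]}:role/{p[5].split('/')[1]}"
    return arn

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _effects(policy, action, resource, principal=None):
    """Yield the Effect of each statement matching action/resource (and principal, if given)."""
    for s in policy["Statement"]:
        if principal is not None:
            allowed = _as_list(s.get("Principal", {}).get("AWS", []))
            root = f"arn:aws:iam::{principal.split(':')[4]}:root"  # account-level grant
            if not any(a in ("*", principal, root) for a in allowed):
                continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(s["Action"])):
            continue  # action names are case-insensitive
        if not any(fnmatchcase(resource, r) for r in _as_list(s["Resource"])):
            continue  # resource ARNs are case-sensitive
        yield s["Effect"]

def can_publish(role_policy, topic_policy, caller_arn, topic_arn, action="sns:Publish"):
    """Cross-account decision: explicit Deny anywhere wins; otherwise both sides must Allow."""
    role = session_to_role(caller_arn)
    identity = list(_effects(role_policy, action, topic_arn))
    resource = list(_effects(topic_policy, action, topic_arn, principal=role))
    if "Deny" in identity or "Deny" in resource:
        return False
    return "Allow" in identity and "Allow" in resource
```

Dropping either policy's Allow statement makes can_publish return False, which is exactly the AuthorizationError case in the question: the topic owner's grant alone is not enough without sns:Publish on the role.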