How do I troubleshoot cross-account pass role that’s not allowed when trying to subscribe Kinesis Firehose endpoint to the SNS topic?

2 minute read

I’m encountering the error message ‘Cross-account pass role is not allowed’ when subscribing the Amazon Kinesis Data Firehose to the Amazon Simple Notification Service (SNS) topic.

Short description

You've configured an Amazon Simple Notification Service (SNS) topic in account A and the Amazon Kinesis Data Firehose in account B. To create a cross-account subscription between SNS and the Kinesis Data Firehose, confirm the following:

The subscriptions are created in account B that also has the Kinesis Data Firehose.
The subscription has an AWS Identity and Access Management (IAM) role, with Kinesis permissions.
The IAM role's trust policy is updated to allow the SNS service assume the role.
The SNS topic's access policy in account A allows account B to perform the SNS:Subscribe action.

Resolution

Confirm that the subscription is created in account B that also has the Kinesis Data Firehose

Create the subscription in account B as follows:

Log in to the AWS Management Console and navigate to the Amazon SNS console.
Choose Subscriptions. Then, select Create Subscriptions.
Create an Amazon Data Firehose subscription. For more information, see Subscribing a Kinesis Data Firehose delivery stream to an Amazon SNS topic.

Confirm that the IAM role has the Kinesis permissions and the associated trust policy allows the SNS service to assume the role

The subscription requires an IAM role that trusts the Amazon SNS service principal and has permission to write to the delivery stream. At a minimum, the policy must provide permissions to run the PutRecord operation on a specific delivery stream. For more information, see Prerequisites for subscribing Kinesis Data Firehose delivery streams to Amazon SNS topics.

Confirm that the access policy of the SNS topic in account A allows account B to perform the SNS:Subscribe action

Account B needs the appropriate permissions to access the SNS topic in account A and perform the SNS:Subscribe action. For more information, see Grant AWS account access to a topic.
Note: You can update the access policy in account A to implement more stringent permissions and access conditions.

Topics

Application Integration

Relevant content

Could not access Kinesis Firehose Stream using IAM role
AWS-User-6373364
asked 2 years ago
Streaming data to an HTTP endpoint with Amazon Kinesis Data Firehose
UdAWS
asked 2 years ago
Can we publish SNS PushNotification to crossaccount endpoints?
AWS-User-5922847
asked 2 years ago
configservice subscribe requires sns-topic, but console does not
someawsuser1234
asked 5 years ago
Solution to subscribe to an SNS topic from different region - aws-managed-waf-rule-notifications
Accepted Answer
Andre
asked 5 months ago
Why do I get an authorization error when I try to subscribe my Lambda function to my Amazon SNS topic?
AWS OFFICIALUpdated 2 years ago
How do I resolve authorization errors when trying to add subscribers to an Amazon SNS topic?
AWS OFFICIALUpdated 5 months ago
How do I troubleshoot an Amazon SNS topic that’s not receiving notifications from AWS Cost Anomaly Detection?
AWS OFFICIALUpdated 10 months ago
How do I troubleshoot issues when I subscribe an HTTP(S) endpoint to my Amazon SNS topic?
AWS OFFICIALUpdated 4 months ago
How do I find the SMTP clients using deprecated TLS versions?
EXPERT
Jonathan_D
published 6 months ago