I want to resolve AWS Identity and Access Management (IAM) authorization errors that I receive when I add subscribers to my Amazon Simple Notification Service (Amazon SNS) topic.
Short description
When an IAM entity tries to add a subscription to an Amazon SNS topic without Subscribe API action permissions, SNS returns the following error:
An error occurred (AuthorizationError) when calling the Subscribe operation: User: your_IAM_user_or_role is not authorized to perform: sns:Subscribe on resource: YOUR_SNS_TOPIC_ARN
Note: The IAM entity might be an IAM user or role.
To resolve the error, grant the IAM entity permission to run the Subscribe API action on the Amazon SNS topic.
If you receive a similar error that ends in an "explicit deny"
Remove any policy statements that explicitly deny the IAM entity access to the SNS resource.
Resolution
If the IAM entity and the SNS topic are in different AWS accounts
Do both of the following:
Attach an IAM policy statement to the IAM entity that allows the entity to run the "sns:Subscribe" action
For instructions, see Adding and removing IAM identity permissions. Attach the following example IAM policy statement:
Important: Replace "YOUR_SNS_TOPIC_ARN" with your Amazon SNS topic's Amazon Resource Name (ARN).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SNSSubscribePermission",
      "Effect": "Allow",
      "Action": "sns:Subscribe",
      "Resource": "YOUR_SNS_TOPIC_ARN"
    }
  ]
}
Attach an Amazon SNS policy statement to your topic's access policy that allows the IAM entity to run the "sns:Subscribe" action
For instructions, see How do I edit my Amazon SNS topic's access policy? Attach the following example Amazon SNS policy statement:
Important: Replace "YOUR_IAM USER/ROLE_ARN" with your IAM entity's ARN. Replace "YOUR_SNS_TOPIC_ARN" with your Amazon SNS topic's ARN.
{
  "Sid": "AllowIAMEntity",
  "Effect": "Allow",
  "Principal": {
    "AWS": "YOUR_IAM USER/ROLE_ARN"
  },
  "Action": "sns:Subscribe",
  "Resource": "YOUR_SNS_TOPIC_ARN"
}
If the IAM entity and the SNS topic are in the same account
Do either of the following:
Attach an IAM policy statement to the IAM entity that allows the entity to run the "sns:Subscribe" action.
-or-
Attach an Amazon SNS policy statement to your topic's access policy that allows the IAM entity to run the "sns:Subscribe" action.
For example policy statements, see the If the IAM entity and the SNS topic are in different AWS accounts section of this article.
Verify that neither the IAM entity's policy nor the SNS topic's access policy explicitly denies access to the SNS resource
Review the IAM entity's policy and the SNS topic's access policy. Then, remove any policy statements that explicitly deny the IAM entity access to the SNS resource.
For more information, see The difference between explicit and implicit denies.
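To make the three rules above concrete (a cross-account subscriber needs an allow in both policies, a same-account subscriber needs an allow in either, and an explicit deny in either policy always wins), here is an added Python example that is not from this article and is not AWS's policy evaluation engine. It simulates that logic locally on constructed ARNs and policy documents, matching actions and resources exactly or by "*" only.

```python
# Added example (not from the article): a local simulation of the authorization
# rules the article describes for sns:Subscribe, so the same-account,
# cross-account and explicit-deny cases can be checked without calling AWS.
# It is a simplification of IAM evaluation; all ARNs and policies are constructed.
def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _account_of(arn):
    return arn.split(":")[4]  # arn:partition:service:region:account-id:resource

def _matches(stmt, action, resource, principal_arn=None):
    """True when the statement covers this action, resource and (topic policy only) principal."""
    for wanted, field in ((action, "Action"), (resource, "Resource")):
        values = _as_list(stmt.get(field))
        if wanted not in values and "*" not in values:
            return False
    if principal_arn is not None:  # resource-based policy: Principal must match too
        principal = stmt.get("Principal", {})
        allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if principal_arn not in allowed and "*" not in allowed:
            return False
    return True

def _evaluate(statements, action, resource, principal_arn=None):
    """Return 'Deny', 'Allow' or None (implicit deny); an explicit Deny beats any Allow."""
    verdict = None
    for stmt in statements:
        if _matches(stmt, action, resource, principal_arn):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

def subscribe_allowed(identity_policy, topic_policy, principal_arn, topic_arn):
    """Decide whether principal_arn may call sns:Subscribe on topic_arn."""
    identity = _evaluate(identity_policy["Statement"], "sns:Subscribe", topic_arn)
    resource = _evaluate(topic_policy["Statement"], "sns:Subscribe", topic_arn, principal_arn)
    if "Deny" in (identity, resource):
        return False  # an explicit deny in either policy blocks the call
    if _account_of(principal_arn) == _account_of(topic_arn):
        return identity == "Allow" or resource == "Allow"  # same account: either policy suffices
    return identity == "Allow" and resource == "Allow"  # cross-account: both are required
# Constructed sample data shaped like the article's two example statements.
ROLE = "arn:aws:iam::111111111111:role/subscriber"
TOPIC = "arn:aws:sns:us-east-1:222222222222:orders"
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "SNSSubscribePermission",
    "Effect": "Allow", "Action": "sns:Subscribe", "Resource": TOPIC}]}
TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "AllowIAMEntity", "Effect": "Allow",
    "Principal": {"AWS": ROLE}, "Action": "sns:Subscribe", "Resource": TOPIC}]}
```

Calling subscribe_allowed with the sample data returns True; removing either policy's statement in the cross-account case returns False, while a same-account role (account 222222222222) is allowed with only one of them.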
Related information
Using identity-based policies with Amazon SNS