AuthorizationError when confirming SNS subscription over HTTP

I'm writing a simple SNS client that is meant to subscribe itself to an SNS topic and then listen for notifications. I can successfully submit a sns.subscribe request, but when I pick up the SubscriptionConfirmation POST message from AWS and try and respond using sns.confirmSubscription I get an AuthorizationError returned:

[AuthorizationError: User: arn:aws:iam::xxx:user/mv-user is not authorized to perform: SNS:ConfirmSubscription on resource: arn:aws:sns:us-east-1:xxx:*]

If I use exactly the same Token and TopicArn in a GET query to the server the subscription confirmation works fine, with no authentication.

Any ideas why it's not working? My SNS topic is wide open with publish/subscribe permissions set to 'Everyone'.

For reference, my code is something like this:


        var params = {
            TopicArn: topicArn,  // e.g. arn:aws:sns:us-east-1:xxx:yyy
            Token: token         // long token extracted from POST body
        };

        sns.confirmSubscription(params, function (err, data) {
            if (err) {
                // BOOOM - keep getting here with AuthorizationError
            } else {
                // Yay. Worked, but never seem to get here :(
            }
        });

However, if I navigate to the URL similar to this in a browser (ie completely unauthenticated), it works perfectly:

http://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=<token>&TopicArn=arn%3Aaws%3Asns%3Aus-east-1%3Axxx%3Ayyy&Version=2010-03-31

The only differences seem to be the inclusion of 'Authorization' and 'Signature' headers in the programmatic version (checked using Wireshark).

Any ideas? Thanks in advance!

Update

In my code, if I just programmatically do a simple GET request to the SubscribeURL in the SubscriptionConfirmation message this works fine. Just seems odd that the confirmSubscription API call doesn't work. Will probably stick to this workaround for now.

Update 2

Also get the same error when calling sns.unsubscribe although, again, calling the UnsubscribeURL in each notification works. Seems other people have run into that issue too but can't find any solutions.


The error says it all:

[AuthorizationError: User: arn:aws:iam::xxx:user/mv-user is not authorized to perform: SNS:ConfirmSubscription on resource: arn:aws:sns:us-east-1:xxx:*]

is basically telling you that the IAM user you're using to call ConfirmSubscription doesn't have the proper permissions to do so. Best bet is to update the permissions for that IAM user, specifically adding ConfirmSubscription permissions.

(Based on your comments, even though the documentation says otherwise, the error is pretty specific... might be worth following up directly with AWS about this issue, since either the error message or documentation is incorrect).


I faced a similar issue while developing my application. The way I ended up solving it is the following:

  • go to IAM and click on your user
  • go to the permissions tab and click on "Attach Policy"
  • use the filter to filter for "AmazonSNSFullAccess"
  • Attach the above policy to your user.
  • The above should take care of it.

    If you wanna be fancy you can create a custom policy that is based on "AmazonSNSFullAccess" and apply it to your user instead.

    The custom policy would be something similar to the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sns:ConfirmSubscription"
                ],
                "Effect": "Allow",
                "Resource": "YOUR_RESOURCE_ARN_SHOULD_BE_HERE"
            }
        ]
    }
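
Added example, not part of the question or either answer: the workaround from the question's first update (an unsigned GET to the SubscribeURL) with the checks an HTTP endpoint should make before fetching a URL taken from a POST body. The topic ARN is a placeholder, the sample message is constructed, and the function names are hypothetical.

```javascript
'use strict';
const https = require('https');

// Assumption: the single topic this endpoint subscribes to (placeholder ARN).
const EXPECTED_TOPIC_ARN = 'arn:aws:sns:us-east-1:123456789012:example-topic';
// Regional SNS endpoint host names in the standard AWS partition.
const SNS_HOST = /^sns\.[a-z0-9-]+\.amazonaws\.com$/;

// Returns the URL to fetch, or throws if the message must not be acted on.
function confirmationUrl(rawBody, expectedTopicArn) {
  const msg = JSON.parse(rawBody);
  if (msg.Type !== 'SubscriptionConfirmation') throw new Error('not a confirmation');
  if (msg.TopicArn !== expectedTopicArn) throw new Error('unexpected topic');
  const url = new URL(msg.SubscribeURL);
  // Policy of this example: only follow https links to an SNS host,
  // so a forged POST cannot make the server fetch an arbitrary address.
  if (url.protocol !== 'https:') throw new Error('SubscribeURL is not https');
  if (!SNS_HOST.test(url.hostname)) throw new Error('SubscribeURL host is not SNS');
  if (url.username || url.password || url.port) throw new Error('unexpected URL parts');
  const q = url.searchParams;
  if (q.get('Action') !== 'ConfirmSubscription') throw new Error('wrong action');
  if (q.get('TopicArn') !== expectedTopicArn) throw new Error('topic mismatch');
  if (q.get('Token') !== msg.Token) throw new Error('token mismatch');
  return url.href;
}

// Unsigned GET, equivalent to opening the link in a browser.
function confirm(rawBody, expectedTopicArn, done) {
  let target;
  try { target = confirmationUrl(rawBody, expectedTopicArn); } catch (e) { return done(e); }
  https.get(target, (res) => {
    res.resume(); // discard the XML response body
    done(res.statusCode === 200 ? null : new Error('HTTP ' + res.statusCode));
  }).on('error', done);
}

// Constructed sample message; the host is a parameter so rejection can be shown.
function sampleMessage(host) {
  const token = 'constructed-token';
  const q = new URLSearchParams({
    Action: 'ConfirmSubscription', TopicArn: EXPECTED_TOPIC_ARN, Token: token });
  return JSON.stringify({ Type: 'SubscriptionConfirmation',
    TopicArn: EXPECTED_TOPIC_ARN, Token: token,
    SubscribeURL: 'https://' + host + '/?' + q });
}
```

These checks cover only where the URL points; verifying the message's Signature against the certificate at its SigningCertURL is a separate step not shown here.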
    