I would like to create Amazon SNS topics dynamically in code. I am using the AWS Mobile Hub sdk for iOS.
When I try to create a topic
…
AWSSNSCreateTopicInput* input = [AWSSNSCreateTopicInput new];
NSString* name = @"topic_name";
[input setName:name];
[[[[AWSSNS defaultSNS] createTopic:input] continueWithSuccessBlock:^id _Nullable(AWSTask<AWSSNSCreateTopicResponse *> * _Nonnull task)
…
I get an error from AWS:
<Message>User: (role/credentials) is not authorized to perform: SNS:CreateTopic on resource: (topic)</Message>
(role/credentials) represents the IAM role and its Cognito credentials. (topic) is the ARN of the topic I have requested by giving a topic name.
AWS Mobile Hub created the following push policy for my Mobile Hub role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:CreatePlatformEndpoint",
        "sns:GetEndpointAttributes",
        "sns:SetEndpointAttributes"
      ],
      "Resource": [
        "(APN role arn)"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sns:Subscribe",
        "sns:Publish",
        "sns:Unsubscribe"
      ],
      "Resource": [
        "(dynamodb role arn)",
        "(Mobile Hub Role arn)"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sns:ListTopics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
I tried adding the line
"sns:CreateTopic",
to the middle set of permissions (just above "sns:Subscribe"), but that did not solve the error. From the error message and reading the AWS docs it seems I have to attach a policy to each topic I create in order to use it. Here are two snippets from the AWS docs that may be relevant:
The following example shows the permissions that are automatically created by AWS Config for a new topic. This policy statement allows AWS Config to publish to a specified Amazon SNS topic.
If you want to use an existing SNS topic from another account or you set up your delivery channel using the API, make sure to attach the following policy to the SNS topic.
{
  "Id": "Policy1415489375392",
  "Statement": [
    {
      "Sid": "AWSConfigSNSPolicy20150201",
      "Action": [
        "SNS:Publish"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:region:account-id:myTopic",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      }
    }
  ]
}
and
IAM Role Policy for Amazon SNS Topic
Use this example policy as a model for granting AWS Config permissions to access your SNS topic:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "yourSNStopicARN"
    }
  ]
}
This is all I've been able to find about creating topics using an sdk. Can anyone provide or point me to a complete example?
The AWS Forum for Amazon SNS (Simple Notification Service), the service backing mobile push, may be a better place to get help on this topic.
https://forums.aws.amazon.com/forum.jspa?forumID=72
The issue appears to be that the appropriate mobile app user IAM role does not have permission to create the topic. Mobile Hub does not give mobile app users permissions to create SNS topics by default. You should add the sns:CreateTopic permission to the statement that has sns:ListTopics, like this...
{
  "Effect": "Allow",
  "Action": [
    "sns:ListTopics",
    "sns:CreateTopic"
  ],
  "Resource": [
    "*"
  ]
}
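The following is an added worked example, not code from the question, the answer or the AWS SDK. It is a small model of IAM identity-policy evaluation (Effect, Action and Resource with the "*" and "?" wildcards; explicit Deny beats Allow beats implicit deny; no Condition, NotAction, NotResource, permissions boundaries or resource-based topic policies) used to reproduce why the asker's first attempt failed and the answer's fix works: sns:CreateTopic was added to a statement whose Resource list names only existing ARNs, so the ARN of the not-yet-existing topic never matched, while the ListTopics statement has Resource "*". The account ID, region, ARNs and the "topic_" name prefix are constructed for the example; the prefix-scoped variant assumes the app names its topics with a common prefix and is shown as a tighter alternative to "*", since the error message in the question names the topic ARN as the resource being authorized.

```python
"""Constructed IAM identity-policy evaluator for the SNS:CreateTopic denial.

Not AWS's authorization engine: models Effect/Action/Resource with IAM glob
wildcards and the rule explicit Deny > Allow > implicit deny. Ignores
Condition, NotAction/NotResource, boundaries and resource-based policies.
All account/region/ARN values are made up.
"""
import copy
import re

ACCOUNT = "123456789012"   # constructed account ID
REGION = "us-east-1"       # constructed region
PLATFORM_APP_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:app/APNS/ExampleApp"   # stands in for "(APN role arn)"
EXISTING_TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:existingTopic"       # stands in for the listed ARNs
NEW_TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:topic_name"   # ARN of the topic the app tries to create
OTHER_TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:admin_alerts"  # a topic the app should not be able to create


def _matches(pattern, value, case_sensitive):
    """IAM-style glob match: '*' is any run of characters, '?' one character, anchored."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Return (decision, index of the deciding statement or None).

    Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
    """
    decision, deciding = "implicitDeny", None
    for idx, stmt in enumerate(policy["Statement"]):
        action_hit = any(_matches(p, action, False) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource, True) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny", idx   # an explicit deny ends evaluation
        decision, deciding = "allow", idx
    return decision, deciding


def mobile_hub_policy():
    """The generated Mobile Hub push policy from the question, with constructed ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["sns:CreatePlatformEndpoint", "sns:GetEndpointAttributes",
                        "sns:SetEndpointAttributes"],
             "Resource": [PLATFORM_APP_ARN]},
            {"Effect": "Allow",
             "Action": ["sns:Subscribe", "sns:Publish", "sns:Unsubscribe"],
             "Resource": [EXISTING_TOPIC_ARN]},
            {"Effect": "Allow", "Action": ["sns:ListTopics"], "Resource": ["*"]},
        ],
    }


def with_create_topic(policy, statement_index):
    """Copy of policy with sns:CreateTopic appended to Statement[statement_index].
    Index 1 is what the question tried; index 2 is what the answer recommends."""
    new = copy.deepcopy(policy)
    new["Statement"][statement_index]["Action"].append("sns:CreateTopic")
    return new


def with_prefix_scoped_create_topic(policy, prefix="topic_"):
    """Copy of policy with a separate statement allowing CreateTopic only for
    topics in this account/region whose name starts with `prefix` (assumed naming rule)."""
    new = copy.deepcopy(policy)
    new["Statement"].append({
        "Effect": "Allow",
        "Action": ["sns:CreateTopic"],
        "Resource": [f"arn:aws:sns:{REGION}:{ACCOUNT}:{prefix}*"],
    })
    return new


def scenarios(action="sns:CreateTopic", resource=NEW_TOPIC_ARN):
    """Decision for the same request under each policy variant discussed."""
    base = mobile_hub_policy()
    return {
        "generated": evaluate(base, action, resource)[0],
        "middle_statement": evaluate(with_create_topic(base, 1), action, resource)[0],
        "wildcard_statement": evaluate(with_create_topic(base, 2), action, resource)[0],
        "prefix_scoped": evaluate(with_prefix_scoped_create_topic(base), action, resource)[0],
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"CreateTopic on {NEW_TOPIC_ARN} with {name:>18}: {decision}")
    print("prefix-scoped policy on", OTHER_TOPIC_ARN, "->",
          scenarios(resource=OTHER_TOPIC_ARN)["prefix_scoped"])
```

The model shows the two points a reviewer of this policy would make. First, CreateTopic authorizes against the ARN of the topic being created, so it can only succeed in a statement whose Resource pattern covers that ARN; appending it next to sns:Subscribe, whose resources are specific existing ARNs, is a no-op for any new name. Second, the "*" fix grants every Cognito-authenticated app user the ability to create topics anywhere the role's credentials reach, so where the app's topic names follow a convention, an ARN pattern such as the prefix-scoped statement above keeps the grant to those names and still implicitly denies the rest.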