Tags: amazon-ec2, boto3, amazon-sns, amazon-iam, ssm

error when using EC2 SNS with SSM (Systems Manager)


I'm trying to use AWS's SNS with SSM but getting an error about roles.

Here's the error:

botocore.errorfactory.InvalidRole: An error occurred (InvalidRole) when calling the SendCommand operation: ServiceRoleArn is not valid: arn:aws:iam::<account #>:role/FullSNS

Here's the relevant code:

import boto3

# SSM client; the region must match the instance and the SNS topic (us-east-1 here)
client = boto3.client('ssm')

response = client.send_command(
    InstanceIds=[
        '<instance id>',
    ],
    DocumentName='AWS-RunShellScript',
    Parameters={
        'commands': [
            '<command>',
        ],
        'workingDirectory': [
            '<directory>',
        ],
    },
    OutputS3BucketName='<s3 bucket>',
    # role that SSM assumes in order to publish the command-status notification
    ServiceRoleArn='arn:aws:iam::<account #>:role/FullSNS',
    NotificationConfig={
        'NotificationArn': 'arn:aws:sns:us-east-1:<account #>:MyTestTopic',
        'NotificationEvents': [
            'All',
        ],
        'NotificationType': 'Command',
    },
)

And here's the policy on that role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sns:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

The above is with boto3 but I get the same error if I try it within the console.


Solution

  • I wish the AWS documentation was more clear on this point, but I also had to edit the trust relationship on that IAM role to look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
             "Service": "ssm.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
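The point of the accepted answer is that the permissions policy on the role is irrelevant until the role's trust policy names ssm.amazonaws.com as a principal allowed to call sts:AssumeRole; SendCommand validates that first and returns InvalidRole otherwise. The script below is an added example, not code from the question or the answer: it builds the trust policy the answer describes, builds a least-privilege permissions policy (sns:Publish on the single topic instead of the sns:* on * from the question), checks a trust document offline for the SSM principal, and creates or repairs the role with boto3. The account id, region, role name and topic ARN are placeholders, and the aws:SourceAccount / aws:SourceArn condition is the usual confused-deputy guard written as an assumed pattern for SSM, so check it against the current Systems Manager documentation before relying on it.

```python
import json

# Placeholders assumed for this example; substitute your own values.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT_ID}:MyTestTopic"
ROLE_NAME = "SsmCommandNotifications"  # assumed role name, not the FullSNS role from the question


def trust_policy(account_id: str, region: str) -> dict:
    """Trust policy that lets the Systems Manager service assume the role.

    Without a statement like this, SendCommand rejects the role with InvalidRole
    regardless of the permissions attached to it. The Condition block is a
    confused-deputy guard (assumed pattern: SSM resources in this account and
    region) so SSM cannot be induced to assume the role on another account's behalf.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ssm.amazonaws.com"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {"aws:SourceArn": f"arn:aws:ssm:{region}:{account_id}:*"},
                },
            }
        ],
    }


def permissions_policy(topic_arn: str) -> dict:
    """Least-privilege permissions: SSM only needs to publish to the one topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sns:Publish", "Resource": topic_arn}
        ],
    }


def ssm_can_assume(trust_doc: dict) -> bool:
    """Offline check of a trust policy document: is there an Allow statement
    granting sts:AssumeRole to the ssm.amazonaws.com service principal?"""
    for stmt in trust_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anyone may assume: passes the check, never acceptable in practice
            return True
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if "ssm.amazonaws.com" in services:
            return True
    return False


def ensure_notification_role(role_name: str, account_id: str, region: str, topic_arn: str) -> str:
    """Create the role, or repair the trust policy of an existing one, attach the
    publish permission, and return the ARN to pass as ServiceRoleArn."""
    import boto3  # imported here so the pure policy helpers work without boto3 installed

    iam = boto3.client("iam")
    trust = json.dumps(trust_policy(account_id, region))
    try:
        iam.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=trust,
            Description="Assumed by SSM to publish command-status notifications",
        )
    except iam.exceptions.EntityAlreadyExistsException:
        # Existing role (e.g. one created with only a permissions policy): fix its trust policy.
        iam.update_assume_role_policy(RoleName=role_name, PolicyDocument=trust)
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName="PublishSsmNotifications",
        PolicyDocument=json.dumps(permissions_policy(topic_arn)),
    )
    return f"arn:aws:iam::{account_id}:role/{role_name}"


if __name__ == "__main__":
    doc = trust_policy(ACCOUNT_ID, REGION)
    print("SSM may assume role:", ssm_can_assume(doc))
    print(json.dumps(doc, indent=2))
```

Run it with credentials that can manage IAM to create the role, then pass the returned ARN as ServiceRoleArn in send_command; ssm_can_assume is the same test you can apply to the output of get_role on an existing role to confirm the trust relationship is the cause before touching permissions.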