Tags: amazon-web-services, aws-lambda, aws-cloudformation, amazon-sns

Do I need to also add a trigger after using AWS::SNS::Subscription?


I have an SNS topic defined as follows:

  SlmExceedenceTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName:
        Fn::Sub: ${AWS::StackName}-slm-exceedence-topic
      Tags:
        - Key: Environment
          Value: !Ref Environment

and I want a Lambda function ExceedenceProcessor to be executed once we have a notification in the SNS. I have thus added the following Subscription:

  ExceedenceProcessorSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint:
        Fn::GetAtt: ExceedenceProcessor.Arn
      Protocol: lambda
      TopicArn: !Ref SlmExceedenceTopic

This correctly adds the subscription and I can even see it from the SNS subscriptions. However, my function is never executed. I can only get it to execute if I manually add a trigger to the Lambda function targeting the SNS. Isn't adding just a Subscription enough?


Solution

The "user" does not invoke the Lambda function. Rather, it is the Amazon SNS service that invokes the Lambda function. That is why the error is saying "User: sns.amazonaws.com is not authorized".

You should add permissions in the Lambda function to allow Amazon SNS to invoke it:

Amazon Lambda permissions

If your CloudFormation template is creating the AWS Lambda function, it can add these permissions using AWS::Lambda::Permission - AWS CloudFormation.
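The following template is an added example (not code from the question or the answer above) that puts the pieces together: the topic and subscription from the question, plus the AWS::Lambda::Permission resource the answer points to. The execution role and the inline handler body are assumptions, since the question does not show how ExceedenceProcessor is defined; the logical names SlmExceedenceTopic, ExceedenceProcessor and the Environment parameter are taken from the question.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original post): an SNS topic that invokes a
  Lambda function, with the resource-based permission SNS needs.

Parameters:
  Environment:
    Type: String
    Default: dev

Resources:
  SlmExceedenceTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub ${AWS::StackName}-slm-exceedence-topic
      Tags:
        - Key: Environment
          Value: !Ref Environment

  # Assumed execution role (the question does not show one). Only the
  # basic execution policy is attached: enough to write CloudWatch logs.
  ExceedenceProcessorRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  # Assumed function body (the question does not show the handler).
  ExceedenceProcessor:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt ExceedenceProcessorRole.Arn
      Code:
        ZipFile: |
          import json

          def handler(event, context):
              # SNS delivers one or more records; log each message body.
              for record in event["Records"]:
                  print(json.dumps(record["Sns"]["Message"]))
              return {"processed": len(event["Records"])}

  # The subscription from the question: tells SNS where to deliver.
  ExceedenceProcessorSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !GetAtt ExceedenceProcessor.Arn
      Protocol: lambda
      TopicArn: !Ref SlmExceedenceTopic

  # The missing piece: a resource-based policy statement on the function
  # that lets the SNS service principal invoke it. SourceArn scopes the
  # grant to this one topic, so no other topic (in this or another
  # account) can use the same statement to invoke the function.
  ExceedenceProcessorInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref ExceedenceProcessor
      Principal: sns.amazonaws.com
      SourceArn: !Ref SlmExceedenceTopic
```

The subscription only tells SNS where to deliver; the permission is what lets the SNS service principal actually call the function, which is why the console "trigger" (which creates both) worked while the template alone did not. Keep SourceArn on the permission: a statement with just `Principal: sns.amazonaws.com` and no SourceArn would allow any SNS topic in any account to invoke the function. After deployment, `aws lambda get-policy --function-name <function-name>` shows the resulting policy so the statement and its condition can be checked.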