How do I resolve an "authorization error" when attempting to view or modify a cross-account SQS subscription's attributes on the Amazon SNS console?


I subscribed my Amazon Simple Queue Service (Amazon SQS) queue to an Amazon Simple Notification Service (Amazon SNS) topic in a different AWS account. When viewing or editing my cross-account subscription’s attributes from the Amazon SNS console, I get an "authorization error" that I need to resolve.

Short description

If you create an SNS topic subscription for an SQS queue from an account that doesn't own the topic, then the account that owns the SQS queue owns the subscription. If you then try to view or edit the subscription's attributes from the account that owns the SNS topic, you get an authorization error, because that account is not the subscription's owner.

Note: Permissions to view and edit a subscription can't be granted through SNS topic policy actions, so the topic owner can't work around the error by editing the topic policy. Use one of the following solutions instead.

Resolution

Using the AWS console

  1. Open the Amazon SNS console in the account that owns the SNS topic.
  2. In the navigation pane, choose Topics.
  3. Choose the name of the topic. Then, from the Subscriptions tab, copy the Subscription ID of the SQS queue subscription.
  4. Open the Amazon SNS console in the account that owns the SQS queue.
  5. On the Subscriptions menu option, choose the Subscription ID that you copied in step 3.
  6. View and edit the subscription attributes as needed.

Using GetSubscriptionAttributes

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

View subscription attributes by calling GetSubscriptionAttributes from the account that created the subscription, using the AWS Command Line Interface (AWS CLI) or an SDK. To run this command, the IAM user or role must have permissions for the SNS actions GetSubscriptionAttributes and SetSubscriptionAttributes.

The following example calls GetSubscriptionAttributes from the AWS CLI, passing SubscriptionArn as the request parameter. To retrieve the SubscriptionArn, use ListSubscriptionsByTopic. In the output, note that Owner (the account that owns the queue) differs from the account in TopicArn (the account that owns the topic).

aws sns get-subscription-attributes --subscription-arn arn:aws:sns:eu-central-1:1234567890:TestTopicSubOwnerSQS:53XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
{
  "Attributes": {
    "Owner": "9876543210",
    "RawMessageDelivery": "false",
    "TopicArn": "arn:aws:sns:eu-central-1:1234567890:TestTopicSubOwnerSQS",
    "Endpoint": "example@amazon.com",
    "Protocol": "email",
    "PendingConfirmation": "false",
    "ConfirmationWasAuthenticated": "false",
    "SubscriptionArn": "arn:aws:sns:eu-central-1:1234567890:TestTopicSubOwnerSQS:53XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  }
}
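As an added example (not part of the original article), the following Python script reads GetSubscriptionAttributes output like the one above, compares the subscription's Owner with the account in TopicArn, and reports whether a given calling account can view or edit the subscription or must use one of the resolutions described here. The sample attributes are constructed from the output above; the helper names are my own.

```python
import json

# Constructed sample, copied from the GetSubscriptionAttributes output above
# (the subscription ID portion is the article's own placeholder).
SAMPLE_ATTRIBUTES = {
    "Owner": "9876543210",
    "TopicArn": "arn:aws:sns:eu-central-1:1234567890:TestTopicSubOwnerSQS",
    "SubscriptionArn": "arn:aws:sns:eu-central-1:1234567890:TestTopicSubOwnerSQS:"
                       "53XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
}


def arn_account(arn: str) -> str:
    """Return the account field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[4]


def subscription_id(subscription_arn: str) -> str:
    """Return the Subscription ID that the console procedure above has you copy:
    the trailing component of a subscription ARN (topic ARN + ':' + ID)."""
    parts = subscription_arn.split(":")
    if len(parts) != 7:
        raise ValueError(f"not a subscription ARN: {subscription_arn}")
    return parts[6]


def who_can_manage(attrs: dict, caller_account: str) -> dict:
    """Decide whether caller_account may call Get/SetSubscriptionAttributes.
    Only the subscription's Owner account can; anyone else gets the authorization error."""
    sub_owner = attrs["Owner"]
    topic_owner = arn_account(attrs["TopicArn"])
    allowed = caller_account == sub_owner
    if allowed:
        advice = "call Get/SetSubscriptionAttributes from this account"
    else:
        advice = (f"run the call from the subscription owner account {sub_owner}, "
                  f"or delete and recreate the subscription from topic account {topic_owner}")
    return {"subscription_owner": sub_owner, "topic_owner": topic_owner,
            "cross_account": sub_owner != topic_owner,
            "caller_can_manage": allowed, "advice": advice}


if __name__ == "__main__":
    # Calling from the topic account fails; calling from the queue account succeeds.
    for caller in ("1234567890", "9876543210"):
        print(json.dumps({"caller": caller, **who_can_manage(SAMPLE_ATTRIBUTES, caller)}, indent=2))
    print("Subscription ID:", subscription_id(SAMPLE_ATTRIBUTES["SubscriptionArn"]))
```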

Delete and recreate the subscription

If you want the AWS account that owns the SNS topic to control the SNS topic subscription's attributes:

  1. Delete the existing subscription.
  2. Create the same subscription from the account that owns the SNS topic.

The AWS account that owns the SNS topic is now the owner of the created subscription resource.

Related information

How do I recreate a "Deleted" Amazon SNS topic subscription for an Amazon SQS queue in another AWS account?

How do I resolve authorization errors when trying to add subscribers to an Amazon SNS topic?

How do I resolve HTTP 400 “AccessDeniedException” errors from Amazon SNS?

How can I get my Amazon SQS subscription to successfully receive a notification from my Amazon SNS topic?

Why do I get an authorization error when I try to subscribe my Lambda function to my Amazon SNS topic?

AWS OFFICIAL. Updated 2 years ago.