What's the correct terraform syntax to allow an external AWS role to subscribe and read from AWS SNS topic?

I want to create a policy so a specific aws role (not in the same account) let's say arn:aws:iam::123123123123:role/sns-read-role can subscribe and receive messages from my SNS topic in AWS.

From the official terraform docs about aws_sns_topic_policy example it would be

resource "aws_sns_topic" "test" {name = "my-topic-with-policy"}resource "aws_sns_topic_policy" "default" {arn = aws_sns_topic.test.arnpolicy = data.aws_iam_policy_document.sns_topic_policy.json}data "aws_iam_policy_document" "sns_topic_policy" {statement {actions = ["SNS:Subscribe","SNS:Receive"]condition {test = "StringEquals"variable = "AWS:SourceOwner"values = [123123123123]}effect = "Allow"principals {type = "AWS"identifiers = ["*"]}resources = [aws_sns_topic.test.arn]}}

But this would translate to arn:aws:iam::123123123123:root and filter only on account-id.

From AWS JSON policy elements: Principal I understand the AWS syntax is

"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:role/role-name" }

Adding the role in the condition like this

condition {test = "StringEquals"variable = "AWS:SourceOwner"values = [arn:aws:iam::123123123123:role/sns-read-role]}

does not work.

It would make sense to add the role to the principal like this

principals {type = "AWS"identifiers = ["arn:aws:iam::123123123123:role/sns-read-role"]}

When I try to subscribe, I get an AuthorizationError: "Couldn't subscribe to topic..."

Do I need the condition together with the principal? Why even bother with the condition if you can use the principal in the first place?

1

Best Answer

After some experimenting, I found that I don't need the condition. This works for me:

resource "aws_sns_topic" "test" {name = "my-topic-with-policy"}resource "aws_sns_topic_policy" "default" {arn = aws_sns_topic.test.arnpolicy = data.aws_iam_policy_document.sns_topic_policy.json}data "aws_iam_policy_document" "sns_topic_policy" {statement {actions = ["SNS:Subscribe","SNS:Receive"]effect = "Allow"principals {type = "AWS"identifiers = ["arn:aws:iam::123123123123:role/sns-read-role"]}resources = [aws_sns_topic.test.arn]}}

In case you want to use parameters for your module:

principals {type = "AWS"identifiers = ["${var.account_arn}:role/${var.role}"]}

Random Posts

ASP.NET Core 6 : add multiple authentication schemes with multiple authorization policies along with dependency injectionHow to detect the currently pressed key?Python tkinter how to use grid stickyUse Python to determine if PDF was generated by Google DocsHow to bootstrap a function after taking a randomly drawn sample without replacementcan not find the spring boot plugin in intellij ideaWhat is the big-o notation for the `len()` function in Python? [duplicate]CRT file does not contain a privatekey [closed]How can I use numpy.correlate to do autocorrelation?Calculating power in pandasHow to fix "Attempted relative import in non-package" even with __init__.pyNuxt 3. Error running 'npm install' right after 'npx nuxi init <project name>'ffmpeg - 'No such file or directory' though the file existsTrust Store vs Key Store - creating with keytoolInstall docker on macos catalinaIs it possible to export an automation rule as a JSON file in Jira?What causes signal 'SIGILL'?Applying Mapping Function on DataFrameHow should I properly convert mp3 to byte array and then convert it back to mp3How to add a title to a html select tag