Grant AWS Lambda Access to an SNS Topic

Borislav Hadzhiev

Wed Sep 29 2021, 3 min read

Photo by Paul Gilmore

Grant AWS Lambda Access to an SNS Topic

In order to grant a Lambda function access to an SNS topic, we have to attach an IAM policy to the function's execution role. The policy should grant permissions for all the Actions the function needs to perform on the topic.

For example, the following policy grants permissions for the most commonly used SNS actions on a specific SNS topic.

The policy applies to a specific topic, so make sure to replace the YOUR_* placeholders in the Resource element with the real values.

example-sns-policy.json

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish",
        "sns:Subscribe",
        "sns:CreateTopic",
        "sns:GetTopicAttributes",
        "sns:SetTopicAttributes",
        "sns:TagResource",
        "sns:UntagResource",
        "sns:ListTagsForResource",
        "sns:ListSubscriptionsByTopic"
      ],
      "Resource": [
        "arn:aws:sns:YOUR_REGION:YOUR_ACCOUNT_NUMBER:YOUR_TOPIC_NAME"
      ]
    }
  ]
}
```
If your Lambda function only needs to publish messages to the SNS topic, you only need the sns:Publish action in the Action list of the policy.

The Resource element is simply the SNS topic's ARN, which you can copy from the AWS SNS console. Once the real values are in place it should look something like arn:aws:sns:us-east-1:123456789:my-topic.

The actions your Lambda function needs to perform on the topic depend on your use case.

You could set "sns:*" for the Action element in the policy to grant full SNS access to the Lambda function. However, it's best practice to grant an entity the least permissions that get the job done.

You can view a full list of the SNS actions in the SNS actions table.

There is a Description column, which explains what each action does.

To attach a policy to the Lambda function's execution role, you have to:

  1. Open the AWS Lambda console and click on your function's name.
  2. Click on the Configuration tab and then click Permissions.
  3. Click on the function's role.
  4. Click on Attach policies and click the Add inline policy button.
  5. In the JSON editor paste the following policy. Replace the YOUR_* placeholders and adjust the Actions your Lambda function needs to execute. The Resource element is simply the topic's ARN, which you can copy from the AWS SNS console.

example-sns-policy.json

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish",
        "sns:Subscribe",
        "sns:CreateTopic",
        "sns:GetTopicAttributes",
        "sns:SetTopicAttributes",
        "sns:TagResource",
        "sns:UntagResource",
        "sns:ListTagsForResource",
        "sns:ListSubscriptionsByTopic"
      ],
      "Resource": [
        "arn:aws:sns:YOUR_REGION:YOUR_ACCOUNT_NUMBER:YOUR_TOPIC_NAME"
      ]
    }
  ]
}
```

  6. Click Review Policy and give your policy a name, then click Create policy.
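The same result can be reached without the console. The script below is an added example, not code from the article: it builds the single-topic policy for whatever list of sns: actions the function actually needs, refuses a Resource that still contains YOUR_* placeholders (a common cause of "the policy is attached but nothing works"), and attaches it as an inline policy through boto3's iam.put_role_policy, which is the programmatic equivalent of steps 4 to 6. The role name, policy name and topic ARN used here are constructed sample values.

```python
"""Build a least-privilege inline policy for one SNS topic and attach it to a
Lambda execution role.  Added example, not the article's own code."""
import json
import re
from typing import Iterable

# An SNS topic ARN is arn:aws:sns:<region>:<12-digit account id>:<topic name>.
# Uppercase YOUR_* placeholders do not match, so they are caught before attaching.
TOPIC_ARN_RE = re.compile(
    r"^arn:aws:sns:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):(?P<topic>[A-Za-z0-9_.-]{1,256})$"
)


def parse_topic_arn(arn: str) -> dict:
    """Validate a topic ARN and return its region, account and topic name."""
    match = TOPIC_ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not a valid SNS topic ARN (placeholders left in?): {arn!r}")
    return match.groupdict()


def make_sns_policy(topic_arn: str, actions: Iterable[str]) -> dict:
    """Return an IAM policy document that allows only the given sns: actions on one topic."""
    parse_topic_arn(topic_arn)  # fail early rather than attach a policy that can never match
    actions = sorted(set(actions))
    for action in actions:
        if not action.startswith("sns:"):
            raise ValueError(f"not an SNS action: {action!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": actions, "Resource": [topic_arn]}
        ],
    }


def attach_inline_policy(role_name: str, policy_name: str, policy: dict) -> None:
    """Attach the document as an inline policy on the role, the equivalent of the
    console's 'Add inline policy' flow.  Needs boto3 and AWS credentials, so the
    demo below leaves it commented out."""
    import boto3  # imported here so the rest of the module runs offline

    iam = boto3.client("iam")
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName=policy_name,
        PolicyDocument=json.dumps(policy),
    )


if __name__ == "__main__":
    # Constructed sample values: account id, topic and role name are made up.
    topic = "arn:aws:sns:us-east-1:123456789012:my-topic"
    publish_only = make_sns_policy(topic, ["sns:Publish"])
    print(json.dumps(publish_only, indent=2))
    # attach_inline_policy("my-lambda-role", "sns-publish-my-topic", publish_only)
```

Because the validation runs before any IAM call, a copy-pasted policy with the placeholders still in it fails locally instead of silently granting nothing.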

At this point the Lambda function's role has been extended with a policy that grants access to some SNS actions on a specific topic.

It can take up to a minute until the IAM changes have been propagated and the policy is in effect.

Invoke your Lambda function and verify whether it has access to the SNS topic.

If your function is still unable to access the SNS topic, try increasing the function's timeout by a second in the AWS console, or simply add an extra print statement to the code and click the Deploy button.

If your Lambda function still does not have access to the topic, expand the IAM policy you added to the function's role and edit it to look like the policy below.

Replace the YOUR_* placeholders with real values.

sns-full-access.json

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:*"
      ],
      "Resource": [
        "arn:aws:sns:YOUR_REGION:YOUR_ACCOUNT_NUMBER:YOUR_TOPIC_NAME"
      ]
    }
  ]
}
```

The IAM policy above grants full access to an SNS topic. Your Lambda function will be able to execute all SNS actions on the topic.

It's best practice to grant the least permissions that get the job done; however, the * wildcard is useful when debugging.

After you've updated the policy, try invoking your Lambda function again; it should now have permission to execute any action on the SNS topic.

After you verify which actions your Lambda function needs to run, you can make the IAM policy less permissive.

Note that a policy statement with a Deny effect will always override any Allow statements.
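To see how the two rules just mentioned play out (the sns:* wildcard and Deny winning over Allow), here is a deliberately simplified policy evaluator. It is an added example, not part of the article and not AWS's real IAM engine: it understands only Effect, Action and Resource with * wildcards, which is enough to compare the Publish-only policy, the sns:* debugging policy, and a version of the latter with an explicit Deny. The topic ARNs are constructed sample values.

```python
"""Deliberately simplified IAM policy evaluator (added example, not AWS's real
engine): handles Effect, Action and Resource with '*' wildcards and the rule
that an explicit Deny beats any Allow, enough to compare the article's policies."""
import fnmatch
from typing import Iterable

TOPIC = "arn:aws:sns:us-east-1:123456789012:my-topic"           # constructed sample ARN
OTHER_TOPIC = "arn:aws:sns:us-east-1:123456789012:other-topic"  # constructed sample ARN

# The nine actions from the article's example policy.
ARTICLE_ACTIONS = [
    "sns:Publish", "sns:Subscribe", "sns:CreateTopic", "sns:GetTopicAttributes",
    "sns:SetTopicAttributes", "sns:TagResource", "sns:UntagResource",
    "sns:ListTagsForResource", "sns:ListSubscriptionsByTopic",
]

# Least-privilege policy for a function that only publishes.
PUBLISH_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sns:Publish"], "Resource": [TOPIC]}],
}

# The sns:* debugging policy from the article.
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sns:*"], "Resource": [TOPIC]}],
}

# Same wildcard Allow, plus an explicit Deny on the destructive action.
FULL_ACCESS_MINUS_DELETE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sns:*"], "Resource": [TOPIC]},
        {"Effect": "Deny", "Action": ["sns:DeleteTopic"], "Resource": [TOPIC]},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action: str) -> bool:
    """Action names are case-insensitive globs in IAM ('sns:*' matches every SNS action)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource: str) -> bool:
    """Resource ARNs are matched case-sensitively, again with '*' wildcards."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True only if some statement allows the request and no statement denies it."""
    allowed = False
    for stmt in policy["Statement"]:
        if _action_matches(stmt["Action"], action) and _resource_matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny overrides every Allow
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed  # nothing matched at all: implicit deny


def granted_actions(policy: dict, candidates: Iterable[str], resource: str) -> list:
    """Which of the candidate actions the policy permits on the resource; useful when
    narrowing a debugging policy back down to what the function really needs."""
    return [a for a in candidates if is_allowed(policy, a, resource)]


if __name__ == "__main__":
    print(is_allowed(PUBLISH_ONLY, "sns:Publish", TOPIC))                  # True
    print(is_allowed(PUBLISH_ONLY, "sns:Publish", OTHER_TOPIC))            # False: wrong topic
    print(is_allowed(FULL_ACCESS_MINUS_DELETE, "sns:DeleteTopic", TOPIC))  # False: Deny wins
    print(granted_actions(PUBLISH_ONLY, ARTICLE_ACTIONS, TOPIC))           # ['sns:Publish']
```

Running granted_actions with the debugging policy returns all nine actions, with the Publish-only policy just one; diffing those lists against what the function's code actually calls is a quick way to decide how far the policy can be tightened.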
