'SNS notification target rule is "unreachable" when tryin to send a notification from code pipeline

I am trying to set up a notification for the code pipeline using its notification rule which supporters SNS.

enter image description here

As you can see in the picture the status is "unreachable"

If I look at the link here aws troubleshoot

I have followed all the step even the step of adding of codestar-notifications in Acces policy of SNS topic.

{
      "Sid": "AWSCodeStarNotifications_publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:codestar-notifications:us-east-1:272075499248:notificationrule/50d629524d433dceeafdb6c5fe136e404f29e9e5"
    }

But still, the status remains the same also tried with manually starting the pipeline but still not working.

Am I missing something? could anyone help me out of this?

EDIT:

 {
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:272075499248:develop",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "272075499248"
        }
      }
    },
    {
      "Sid": "AWSCodeStarNotifications_publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:272075499248:develop"
    }
  ]
}
amazon-snsaws-codepipeline


Solution 1:[1]

One way to solve this is to use the CodePipeline user interface to create the Topic. This will set all of the required permissions for you. When creating the Notification Rule, under "Targets", select "Create Target" and enter the name of the Topic you wish to create. The topic will be created with permissions already set. You will just need to subscribe to the topic to receive the notifications.

Solution 2:[2]

The JSON file is correct, but you should delete and re-create the target rule

Solution 3:[3]

It could be that your pipeline’s IAM execution role doesn’t have the required permissions to publish messages to the topic. Make sure your pipeline can publish messages in both the IAM role and the SNS policy and give it another go. A telltale sign of this is the CodePipeline notification console showing “Unreachable” next to the SNS topic.

The SNS access policy will look like the following:

{
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "StatusNotificationsPolicy",
            "Effect": "Allow",
            "Principal": {
            "AWS": "arn:aws:iam::123456789123:root",
            "Service": "codestar-notifications.amazonaws.com"
            },
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:ap-southeast-2:123456789123:gimme-alerts"
        },
        {
            "Sid": "__default_statement_ID",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "SNS:GetTopicAttributes",
                "SNS:SetTopicAttributes",
                "SNS:AddPermission",
                "SNS:RemovePermission",
                "SNS:DeleteTopic",
                "SNS:Subscribe",
                "SNS:ListSubscriptionsByTopic",
                "SNS:Publish",
                "SNS:Receive"
            ],
            "Resource": "arn:aws:sns:ap-southeast-2:123456789123:gimme-alerts",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceOwner": "123456789123"
                }
            }
        }
    ]
}

https://www.stephengream.com/codepipeline-notifications

Solution 4:[4]

The following did work for me.

I followed the suggestion by Phil Gilligan in the other answer. It automatically created the access policy in sns topic when its created from CodeCommit itself.

Change the account id and repo name according to your own case.

There is no other rule just this one rule. It seems like the rules are evaluated and one rule overridden the other. I think if one rule is more restrictive it takes precedence over the other.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "CodeNotification_publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:ACCOUNT_ID:REPO_NAME"
    }
  ]
}

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Phil Gilligan
Solution 2 ILIASS BEN
Solution 3 Charles Wei
Solution 4 muasif80

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

How to enable terraform module only with a specific workspace

AWS RDS Postgres: WAL_LEVEL not set to 'logical' after changing rds.logical_replication = 1

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Self stopping EC2 once task complete?

AWS - SWF - Asynchronous method

Why my cloudformation template is over 1 MB?

AWS elastic beanstalk - WARN install EACCES: permission denied, access '/tmp/.npm'

Aws step functions - Resume from failed step function activity instead of starting a new execution

Redirect Elastic Beanstalk URL to domain name

node-lambda - TypeError: handler is not a function