'User is not authorized to perform: SNS:CreateTopic on resource

I wanted to monitor certain parameters (TotalErrorRate and Latency) with CloudWatch and I wanted a "Simple Notification Service" (SNS) to send me an email, when an (cloudWatch) alarm is thrown:

EscalationTopic:
  Type: "AWS::SNS::Topic"
  Properties:
    DisplayName: My Monitoring
    Subscription:
      - Endpoint: !Ref EmailForNotification
        Protocol: email

EscalationTopicEmailSubscriber:
  Type: "AWS::SNS::Subscription"
  Properties:
    Endpoint: !Ref EmailForNotification
    Protocol: email
    TopicArn: !Ref EscalationTopic

But I get this error: User is not authorized to perform: SNS:CreateTopic on resource(Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError (see screenshot) enter image description here

What I did to solve it, is creating a topicPolicy:

   SNSTopicPolicy:
     Type: 'AWS::SNS::TopicPolicy'
     Properties:
       Topics:
         - !Ref EscalationTopic
       PolicyDocument:
         Version: '2012-10-17'
         Statement:
           - Effect: Allow
             Action: 'sns:CreateTopic'
             Resource: !Ref EscalationTopic
             Principal:
               AWS: '*'

But the problem still persists.

EDIT: In the SNS console, I could manually create a new topic. Shouldn't it mean that I got the permission in order to createTopic?

amazon-snsamazon-cloudwatch


Solution 1:[1]

The error message states the problem quite accurately. The credentials used to create the CloudFormation stack (presumably your login credentials unless you specified a Role during stack creation) is not authorized to create an Amazon SNS topic.

You should look at the permissions associated with your IAM User and add the necessary permissions.

Adding an SNS Topic Policy will have no impact because it is used to give SNS a set of permissions, whereas you need permissions to create the Topic itself.

Solution 2:[2]

I had a similar issue with Amazon SES. Apparently my "AmazonSESFullAccess" permission wasn't enough and I solved it by adding the "AmazonSNSFullAccess" permission to my IAM user at https://console.aws.amazon.com/iam/home#/users/MY_IAM_USER_NAME_GOES_HERE

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 John Rotenstein
Solution 2 chimeraha

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

How to enable terraform module only with a specific workspace

AWS RDS Postgres: WAL_LEVEL not set to 'logical' after changing rds.logical_replication = 1

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Self stopping EC2 once task complete?

AWS - SWF - Asynchronous method

Why my cloudformation template is over 1 MB?

AWS elastic beanstalk - WARN install EACCES: permission denied, access '/tmp/.npm'

Aws step functions - Resume from failed step function activity instead of starting a new execution

Redirect Elastic Beanstalk URL to domain name

node-lambda - TypeError: handler is not a function