Authorization when sending a text message using AmazonSNSClient

pulse00 · Aug 10, 2016 · Viewed 13.8k times

The official AWS documentation on how to send a text message with the AWS SDK in Java is pretty straightforward.

However, when sending a message as shown in the example at the bottom, I'm getting the error: "User: arn:aws:iam::xxx:user/sms-testing is not authorized to perform: SNS:Publish on resource: +999999999"

Note that +999999999 is the phone number passed to the .withPhoneNumber() call, so the AWS API complains about my IAM user not having the necessary permission to SNS:Publish a message to the resource with that phone number.

My question: How do I create an IAM user which is able to send SMS notifications through the Java SDK? Currently, it looks like I would have to create a permission for each number I'm sending messages to, which seems weird and hard to maintain.

Answer

Dennis H · Aug 12, 2016

The error is telling you that your IAM user "sms-testing" does not have permission to publish (SNS:Publish) to that resource. Your IAM user probably does not have the SNS:Publish permission at all, which means you can't publish anything. If that is the case, you just need to add the following IAM policy to your user, OR add the policy to the IAM group to which your IAM user belongs.

The link below should take you right to the IAM console to edit permissions for the "sms-testing" user. Also below is a sample policy allowing the IAM user to publish anything to SNS (SMS, topics, endpoints, etc.).

If you want to lock down permissions a bit, you would modify the "Resource" and specify a specific SNS resource such as a topic or platform application ARN. If you are unable to edit the IAM user policy, you'll need to get your administrator to add this policy for you.

Modify your IAM user: https://console.aws.amazon.com/iam/home?region=us-east-1#users/sms-testing

Sample policy for allowing SNS Publish to ALL resources:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": "*"
        }
    ]
}

Since SNS does not have an SMS resource, you can do a bit of a hack and "Deny" all SNS publishing to Topics and Platform Applications and then allow publish to the rest which leaves only SMS (for now).

Here's a sample policy allowing only publish to SMS and denying publishing to topics and applications (push notifications):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "sns:Publish"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": "*"
        }
    ]
}

Hope that helps.

-Dennis
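To see why the second policy in the answer has the effect Dennis describes, it helps to run the two policies through IAM's evaluation rules: an explicit Deny on any matching statement wins, otherwise any matching Allow applies, otherwise the request is implicitly denied (which is the "is not authorized to perform" error in the question). The following is an added example, not code from the question, the answer or AWS: a deliberately simplified evaluator that models only Action/Resource wildcard matching (no Condition, NotAction/NotResource or policy variables), applied to the two policies posted above. The phone number is the one from the question; the account ID 123456789012, the topic name and the endpoint ID are constructed for the example.

```python
"""Simplified IAM evaluation of the two SNS:Publish policies from the answer.

Added example. Models only what those policies need: '*' and '?' wildcards
(case-insensitive for actions, case-sensitive for resource ARNs, as IAM does)
and the rule "explicit Deny wins, else any Allow, else implicit deny".
Condition, NotAction/NotResource and policy variables are NOT modeled.
"""
import json
import re

# The two policies posted in the answer, verbatim.
ALLOW_ALL_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": "*"}
    ]
}
""")

SMS_ONLY_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",  "Action": ["sns:Publish"], "Resource": "arn:aws:sns:*:*:*"},
        {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": "*"}
    ]
}
""")

# A user with no SNS permissions at all: the situation in the question.
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

# Constructed request resources. The phone number is the one from the question;
# the account ID, topic name and endpoint ID are made up for this example.
PHONE_NUMBER = "+999999999"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:alerts"
ENDPOINT_ARN = "arn:aws:sns:us-east-1:123456789012:endpoint/GCM/my-app/example-endpoint-id"


def _iam_glob(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' spans any characters (including ':' and '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    # Action and Resource may be a single string or a list in a policy document.
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Decide one request against one identity policy.

    Returns 'Deny' if any matching statement is an explicit Deny (it always wins,
    regardless of statement order), 'Allow' if some matching statement allows the
    request, otherwise 'ImplicitDeny' (the error message from the question).
    """
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        action_hit = any(_iam_glob(p, action, ignore_case=True)
                         for p in _as_list(statement["Action"]))
        resource_hit = any(_iam_glob(p, resource, ignore_case=False)
                           for p in _as_list(statement["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def publish_matrix(policy: dict) -> dict:
    """sns:Publish decision for an SMS, a topic and a platform endpoint under one policy."""
    return {
        "sms": evaluate(policy, "sns:Publish", PHONE_NUMBER),
        "topic": evaluate(policy, "sns:Publish", TOPIC_ARN),
        "endpoint": evaluate(policy, "sns:Publish", ENDPOINT_ARN),
    }


if __name__ == "__main__":
    for name, policy in [("no policy", EMPTY_POLICY),
                         ("allow all", ALLOW_ALL_POLICY),
                         ("SMS only", SMS_ONLY_POLICY)]:
        print(f"{name:10s} {publish_matrix(policy)}")
```

The Deny statement's pattern "arn:aws:sns:*:*:*" matches every topic and platform-endpoint ARN, but a phone number such as "+999999999" is not an ARN and never matches it, so only the "Resource": "*" Allow applies to SMS publishing. The same logic shows the safe direction of the hack: any future SNS resource that carries an arn:aws:sns ARN would also be denied, while anything without an ARN would be allowed. Remember that the evaluator above ignores conditions, resource policies and permission boundaries; use it to reason about this particular pair of policies, not as a substitute for the IAM policy simulator.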