
Commit

sns_topic - Fix Permission Issue for Cross Account Subscriptions (#1418) (#1701)

[PR #1418/de21c4bd backport][stable-5] sns_topic - Fix Permission Issue for Cross Account Subscriptions

This is a backport of PR #1418 as merged into main (de21c4b).
SUMMARY

sns_topic currently fails with the following error if it has any cross account subscriptions:
Couldn't get subscription attributes for subscription arn:aws:sns:us-east-1:123412341234:my-sns-topic-name:555950dc-7c5f-416c-8f8e-e8f38eabfa54: An error occurred (AuthorizationError) when calling the GetSubscriptionAttributes operation: Not authorized to access this subscription

This happens, for example, when a Lambda function in account A is subscribed to an SNS topic in account B, as described here.
I believe this was caused by #640.
I am not sure how to write a test for this specific situation as it would require multiple AWS accounts.

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

sns_topic

ADDITIONAL INFORMATION

- community.aws.sns_topic:
    name: my-sns-topic-in-account-123412341234
    subscriptions:
      - endpoint: "arn:aws:lambda:us-east-1:567856785678:function:my-lambda-function-in-account-567856785678"
        protocol: lambda
    state: present

Reviewed-by: Mark Chappell <None>
patchback[bot] authored Feb 3, 2023
1 parent 27b849d commit 287672c
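To make the failure mode and the effect of the fix concrete, here is an added, self-contained model of the reconciliation loop touched by this commit. It is not the module's code: the subscription records, account ids, endpoint names and the `AuthorizationError` stand-in are constructed, and it assumes (as the hunk below suggests) that the module keys desired attributes by `(protocol, endpoint)` and stores an empty mapping for playbook entries that set no attributes. SNS only lets the owning account read a subscription's attributes, so a topic owner calling GetSubscriptionAttributes on a cross-account subscription gets the AuthorizationError quoted in the summary.

```python
# Added example (not from the community.aws module): models how cross-account
# subscriptions trigger AuthorizationError, and which subscriptions the old
# and new skip conditions still fetch attributes for.

TOPIC_ACCOUNT = "123412341234"  # account that owns the topic (constructed)


class AuthorizationError(Exception):
    """Constructed stand-in for botocore's ClientError with code AuthorizationError."""


# Constructed sample of what ListSubscriptionsByTopic returns for the topic:
# one subscriber in the topic's own account, one in another account.
EXISTING_SUBSCRIPTIONS = [
    {"Protocol": "lambda",
     "Endpoint": "arn:aws:lambda:us-east-1:123412341234:function:local-fn",
     "SubscriptionArn": "arn:aws:sns:us-east-1:123412341234:my-sns-topic-name:sub-local",
     "Owner": "123412341234"},
    {"Protocol": "lambda",
     "Endpoint": "arn:aws:lambda:us-east-1:567856785678:function:remote-fn",
     "SubscriptionArn": "arn:aws:sns:us-east-1:123412341234:my-sns-topic-name:sub-remote",
     "Owner": "567856785678"},
]

# Constructed playbook-style desired subscriptions with no attributes set,
# mirroring the task in the commit message.
PLAYBOOK_SUBSCRIPTIONS = [
    {"endpoint": "arn:aws:lambda:us-east-1:123412341234:function:local-fn", "protocol": "lambda"},
    {"endpoint": "arn:aws:lambda:us-east-1:567856785678:function:remote-fn", "protocol": "lambda"},
]


def fake_get_subscription_attributes(sub):
    """Model of GetSubscriptionAttributes called with the topic owner's credentials."""
    # Only the subscription's owning account may read its attributes.
    if sub["Owner"] != TOPIC_ACCOUNT:
        raise AuthorizationError("Not authorized to access this subscription")
    return {"RawMessageDelivery": "false"}


def desired_attributes_map(playbook_subscriptions):
    """Assumed shape of desired_subscription_attributes: key present even when empty."""
    return {(s["protocol"], s["endpoint"]): s.get("attributes", {})
            for s in playbook_subscriptions}


def reconcile_subscription_attributes(existing, desired, fixed):
    """Walk existing subscriptions; return which ARNs had attributes fetched, or the failure."""
    fetched = []
    for sub in existing:
        sub_key = (sub["Protocol"], sub["Endpoint"])
        if fixed:
            # After the fix: skip when no attributes are desired (absent OR empty mapping).
            skip = not desired.get(sub_key)
        else:
            # Before the fix: skip only when the subscription is absent from desired.
            skip = sub_key not in desired
        if skip:
            continue
        try:
            fake_get_subscription_attributes(sub)
        except AuthorizationError as e:
            return {"failed": True, "fetched": fetched,
                    "msg": f"Couldn't get subscription attributes for subscription "
                           f"{sub['SubscriptionArn']}: {e}"}
        fetched.append(sub["SubscriptionArn"])
    return {"failed": False, "fetched": fetched, "msg": ""}


if __name__ == "__main__":
    desired = desired_attributes_map(PLAYBOOK_SUBSCRIPTIONS)
    for fixed in (False, True):
        print("fixed" if fixed else "before", reconcile_subscription_attributes(
            EXISTING_SUBSCRIPTIONS, desired, fixed))
```

Running the model shows the old condition reaching the cross-account subscription and failing with the quoted message, while the fixed condition fetches nothing when the playbook sets no attributes. It also shows the remaining limit of the fix: a playbook that does set attributes on a cross-account subscription still needs the subscriber account's permission, because the fetch is then required.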
Showing 2 changed files with 4 additions and 2 deletions.
2 changes: 2 additions & 0 deletions changelogs/fragments/sns_topic-cross-account.yml
@@ -0,0 +1,2 @@
bugfixes:
- sns_topic - avoid fetching attributes from subscribers when not setting them, this can cause permissions issues (https://github.com/ansible-collections/community.aws/pull/1418).
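Review bot: the fragment sentence is a comma splice and leaves the failure vague; suggest splitting it and naming the error, e.g. "sns_topic - avoid fetching attributes from subscriptions when none are being set; fetching them fails with AuthorizationError for cross-account subscriptions (https://github.com/ansible-collections/community.aws/pull/1418)."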
4 changes: 2 additions & 2 deletions plugins/modules/sns_topic.py
Expand Up @@ -519,8 +519,8 @@ def _set_topic_subs_attributes(self):
for sub in list_topic_subscriptions(self.connection, self.module, self.topic_arn):
sub_key = (sub['Protocol'], sub['Endpoint'])
sub_arn = sub['SubscriptionArn']
if sub_key not in self.desired_subscription_attributes:
# subscription isn't defined in desired, skipping
if not self.desired_subscription_attributes.get(sub_key):
# subscription attributes aren't defined in desired, skipping
continue

try:
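Review bot: replacing `if sub_key not in self.desired_subscription_attributes:` with `if not self.desired_subscription_attributes.get(sub_key):` also skips subscriptions that are present in the desired mapping with an empty attribute dict, which is the intended widening (no GetSubscriptionAttributes call when nothing is being set); it is worth stating in the comment or module docs that a cross-account subscription which does carry desired attributes still reaches the `try:` below and will still fail with AuthorizationError, so the fix narrows the failure to the cases where the fetch is genuinely needed rather than removing it.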
