 

AuthorizationError when confirming SNS subscription over HTTP

I'm writing a simple SNS client that is meant to subscribe itself to an SNS topic and then listen for notifications. I can successfully submit a sns.subscribe request, but when I pick up the SubscriptionConfirmation POST message from AWS and try and respond using sns.confirmSubscription I get an AuthorizationError returned:

[AuthorizationError: User: arn:aws:iam::xxx:user/mv-user is not authorized to perform: SNS:ConfirmSubscription on resource: arn:aws:sns:us-east-1:xxx:*]

If I use exactly the same Token and TopicArn in a GET query to the server the subscription confirmation works fine, with no authentication.

Any ideas why it's not working? My SNS topic is wide open with publish/subscribe permissions set to 'Everyone'.

For reference, my code is something like this:


        var params = {
            TopicArn: topicArn,  // e.g. arn:aws:sns:us-east-1:xxx:yyy
            Token: token         // long token extracted from POST body
        };

        sns.confirmSubscription(params, function (err, data) {
            if (err) {
                // BOOOM - keep getting here with AuthorizationError
            } else {
                // Yay. Worked, but never seem to get here :(
            }
        });

However, if I navigate to the URL similar to this in a browser (i.e. completely unauthenticated), it works perfectly:

http://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=<token>&TopicArn=arn%3Aaws%3Asns%3Aus-east-1%3Axxx%3Ayyy&Version=2010-03-31

The only differences seem to be the inclusion of 'Authorization' and 'Signature' headers in the programmatic version (checked using Wireshark).

Any ideas? Thanks in advance!

Update

In my code, if I just programmatically do a simple GET request to the SubscribeURL in the SubscriptionConfirmation message this works fine. Just seems odd that the confirmSubscription API call doesn't work. Will probably stick to this workaround for now.

Update 2

Also get the same error when calling sns.unsubscribe although, again, calling the UnsubscribeURL in each notification works. Seems other people have run into that issue too but can't find any solutions.

Tim Croydon asked Jan 19 '15 13:01


1 Answer

I faced a similar issue while developing my application. The way I ended up solving it is the following:

  1. Go to IAM and click on your user.
  2. Go to the permissions tab and click on "Attach Policy".
  3. Use the filter to filter for "AmazonSNSFullAccess".
  4. Attach the above policy to your user.

The above should take care of it.

If you wanna be fancy you can create a custom policy that is based on "AmazonSNSFullAccess" and apply it to your user instead.

The custom policy would be something similar to the following:

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "sns:ConfirmSubscription"
                    ],
                    "Effect": "Allow",
                    "Resource": "YOUR_RESOURCE_ARN_SHOULD_BE_HERE"
                }
            ]
        }

Fouad answered Oct 20 '22 14:10
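
For the workaround described in the question (a plain GET to the SubscribeURL), an added example that is not code from the question or the answer: it checks that the posted message names the expected topic and that SubscribeURL is an HTTPS SNS endpoint carrying the same topic and token before the URL is fetched. `EXPECTED_TOPIC_ARN`, the function names and the sample message are assumptions made for illustration.

```javascript
// Added example: vet an SNS SubscriptionConfirmation body before fetching
// its SubscribeURL. EXPECTED_TOPIC_ARN and the sample message are
// constructed placeholders, not values from the original post.
const EXPECTED_TOPIC_ARN = 'arn:aws:sns:us-east-1:123456789012:example-topic';
const SNS_HOST = /^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$/;

// Returns the vetted SubscribeURL string, or throws with the reason.
function vetSubscribeUrl(rawBody, expectedTopicArn) {
  const msg = JSON.parse(rawBody);
  if (msg.Type !== 'SubscriptionConfirmation') {
    throw new Error('not a SubscriptionConfirmation message');
  }
  if (msg.TopicArn !== expectedTopicArn) {
    throw new Error('unexpected TopicArn: ' + msg.TopicArn);
  }
  const url = new URL(msg.SubscribeURL);
  // Anchored host match: a look-alike suffix or a non-SNS host is rejected,
  // so an attacker-supplied body cannot steer the GET elsewhere.
  if (url.protocol !== 'https:' || !SNS_HOST.test(url.hostname)) {
    throw new Error('SubscribeURL is not an HTTPS SNS endpoint');
  }
  const q = url.searchParams;
  if (q.get('Action') !== 'ConfirmSubscription' ||
      q.get('TopicArn') !== expectedTopicArn ||
      q.get('Token') !== msg.Token) {
    throw new Error('SubscribeURL query does not match the message');
  }
  return url.href;
}

// Unauthenticated confirmation, as in the question's workaround (Node 18+ fetch).
async function confirmSubscription(rawBody) {
  const res = await fetch(vetSubscribeUrl(rawBody, EXPECTED_TOPIC_ARN));
  if (!res.ok) throw new Error('ConfirmSubscription failed: HTTP ' + res.status);
  return res.status;
}

// Constructed sample message; pass overrides to build a tampered variant.
function sampleMessage(overrides) {
  const token = 'constructed-token';
  return JSON.stringify(Object.assign({
    Type: 'SubscriptionConfirmation',
    TopicArn: EXPECTED_TOPIC_ARN,
    Token: token,
    SubscribeURL: 'https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription' +
      '&TopicArn=' + encodeURIComponent(EXPECTED_TOPIC_ARN) + '&Token=' + token
  }, overrides));
}
```

The same checks apply to the UnsubscribeURL mentioned in Update 2, with `Action` compared against `Unsubscribe` instead.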