AWS Cannot subscribe to SNS Topic: CognitoIdentityCredentials is not authorized to perform: SNS:Subscribe

I am attempting to subscribe an iOS endpoint to a SNS topic using this code:

    let sns = AWSSNS.defaultSNS()
    let request = AWSSNSCreatePlatformEndpointInput()
    request.token = deviceTokenString
    request.platformApplicationArn = SNSPlatformApplicationArn

    sns.createPlatformEndpoint(request).continueWithExecutor(AWSExecutor.mainThreadExecutor(), withBlock: { (task: AWSTask!) -> AnyObject! in
        if task.error != nil {
            print(task.error)
        } else {
            let createEndpointResponse = task.result as! AWSSNSCreateEndpointResponse

            // Subscribe to the topic
            let subscribeTopicInput = AWSSNSSubscribeInput()
            subscribeTopicInput.endpoint = createEndpointResponse.endpointArn
            subscribeTopicInput.protocols = "application"
            subscribeTopicInput.topicArn = MyTopicARN
            sns.subscribe(subscribeTopicInput).continueWithExecutor(AWSExecutor.mainThreadExecutor(), withBlock: { (topicTask: AWSTask!) -> AnyObject! in

                if topicTask.error != nil {
                    // Authorization error prints here
                    print(topicTask.error)
                }

                return nil
            })

        }

        return nil
    })

I receive an error when attempting to subscribe to a topic:

UserInfo={Type=Sender, Message=User: arn:aws:its::000000000000:assumed-role/appname_unauth_MOBILEHUB_000000000/CognitoIdentityCredentials is not authorized to perform: SNS:Subscribe on resource:...

The author of this answer explains that you must grant access to sns:Subscribe in your Cognito roles to allow your application to make this call. My Cognito user has been granted AmazonSNSFullAccess, which allows access to all sns actions (e.g. sns:*). Why is my Cognito user being denied access? My topic policy is set so that only the topic owner can subscribe... but the topic owner appears to be the same as my Cognito user.

Jon asked Oct 11 '25 20:10



1 Answer

I had used Amazon Mobile Hub to configure push notifications for me. I did not realize that Mobile Hub created three roles as part of that process:

  1. appname_consolepush_MOBILEHUB_000000000
  2. appname_unauth_MOBILEHUB_000000000
  3. MobileHub_Service_Role

The iOS app was connecting using the appname_unauth_MOBILEHUB_00000000 role, not a user that I manually created. This role did not allow sns:Subscribe.

To resolve, either:

  1. Grant AmazonSNSFullAccess to the appropriate role
  2. Create an inline policy to allow sns:Subscribe to all resources (better IMO)

Example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sns:Subscribe"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
Jon answered Oct 16 '25 07:10

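As an added example (not code from the question or the answer above), here is a small Python model of the IAM evaluation behind the error: the Mobile Hub unauth role with no SNS statement is denied, the answer's `sns:Subscribe` on `*` lets the app subscribe to any topic it can name, and a statement scoped to the topic ARN allows only the one topic the app needs. All ARNs are constructed placeholders with the same shape as the ones in the error message, and the evaluator models only Allow/Deny with wildcards (no Conditions, NotAction or topic policies).

```python
from fnmatch import fnmatchcase

# Constructed placeholder ARNs (not real accounts or topics).
MY_TOPIC_ARN = "arn:aws:sns:us-east-1:000000000000:MyTopic"
OTHER_TOPIC_ARN = "arn:aws:sns:us-east-1:000000000000:SomeoneElsesTopic"

# What the answer suggests: sns:Subscribe on every resource.
SUBSCRIBE_ANY_TOPIC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sns:Subscribe"], "Resource": ["*"]}],
}

# Least-privilege variant: same action, but only on the topic the app uses.
SUBSCRIBE_MY_TOPIC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sns:Subscribe"], "Resource": [MY_TOPIC_ARN]}],
}

# Effect of the AmazonSNSFullAccess managed policy the question mentions (sns:* on *).
SNS_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sns:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action, resource):
    """Simplified IAM identity-policy evaluation: default deny, an explicit Deny
    beats any Allow, '*' and '?' wildcards apply to Action and Resource, and
    action names are matched case-insensitively as IAM does."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action", [])))
            resource_hit = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", [])))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed
```

Running `is_allowed([], "SNS:Subscribe", MY_TOPIC_ARN)` reproduces the unauth role's denial; attaching `SUBSCRIBE_MY_TOPIC` instead of the `*` statement fixes the app without letting an unauthenticated identity subscribe endpoints to other topics.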


