How should you configure the SNSClient?

[TWDBrob]

We use SNS for a list of topics to which a user can subscribe after logging using Cognito (we keep the subscription ARNs in a Cognito identity dataset). I was trying to list the topics and am getting an AuthorizationErrorException. Here's the code:

  const snsClient = new SNSClient({region: "us-east-1",
    credentials: fromCognitoIdentityPool({
      identityPoolId: appConfig.IdentityPoolId,
      logins: {
        [appConfig.Logins.cognito.identityProviderName]: jwt
      },
    })
  })
  const listTopicsInput = {}
  const listTopicsCommand = new ListTopicsCommand(listTopicsInput)
  const listTopicsResponse = await snsClient.send(listTopicsCommand)
  console.log("listTopicsResponse", listTopicsResponse)

The jwt token is created when the user logs in via Cognito and the IdentityPoolId is something like "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx", if it matters. The error says AuthorizationErrorException: User: arn:aws:sts::xxxxxxxx:assumed-role/Cognito_xxxxxxxxAuth_Role/CognitoIdentityCredentials is not authorized to perform: SNS:ListTopics on resource: arn:aws:sns:us-east-1:xxxxx:* because no identity-based policy allows the SNS:ListTopics action. If that's the case, how should the request be authorized? I am rewriting some old code which used (I think) v2 and just called AWS.SNS() from the SDK to perform subscribe and unsubscribe actions. This is the only configuration I can see going on there:

        AWS.config.credentials = new AWS.CognitoIdentityCredentials({
          IdentityPoolId: appConfig.IdentityPoolId,
          Logins: {
            [appConfig.Logins.cognito.identityProviderName]: idToken
          }
        }, {
          region: 'us-east-1'
        })

By the way, why is the CreateTopicCommand used to access a Topic that already exists?

Thanks

[RanVaknin]

Hi @TWDBrob,

Does the role associated with your identity pool have a policy that allows for SNS:ListTopics?
Here are some steps you can do to verify your role has the right permissions:

1. find your pool's role:

$ aws cognito-identity get-identity-pool-roles --identity-pool-id us-east-1:REDACTED

{
    "IdentityPoolId": "us-east-1:REDACTED",
    "Roles": {
        "authenticated": "arn:aws:iam::REDACTED:role/REDACTED",
        "unauthenticated": "arn:aws:iam::REDACTED:role/REDACTED"
    }
}

2. Assuming your users are authenticated, inspect both attached role policies and managed policies for the authenticated role you got from step 1.

aws iam list-attached-role-policies --role-name Cognito_MyIdentityPoolAuth_Role
aws iam list-role-policies --role-name Cognito_MyIdentityPoolAuth_Role

This would tell you if the role has the necessary permission to run SNS:ListTopics

---

By the way, why is the CreateTopicCommand used to access a Topic that already exists?

Im not sure what you mean by "access" a topic. You can use ListTopicsCommand or GetTopicAttributesCommand depending on your use case.

Thanks,
Ran~

[TWDBrob]

When I inspect the IdentityPool at the command line, the fields it has are
"IdentityPoolId"
"IdentityPoolName"
"AllowUnauthenticatedIdentifiers": false
"CognitoIdentityProviders"
and
"IdentityPoolTags" which is an empty array, but no other information.

So it would appear to be lacking a role, but this code is a rewrite of an older version which uses AWS.SNS(). I am not sure why it works there if it's missing roles.

I had changed the code to this:

async (ars) => {
const snsClient = new SNSClient({
region: AWS.config.region,
credentials: AWS.config.credentials
})
const list = await snsClient.send(new ListTopicsCommand({}))
console.log("topics", list)
}

And am currently getting

User: arn:aws:sts::xxxxxxxxxxxxxxx:assumed-role/Cognito_myIdPoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: SNS:ListTopics on resource: arn:aws:sns:us-east-1:xxxxxxxxxxxxx:* because no identity-based policy allows the SNS:ListTopics action

With respect to CreateTopicCommand, what I mean is that the command either creates a topic which doesn't exist or returns an existing one.

[RanVaknin]

Hi @TWDBrob

I had to create a pool and test that myself. There's a separate command for getting the roles.

$ aws cognito-identity get-identity-pool-roles --identity-pool-id us-east-1:REDACTED

{
    "IdentityPoolId": "us-east-1:REDACTED",
    "Roles": {
        "authenticated": "arn:aws:iam::REDACTED:role/REDACTED",
        "unauthenticated": "arn:aws:iam::REDACTED:role/REDACTED"
    }
}

My response was based on a cloudformation fields and not the actual response from that command. I amended my response.

With respect to CreateTopicCommand, what I mean is that the command either creates a topic which doesn't exist or returns an existing one.

I think this is because CreateTopic is an idempotent operation. So once its created you wont be able to re-write it. It would be helpful to understand your use case to better advise you on your use case.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.