# help
b
👋 How do I allow a function to publish events via SNS for a specific topic ARN? I've tried to create a Topic via `fromTopicArn` but can't figure out how to set the function/API to allow sns:Publish. I used to set default function props to include `permissions: [topic]` 🙂 The error I get: user with xxx can't publish to yyy topic. Thanks!
t
Can you share the exact error?
b
sec, lemme run it and reproduce. Wasn't sure whether I should use
```typescript
new cdk.aws_iam.PolicyStatement({
  actions: ["execute-api:Invoke"],
  effect: cdk.aws_iam.Effect.ALLOW,
  resources: [
    `arn:aws:execute-api:${region}:${account}:${api.httpApiId}/*`,
  ],
}),
```
or get the topic via ARN and pass it as permissions as well
It was something like this
```
"errorMessage": "User: arn:aws:sts::xxxxxxxxxxxxxxxx:assumed-role/july7brole/july7b_face_detect is not authorized to perform: SNS:Publish on resource: +1xxxxxxxxx",
```
t
what you said earlier with `permissions: [topic]` should work
so I'm curious what the exact error is; I can look at the role / target it's failing on
b
```
'User: arn:aws:sts::XXXX:assumed-role/branko-pms-integrati-LalaApiLambdaANYmooo-TXXXX/branko-XXX is not authorized to perform: SNS:Publish on resource: arn:aws:sns:eu-central-1:XXXX:dev-xxx'
```
t
Can you try `permissions: ["sns"]` and see if that works?
b
@thdxr did try, still the same.. is it because I'm setting it in default function props?
```typescript
const defaultFunctionProps = {
  srcPath: SRC_PATH,
  permissions: ['sns', bucket],
};

new sst.Api(this, `${SERVICE_NAME}Api`, {
  defaultFunctionProps,
  httpApi: HttpApi.fromHttpApiAttributes(this, 'Api', {
    httpApiId,
  }),
  routes: {
    [`ANY ${routes.HSK_ROUTE_PREFIX}/{proxy+}`]: 'src/lambda.handler',
  },
});
```
I get
```
arn:aws:sts::XXXXX:assumed-role/branko-integrati-HskApiLambdaANYhousekeep-TU4459NAO7Q5/branko-integrati-HskApiLambdaANYhousekeep-xxxx
```
t
Permissions in api should get merged. Wondering if you found a bug - can you try defining the permission inside the route and see if that makes it work?
b
Yes, gimme sec!
t
example:
```typescript
"GET /": {
  permissions: ["sns", bucket],
  handler: "src/lambda.handler",
},
```
b
Yeah, it's the same, lemme just see what's set in the AWS Lambda - I've seen in the policy
```json
{
  "Action": "sns:*",
  "Resource": "*",
  "Effect": "Allow"
}
```
but not sure why / which user it's being used for executing it
The execution role has it, but the one in the error is not that one
Uugh, it might be due to the different AWS accounts that I'm testing this locally from 😭
t
We make sure that the Lambda is executing against the role that was created for it using `sst start`, so typically permissions issues like that don't happen
Are you manually setting a default role anywhere?
b
Nope, all has been done with SST, but I'm actually hitting another account's Topic, so probably that is the issue. Lemme try to create a random one in the current account and see what happens
t
Ah, it's likely that in that other account you need to create a policy that allows this role. We don't get a lot of people using multi-accounts for separate services, so we haven't built too much to enable those workflows
b
Yeah, for sure it's not common 🙂 We used to have an access key and secret key for the topic and tried to switch to conf, but I was running the stacks from my local machine and hitting the dev topic. I'll let you know how it goes! How's the Prisma example going? I was having trouble running migrations and using npx prisma migrate under seed for some reason - most likely this one - https://github.com/prisma/prisma/issues/7234
t
I wrote somewhere deep in their issues how I got their migrate CLI working
I'll try to dig it up later - our example just has basic Prisma working, no migrations. They really need to expose that programmatically
b
Haha, found it - will try to check it out - aaah, this is the programmatic one: https://github.com/prisma/prisma/issues/4703