Recently we were deploying a new SNS to our development environment. We use Azure Pipelines and YAML with Serverless to run our deployments.
As usual, if something goes wrong with our build we check CloudFormation for errors during the process. The new SNS was giving the following error:
Resource handler returned message: "User: arn:aws:iam::NNNNNNNNN:user/my_user_ci_cd is not authorized to perform: SNS:TagResource on resource: arn:aws:sns:us-west-1:123456789:ExampleSNS-DEV because no identity-based policy allows the SNS:TagResource action (Service: Sns, Status Code: 403, Request ID: fa133f39-0f6x-5c23-cve-123456c2ed50)" (RequestToken: 1aa4f123-e24e-a4df-cf3c-123456cedfx32, HandlerErrorCode: AccessDenied)
Luckily it says right in the error message what was missing. The strange part is we didn’t have any Tags set up on this SNS in the serverless. I imagine our Ops team must have added something to automatically add Tags during the process somewhere.
But to get past the error we needed to get to that policy. Here is how we fixed the "User is not authorized to perform: SNS:TagResource on resource xxxxx" error.
1. Navigate to your IAM dashboard.
2. Select the user that you use for your deployment pipeline (filter if necessary). The username should be in the error message.
3. Make sure the Permissions tab is selected.
4. Select the policy you want to edit. This will open the IAM Policies page for this specific policy.
5. Click Edit Policy.
6. You can either use the Visual Editor or just edit the policy in JSON.
   If using the Visual Editor:
   - If SNS is not already on your list, click Add Additional Permissions.
     - Choose the service SNS.
     - Choose the action TagResource (filter on "Tag" to help find it).
     - Specify the needed resources.
   - If SNS is already on your list, add TagResource under Actions.
   If editing JSON:
   - Under the Statement object, there should be a sub-object with Action.
   - Add the following to the Action array: "SNS:TagResource"
7. Once finished, click Review Policy.
8. Verify all your changes and settings are correct.
9. Then click Save Changes.
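A way to check the JSON edit offline before saving it, as an added example that is not part of the original post: it tests whether a policy document allows SNS:TagResource on the topic from the error message, then adds the action while keeping it scoped to that topic. The sample policy and the helper names are assumptions, and the evaluation is simplified (it ignores Condition, NotAction, NotResource, permission boundaries and SCPs).

```python
import copy
import re

# Constructed sample: a pipeline user's policy before the fix (not from the post).
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sns:CreateTopic", "sns:DeleteTopic", "sns:SetTopicAttributes"],
        "Resource": "arn:aws:sns:us-west-1:123456789:ExampleSNS-*",
    }],
}
TOPIC_ARN = "arn:aws:sns:us-west-1:123456789:ExampleSNS-DEV"  # ARN from the error message

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, ignore_case=False):
    # IAM wildcards: * matches any run of characters, ? matches exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _covers(stmt, action, resource):
    # Action names are case-insensitive: "SNS:TagResource" equals "sns:TagResource".
    return (any(_wild(a, action, True) for a in _as_list(stmt.get("Action", [])))
            and any(_wild(r, resource) for r in _as_list(stmt.get("Resource", []))))

def is_allowed(policy, action, resource):
    # Simplified evaluation: an explicit Deny wins, otherwise any matching Allow.
    hits = [s["Effect"] for s in _as_list(policy["Statement"]) if _covers(s, action, resource)]
    return "Deny" not in hits and "Allow" in hits

def add_action(policy, action, resource):
    # Return a copy with `action` added to the Allow statement that already
    # covers `resource`, or as a new statement scoped to that one resource.
    fixed = copy.deepcopy(policy)
    statements = fixed["Statement"] = _as_list(fixed["Statement"])
    for stmt in statements:
        if (stmt["Effect"] == "Allow" and "Action" in stmt
                and any(_wild(r, resource) for r in _as_list(stmt.get("Resource", [])))):
            stmt["Action"] = _as_list(stmt["Action"]) + [action]
            return fixed
    statements.append({"Effect": "Allow", "Action": [action], "Resource": resource})
    return fixed

if __name__ == "__main__":
    print("before:", is_allowed(POLICY_BEFORE, "SNS:TagResource", TOPIC_ARN))
    after = add_action(POLICY_BEFORE, "SNS:TagResource", TOPIC_ARN)
    print("after: ", is_allowed(after, "SNS:TagResource", TOPIC_ARN))
```

Because the action lands in a statement whose Resource is already limited to the ExampleSNS topics, the pipeline user gains tagging rights only there and not on every topic in the account.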
I’m still investigating where the Tags came from on our SNS but at least we have the resource out there and available. And in the future, I know how to resolve this issue.