sns_topic - Fix Permission Issue for Cross Account Subscriptions (#1418…

…) (#1701) [PR #1418/de21c4bd backport][stable-5] sns_topic - Fix Permission Issue for Cross Account Subscriptions This is a backport of PR #1418 as merged into main (de21c4b). SUMMARY sns_topic currently fails with the following error if it has any cross account subscriptions: Couldn't get subscription attributes for subscription arn:aws:sns:us-east-1:123412341234:my-sns-topic-name:555950dc-7c5f-416c-8f8e-e8f38eabfa54: An error occurred (AuthorizationError) when calling the GetSubscriptionAttributes operation: Not authorized to access this subscription This happens, for example, when a Lambda function in account A is subscribed to an SNS topic in account B, as described here. I believe this was caused by #640. I am not sure how to write a test for this specific situation as it would require multiple AWS accounts. ISSUE TYPE Bugfix Pull Request COMPONENT NAME sns_topic ADDITIONAL INFORMATION - community.aws.sns_topic: name: my-sns-topic-in-account-123412341234 subscriptions: - endpoint: "arn:aws:lambda:us-east-1:567856785678:function:my-lambda-function-in-account-567856785678" protocol: lambda state: present Reviewed-by: Mark Chappell <None>
ansible-collections · Feb 3, 2023 · 287672c · 287672c
1 parent 27b849d
commit 287672c
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/changelogs/fragments/sns_topic-cross-account.yml b/changelogs/fragments/sns_topic-cross-account.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- sns_topic - avoid fetching attributes from subscribers when not setting them, this can cause permissions issues (https://github.com/ansible-collections/community.aws/pull/1418).
diff --git a/plugins/modules/sns_topic.py b/plugins/modules/sns_topic.py
@@ -519,8 +519,8 @@ def _set_topic_subs_attributes(self):
         for sub in list_topic_subscriptions(self.connection, self.module, self.topic_arn):
             sub_key = (sub['Protocol'], sub['Endpoint'])
             sub_arn = sub['SubscriptionArn']
-            if sub_key not in self.desired_subscription_attributes:
-                # subscription isn't defined in desired, skipping
+            if not self.desired_subscription_attributes.get(sub_key):
+                # subscription attributes aren't defined in desired, skipping
                 continue
 
             try:
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		bugfixes:
		- sns_topic - avoid fetching attributes from subscribers when not setting them, this can cause permissions issues (https://github.com/ansible-collections/community.aws/pull/1418).