AWS 无法订阅 SNS 主题:CognitoIdentityCredentials 无权执行:SNS:Subscribe

AWS Cannot subscribe to SNS Topic: CognitoIdentityCredentials is not authorized to perform: SNS:Subscribe

我正在尝试使用以下代码将 iOS 端点订阅到 SNS 主题:

    let sns = AWSSNS.defaultSNS()
    let request = AWSSNSCreatePlatformEndpointInput()
    request.token = deviceTokenString
    request.platformApplicationArn = SNSPlatformApplicationArn

    sns.createPlatformEndpoint(request).continueWithExecutor(AWSExecutor.mainThreadExecutor(), withBlock: { (task: AWSTask!) -> AnyObject! in
        if task.error != nil {
            print(task.error)
        } else {
            let createEndpointResponse = task.result as! AWSSNSCreateEndpointResponse

            // Subscribe to the topic
            let subscribeTopicInput = AWSSNSSubscribeInput()
            subscribeTopicInput.endpoint = createEndpointResponse.endpointArn
            subscribeTopicInput.protocols = "application"
            subscribeTopicInput.topicArn = MyTopicARN
            sns.subscribe(subscribeTopicInput).continueWithExecutor(AWSExecutor.mainThreadExecutor(), withBlock: { (topicTask: AWSTask!) -> AnyObject! in

                if topicTask.error != nil {
                    // Authorization error prints here
                    print(topicTask.error)
                }

                return nil
            })

        }

        return nil
    })

我在尝试订阅主题时收到错误消息:

UserInfo={Type=Sender, Message=User: arn:aws:its::000000000000:assumed-role/appname_unauth_MOBILEHUB_000000000/CognitoIdentityCredentials is not authorized to perform: SNS:Subscribe on resource:...

this answer 的作者解释说,您必须在您的 Cognito 角色中授予对 sns:Subscribe 的访问权限,以允许您的应用程序进行此调用。我的 Cognito 用户已被授予 AmazonSNSFullAccess,允许访问所有 sns 操作(例如 sns:*)。为什么我的 Cognito 用户被拒绝访问?我的主题策略设置为只有主题所有者可以订阅...但主题所有者似乎与我的 Cognito 用户相同。

我曾使用 Amazon Mobile Hub 为我配置推送通知。我没有意识到 Mobile Hub 在该过程中创建了三个角色:

  1. appname_consolepush_MOBILEHUB_000000000
  2. appname_unauth_MOBILEHUB_000000000
  3. MobileHub_Service_Role

iOS 应用正在使用 appname_unauth_MOBILEHUB_00000000 角色连接,而不是我手动创建的用户。此角色不允许 sns:Subscribe.

要解决,可以:

  1. 授予AmazonSNSFullAccess适当的角色
  2. 创建内联策略以允许 sns:Subscribe 所有资源(更好的 IMO)

示例:

{
    "Effect": "Allow",
    "Action": [
        "sns:Subscribe"
    ],
    "Resource": [
        "*"
    ]
}