- How to set up Amazon SNS Topic
- How to grant publish message permission to the IAM programmatic user on Amazon SNS Topic
- AWS account
Amazon Simple Notification Service is a regional service. Please create the Amazon SNS Topic in the same AWS region as your BTP subaccount, so that we minimize the latency.
- Open the AWS Simple Notification Service Management Console, click Topics on the left panel, then click the Create Topic button.
- Select the Standard topic type and give the topic a proper name and display name. In the Access policy section, select the Basic method, check Only the specified AWS accounts under the Define who can publish messages to the topic section, and enter your AWS account ID there. Click Create topic.
- Go into the newly created topic, note down the topic ARN, then click the Create subscription button.
- In the Create subscription page, select Email from the Protocol drop-down, enter your email address in the Endpoint textbox, then click the Create subscription button.
This step is for end-to-end testing purposes, so please give a working email address there: once a business partner is waiting for validation in the Business Partner Validation Application, this email address will receive an email notification sent out from Amazon SNS.
You will receive a subscription confirmation email sent out from AWS right after clicking the Create subscription button. Click the link in the email to confirm the subscription. After that, you will see the subscription shown as confirmed in the Amazon SNS management console.
In this section, we will create an IAM programmatic user and grant it only the publish message permission, so that we can use this programmatic user's credentials in the Business Partner Validation Application to send out Amazon SNS email notifications.
In order to grant publish message permission to the IAM programmatic user, the best practice is:
- Create a new IAM identity-based policy that allows only the publish message action.
- Create a new IAM user group and attach the policy to the group.
- Create a new IAM programmatic user and add it to the user group.
- Open the Identity and Access Management (IAM) management console, click Policies on the left panel, then click the Create policy button.
- In the Create policy page, select JSON and follow the format below to create the IAM policy. Give your topic ARN in the Resource section, and give only sns:Publish in the Action section.
Click Next all the way to the Review policy page, give a proper Name and Description, then click the Create policy button.
Now we have successfully created the IAM identity-based policy, which grants only the publish message permission on the SNS topic.
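The policy document this step describes, written out in Python as an added example (it is not code from the original tutorial or from the Business Partner Validation Application). The topic ARN is a constructed placeholder to be replaced with the ARN noted down from the SNS console; the `least_privilege_findings` check is this example's own review helper, which flags any Allow statement that grants more than `sns:Publish` on a single SNS topic ARN, so you can catch a tempting `sns:*` on `*` before it is attached to the group.

```python
"""Build and sanity-check the least-privilege IAM policy for SNS publishing.

Added example, not part of the original tutorial. TOPIC_ARN is a constructed
placeholder; replace it with the ARN noted down from the SNS console.
"""
import json

# Constructed placeholder; substitute the real topic ARN from the SNS console.
TOPIC_ARN = "arn:aws:sns:REGION:ACCOUNT_ID:TOPIC_NAME"


def build_publish_policy(topic_arn: str) -> dict:
    """Return an identity-based policy that allows only sns:Publish on one topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPublishToBusinessPartnerTopic",
                "Effect": "Allow",
                "Action": "sns:Publish",
                "Resource": topic_arn,
            }
        ],
    }


def least_privilege_findings(policy: dict) -> list:
    """Review a policy document and return a list of human-readable findings.

    An empty list means every Allow statement grants only sns:Publish on a
    concrete SNS topic ARN, which is exactly what this tutorial step intends.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            if action != "sns:Publish":
                findings.append(f"statement {idx}: action {action!r} is broader than sns:Publish")
        for res in resources:
            # ARN layout: arn:partition:service:region:account:resource (6 fields)
            parts = res.split(":")
            if "*" in res or len(parts) < 6 or parts[2] != "sns":
                findings.append(f"statement {idx}: resource {res!r} is not a single SNS topic ARN")
    return findings


if __name__ == "__main__":
    policy = build_publish_policy(TOPIC_ARN)
    print(json.dumps(policy, indent=2))  # paste this JSON into the Create policy page
    print("findings:", least_privilege_findings(policy))
    # Over-broad variant for comparison: every SNS action on every topic.
    broad = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "sns:*", "Resource": "*"}]}
    print("findings for sns:* on *:", least_privilege_findings(broad))
```

Running the script prints the JSON to paste into the Create policy page and an empty findings list; the over-broad variant reports one finding for the wildcard action and one for the wildcard resource.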
- Go back to the IAM console, click User groups on the left panel, then click the Create group button.
In the Create user group page, enter a proper user group name, then scroll down to the Attach permissions policies section, search for and check the IAM policy we just created in the last step. Then click the Create group button.
Now we have successfully created a new IAM user group. All users in this group will have permission to publish messages to the Amazon SNS topic we just created.
- Go back to the IAM console, click Users on the left panel, then click the Add users button to create a new IAM user.
In the Add user page, give a proper user name, and check the Access key - Programmatic access checkbox under Select AWS access type.
In the Add user to group section, check the user group we created in the previous step, click Next all the way through, and finally click the Create user button.
Make sure to write down the Access key ID and Secret access key of your IAM programmatic user. This is really important, since this is the last time you can view the Access key ID and Secret access key of your IAM programmatic user!
Now you have finished all the steps to configure the Amazon SNS topic and grant publish message permission. Please note down the information below, as we will use it in the code of the Business Partner Validation Application.
- Amazon SNS Topic ARN
- Amazon SNS Topic Region
- IAM programmatic user Access Key ID
- IAM programmatic user Secret Access Key
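How the four values above are consumed on the application side, as an added example that is not the Business Partner Validation Application's own code. It assumes the values are supplied through the environment variable names chosen here (the tutorial does not name them), uses the boto3 `client("sns").publish(...)` call for the real send, and checks that the region embedded in the topic ARN matches the region setting, since SNS is regional. `RecordingSnsClient` is a constructed stand-in that lets the notification path run offline.

```python
"""Publish the 'partner waiting for validation' notification with the noted values.

Added example, not the application's own code. Environment variable names are
an assumption of this example; the boto3 SDK is only needed for the real call.
"""
import os

# Assumed environment variable names (not specified by the tutorial).
ENV_TOPIC_ARN = "SNS_TOPIC_ARN"
ENV_REGION = "SNS_TOPIC_REGION"
ENV_ACCESS_KEY_ID = "SNS_PUBLISHER_ACCESS_KEY_ID"
ENV_SECRET_ACCESS_KEY = "SNS_PUBLISHER_SECRET_ACCESS_KEY"


def region_matches_arn(topic_arn: str, region: str) -> bool:
    """SNS is regional: the 4th ARN field must equal the region we connect to."""
    parts = topic_arn.split(":")
    return len(parts) >= 6 and parts[3] == region


def load_sns_settings(env) -> dict:
    """Read the four noted values from an environment mapping, failing loudly if any is missing."""
    names = (ENV_TOPIC_ARN, ENV_REGION, ENV_ACCESS_KEY_ID, ENV_SECRET_ACCESS_KEY)
    missing = [name for name in names if not env.get(name)]
    if missing:
        raise RuntimeError("missing SNS settings: " + ", ".join(missing))
    settings = {
        "topic_arn": env[ENV_TOPIC_ARN],
        "region": env[ENV_REGION],
        "access_key_id": env[ENV_ACCESS_KEY_ID],
        "secret_access_key": env[ENV_SECRET_ACCESS_KEY],
    }
    if not region_matches_arn(settings["topic_arn"], settings["region"]):
        raise RuntimeError("topic ARN region does not match " + ENV_REGION)
    return settings


def build_validation_message(partner_id: str, partner_name: str) -> dict:
    """Compose the email subject and body for a partner awaiting validation."""
    return {
        "Subject": f"Business partner {partner_id} is waiting for validation",
        "Message": (f"Business partner {partner_name} (ID {partner_id}) has been "
                    "created and is waiting for validation."),
    }


def publish_validation_notification(client, topic_arn: str, partner_id: str, partner_name: str) -> str:
    """Send the notification via any object exposing boto3's SNS publish(); return the MessageId."""
    msg = build_validation_message(partner_id, partner_name)
    response = client.publish(TopicArn=topic_arn, Subject=msg["Subject"], Message=msg["Message"])
    return response["MessageId"]


def make_sns_client(settings: dict):
    """Create a real boto3 SNS client from the loaded settings (requires boto3)."""
    import boto3  # imported here so the rest of the module works without the SDK
    return boto3.client("sns", region_name=settings["region"],
                        aws_access_key_id=settings["access_key_id"],
                        aws_secret_access_key=settings["secret_access_key"])


class RecordingSnsClient:
    """Constructed offline stand-in for the SNS client; records publish() calls."""

    def __init__(self):
        self.calls = []

    def publish(self, **kwargs):
        self.calls.append(kwargs)
        return {"MessageId": f"local-{len(self.calls)}"}


if __name__ == "__main__":
    try:
        settings = load_sns_settings(os.environ)
        client = make_sns_client(settings)
        topic_arn = settings["topic_arn"]
    except RuntimeError as exc:
        print(f"{exc}; using the offline recording client instead")
        client = RecordingSnsClient()
        topic_arn = "arn:aws:sns:eu-central-1:123456789012:bp-validation"  # constructed
    print(publish_validation_notification(client, topic_arn, "BP-1001", "Example Partner"))
```

Keeping the credentials in the environment (or in a BTP destination or credential store) rather than in the source keeps the programmatic user's secret out of version control, and the region cross-check turns a silent misconfiguration into an immediate startup error.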