aws-samples / aws-marketplace-serverless-saas-integration

Example of serverless integration for SaaS products listed on the AWS Marketplace.
MIT No Attribution
130 stars 76 forks

The template does not support cross-account access to the marketplace resources #12

Open jimzucker opened 3 years ago

jimzucker commented 3 years ago

The best practice for setting up our marketplace is to use a separate account for hosting this template.

We created and have an approved offering in our billing account, and we have set up a cross-account role and tested it to access the Marketplace SNS topic.

However, the CloudFormation template does not seem to support this.

We chatted with Premium Support but need help modifying the steps we are taking, or the CloudFormation template, to use our cross-account role.

This is what support said:

You were having issues deploying the ‘Serverless integration for SaaS products’ sample CloudFormation stack [1]. You are receiving the following errors:

User: arn:aws:iam::232109169367:user/dilip-marketplace is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:us-east-1:287250355862:aws-mp-entitlement-notification-e4p71lg2jqw2dh4sjkxbcyuyo

Invalid parameter: TopicArn Reason: An ARN must have at least 6 elements, not 1

You are trying to subscribe to the SNS topic with an IAM role in another AWS Account which is whitelisted for the subscription. A previous Engineer Eman suggested to use a Lambda custom resource to first assume the whitelisted IAM role then subscribe to the SNS topic programmatically using the assumed role [2]. You mentioned in the chat that you had made changes in the stack to assume the role but you were still receiving the same errors. Please correct me if my understanding is wrong.

When deploying a CloudFormation stack, it will assume the IAM role that made the deploy API call (unless a Service Role is specified) to create the underlying CloudFormation resources. In this case, IAM user ‘dilip-marketplace’ is being assumed by CloudFormation to create the resources. However, when it attempts to create resource ‘SubscriptionSQSHandlerMySQSEvent’, the SNS topic sees that ‘dilip-marketplace’ role is in an AWS Account that has not been whitelisted and rejects the subscription attempt.

I can see you were working with an IAM Support Engineer to create the IAM role ‘arn:aws:iam::865330066347:role/marketplace-cross-account-role’ that should have cross account role access to subscribe to the SNS topic. With this in mind, we need a way of assuming the role ‘marketplace-cross-account-role’ in CloudFormation to perform the SNS subscription.

There is no native functionality in CloudFormation to individually assume roles for each resource. However, an ‘AWS::CloudFormation::CustomResource’ [3] can be used to replace the ‘AWS::SNS::Subscription’ resource type with a Lambda function that first assumes the role ‘arn:aws:iam::865330066347:role/marketplace-cross-account-role’ and then uses that assumed role to subscribe to the SNS topic via the AWS SDK ‘subscribe’ API call [4].

Therefore, ‘SubscriptionSQSHandlerMySQSEvent’ resource needs to be replaced with a custom resource that uses a Lambda function to assume the role ‘arn:aws:iam::865330066347:role/marketplace-cross-account-role’ and make the subscribe API call.

It’s likely that the ‘EntitlementSNSTopic’ will also need to be replaced with a custom Lambda resource so it can assume the ‘marketplace-cross-account-role’ IAM role and subscribe to the SNS topic.
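One way to implement the custom resource that support describes, as an added example that is not part of this issue or of the aws-samples repository: a Lambda handler that assumes the cross-account role, subscribes the SQS queue to the Marketplace topic with the assumed credentials, and reports the result back to CloudFormation. The property names TopicArn, Endpoint and RoleArn, the placeholder account IDs and queue name, and the FakeSns stand-in used for running it offline are assumptions made for this example; the AWS calls it relies on are sts:AssumeRole, sns:Subscribe and sns:Unsubscribe.

```python
"""Lambda-backed CloudFormation custom resource: subscribe an SQS queue to an
SNS topic in another account by first assuming a cross-account role.
Added example, not code from aws-samples/aws-marketplace-serverless-saas-integration.
Property names, account IDs, queue name and FakeSns are assumptions."""
import json
import urllib.request

SUCCESS = "SUCCESS"
FAILED = "FAILED"


def validate_arn(arn, what):
    """Reject malformed ARNs before calling the API. A TopicArn with no colons
    (e.g. an empty parameter) is what yields 'must have at least 6 elements, not 1'."""
    parts = str(arn).split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"{what} must be an ARN with at least 6 elements, got {arn!r}")
    return parts  # [arn, partition, service, region, account, resource]


def assumed_sns_client(role_arn, region):
    """Assume the cross-account role and build an SNS client on its temporary
    credentials. boto3 is imported lazily so the module loads without it."""
    import boto3  # available in the Lambda runtime
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="mp-sns-subscribe")["Credentials"]
    return boto3.client("sns", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def build_response(event, status, physical_id, data=None, reason=None):
    """Body CloudFormation expects to be PUT to the pre-signed ResponseURL."""
    return {"Status": status, "Reason": reason or "see CloudWatch Logs",
            "PhysicalResourceId": physical_id, "StackId": event["StackId"],
            "RequestId": event["RequestId"],
            "LogicalResourceId": event["LogicalResourceId"], "Data": data or {}}


def handle_request(event, make_sns=assumed_sns_client):
    """Process one Create/Update/Delete request and return the response body.
    make_sns is injectable so the logic can be exercised without AWS access."""
    props = event.get("ResourceProperties", {})
    physical_id = event.get("PhysicalResourceId", "")
    # After a failed Create, CloudFormation still sends Delete with the placeholder
    # id we returned; there is nothing to unsubscribe, so succeed without calling AWS.
    if event["RequestType"] == "Delete" and not physical_id.startswith("arn:"):
        return build_response(event, SUCCESS, physical_id or "nothing-to-delete")
    try:
        topic_arn, queue_arn = props.get("TopicArn", ""), props.get("Endpoint", "")
        role_arn = props.get("RoleArn", "")
        region = validate_arn(topic_arn, "TopicArn")[3]
        validate_arn(queue_arn, "Endpoint")
        validate_arn(role_arn, "RoleArn")
        sns = make_sns(role_arn, region)
        if event["RequestType"] == "Delete":
            sns.unsubscribe(SubscriptionArn=physical_id)
            return build_response(event, SUCCESS, physical_id)
        resp = sns.subscribe(TopicArn=topic_arn, Protocol="sqs", Endpoint=queue_arn,
                             ReturnSubscriptionArn=True)
        physical_id = resp["SubscriptionArn"]  # new id on Update => old one gets Delete
        return build_response(event, SUCCESS, physical_id, {"SubscriptionArn": physical_id})
    except Exception as exc:  # always answer, or the stack hangs until timeout
        return build_response(event, FAILED, physical_id or "failed", reason=str(exc))


def send_response(response_url, body):
    req = urllib.request.Request(response_url, data=json.dumps(body).encode(),
                                 method="PUT", headers={"Content-Type": ""})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def lambda_handler(event, context):
    body = handle_request(event)
    send_response(event["ResponseURL"], body)
    return body


class FakeSns:
    """Constructed stand-in for the assumed-role SNS client (offline runs only)."""
    def __init__(self):
        self.calls = []

    def subscribe(self, **kw):
        self.calls.append(("subscribe", kw))
        return {"SubscriptionArn": kw["TopicArn"] + ":11111111-2222-3333-4444-555555555555"}

    def unsubscribe(self, **kw):
        self.calls.append(("unsubscribe", kw))
        return {}


# Constructed sample event; account IDs, topic suffix and queue name are placeholders.
SAMPLE_EVENT = {
    "RequestType": "Create", "ResponseURL": "https://example.invalid/response",
    "StackId": "arn:aws:cloudformation:us-east-1:111111111111:stack/mp/1",
    "RequestId": "req-1", "LogicalResourceId": "SubscriptionSQSHandlerMySQSEvent",
    "ResourceProperties": {
        "TopicArn": "arn:aws:sns:us-east-1:222222222222:aws-mp-entitlement-notification-example",
        "Endpoint": "arn:aws:sqs:us-east-1:111111111111:marketplace-entitlement-queue",
        "RoleArn": "arn:aws:iam::333333333333:role/marketplace-cross-account-role"}}


def demo():
    """Create, Delete with the returned id, and a blank TopicArn, against FakeSns."""
    sns = FakeSns()
    created = handle_request(SAMPLE_EVENT, make_sns=lambda *_: sns)
    deleted = handle_request({**SAMPLE_EVENT, "RequestType": "Delete",
                              "PhysicalResourceId": created["PhysicalResourceId"]},
                             make_sns=lambda *_: sns)
    bad = handle_request({**SAMPLE_EVENT, "ResourceProperties":
                          {**SAMPLE_EVENT["ResourceProperties"], "TopicArn": ""}},
                         make_sns=lambda *_: sns)
    return created, deleted, bad, sns.calls
```

In the template, the subscription resource becomes `Type: Custom::CrossAccountSnsSubscription` with `ServiceToken` set to this function's ARN and the three properties above. Three permission pieces have to line up for sts:AssumeRole to work: the Lambda execution role needs sts:AssumeRole on marketplace-cross-account-role, that role's trust policy must allow the Lambda role (or its account) to assume it, and the role itself must be allowed sns:Subscribe on the topic (the part already tested by hand). Separately, the SQS queue policy must allow sns.amazonaws.com, conditioned on that topic ARN, to SendMessage; otherwise the subscribe call succeeds and no notifications ever arrive.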