
I'm trying to create an SNS platform application and enable the delivery status feature for it using the AWS SDK (Java). As a first step I create the necessary roles "SNSSuccessFeedback" and "SNSFailureFeedback". Sample code (Groovy):

AmazonIdentityManagementClient aimClient = getAimClient(/*credentials*/)

// create "SNSSuccessFeedback" role:
aimClient.createRole(new CreateRoleRequest().withRoleName("SNSSuccessFeedback")
        .withAssumeRolePolicyDocument('{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"sts:AssumeRole"}]}'))
aimClient.putRolePolicy(new PutRolePolicyRequest().withRoleName("SNSSuccessFeedback")
        .withPolicyName("oneClick_SNSSuccessFeedback_1234567890")
        .withPolicyDocument('{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents","logs:PutMetricFilter","logs:PutRetentionPolicy"],"Resource":["*"]}]}'))
// the same code for "SNSFailureFeedback" role

// get ARN for both "SNSSuccessFeedback" and "SNSFailureFeedback"

// create platform application:
AmazonSNSClient snsClient = getSnsClient(/*credentials*/)
snsClient.createPlatformApplication(new CreatePlatformApplicationRequest()
        .withName("myapp")
        .withPlatform("APNS")
        .withAttributes([PlatformPrincipal: "certificate", PlatformCredential: "key",
                SuccessFeedbackRoleArn: successRoleArn, FailureFeedbackRoleArn: failureRoleArn,
                SuccessFeedbackSampleRate: "100"]))

But for some reason I get an error:

Invalid parameter: Attributes Reason: Invalid value for attribute: FailureFeedbackRoleArn: arn:aws:iam::1234567890:role/SNSFailureFeedback is not a valid role to allow SNS to write to Cloudwatch Logs (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: c1dbd591-f044-584a-bbac-85fa9a0cbe8d)

If I just add a delay (e.g. Thread.sleep(5000)) after role creation and before platform application creation, then the platform application is created successfully without error.

So, what is the proper way to create the roles and the platform application with delivery status enabled?

Sergei Shushkevich

1 Answer


You are experiencing eventual consistency when creating a role. The time delay is allowing time for the role to be "visible" to the next API request. Instead of an arbitrary time delay you could enumerate the IAM roles to see if the role you need is "visible."

jzonthemtn
  • What to do if the role is not "visible"? – Sergei Shushkevich Oct 02 '16 at 21:51
  • Best to put in a check to see if that role is returned in a `listRoles()` request. If the role is not returned, wait a second and check again. That way you will be guaranteed that the role is available when the `createPlatformApplication()` call is made. – jzonthemtn Oct 02 '16 at 23:20
  • It may actually require a little more time than it takes for `listRoles()` to return it, since `listRoles()` is talking directly to IAM over the exposed API while the other request is talking to a different service that is talking to IAM over a potentially different (AWS/internal) interface, where there could be an additional propagation delay. Potentially useful: [How long should I wait after applying an AWS IAM policy before it is valid?](http://stackoverflow.com/q/20156043/1695906) That question is about user policies+S3 rather than roles+SNS, but the answer should be equally applicable. +1 – Michael - sqlbot Oct 03 '16 at 02:05
  • @Michael-sqlbot That's interesting -- I hadn't considered that. Thanks for noting that. – jzonthemtn Oct 03 '16 at 23:05
  • I experienced this in the AWS Console (well, the SNS console) and, when I tried a second time, it worked. – Sam Critchley Jun 26 '17 at 20:18
  • I can vouch for @SamCritchley; I just experienced this in the AWS/SNS Console as well, and hitting "*Cancel*" and then trying a second time worked. Very strange! – smeeb Feb 28 '18 at 09:23
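Putting the answer and the comments together, the following is an added Java example (AWS SDK for Java v1, the same classes the Groovy snippet in the question uses); it is not code from the original post. It creates both feedback roles with the trust and log policies from the question, first waits until IAM itself returns each role (the answer's "visible" check, via `getRole` rather than paging through `listRoles`), and then retries `createPlatformApplication` with exponential backoff, but only when SNS rejects the request with the exact "is not a valid role to allow SNS to write to Cloudwatch Logs" message quoted in the question. That covers the extra propagation delay Michael - sqlbot describes without an arbitrary `Thread.sleep`, and a genuinely wrong ARN, a missing trust policy or a bad certificate still fails on the first attempt instead of looping. The `APNS_CERTIFICATE_PEM` / `APNS_PRIVATE_KEY_PEM` environment variables, the inline policy name and the attempt counts are assumptions.

```java
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.CreateRoleRequest;
import com.amazonaws.services.identitymanagement.model.EntityAlreadyExistsException;
import com.amazonaws.services.identitymanagement.model.GetRoleRequest;
import com.amazonaws.services.identitymanagement.model.NoSuchEntityException;
import com.amazonaws.services.identitymanagement.model.PutRolePolicyRequest;
import com.amazonaws.services.sns.AmazonSNS;
import com.amazonaws.services.sns.AmazonSNSClientBuilder;
import com.amazonaws.services.sns.model.CreatePlatformApplicationRequest;
import com.amazonaws.services.sns.model.CreatePlatformApplicationResult;
import com.amazonaws.services.sns.model.InvalidParameterException;

import java.util.HashMap;
import java.util.Map;

public class SnsDeliveryStatusSetup {

    // Trust policy from the question: only the SNS service principal may assume the role.
    private static final String TRUST_POLICY = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\","
            + "\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}";

    // The console's one-click CloudWatch Logs policy, as in the question (Resource "*").
    private static final String LOGS_POLICY = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\","
            + "\"Action\":[\"logs:CreateLogGroup\",\"logs:CreateLogStream\",\"logs:PutLogEvents\","
            + "\"logs:PutMetricFilter\",\"logs:PutRetentionPolicy\"],\"Resource\":[\"*\"]}]}";

    // Exact error text SNS returns while the role has not propagated yet (quoted in the question).
    private static final String NOT_VISIBLE_YET = "is not a valid role to allow SNS to write to Cloudwatch Logs";

    /** Creates the role if it does not exist, (re)applies the inline logs policy; idempotent on re-run. */
    static void ensureFeedbackRole(AmazonIdentityManagement iam, String roleName) {
        try {
            iam.createRole(new CreateRoleRequest().withRoleName(roleName).withAssumeRolePolicyDocument(TRUST_POLICY));
        } catch (EntityAlreadyExistsException e) {
            // Already there from an earlier run; the policy is still re-applied below.
        }
        iam.putRolePolicy(new PutRolePolicyRequest()
                .withRoleName(roleName)
                .withPolicyName(roleName + "Policy") // assumption: any inline policy name works
                .withPolicyDocument(LOGS_POLICY));
    }

    /** First gate: poll IAM until it returns the role, then hand back its ARN. */
    static String waitForRoleArn(AmazonIdentityManagement iam, String roleName, int maxAttempts)
            throws InterruptedException {
        for (int attempt = 1; ; attempt++) {
            try {
                return iam.getRole(new GetRoleRequest().withRoleName(roleName)).getRole().getArn();
            } catch (NoSuchEntityException e) {
                if (attempt >= maxAttempts) throw e;
                Thread.sleep(1000);
            }
        }
    }

    /** Second gate: retry only the propagation error; anything else is a real misconfiguration. */
    static CreatePlatformApplicationResult createWithRetry(AmazonSNS sns, CreatePlatformApplicationRequest request,
                                                            int maxAttempts) throws InterruptedException {
        long backoffMs = 1000;
        for (int attempt = 1; ; attempt++) {
            try {
                return sns.createPlatformApplication(request);
            } catch (InvalidParameterException e) {
                String msg = e.getErrorMessage();
                boolean stillPropagating = msg != null && msg.contains(NOT_VISIBLE_YET);
                if (!stillPropagating || attempt >= maxAttempts) throw e;
                System.err.printf("attempt %d: role not yet visible to SNS, retrying in %d ms%n", attempt, backoffMs);
                Thread.sleep(backoffMs);
                backoffMs = Math.min(backoffMs * 2, 16_000);
            }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();
        AmazonSNS sns = AmazonSNSClientBuilder.defaultClient();

        ensureFeedbackRole(iam, "SNSSuccessFeedback");
        ensureFeedbackRole(iam, "SNSFailureFeedback");
        String successRoleArn = waitForRoleArn(iam, "SNSSuccessFeedback", 10);
        String failureRoleArn = waitForRoleArn(iam, "SNSFailureFeedback", 10);

        Map<String, String> attributes = new HashMap<>();
        attributes.put("PlatformPrincipal", System.getenv("APNS_CERTIFICATE_PEM")); // assumption: PEM via env
        attributes.put("PlatformCredential", System.getenv("APNS_PRIVATE_KEY_PEM")); // assumption: PEM via env
        attributes.put("SuccessFeedbackRoleArn", successRoleArn);
        attributes.put("FailureFeedbackRoleArn", failureRoleArn);
        attributes.put("SuccessFeedbackSampleRate", "100");

        CreatePlatformApplicationResult result = createWithRetry(sns,
                new CreatePlatformApplicationRequest().withName("myapp").withPlatform("APNS").withAttributes(attributes),
                8);
        System.out.println("created " + result.getPlatformApplicationArn());
    }
}
```

Run it with AWS credentials in the default provider chain (environment, profile or instance role) and the two PEM values in the environment. Matching on the error text is the one fragile part: if AWS ever rewords the message the loop degrades to failing on the first attempt, which is the safe direction. Keeping the retry narrow matters because the same `InvalidParameter` code is also what you get for a role whose trust policy does not name `sns.amazonaws.com` or for an ARN typo, and those should never be retried.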