yas3fs
SNS subscription
Hi - First, may I say: Great work on yas3fs! I have formed some policies to restrict IAM roles suitably so that yas3fs can only access the nominated SNS ARNs, and also used the yas3fs SQS naming convention to restrict its SQS access for specific mounts. It's not perfect, but I do try to restrict as much as possible. In debugging, I notice that when unmounting, yas3fs sends an unsubscribe request to ARN * for SNS under the account, rather than sending a specific unsubscribe for the subscription created on mount. It may be that I'm seeing a mis-reported error, but if not, I wondered if this was for some reason(s) by design? It seems to currently require unsubscribe action permissions to ARN * for the account in question.
-ic
Just ran into this as well. The SNS unsubscribe permission is the only one that can't be tailored to a narrow IAM role.
Have encountered this too; I think that ought to be added to the README.
Adding a blanket unsubscribe for the sns resource solves the issue.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "yourpolicysid",
                "Effect": "Allow",
                "Action": [
                    "sns:Unsubscribe"
                ],
                "Resource": [
                    "arn:aws:sns:us-east-1:123456789012:*"
                ]
            }
        ]
    }
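To show how the account-wide sns:Unsubscribe grant from this thread fits next to the topic- and queue-scoped statements, here is an added example (not yas3fs code and not part of the thread) that builds the policy document and checks its resource scoping offline with a small IAM-style wildcard matcher. The topic name, the "yas3fs-" queue prefix and the SQS action list are assumptions to be adjusted to your own mount; the evaluator handles Allow statements only, with no Deny or Condition support.

```python
"""Scoped IAM policy for a yas3fs mount, with an offline wildcard check.

Added example for this thread, not yas3fs code. The SNS scoping follows the
thread (topic-specific Publish/Subscribe, account-wide sns:Unsubscribe);
the topic name, the 'yas3fs-' queue prefix and the SQS action list are
ASSUMPTIONS to adjust to your own mount configuration.
"""
import json
import re

REGION = "us-east-1"
ACCOUNT = "123456789012"       # 12-digit placeholder account id (constructed)
TOPIC = "yas3fs-mount-a"       # assumed topic name
QUEUE_PREFIX = "yas3fs-"       # assumed queue naming prefix


def iam_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters (including
    ':' and '/'), '?' matches exactly one character, everything else is literal.
    Actions are matched case-insensitively, ARNs case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags=flags) is not None


def yas3fs_policy(region=REGION, account=ACCOUNT, topic=TOPIC, queue_prefix=QUEUE_PREFIX) -> dict:
    """Return a policy document with three statements: topic-pinned SNS actions,
    the account/region-wide Unsubscribe grant, and prefix-scoped SQS queues."""
    topic_arn = f"arn:aws:sns:{region}:{account}:{topic}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # These calls carry the topic ARN, so they can be pinned to one topic.
                "Sid": "Yas3fsTopic",
                "Effect": "Allow",
                "Action": ["sns:Publish", "sns:Subscribe"],
                "Resource": [topic_arn],
            },
            {   # As reported in the thread, the unmount-time Unsubscribe is not scoped
                # to the mount's subscription, so the narrowest grant that works is the
                # SNS wildcard for this region and account rather than a bare "*".
                "Sid": "Yas3fsUnsubscribe",
                "Effect": "Allow",
                "Action": ["sns:Unsubscribe"],
                "Resource": [f"arn:aws:sns:{region}:{account}:*"],
            },
            {   # ASSUMPTION: queues created for the mount share this prefix and need
                # exactly these actions; adjust both to your deployment.
                "Sid": "Yas3fsQueues",
                "Effect": "Allow",
                "Action": ["sqs:CreateQueue", "sqs:DeleteQueue", "sqs:GetQueueAttributes",
                           "sqs:SetQueueAttributes", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
                "Resource": [f"arn:aws:sqs:{region}:{account}:{queue_prefix}*"],
            },
        ],
    }


def allows(policy: dict, action: str, resource: str) -> bool:
    """Minimal evaluator: Allow statements only, no Deny, no Conditions.
    Enough to confirm resource scoping before loading the policy into IAM."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        action_ok = any(iam_match(a, action, ignore_case=True) for a in stmt["Action"])
        resource_ok = any(iam_match(r, resource) for r in stmt["Resource"])
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    policy = yas3fs_policy()
    print(json.dumps(policy, indent=2))
    # Constructed subscription ARN for the mount's own topic.
    sub_arn = f"arn:aws:sns:{REGION}:{ACCOUNT}:{TOPIC}:1111-2222-3333"
    print("unsubscribe own subscription :", allows(policy, "sns:Unsubscribe", sub_arn))
    print("unsubscribe in other region  :",
          allows(policy, "sns:Unsubscribe", f"arn:aws:sns:eu-west-1:{ACCOUNT}:{TOPIC}"))
    print("publish to other topic       :",
          allows(policy, "sns:Publish", f"arn:aws:sns:{REGION}:{ACCOUNT}:other-topic"))
```

The check makes the trade-off in the thread concrete: the Unsubscribe statement still covers every topic and subscription in that region and account (that is the over-grant the thread is complaining about), but it no longer reaches other regions or accounts, while Publish, Subscribe and the SQS actions stay pinned to the mount's own topic and queue prefix.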