Whenever you create an SNS topic by itself, its default access policy looks something like the one below. For CodePipeline notifications this default policy is wrong and will not work:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-east-2:123456789012:my-sns-topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "123456789012"
        }
      }
    }
  ]
}
The policy above is wrong: it will not let your CodePipeline notification rule reach the SNS topic, so the target never becomes "Active". Change the access policy of your SNS topic to the following instead:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "CodeNotification_publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-2:123456789012:my-sns-topic"
    }
  ]
}
NOTE 1: Change 123456789012 to your AWS account ID, and my-sns-topic to the name of your SNS topic.
NOTE 2: If your region is different from us-east-2, change that too in the above snippet.
NOTE 3: Both the SNS topic and the CodePipeline Notification rule should be in the same region, otherwise this won’t work.
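As an added example (not part of the original post), the small Python check below builds the corrected policy for a given account, region and topic name, and tells you whether an existing topic policy actually grants SNS:Publish to the CodeStar Notifications service principal on that exact topic ARN. The default policy from the post is embedded as constructed sample input; statement conditions are deliberately not evaluated, which is a simplification.

```python
CODESTAR_SERVICE = "codestar-notifications.amazonaws.com"

# Constructed copy of the default policy shown in the post, trimmed to the
# fields the check below inspects (principal, action, resource).
DEFAULT_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Publish", "SNS:Subscribe"],
        "Resource": "arn:aws:sns:us-east-2:123456789012:my-sns-topic",
        "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}},
    }],
}


def build_notification_policy(account_id, region, topic_name):
    """Return the corrected policy from the post: only the CodeStar
    Notifications service may publish, and only to this one topic."""
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "CodeNotification_publish",
            "Effect": "Allow",
            "Principal": {"Service": CODESTAR_SERVICE},
            "Action": "SNS:Publish",
            "Resource": f"arn:aws:sns:{region}:{account_id}:{topic_name}",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def codestar_can_publish(policy, topic_arn):
    """True if some Allow statement names the CodeStar Notifications service
    as principal and grants SNS:Publish on topic_arn. A bare "AWS": "*"
    principal (the default policy) does not satisfy this check, matching the
    behaviour the post describes. Conditions are ignored (simplification)."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or CODESTAR_SERVICE not in services:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not ({"sns:publish", "sns:*", "*"} & actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if topic_arn in resources or "*" in resources:
            return True
    return False
```

Note that a matching region in the ARN matters: a policy written for us-east-2 does not pass the check for the same topic name in another region, in line with NOTE 2 and NOTE 3.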
Whenever you create a Notification Rule and then a Notification Rule Target, the only way to make AWS refresh the Notification target status is to delete the Notification rule target under CodePipeline -> Settings (on the left side bar) -> Notification rules -> Notification rule targets (this is extremely important!).
NOTE: Deleting the Notification rule target from the notification rule itself won’t do anything; because of that, when you re-add it in that page, the Notification rule target will still be the old one and thus the Notification target status will remain “Unreachable”.