This error occurs when Terraform lacks the necessary IAM permissions to create or manage SNS topics in AWS. Fix it by ensuring your IAM user or role has sns:CreateTopic and sns:SetTopicAttributes permissions.
The AuthorizationError that Terraform surfaces when creating an SNS topic is SNS's HTTP 403 response: the AWS credentials the provider is using are not authorized for the API call it just made. When Terraform creates an aws_sns_topic it calls sns:CreateTopic and then follow-up actions such as sns:SetTopicAttributes and sns:GetTopicAttributes; AWS evaluates each call against the caller's IAM policies (and any permissions boundary or service control policy that applies to it). If no policy explicitly allows the action on that resource, or any policy explicitly denies it, SNS returns AuthorizationError instead of creating or updating the topic. The error message names the calling principal and the denied action (for example "is not authorized to perform: SNS:CreateTopic"), which tells you exactly which identity and which permission to fix. This error commonly occurs in cross-account scenarios, when using restricted IAM roles, or when IAM policies haven't been configured with the necessary SNS permissions.
Verify that the IAM user or role Terraform actually runs as has the necessary SNS permissions. Run aws sts get-caller-identity with the same environment or profile Terraform uses to confirm which principal that is (it is often not the console user you are logged in as), then log into the AWS console and navigate to the IAM dashboard to check the policies attached to that principal.
Look for an inline or managed policy that includes SNS permissions. At minimum it should contain something like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:SetTopicAttributes",
        "sns:GetTopicAttributes",
        "sns:DeleteTopic"
      ],
      "Resource": "*"
    }
  ]
}
If this policy doesn't exist, you'll need to add it in the next step.
If your IAM user or role lacks SNS permissions, attach the necessary policy. The simplest approach is to use the AWS managed policy, but a policy scoped to the topics Terraform manages is better for security.
For a minimally privileged policy, create an inline policy with the following (replace ACCOUNT_ID with your account ID and TOPIC_NAME with the topic name or name prefix Terraform manages):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageTerraformTopics",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:SetTopicAttributes",
        "sns:GetTopicAttributes",
        "sns:DeleteTopic",
        "sns:ListSubscriptionsByTopic"
      ],
      "Resource": "arn:aws:sns:*:ACCOUNT_ID:TOPIC_NAME"
    },
    {
      "Sid": "ListTopicsHasNoResourceType",
      "Effect": "Allow",
      "Action": "sns:ListTopics",
      "Resource": "*"
    }
  ]
}
sns:ListTopics sits in its own statement because it does not support resource-level permissions: listing it under a topic ARN grants nothing for that action, and it must be allowed on "*". Resource accepts an array of ARNs if Terraform manages several topics, and a prefix wildcard such as "alerts-*" is acceptable; avoid a bare "*" unless Terraform genuinely manages every topic in the account.
Or, attach the AWS managed policy AmazonSNSFullAccess for full access (less restrictive):
aws iam attach-user-policy \
  --user-name your-username \
  --policy-arn arn:aws:iam::aws:policy/AmazonSNSFullAccess
If Terraform runs under a role rather than a user (an assumed role, an EC2 instance profile, or a CI runner's OIDC role), use aws iam attach-role-policy with --role-name instead. IAM is eventually consistent: a policy change usually takes effect within seconds but can take a few minutes, so allow for that before retrying.
Once you've added the SNS permissions, make sure Terraform is running as the principal you just fixed (aws sts get-caller-identity shows which one your shell or profile resolves to), then retry the deployment.
If you pass static credentials through environment variables, re-export them (re-exporting the same access key changes nothing on the AWS side, but it rules out a stale or wrong key lingering in the shell):
export AWS_ACCESS_KEY_ID="your-key-id"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_DEFAULT_REGION="us-east-1"
Permissions attached to a user or role apply to existing sessions as well, so if you use temporary credentials (aws sts assume-role, SSO, or a CI-issued role session) a fresh session is only needed when the old one was created under the wrong role or with a restrictive session policy. Then re-run Terraform:
terraform init
terraform plan
terraform apply
The SNS topic should now be created successfully.
If Terraform in one account (SOURCE_ACCOUNT) manages SNS topics in another (ACCOUNT_ID), two things must line up: the trust policy on the role Terraform assumes in the target account, and the identity-based permissions of that role. A topic policy only comes into play once the topic exists.
The trust policy (assume role policy) on the target-account role must allow the source-account principal to assume it. The example below trusts the whole source account, meaning any principal there whose own IAM policy allows sts:AssumeRole on this role; trusting the specific Terraform role ARN instead is tighter. The sts:ExternalId condition is the standard guard against the confused-deputy problem and must match the external_id set in the provider's assume_role block:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE_ACCOUNT:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "unique-external-id"
        }
      }
    }
  ]
}
Once the topic exists, a topic policy (resource-based policy) can additionally grant the source-account role topic-level actions, for example when Terraform in the source account subscribes to or publishes to the topic directly rather than through the assumed role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE_ACCOUNT:role/terraform-role"
      },
      "Action": [
        "sns:SetTopicAttributes",
        "sns:GetTopicAttributes",
        "sns:Subscribe",
        "sns:Publish"
      ],
      "Resource": "arn:aws:sns:REGION:ACCOUNT_ID:TOPIC_NAME"
    }
  ]
}
Note that sns:CreateTopic cannot be granted in a topic policy: the policy is attached to a topic that already exists, so creation is authorized only by the identity-based policy of the principal making the call, and the Resource element must be the topic's own ARN. Terraform manages this document with the aws_sns_topic_policy resource, which itself calls sns:SetTopicAttributes on the topic, so the applying principal needs that permission in its identity policy.
Search your IAM policies for any explicit deny statements that might override allow statements.
aws iam list-attached-user-policies --user-name your-username
aws iam get-user-policy --user-name your-username --policy-name policy-name
(aws iam list-user-policies enumerates the inline policy names to pass to get-user-policy; for a role use the role equivalents of these commands.) An explicit deny can also come from a permissions boundary on the principal or from an AWS Organizations service control policy, neither of which appears in the principal's attached policies, and the SNS error message does not say which policy denied the call. aws iam simulate-principal-policy --policy-source-arn <principal ARN> --action-names sns:CreateTopic reports the effective decision and the matching statements, which is faster than reading every document by hand. Look for any policy containing:
{
  "Effect": "Deny",
  "Action": "sns:*"
}
If you find explicit denies, either remove them or add a condition that excludes your Terraform principal (for example a StringNotEquals condition on aws:PrincipalArn). Remember that an explicit deny always overrides an allow in AWS IAM, whichever policy it appears in.
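The policy checks in the steps above (the scoped "minimal" policy, the sns:ListTopics resource quirk, and the explicit-deny hunt) can be reasoned about offline. The following is an added example, not code from the page or from Terraform or AWS: a small evaluator that implements just the part of IAM evaluation those steps rely on, then runs the page's policy shapes through it. The account ID 123456789012, the region, the topic names and the Sid values are constructed for the example; conditions, NotAction/NotResource, permissions boundaries, SCPs and topic policies are deliberately not modelled.

```python
"""Offline IAM identity-policy evaluator for the SNS permissions discussed above.

Added example (not from the page, Terraform or AWS). Modelled: Action/Resource
wildcards ('*', '?'), case-insensitive action names, case-sensitive ARNs,
"explicit Deny wins", "no Allow means implicit deny", and the fact that actions
without a resource type (sns:ListTopics) are evaluated against the resource "*".
Not modelled: Condition, NotAction/NotResource, permissions boundaries, SCPs and
resource-based (topic) policies. All identifiers below are constructed.
"""
import re

# SNS actions that have no resource type; IAM only matches them against "*".
NO_RESOURCE_TYPE = {"sns:listtopics", "sns:listsubscriptions"}

# Permissions the page lists for managing an aws_sns_topic.
REQUIRED_FOR_AWS_SNS_TOPIC = [
    "sns:CreateTopic", "sns:GetTopicAttributes", "sns:SetTopicAttributes",
    "sns:DeleteTopic", "sns:ListTopics",
]


def _matches(pattern, value, ignore_case):
    """IAM wildcard match: '*' is any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def request_resource(action, topic_arn):
    """The resource IAM evaluates: the topic ARN, or '*' for resource-less actions."""
    return "*" if action.lower() in NO_RESOURCE_TYPE else topic_arn


def evaluate(policies, action, resource):
    """Return ('Deny', sid), ('Allow', sid) or ('ImplicitDeny', None).

    Every statement of every policy is scanned; a matching Deny short-circuits
    because it overrides any Allow in any policy.
    """
    allowed_by = None
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
                continue
            sid = stmt.get("Sid", "<no Sid>")
            if stmt.get("Effect") == "Deny":
                return "Deny", sid
            if stmt.get("Effect") == "Allow":
                allowed_by = sid
    return ("Allow", allowed_by) if allowed_by else ("ImplicitDeny", None)


def missing_permissions(policies, topic_arn):
    """Actions from the page's list that the policies do not allow for topic_arn."""
    return [
        action for action in REQUIRED_FOR_AWS_SNS_TOPIC
        if evaluate(policies, action, request_resource(action, topic_arn))[0] != "Allow"
    ]


# Constructed sample data (not real identifiers).
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:alerts-prod"

# A "minimal" policy that lists ListTopics under a topic ARN: silently grants nothing for it.
PAGE_POLICY_AS_WRITTEN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllUnderTopicArn", "Effect": "Allow",
        "Action": ["sns:CreateTopic", "sns:SetTopicAttributes", "sns:GetTopicAttributes",
                   "sns:DeleteTopic", "sns:ListTopics", "sns:ListSubscriptionsByTopic"],
        "Resource": "arn:aws:sns:*:123456789012:*",
    }],
}

# Corrected shape: topic-scoped actions on a name prefix, ListTopics on "*".
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ManageAlertTopics", "Effect": "Allow",
         "Action": ["sns:CreateTopic", "sns:SetTopicAttributes", "sns:GetTopicAttributes",
                    "sns:DeleteTopic", "sns:ListSubscriptionsByTopic"],
         "Resource": "arn:aws:sns:*:123456789012:alerts-*"},
        {"Sid": "ListTopics", "Effect": "Allow", "Action": "sns:ListTopics", "Resource": "*"},
    ],
}

# An explicit deny of the kind the page tells you to hunt for.
DENY_ALL_SNS = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "NoSNS", "Effect": "Deny", "Action": "sns:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print("as written:", missing_permissions([PAGE_POLICY_AS_WRITTEN], TOPIC_ARN))
    print("fixed:     ", missing_permissions([FIXED_POLICY], TOPIC_ARN))
    print("with deny: ", evaluate([FIXED_POLICY, DENY_ALL_SNS], "sns:CreateTopic", TOPIC_ARN))
    print("other name:", evaluate([FIXED_POLICY], "sns:CreateTopic",
                                  "arn:aws:sns:us-east-1:123456789012:other"))
```

Running it shows the three things the troubleshooting steps depend on: the ARN-scoped policy leaves sns:ListTopics implicitly denied even though the action is listed, the explicit Deny wins regardless of which policy it sits in or where it appears in the order, and a topic whose name falls outside the Resource pattern gets an implicit deny that surfaces as the same AuthorizationError. For the real account, aws iam simulate-principal-policy gives the authoritative answer, including permissions boundaries, which this offline model ignores.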
Version-specific considerations: AWS Provider v5.94.0+ changed how SNS subscriptions are queried, requiring additional ListSubscriptionsByTopic permissions. If upgrading causes AuthorizationErrors, ensure your IAM policy includes this action.
ABAC (Attribute-Based Access Control): ABAC is still expressed in IAM policies; it scopes an Allow with tag conditions (aws:PrincipalTag, aws:ResourceTag, aws:RequestTag, aws:TagKeys) instead of listing resource ARNs. For sns:CreateTopic there is no existing resource tag to match, so an ABAC policy typically conditions on aws:RequestTag, which means the aws_sns_topic resource must carry the matching tags argument, and the principal also needs sns:TagResource because creating a topic with tags requires it. A topic created without the expected tags is denied and surfaces as the same AuthorizationError.
Terraform State Backend: a remote state backend (S3, Terraform Cloud) authenticates separately from the provider block, so a backend permission problem fails at terraform init or while acquiring the state lock, not as an SNS AuthorizationError. The related trap is that the provider block may use a different profile or assume_role than your shell or the backend does, so the principal that lacks sns:CreateTopic is not necessarily the one whose policy you are editing; check the provider configuration before changing policies.
IAM Policy Propagation: IAM is eventually consistent. A policy change is usually visible within seconds, but it can take a few minutes to reach every region and service endpoint, so if you've just updated a policy, wait briefly before retrying rather than rewriting it.