node.jsamazon-web-servicesamazon-snsamazon-rekognition

AWS Video Rekognition is not publishing results to SNS Topic


Running some nodejs aws rekognition to detect labels in mp4 video, but it will not publish to the specified SNS topic when complete. I don't get any permission errors when submitting the request with the topic/ROLE arns.

const AWS = require('aws-sdk');
AWS.config.update(
    {
        region: 'us-west-2',
        accessKeyId: "asdfadsf",
        secretAccessKey: "asdfasdfasdfasd1234123423"
    }
);


const params = {
    Video: {
        S3Object: {
            Bucket: 'myvidebucket',
            Name: '5d683b81760ec59c2015.mp4'
        }
    },
    NotificationChannel: {
        RoleArn: 'arn:aws:iam::xxxxxxxxxxxxx:role/AmazonRekognitionSNSSuccessFeedback',
        SNSTopicArn: 'arn:aws:sns:us-west-2:xxxxxxxxxxxxx:recoknize',
    },
    MinConfidence: 60
};


rekognition.startLabelDetection(params).promise().then(data => {
    console.log(JSON.stringify(data));
}).catch(error => {
    console.log(error);
});

That code executes with no errors, and I get back a job id. My SNS topic subscription is confirmed, and supposed to post to my HTTPS endpoint. But nothing ever arrives, and there are no error logs anywhere in AWS console about this.

When I manually access the rekogniztion by jobid, the data comes back fine so I know it finished correctly. Something strange has to be going on with IAM permissions.


Solution

  • I have reviewed and tested your nodejs code successfully and I don't see anything wrong with it.

    Since, the code returns the AWS Rekognition "JobId" successfully, you can review your SNS configuration and check if it matches the following:

    1. On your SNS topic ('arn:aws:sns:us-west-2:xxxxxxxxxxxxx:recoknize'), navigate to the access policy and check if you have a policy similar to the following :

    {
      "Version": "2008-10-17",
      "Id": "__default_policy_ID",
      "Statement": [
        {
          "Sid": "__default_statement_ID",
          "Effect": "Allow",
          "Principal": {
            "Service": "rekognition.amazonaws.com"
          },
          "Action": [
            "SNS:GetTopicAttributes",
            "SNS:SetTopicAttributes",
            "SNS:AddPermission",
            "SNS:RemovePermission",
            "SNS:DeleteTopic",
            "SNS:Subscribe",
            "SNS:ListSubscriptionsByTopic",
            "SNS:Publish",
            "SNS:Receive"
          ],
          "Resource": "arn:aws:sns:us-west-2:XXXXXXXXXXXX:AmazonRekognitionTopic"
        }
      ]
    }
    

    2. On your IAM role ('arn:aws:iam::xxxxxxxxxxxxx:role/AmazonRekognitionSNSSuccessFeedback'), make sure of the following:

    (i) The "Trust relationship" of your role has the following statement :

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service":"rekognition.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    

    (ii) The role has an attached policy document similar to one given below:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sns:publish"
                ],
                "Resource": "*"
            }
        ]
    }
    

    The successful published message from Amazon Rekognition to SNS topic should output something similar to:

    "JobId":"8acd9edd6edfb0e4985f8cd269e4863e54f7fcd451af6aafe10b32996dedbdba","Status":"SUCCEEDED","API":"StartLabelDetection","Timestamp":1568544553927,"Video":{"S3ObjectName":"final.mp4","S3Bucket":"syumak-rekognition"}}
    

    Hope this helps.