docs(sns): add IAM action details to grantPublish and grantSubscribe

syukawa-dev · syukawa-dev · commit 50c613a743a2 · 2026-03-23T18:42:22.000+09:00
Added details about which IAM actions are granted by grantPublish (sns:Publish + KMS permissions for encrypted topics) and grantSubscribe (sns:Subscribe) to help users understand the exact permissions being granted. Closes #35736
diff --git a/packages/aws-cdk-lib/aws-sns/lib/topic-base.ts b/packages/aws-cdk-lib/aws-sns/lib/topic-base.ts
@@ -70,12 +70,18 @@ export interface ITopic extends IResource, notifications.INotificationRuleTarget
   addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult;
 
   /**
-   * Grant topic publishing permissions to the given identity
+   * Grant topic publishing permissions to the given identity.
+   *
+   * This grants the `sns:Publish` action on this topic. If the topic is encrypted
+   * with a customer-managed KMS key, it also grants `kms:Decrypt` and
+   * `kms:GenerateDataKey*` on the key.
    */
   grantPublish(identity: iam.IGrantable): iam.Grant;
 
   /**
-   * Grant topic subscribing permissions to the given identity
+   * Grant topic subscribing permissions to the given identity.
+   *
+   * This grants the `sns:Subscribe` action on this topic.
    */
   grantSubscribe(identity: iam.IGrantable): iam.Grant;
 }
@@ -224,7 +230,11 @@ export abstract class TopicBase extends Resource implements ITopic, IEncryptedRe
   }
 
   /**
-   * Grant topic publishing permissions to the given identity
+   * Grant topic publishing permissions to the given identity.
+   *
+   * This grants the `sns:Publish` action on this topic. If the topic is encrypted
+   * with a customer-managed KMS key, it also grants `kms:Decrypt` and
+   * `kms:GenerateDataKey*` on the key.
    *
    * The use of this method is discouraged. Please use `grants.publish()` instead.
    *
@@ -235,7 +245,9 @@ export abstract class TopicBase extends Resource implements ITopic, IEncryptedRe
   }
 
   /**
-   * Grant topic subscribing permissions to the given identity
+   * Grant topic subscribing permissions to the given identity.
+   *
+   * This grants the `sns:Subscribe` action on this topic.
    *
    * The use of this method is discouraged. Please use `grants.subscribe()` instead.
    *

Original file line number	Diff line number	Diff line change
`@@ -70,12 +70,18 @@ export interface ITopic extends IResource, notifications.INotificationRuleTarget`
`70`	`70`	`addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult;`
`71`	`71`
`72`	`72`	`/**`
`73`		`- * Grant topic publishing permissions to the given identity`
	`73`	`+ * Grant topic publishing permissions to the given identity.`
	`74`	`+ *`
	`75`	+ * This grants the `sns:Publish` action on this topic. If the topic is encrypted
	`76`	+ * with a customer-managed KMS key, it also grants `kms:Decrypt` and
	`77`	+ * `kms:GenerateDataKey*` on the key.
`74`	`78`	`*/`
`75`	`79`	`grantPublish(identity: iam.IGrantable): iam.Grant;`
`76`	`80`
`77`	`81`	`/**`
`78`		`- * Grant topic subscribing permissions to the given identity`
	`82`	`+ * Grant topic subscribing permissions to the given identity.`
	`83`	`+ *`
	`84`	+ * This grants the `sns:Subscribe` action on this topic.
`79`	`85`	`*/`
`80`	`86`	`grantSubscribe(identity: iam.IGrantable): iam.Grant;`
`81`	`87`	`}`
`@@ -224,7 +230,11 @@ export abstract class TopicBase extends Resource implements ITopic, IEncryptedRe`
`224`	`230`	`}`
`225`	`231`
`226`	`232`	`/**`
`227`		`- * Grant topic publishing permissions to the given identity`
	`233`	`+ * Grant topic publishing permissions to the given identity.`
	`234`	`+ *`
	`235`	+ * This grants the `sns:Publish` action on this topic. If the topic is encrypted
	`236`	+ * with a customer-managed KMS key, it also grants `kms:Decrypt` and
	`237`	+ * `kms:GenerateDataKey*` on the key.
`228`	`238`	`*`
`229`	`239`	* The use of this method is discouraged. Please use `grants.publish()` instead.
`230`	`240`	`*`
`@@ -235,7 +245,9 @@ export abstract class TopicBase extends Resource implements ITopic, IEncryptedRe`
`235`	`245`	`}`
`236`	`246`
`237`	`247`	`/**`
`238`		`- * Grant topic subscribing permissions to the given identity`
	`248`	`+ * Grant topic subscribing permissions to the given identity.`
	`249`	`+ *`
	`250`	+ * This grants the `sns:Subscribe` action on this topic.
`239`	`251`	`*`
`240`	`252`	* The use of this method is discouraged. Please use `grants.subscribe()` instead.
`241`	`253`	`*`