Access Denied while sending email from AWS SES in Lambda function

暗喜 2021-02-18 14:24

I am trying to send an email using Amazon SES in an AWS Lambda function. For this, I am facing the following error.

AccessDenied: User arn:aws:sts::XXXX

6 Answers
  • 2021-02-18 14:42

    As others said, you should add these two permissions: ses:SendEmail, ses:SendRawEmail

    I just want to add an explanation for those who use the Serverless framework.

    In serverless.yml:

    provider:
      name: aws
      stage: dev
      runtime: nodejs10.x
      region: us-west-1
      iamRoleStatements:
        - Effect: Allow
          Action:
            - dynamodb:Query
            - dynamodb:Scan
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:UpdateItem
            - dynamodb:DeleteItem
            - lambda:InvokeFunction
            - ses:SendEmail            # add this
            - ses:SendRawEmail         # add this
          Resource: '*'                # add this
    
    0 Discussion (0)
  • 2021-02-18 14:49

    If you are configuring policies for a SAM Lambda or using a YAML configuration file, you would use something like this:

    template.yaml

    AWSTemplateFormatVersion: '2010-09-09'
    Transform: AWS::Serverless-2016-10-31
    Description: 'your-email-lambda'
    
    Resources:
      YourEmailFunction:
        Type: AWS::Serverless::Function
        Properties:
          Policies:
            - Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - 'ses:SendEmail'
                    - 'ses:SendRawEmail'
                  Resource: '*'
    
    0 Discussion (0)
  • 2021-02-18 14:57

    So, I was also having the same problem that Rakesh has explained, but couldn't understand the steps he was saying to do, so here is a detailed explanation with steps.

    You need to do the following: Security, Identity & Compliance -> IAM -> Roles -> select your Lambda function -> then edit policy -> open it in JSON and add the part below

    {
      "Effect":"Allow",
      "Action":[
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource":"*"
    }
    

    Or you can do as per your requirement from these policy examples: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/control-user-access.html#iam-and-ses-examples-email-sending-actions. Also, you need to verify the email address first, so don't forget that. Hope this helps everyone.

    0 Discussion (0)
  • 2021-02-18 14:57

    After long debugging I found the issue: the "lambda_basic_execution" role needs to be granted permission to access "ses:SendEmail", "ses:SendRawEmail".

    I was trying to grant permission to the new IAM role I had created, but the Lambda function is mapped to "lambda_basic_execution", so there is a mismatch.

    Reference - http://docs.aws.amazon.com/ses/latest/DeveloperGuide/control-user-access.html#iam-and-ses-examples-email-sending-actions

    0 Discussion (0)
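
An added example (not from any of the answers): a small offline check, in Python, of the mismatch described in the answer above, where the SES permissions were granted to one role while the function runs as another. The role name `my-new-ses-role`, the sample policies and the helper names are constructed for illustration, and the evaluation is simplified as noted in the docstring.

```python
import re

REQUIRED = ("ses:SendEmail", "ses:SendRawEmail")

def _as_list(value):
    # IAM accepts a single string/object or a list for Action and Statement.
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the only wildcards.
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False

def check_role(policy_documents, required=REQUIRED):
    """Return {action: 'allowed' | 'denied' | 'missing'} for one role's policies.

    Simplified: ignores Resource, Condition, NotAction, permission boundaries and SCPs.
    """
    result = {}
    for action in required:
        verdict = "missing"  # no matching statement means implicit deny
        for doc in policy_documents:
            for stmt in _as_list(doc.get("Statement", [])):
                if not _matches(stmt.get("Action", []), action):
                    continue
                if stmt.get("Effect") == "Deny":
                    verdict = "denied"  # explicit Deny always wins
                elif stmt.get("Effect") == "Allow" and verdict != "denied":
                    verdict = "allowed"
        result[action] = verdict
    return result

# Constructed sample data, shaped like the policy JSON in the answers on this page.
ROLES = {
    "lambda_basic_execution": [{"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "logs:*", "Resource": "*"}}],
    "my-new-ses-role": [{"Version": "2012-10-17", "Statement": [{  # hypothetical role
        "Effect": "Allow", "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "*"}]}],
}
FUNCTION_ROLE = "lambda_basic_execution"  # role the function is mapped to

if __name__ == "__main__":
    for role, docs in ROLES.items():
        tag = "  <- function's execution role" if role == FUNCTION_ROLE else ""
        print(f"{role}: {check_role(docs)}{tag}")
```

Feed it the policy documents of the role the function is actually mapped to; a result of `missing` for that role reproduces the AccessDenied case even when another role holds the grant.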
  • 2021-02-18 14:59

    IAM Policy fixed the issue. The policy summary will show if there are any warnings, i.e. resource does not exist etc.

    The JSON needs the following:

    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "*"
    }
    
    0 Discussion (0)
  • 2021-02-18 15:00

    For Serverless Components yaml:

    ...
    inputs:
      name: ${name}-${stage}
      region: ...
      service: lambda.amazonaws.com
      policy:
        - Effect: Allow
          Action:
            - ses:SendEmail
            - ses:SendRawEmail
          Resource: '*'
    
    0 Discussion (0)