2
votes

I'm trying to run the following PHP code on my server:

require 'aws_sdk_php/aws-autoloader.php';
use Aws\Ses\SesClient;

echo 'teste1';
$client = SesClient::factory(array(
    'key' => 'xxxxx',
    'secret' => 'yyyyy',
    'region' => 'us-east-1'
));
echo 'teste2';
echo $client->listIdentities();
echo 'teste3';
echo $client->verifyEmailIdentity(array(
    'EmailAddress' => '[email protected]'
));

I created a user with permission to send emails using SMTP (ses:SendRawEmail) and it works just fine. However the "listIdentities" and "verifyEmailIdentity" calls only works when I grant SES Full Access permission or use full credentials for the account.

If I add only "ses:ListIdentities" and "ses:VerifyEmailIdentity" to the same user, I get a 403 error saying the signature not match. Anybody have any idea what's going on? Do I have to add other permissions/policies to grant access to this calls?

I also ran this permissions on the IAM Policy Simulator and they passed when they were set, but I received a "denied" after I removed them.

Thanks!


Update: According to this SES AWS Error Code: SignatureDoesNotMatch, Status Code: 403 MAYBE the fix is I should adjust the time on my EC2 server, but how can I found out what time is it on SES servers since I don't have access to them?


Update2: Doesn't seem like a case of diferent time, as I ran the code on a server on North Virginia and got the same results. Permissions passed on the simulator. Any suggestions?

1
What version of the AWS SDK for PHP are you using?Steffen Opel
The version I'm using has this on SesClient.php file: const LATEST_API_VERSION = '2010-12-01';Vini.g.fer

1 Answers

1
votes

[...] MAYBE the fix is I should adjust the time on my EC2 server, but how can I found out what time is it on SES servers since I don't have access to them?

The "clock skew" mentioned in Jeremy Lindblom's answer means that the time on your server isn't sufficiently synchronized with Coordinated Universal Time (UTC) after subtracting the timezone offset, i.e. you do not actually need to know the time on the Amazon SES servers (which most certainly is simply UTC though), rather just ensure that your own system is synchronized with UTC too (no matter what timezone you are in) - see my answer to synchronize local Debian time with amazon Debian instances (RDS) MDT to UTC for more details on the subject and how to resolve this for a Debian/GNU resp. Ubuntu system:

[...] This is easily remedied by installing a Network Time Protocol (NTP) daemon to Set the time automatically as explained in Debian's DateTime, which boils down to sudo apt-get install ntp and editing /etc/ntp.conf to target more local NTP server sources for optimal results.