I am trying to send an email using Amazon SES in AWS Lambda function, For this i am facing the following error.
AccessDenied: User
arn:aws:sts::XXXXX:assumed-role/lambda_basic_execution/awslambda_XXXX' is not authorized to performses:SendEmail' on resource `arn:aws:ses:us-west-2:XXX:identity/[email protected]'
I have granted permission for
"ses:SendEmail", "ses:SendRawEmail" for the IAM role.
So, I was also having the same problem which Rakesh has explained but couldn't understand the steps he was saying to do so here is a detailed explanation with steps.
You need to do the following Security, Identity & Compliance -> IAM -> Roles -> select your lambda function -> then edit policy -> open it in JSON and add the below part
{
"Effect":"Allow",
"Action":[
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource":"*"
}
or you can do as per requirement from these policy examples https://docs.aws.amazon.com/ses/latest/DeveloperGuide/control-user-access.html#iam-and-ses-examples-email-sending-actions also, you need to verify the email address first so don't forget that. Hope this helps everyone.
After a long debugging i got the issue, "lambda_basic_execution" role need to be granted with permission to access "ses:SendEmail", "ses:SendRawEmail".
Where i was trying to grant permission for the new IAM role i have created, but lambda function is mapped to "lambda_basic_execution" so there is a mismatch.
If you are configuring policies for a SAM Lambda or using a YAML configuration file, you would use something like this:
template.yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: 'your-email-lambda'
Resources:
YourEmailFunction:
Type: AWS:Serverless::Function
Properties:
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'ses:SendEmail'
- 'ses:SendRawEmail'
Resource: '*'
As what others said you should add this two permissions: ses:SendEmail,ses:SendRawEmail
I just want to add explaination for those who use Serverless framework
In serverless.yml:
provider:
name: aws
stage: dev
runtime: nodejs10.x
region: us-west-1
iamRoleStatements:
- Effect: Allow
Action:
- dynamodb:Query
- dynamodb:Scan
- dynamodb:GetItem
- dynamodb:PutItem
- dynamodb:UpdateItem
- dynamodb:DeleteItem
- lambda:InvokeFunction
- ses:SendEmail # add this
- ses:SendRawEmail # add this
Resource: '*' # add this
You have to create a policy in order to relate your IAM user with your email sender.
First you have to create the SMTP credentials. In your Account Dashboard go down and select Create SMTP Credentials Well, now you have the IAM user you are going to use it to send emails with SES. Copy the user ARN (something like this: arn:aws:iam::601688880060:user/ses-smtp-user.20227405-2043453), you will need it in the next step.
In your AWS SES account select your verified email you are going to use to send. Go to the Authorization tab. Create a Policy using the policy generator. There you have to paste there the user ARN. Check the options you want, apply policy.
To finish, add the credentials in your code. (you can also use a file named "credentials" in the ".aws" root directory)
$SesClient = new SesClient([
'version' => '2010-12-01',
'region' => 'us-east-2',
'credentials' => [
'key' => 'AKIAYYFKAU4OPBNUTIII',
'secret' => '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',
],
]);
That's it, good luck !
https://www.lazydeveloper.tech/aws/aws-using-ses-to-send-email-within-a-lambda-function/
