I have followed fully what you've spelt out on https://github.com/arithmetric/aws-lambda-ses-forwarder but am stuck. No amount of Google searching or playing with options has helped. A client is about to terminate the contract; we've been stuck at this error for too long.

I have verified my domain. I can receive email from anywhere through my verified address to my designated S3 bucket. I also changed the '"functionArn":xxx..."' to '"functionArn": "arn:aws:lambda:us-west-2:MY-ACCOUNT-ID:function:fnForwardEmailToGmail"'.

However, the received emails are never forwarded, and when I test the function using "SES Email Receiving" I get the error below.

START RequestId: 7f2cd5ed-83ea-11e7-913f-55748388c69f Version: $LATEST
2017-08-18T07:54:44.467Z    7f2cd5ed-83ea-11e7-913f-55748388c69f    { level: 'info',
  message: 'Fetching email at s3://MY-S3-BUCKET/MY-PREFIX/o3vrnil0e2ic28fgfdstrm7dfhrc2v0clambda4nbp0g1' }
2017-08-18T07:54:46.068Z    7f2cd5ed-83ea-11e7-913f-55748388c69f    { level: 'error',
  message: 'copyObject() returned error:',
  error: 
   { [AccessDenied: Access Denied]
     message: 'Access Denied',
     code: 'AccessDenied',
     region: null,
     time: Fri Aug 18 2017 07:54:46 GMT+0000 (UTC),
     requestId: 'A6285517D1AF2B9D',
     extendedRequestId: 'dfH3csS5kHLsYN4ZgIWVliYmuVb1OgCVl6KdUSdZdqwX2T+JdkfZwIyPa5KEgYFiJfZmrwXjXDI=',
     cfId: undefined,
     statusCode: 403,
     retryable: false,
     retryDelay: 32.49475641641766 },
  stack: 'AccessDenied: Access Denied
    at Request.extractError (/var/task/node_modules/aws-sdk/lib/services/s3.js:473:35)
    at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:615:14)
    at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:617:12)
    at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:115:18)' }
2017-08-18T07:54:46.127Z    7f2cd5ed-83ea-11e7-913f-55748388c69f    {"errorMessage":"Error: Could not make readable copy of email."}
END RequestId: 7f2cd5ed-83ea-11e7-913f-55748388c69f
REPORT RequestId: 7f2cd5ed-83ea-11e7-913f-55748388c69f  Duration: 1993.85 ms    Billed Duration: 2000 ms    Memory Size: 128 MB Max Memory Used: 32 MB

LAMBDA ROLE FUNCTION POLICY

{
    "Version": "2012-10-17",
    "Statement": [
       {
          "Effect": "Allow",
          "Action": [
             "logs:CreateLogGroup",
             "logs:CreateLogStream",
             "logs:PutLogEvents"
          ],
          "Resource": "arn:aws:logs:*:*:*"
       },
       {
          "Effect": "Allow",
          "Action": "ses:SendRawEmail",
          "Resource": "*"
       },
       {
          "Effect": "Allow",
          "Action": [
             "s3:GetObject",
             "s3:PutObject"
          ],
          "Resource": "arn:aws:s3:::MY-S3-BUCKET/*"
       }
    ]
}

I have added to my LAMBDA ROLE two managed roles "AmazonS3FullAccess" and "AmazonSESFullAccess".

S3 BUCKET POLICY

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "GiveSESPermissionToWriteEmail",
         "Effect": "Allow",
         "Principal": {
            "Service": "ses.amazonaws.com"
         },
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::MY-S3-BUCKET/*",
         "Condition": {
            "StringEquals": {
               "aws:Referer": "MY-ACCOUNT-ID"
            }
         }
      }
   ]
}

Where am I going wrong? Please help!

2 Answers

0
votes

That copyObject() call seems to be copying files in S3. You should add S3 permissions to your role.

0
votes

I had the same problem. After reviewing the GitHub setup instructions here, https://github.com/arithmetric/aws-lambda-ses-forwarder#set-up, I noticed that my IAM policy for S3 did not have any permission set.

The S3 service should have the "Limited: Read, Write" access level.

You need to modify the policy and ensure that there is a "/*" at the end. See the example below:

"Resource": "arn:aws:s3:::S3-BUCKET-NAME/*"
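Both the question's Lambda role policy and this answer's point about the trailing "/*" come down to one thing: a CopyObject call needs s3:GetObject on the source key and s3:PutObject on the destination key, and those are object-level actions that only match an object ARN (bucket/*), never the bare bucket ARN. The script below is an added illustration, not code from the question, the answers or the aws-lambda-ses-forwarder project. It implements a small identity-policy evaluator (Allow/Deny with IAM-style wildcards, no Condition support) and runs it over a copy of the poster's role policy and over the same policy with "/*" removed. The bucket name and object keys are the placeholders used in the post plus constructed values.

```python
import fnmatch
import json

# Constructed copy of the Lambda role policy from the question.
# MY-S3-BUCKET is the placeholder the poster used.
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow", "Action": "ses:SendRawEmail", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::MY-S3-BUCKET/*"},
    ],
}

# The same policy with the trailing "/*" dropped (the mistake the second
# answer describes): the resource is now the bucket ARN, which object-level
# actions such as GetObject and PutObject never match.
BUCKET_ONLY_POLICY = json.loads(json.dumps(LAMBDA_ROLE_POLICY))
BUCKET_ONLY_POLICY["Statement"][2]["Resource"] = "arn:aws:s3:::MY-S3-BUCKET"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM action and resource patterns use '*' and '?' wildcards; fnmatch
    # semantics are close enough for this evaluator. Actions are matched
    # case-insensitively, resources case-sensitively, as IAM does.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Evaluate one (action, resource) pair against an identity policy.

    Returns True only if some Allow statement matches and no Deny statement
    matches (explicit deny wins; the default is deny). Statements carrying a
    Condition are rejected rather than silently treated as matching.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if "Condition" in stmt:
            raise NotImplementedError("conditions are not evaluated here")
        action_hit = any(_matches(p.lower(), action.lower())
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource)
                           for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def copy_object_requirements(bucket, src_key, dst_key):
    """The (action, resource) pairs a same-bucket CopyObject needs from the
    caller's identity policy: read the source object, write the destination."""
    return [
        ("s3:GetObject", f"arn:aws:s3:::{bucket}/{src_key}"),
        ("s3:PutObject", f"arn:aws:s3:::{bucket}/{dst_key}"),
    ]


def missing_permissions(policy, bucket, src_key, dst_key):
    """Return the requirement pairs the policy does not grant (empty = OK)."""
    return [(a, r) for a, r in copy_object_requirements(bucket, src_key, dst_key)
            if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    # Constructed keys: the forwarder reads the message SES stored under the
    # prefix and writes a modified copy under a second key.
    src = "MY-PREFIX/o3vrnil0e2ic28fgfdstrm7dfhrc2v0clambda4nbp0g1"
    dst = "MY-PREFIX/forwarded/o3vrnil0e2ic28fgfdstrm7dfhrc2v0clambda4nbp0g1"
    for name, pol in (("bucket/* policy", LAMBDA_ROLE_POLICY),
                      ("bucket-only policy", BUCKET_ONLY_POLICY)):
        gaps = missing_permissions(pol, "MY-S3-BUCKET", src, dst)
        print(f"{name}: {'OK' if not gaps else 'MISSING ' + str(gaps)}")
```

The evaluator deliberately covers only the role's identity policy. In a single account that is what decides whether the Lambda role may read and write the objects, as long as the bucket policy contains no explicit Deny; the bucket policy in the question only grants SES PutObject, so it does not affect the role either way. For the authoritative answer on a live account, run the same check with the real simulator, which takes the role ARN rather than a pasted document: `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names s3:GetObject s3:PutObject --resource-arns arn:aws:s3:::MY-S3-BUCKET/MY-PREFIX/<key>` and look for `EvalDecision` values of `allowed`.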