python error sending mail with amazon ses with aws lambda

0
votes

I am new to aws lambda. I am trying to send mail with aws ses with aws lambda, without any triggers. Here is my code 

import boto3
from botocore.exceptions import ClientError

ses = boto3.client('ses')

email_from = '[email protected]'
email_to = '[email protected]'
emaiL_subject = 'Subject'
email_body = 'Body'


def lambda_handler(event, context):
    response = ses.send_email(
        Source = email_from,
        Destination={
            'ToAddresses': [
                email_to,
            ],
        },
        Message={
            'Subject': {
                'Data': emaiL_subject
            },
            'Body': {
                'Text': {
                    'Data': email_body
                }
            }
        }
    )

I've created a custome role with simple microservices permission. The event is set to hello world. I saved and clicked on test, it shows this errors 

{
  "errorMessage": "An error occurred (AccessDenied) when calling the SendEmail operation: User `arn:aws:sts::990458801115:assumed-role/basic-lambda-role/sendmail' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:us-east-1:990458801115:identity/[email protected]'",
  "errorType": "ClientError",
  "stackTrace": [
    [
      "/var/task/lambda_function.py",
      28,
      "lambda_handler",
      "'Data': email_body"
    ],
    [
      "/var/runtime/botocore/client.py",
      314,
      "_api_call",
      "return self._make_api_call(operation_name, kwargs)"
    ],
    [
      "/var/runtime/botocore/client.py",
      612,
      "_make_api_call",
      "raise error_class(parsed_response, operation_name)"
    ]
  ]
}

I wrote the code from here, it runs perfectly locally.

2
pythonamazon-web-servicesaws-lambdaamazon-ses
Can you show your IAM Role/Policy document?Rafal Wiliński
Verify that the role "Trust Relationships" includes lambda. It should show: The identity provider(s) lambda.amazonaws.comJohn Hanley

2 Answers

2
votes

The Lambda function you're running this code in does not have permission to send messages using SES. You need to add the action ses:SendEmail to your basic-lambda-role IAM Role.

When you run the code locally you will be communicating with SES using your own developer credentials, which probably have higher permissions.

0
votes

It seems that the role you're using doesn't have the relevant policies regarding the SES service.

Step 1: Create a custom policy - For example: SES-SendEmail-Policy and provide it with the following JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail",  <--- This is the action that was missing
            ],
            "Resource": "*"
        }
    ]
}

Step 2: Attach the SES-SendEmail-Policy to the basic-lambda-role role.