1
votes

I am new to AWS. I was trying to deploy a Spring Boot application on an AWS EC2 instance using Elastic Beanstalk. I wanted to make use of the AWS SES service to send notifications to the subscribed application users.

As part of this, with the help of the AWS SDK SES API and the IAM credentials, I was able to send email to verified user emails from the Spring Boot application, but I wanted to send emails to non-verified users as well. So I requested the AWS support team to move my IAM user out of the AWS SES sandbox and increase the daily limit for sending emails, and the AWS support team honored the request.

After moving my IAM user out of the SES sandbox, when I tried to send email to verified and non-verified users, I got the following error.

org.springframework.mail.MailSendException: Failed messages: com.amazonaws.services.simpleemail.model.AmazonSimpleEmailServiceException:
 User `arn:aws:sts::4***436****2:assumed-role/aws-elasticbeanstalk-ec2-role/i-066edeefc2ed72b10' is not authorized to perform 
 `ses:SendRawEmail' on resource `arn:aws:ses:ap-south-1:4***436****2:identity/ra******[email protected]' 
 (Service: AmazonSimpleEmailService; Status Code: 403; Error Code: AccessDenied; Request ID: 5eeb1f17-a283-4d9f-bca9-ac981ee546c4; 
 Proxy: null); message exception details (1) are:

Failed message 1:
com.amazonaws.services.simpleemail.model.AmazonSimpleEmailServiceException: 
User `arn:aws:sts::4***436****2:assumed-role/aws-elasticbeanstalk-ec2-role/i-066edeefc2ed72b10' is not authorized to perform 
`ses:SendRawEmail' on resource `arn:aws:ses:ap-south-1:4***436****2:identity/ra******[email protected]@gmail.com' 
(Service: AmazonSimpleEmailService; Status Code: 403; Error Code: AccessDenied; Request ID: 5eeb1f17-a283-4d9f-bca9-ac981ee546c4; Proxy: null)

pom.xml:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-aws</artifactId>
    <version>2.2.1.RELEASE</version>
</dependency>
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-ses</artifactId>
    <version>1.11.777</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-mail</artifactId>
    <version>2.2.6.RELEASE</version>
</dependency>

AWS Mail Configuration class:

import org.springframework.cloud.aws.mail.simplemail.SimpleEmailServiceJavaMailSender;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.mail.javamail.JavaMailSender;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.simpleemail.AmazonSimpleEmailService;
import com.amazonaws.services.simpleemail.AmazonSimpleEmailServiceClientBuilder;

@Configuration
public class AwsMailConfig {

  // Used to fetch AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
  private CustomPropertyConfig customPropertyConfig;

  public AwsMailConfig(final CustomPropertyConfig customPropertyConfig) {
    this.customPropertyConfig = customPropertyConfig;
  }

  @Profile("prod")
  @Bean("AWSCredentialsProvider")
  public AWSCredentialsProvider amazonAWSCredentialsProviderProduction() {
      return new EC2ContainerCredentialsProviderWrapper();
  }

  @Bean
  @Profile("prod")
  public AmazonSimpleEmailService amazonSimpleEmailServiceProduction() {

    return AmazonSimpleEmailServiceClientBuilder.standard()
        .withRegion(Regions.AP_SOUTH_1)
        .build();
  }

  @Bean
  public JavaMailSender javaMailSender(AmazonSimpleEmailService amazonSimpleEmailService) {
    return new SimpleEmailServiceJavaMailSender(amazonSimpleEmailService);
  }
}

Email Sender service class:

import java.nio.charset.StandardCharsets;

import javax.mail.MessagingException;
import javax.mail.internet.MimeMessage;

import org.springframework.mail.javamail.JavaMailSender;
import org.springframework.mail.javamail.MimeMessageHelper;
import org.springframework.scheduling.annotation.Async;
import org.springframework.stereotype.Service;

import com.ebike.aws.emailutil.Mail;

@Service
public class AWSEmailSenderService {

    private JavaMailSender javaMailSender;

    public AWSEmailSenderService(JavaMailSender javaMailSender) {
        this.javaMailSender = javaMailSender;
    }

    @Async
    public void sendEmail(Mail mail) throws MessagingException {

        try {

            MimeMessage message = getMimeMessage(mail);
            javaMailSender.send(message);

        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private MimeMessage getMimeMessage(Mail mail) throws MessagingException {

        MimeMessage message = javaMailSender.createMimeMessage();

        MimeMessageHelper helper = new MimeMessageHelper(message, MimeMessageHelper.MULTIPART_MODE_MIXED_RELATED,
                StandardCharsets.UTF_8.name());

        String html = mail.getEmailBody();

        helper.setTo(mail.getTo());
        helper.setText(html, true);
        helper.setSubject(mail.getSubject());
        helper.setFrom(mail.getFrom());
        return message;
    }
}

Mail.java has a method to get Mail Object

public Mail getMail() {
    Mail mail = new Mail();
    mail.setFrom(fromEmailID);
    mail.setTo(toEmailId);
    mail.setSubject(subject);
    mail.setEmailBody(emailBody);
    return mail;
}

After getting the IAM user is not authorized to perform `ses:SendRawEmail' exception, I tried adding a policy to grant all possible permissions, but I know I have to modify the policy itself. After searching for a while I couldn't figure it out. I have gone through this link, but it didn't help or I was not able to understand it.

Currently the IAM user has the following AWS policies:

enter image description here

I don't know whether the following is the proper place to apply a custom policy or not:

enter image description here

Please help me to know how to send emails to non-verified email IDs using AWS SES, and how to grant all possible permissions or a policy for the IAM user.

1 Answers

4
votes

This error is not about your IAM user, but about the aws-elasticbeanstalk-ec2-role role for Elastic Beanstalk.

Thus you have to go to IAM roles, find the role in question, and add the required permissions to it.
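An added example, not part of the original answer: reading the AccessDenied message to see which principal was denied (here an STS assumed-role session, not an IAM user) and building a policy that grants only the denied action on the denied resource. The account ID, instance ID and identity address in the sample are constructed placeholders, and the function names are hypothetical.

```python
import json
import re

# Constructed sample shaped like the error above; the account ID, instance ID
# and identity are placeholders, not values from the page.
SAMPLE_ERROR = (
    "User `arn:aws:sts::111122223333:assumed-role/aws-elasticbeanstalk-ec2-role/"
    "i-0123456789abcdef0' is not authorized to perform `ses:SendRawEmail' on "
    "resource `arn:aws:ses:ap-south-1:111122223333:identity/sender@example.com' "
    "(Service: AmazonSimpleEmailService; Status Code: 403; Error Code: AccessDenied)"
)
DENIED = re.compile(
    r"User `(?P<principal>arn:[^']+)' is not authorized to perform "
    r"`(?P<action>[^']+)' on resource `(?P<resource>arn:[^']+)'"
)

def parse_access_denied(message):
    """Return the principal, action and resource named in an AccessDenied message."""
    match = DENIED.search(message)
    if match is None:
        raise ValueError("not an IAM AccessDenied message")
    return match.groupdict()

def describe_principal(arn):
    """Classify the caller ARN: an IAM user, or a role assumed through STS."""
    # ARN layout: arn:partition:service:region:account-id:resource
    _, _, service, _, account, resource = arn.split(":", 5)
    kind, _, rest = resource.partition("/")
    if service == "sts" and kind == "assumed-role":
        role, _, session = rest.partition("/")  # session = instance ID on EC2
        return {"type": "role", "name": role, "session": session, "account": account}
    if service == "iam" and kind == "user":
        return {"type": "user", "name": rest.rsplit("/", 1)[-1], "account": account}
    return {"type": kind, "name": rest, "account": account}

def minimal_policy(denied):
    """Allow only the denied action on the denied resource, nothing broader."""
    statement = {"Effect": "Allow", "Action": denied["action"],
                 "Resource": denied["resource"]}
    return {"Version": "2012-10-17", "Statement": [statement]}

if __name__ == "__main__":
    denied = parse_access_denied(SAMPLE_ERROR)
    who = describe_principal(denied["principal"])
    print(f"Attach to IAM {who['type']} {who['name']}:")
    print(json.dumps(minimal_policy(denied), indent=2))
```

The printed JSON can be attached to the role in IAM, for example as an inline policy; policies attached to the IAM user have no effect on requests signed with the instance role's credentials.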