1
votes

I want to send emails using AWS SES via Action Mailer in Ruby on Rails (v6). AWS provides the aws-sdk-rails gem, which makes it easy to configure SES, but I realized that it needs send permissions such as ses:SendEmail on ALL domains in SES.

# config/initializers/aws-sdk.rb
Aws.config[:credentials] = Aws::Credentials.new(ENV["AWS_ACCESS_KEY_ID"], ENV["AWS_SECRET_ACCESS_KEY"])

Aws::Rails.add_action_mailer_delivery_method(:aws_sdk, region: "us-east-1")
Rails.application.config.action_mailer.delivery_method = :aws_sdk

# app/mailers/application_mailer.rb
class ApplicationMailer < ActionMailer::Base
  default from: "[email protected]"
end

The AWS IAM user has the following policy, which allows sending emails only from the example.com domain.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:xxxxxxxxxxxx:identity/example.com"
      ],
      "Effect": "Allow"
    }
  ]
}

But I got an error like the following when workers send emails.

ERROR: Processor failed: User `arn:aws:iam::xxxxxxxxxxxx:user/my-group/my-iam-user' is not authorized to perform `ses:SendRawEmail' on resource `arn:aws:ses:us-east-1:xxxxxxxxxxxx:identity/other-domain.com'

I think the SDK verifies whether all domains have send permissions by default, but I couldn't find a way to specify a target domain. What should I do?

1
The SDK should not be validating against all domains, can you print out the mail sending options if this error occurs? - Chris Williams
@ChrisWilliams I'm not sure that the SDK has a specification to validate all domains, but at least it requires permissions on them in my project... I've not written any configuration except for this code because aws-sdk-rails is a black box. - user10247087
I just realized the error requires ses:SendRawEmail on arn:aws:ses:us-east-1:xxxxxxxxxxxx:identity/DESTINATION_EMAIL_ADDRESS. Is this correct behavior? Otherwise, my configuration is wrong... - user10247087
Hmm, that is not correct, it should be the sending email domain, not the target domain. Are they perhaps the wrong way round? - Chris Williams
Yep, always forget that part about sandbox mode. I generally add a domain and immediately try to get out of sandbox mode :) - Chris Williams

1 Answer

0
votes

This is caused as a result of the domain being in a sandbox account. Within the SES documentation the following states are identified:

  • You can only send mail to verified email addresses and domains, or to the Amazon SES mailbox simulator.
  • You can only send mail from verified email addresses and domains.

To send emails to any email address you need to move your from domain(s) out of sandbox mode.
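
A small model of the behaviour described in this answer, as an added example (not from the original posts and not aws-sdk-rails code): it evaluates the question's IAM policy against the identity ARNs a message touches, assuming a sandboxed account is also authorized against the recipient's domain identity, as the error in the question shows. The function names, the sample addresses and the domain-identity assumption are constructed for illustration.

```ruby
require "json"

# Constructed copy of the policy from the question (account id is a placeholder).
POLICY = JSON.parse(<<~POLICY_JSON)
  {"Version": "2012-10-17",
   "Statement": [{"Effect": "Allow",
                  "Action": ["ses:SendEmail", "ses:SendRawEmail"],
                  "Resource": ["arn:aws:ses:us-east-1:xxxxxxxxxxxx:identity/example.com"]}]}
POLICY_JSON

ARN_PREFIX = "arn:aws:ses:us-east-1:xxxxxxxxxxxx:identity/"

# IAM-style wildcard match: "*" is any run of characters, "?" is one character.
def glob_match?(pattern, value, ignore_case: false)
  body = Regexp.escape(pattern).gsub('\*', ".*").gsub('\?', ".")
  Regexp.new("\\A#{body}\\z", ignore_case ? Regexp::IGNORECASE : 0).match?(value)
end

# True when some Allow statement covers action + arn and no Deny statement does.
def allowed?(policy, action, arn)
  hits = [policy["Statement"]].flatten.select do |s|
    Array(s["Action"]).any? { |a| glob_match?(a, action, ignore_case: true) } &&
      Array(s["Resource"]).any? { |r| glob_match?(r, arn) }
  end
  hits.any? { |s| s["Effect"] == "Allow" } && hits.none? { |s| s["Effect"] == "Deny" }
end

# Identity ARNs one message needs but the policy does not grant.
# Assumption (taken from the error in the question): in a sandboxed account the
# call is also authorized against each recipient's domain identity.
def missing_identities(policy, action:, from:, to:, sandbox:)
  addresses = sandbox ? [from, *to] : [from]
  arns = addresses.map { |addr| ARN_PREFIX + addr.split("@").last.downcase }.uniq
  arns.reject { |arn| allowed?(policy, action, arn) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample message.
  mail = { action: "ses:SendRawEmail", from: "noreply@example.com", to: ["user@other-domain.com"] }
  puts "sandbox:    #{missing_identities(POLICY, **mail, sandbox: true).inspect}"
  puts "production: #{missing_identities(POLICY, **mail, sandbox: false).inspect}"
end
```

With the sandbox flag set, the only missing ARN is the recipient's identity, which matches the resource named in the error message; without it, the policy from the question is sufficient.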