Access Denied while sending email from AWS SES in Lambda function

问题

I am trying to send an email using Amazon SES in AWS Lambda function, For this i am facing the following error.

AccessDenied: User arn:aws:sts::XXXXX:assumed-role/lambda_basic_execution/awslambda_XXXX' is not authorized to performses:SendEmail' on resource `arn:aws:ses:us-west-2:XXX:identity/example@example.com'

I have granted permission for

"ses:SendEmail", "ses:SendRawEmail" for the IAM role.

回答1:

So, I was also having the same problem which Rakesh has explained but couldn't understand the steps he was saying to do so here is a detailed explanation with steps.

You need to do the following Security, Identity & Compliance -> IAM -> Roles -> select your lambda function -> then edit policy -> open it in JSON and add the below part

{
  "Effect":"Allow",
  "Action":[
    "ses:SendEmail",
    "ses:SendRawEmail"
  ],
  "Resource":"*"
}

or you can do as per requirement from these policy examples https://docs.aws.amazon.com/ses/latest/DeveloperGuide/control-user-access.html#iam-and-ses-examples-email-sending-actions also, you need to verify the email address first so don't forget that. Hope this helps everyone.

回答2:

After a long debugging i got the issue, "lambda_basic_execution" role need to be granted with permission to access "ses:SendEmail", "ses:SendRawEmail".

Where i was trying to grant permission for the new IAM role i have created, but lambda function is mapped to "lambda_basic_execution" so there is a mismatch.

Reference - http://docs.aws.amazon.com/ses/latest/DeveloperGuide/control-user-access.html#iam-and-ses-examples-email-sending-actions

回答3:

If you are configuring policies for a SAM Lambda or using a YAML configuration file, you would use something like this:

template.yaml

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: 'your-email-lambda'

Resources:
  YourEmailFunction:
    Type: AWS:Serverless::Function
    Properties:
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - 'ses:SendEmail'
                - 'ses:SendRawEmail'
              Resource: '*'

回答4:

IAM Policy fixed the issue. Policy summary will show if there are any warnings i.e. resource does not exist etc.

JSON needs following

       {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Resource": "*"
        }

回答5:

As what others said you should add this two permissions: ses:SendEmail,ses:SendRawEmail

I just want to add explaination for those who use Serverless framework

In serverless.yml:

provider:
  name: aws
  stage: dev
  runtime: nodejs10.x
  region: us-west-1
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
        - lambda:InvokeFunction
        - ses:SendEmail            # add this
        - ses:SendRawEmail         # add this
      Resource: '*'                # add this

来源：https://stackoverflow.com/questions/34949316/access-denied-while-sending-email-from-aws-ses-in-lambda-function