
AWS CloudFormation Script Fails - Cognito is not allowed to use your email identity


I am trying to build a CloudFormation script that sets up a Cognito User Pool and configures it to use a custom email for sending users their validation code in the signup process (i.e. FROM: noreply@mydomain.com).

I am getting this error when executing my AWS CloudFormation script:

"ResourceStatusReason": "Cognito is not allowed to use your email identity (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: InvalidEmailRoleAccessPolicyException; 

I have attached a Policy for Cognito to use my SES email identity, e.g. noreply@mydomain.com. I have manually set up and validated this email identity in SES prior to running the CloudFormation script.

Here is my CloudFormation configuration for the policy to allow Cognito to send emails on my behalf e.g. From noreply@mydomain.com:

  CognitoSESPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      # Description is a property of the managed policy, not a top-level resource attribute
      Description: "Allow Cognito to send email on behalf of an email identity (e.g. noreply@example.org)"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Sid: "ucstmnt0001"
          Effect: "Allow"
          Action:
          - "ses:SendEmail"
          - "ses:SendRawEmail"
          # emailARN is the SES identity ARN, looked up from the template's
          # "environment" mapping by the Environment parameter (both defined elsewhere in the template)
          Resource: !FindInMap [ environment, !Ref "Environment", emailARN ]

  SESRole:
    Type: AWS::IAM::Role
    Properties:
      # Description is a property of the role, not a top-level resource attribute
      Description: "An IAM Role to allow Cognito to send email on behalf of an email identity"
      RoleName: uc-cognito-ses-role
      ManagedPolicyArns:
        - Ref: CognitoSESPolicy   # Ref on a ManagedPolicy returns its ARN
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
            - sts:AssumeRole
            Principal:
              Service:
              - cognito-idp.amazonaws.com
    # Redundant but harmless: the Ref above already orders creation after the policy
    DependsOn: CognitoSESPolicy

I am not sure what I am doing wrong here...


Solution

  • Answering my own question for others' benefit. AWS SES has its own managed identity for emails, requiring a user to verify ownership of the email before it can be used by other AWS services. My solution was to manually set up the SES email account using the AWS portal, verify the email account, then reference the ARN for the identity created in SES for the email in my CloudFormation script. Maybe AWS will have a way in the future to create an SES identity via CloudFormation scripts, but at this time it seems that a manual process is required for the initial setup.
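The wiring the answer describes, as an added example that is not part of the original question or answer: a minimal template that takes the ARN of the hand-verified SES identity as a parameter and points the user pool's EmailConfiguration at it. The identity address (noreply@example.org), the pool name and the parameter names are assumptions for illustration; the identity must already be verified in the same region as the user pool.

```yaml
# Added example (not the original poster's template). Assumes the SES
# identity for noreply@example.org was verified by hand in the same region
# as the user pool and that its ARN is supplied as a parameter.
AWSTemplateFormatVersion: "2010-09-09"
Description: User pool that sends sign-up codes from a verified SES identity

Parameters:
  SesIdentityArn:
    Type: String
    Description: >-
      ARN of the manually verified SES identity, e.g.
      arn:aws:ses:us-east-1:123456789012:identity/noreply@example.org
    # Reject anything that is not an SES identity ARN before the stack is created
    AllowedPattern: "^arn:aws:ses:[a-z0-9-]+:[0-9]{12}:identity/.+$"
  FromAddress:
    Type: String
    Default: noreply@example.org
    Description: Sender address; must belong to the verified identity above

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: example-user-pool
      UsernameAttributes:
        - email
      AutoVerifiedAttributes:
        - email
      EmailConfiguration:
        # DEVELOPER = send through your own SES identity rather than the
        # Cognito default sender (which has a small daily sending limit).
        EmailSendingAccount: DEVELOPER
        SourceArn: !Ref SesIdentityArn
        From: !Ref FromAddress
        ReplyToEmailAddress: !Ref FromAddress
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
        EmailSubject: Your verification code
        EmailMessage: "Your verification code is {####}"

Outputs:
  UserPoolArn:
    Value: !GetAtt UserPool.Arn
```

Note that no IAM role appears in this template: Cognito does not assume a role to call SES. It calls SES as the cognito-idp.amazonaws.com service principal, so the thing that must grant access is the SES identity itself, through a sending authorization policy on the identity that allows that principal ses:SendEmail and ses:SendRawEmail (attachable with aws ses put-identity-policy if it is not already present). An identity that is unverified, lives in a different region from the pool, or lacks that policy is what produces the "Cognito is not allowed to use your email identity" rejection. CloudFormation has since gained an AWS::SES::EmailIdentity resource, but creating the identity still does not verify it; a single address is verified by the out-of-band confirmation email, and a domain identity by publishing the DKIM records the resource exposes, so the verification step remains outside the stack.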