I want to to send an email using the AWS Amplify backend using Simple Email Service (SES) but I keep on getting AccessDenied and many other answers here on SO and around the internet says to set the IAM permissions for sendmail and sendrawemail, which I have done.
This is the error message:
2020-08-30T02:19:20.544Z f3980a87-cac0-4f51-9024-d2f92a8a3596 ERROR { AccessDenied: User `arn:aws:sts::mynumericalusernumber:assumed-role/myamplifyappCreateAuthChallenge-sampledev/myamplifyappCreateAuthChallenge-sampledev' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:us-west-2:mynumericalusernumber:identity/theaddressiamtryingtosendto@gmail.com'
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
message:
'User `arn:aws:sts::mynumericalusernumber:assumed-role/myamplifyappCreateAuthChallenge-sampledev/myamplifyappCreateAuthChallenge-sampledev\' is not authorized to perform `ses:SendEmail\' on resource `arn:aws:ses:us-west-2:mynumericalusernumber:identity/theaddressiamtryingtosendto@gmail.com\'',
code: 'AccessDenied',
time: 2020-08-30T02:19:20.541Z,
requestId: 'ab8175a1-af65-443f-9114-248e240ce7f8',
statusCode: 403,
retryable: false,
retryDelay: 14.074425708542204 } 'AccessDenied: User `arn:aws:sts::mynumericalusernumber:assumed-role/myamplifyappCreateAuthChallenge-sampledev/myamplifyappCreateAuthChallenge-sampledev\' is not authorized to perform `ses:SendEmail\' on resource `arn:aws:ses:us-west-2:mynumericalusernumber:identity/theaddressiamtryingtosendto@gmail.com\'\n at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)\n at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)\n at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)\n at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)\n at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)\n at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)\n at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10\n at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)\n at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)\n at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)'
2020-08-30T02:19:20.544Z f3980a87-cac0-4f51-9024-d2f92a8a35
It is in a create auth challenge for an OTP (One Time Password) that this happens and here is the code
/* tslint:disable */
/* eslint-disable */
const AWS = require('aws-sdk');
exports.handler = (event, context, callback) => {
//Create a random number for otp
const challengeAnswer = Math.random().toString(10).substr(2, 6);
const phoneNumber = event.request.userAttributes.phone_number;
sendEmail('theaddressiamtryingtosendto@gmail.com', challengeAnswer)
//For Debugging
console.log(event, context);
//set return params
event.response.privateChallengeParameters = {};
event.response.privateChallengeParameters.answer = challengeAnswer;
event.response.challengeMetadata = 'CUSTOM_CHALLENGE';
console.log("My log");
callback(null, event);
};
function sendEmail(emailAddress, secretLoginCode) {
console.log(emailAddress, secretLoginCode);
// Load the AWS SDK for Node.js
// Set the region
AWS.config.update({region: 'us-west-2'});
// Create sendEmail params
var params = {
Destination: {
ToAddresses: [
emailAddress
]
},
Message: {
Body: {
Html: {
Charset: "UTF-8",
Data: `<html><body><p>This is your OTP login code:</p>
<h3>${secretLoginCode}</h3></body></html>`
},
Text: {
Charset: "UTF-8",
Data: `Your OTP login code: ${secretLoginCode}`
}
},
Subject: {
Charset: "UTF-8",
Data: "OTP code"
}
},
Source: "noreply@my-own-verified-domain.com"
};
// Create the promise and SES service object
var sendPromise = new AWS.SES({apiVersion: '2010-12-01'}).sendEmail(params).promise();
// Handle promise's fulfilled/rejected states
sendPromise.then(
function(data) {
console.log(data.MessageId);
}).catch(
function(err) {
console.error(err, err.stack); // This is where the error shown is from
console.log(params);
});
}
My IAM permissions for the user
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "*"
}
]
}
I still got the same error so I added this
Domain verification for says
The SES is in sandbox mode and I have verified theaddressiamtryingtosendto@gmail.com and the test email reaches the inbox.
I feel that I have done everything correctly so what am I missing for this to work?
@Marcin lead me to the solution and should have the salute for solving this
I had attached IAM permissions to the IAM user and not to the lambda/role. When this was done it just started working.
I am still unsure if I need the same permissions in both IAM user and the role. A little bit afraid of doing changes to this now but if anyone knows please comment.