
Use lambda function to trigger SES on different region


I have a lambda function on ap-southeast-1. Initially I set up a sandbox email address on the same region and my code worked.

Now I need to use the verified SES email address on eu-west-1 to trigger notifications.

How can I achieve this?

My serverless.yml file looks like the following (unrelated parts omitted):

custom: ${file(env.yml)}

provider:
  name: aws
  runtime: go1.x
  stage: ${opt:stage, 'dev'}
  region: ${self:custom.REGION, 'ap-southeast-1'}
  environment: ${file(env.yml)}
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:DescribeTable
        - dynamodb:Query            
      Resource: "arn:aws:dynamodb:*:*:*"
    - Effect: Allow
      Action:
        - ses:SendEmail
        - ses:SendRawEmail
      Resource: "arn:aws:ses:${env:SES_REGION}:${env:ACCOUNT_ID}:identity/*"


functions:
  notify:
    handler: bin/notify
    events:
      - http:
          path: notify
          method: post
          cors: true
          authorizer:
            arn: "arn:aws:cognito-idp:${self:provider.region}:${self:custom.ACCOUNT_ID}:userpool/${self:custom.USER_POOL_ID}"  

    

env.yml file (SES_REGION=eu-west-1):

AWS_PROFILE: ${env:AWS_PROFILE}
RELEASE_STAGE: ${env:RELEASE_STAGE}
REGION: ${env:REGION}
SES_REGION: ${env:SES_REGION}
ACCOUNT_ID: ${env:ACCOUNT_ID}
USER_POOL_ID: ${env:USER_POOL_ID}
MAIL_SENDER: ${env:MAIL_SENDER}

I'm getting the error:

"error_message":"AccessDenied: User `arn:aws:sts::41310816xxxx:assumed-role/xxx-remarks-api-dev-ap-southeast-1-lambdaRole/xxx-remarks-api-dev-notify' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:ap-southeast-1:41310816xxxx:identity/noreply@xxx'

I notice that the error mentions ses resource on 'ap-southeast-1'. Is this the cause of the error? How can I force update my code if so?


Solution

  • It seems your Lambda does not have the required privilege to run SES.

    Step 1: Go to the IAM role, edit the policy, open the JSON, and add the following code:

      {
        "Effect": "Allow",
        "Action": [
          "ses:SendEmail",
          "ses:SendRawEmail"
        ],
        "Resource": "*"
      }
    

    Step 2: At the top of your Lambda, call the following code. SES is not available in all regions, so please make sure your region supports SES.

            var aws = require('aws-sdk');
            // SES client pinned to the region where the sender identity is verified
            var ses = new aws.SES({
              region: 'eu-west-1' // change to your region
            });
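The error in the question names an identity ARN in ap-southeast-1, while the role's policy statement is scoped to eu-west-1. The following added example (not part of the original question or answer) checks a denial message against a policy Resource pattern and the intended SES region, to tell a mis-regioned client apart from a missing permission; the account ID, addresses and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample modelled on the question's error; account ID and names are placeholders.
const sampleErr = "AccessDenied: User `arn:aws:sts::111122223333:assumed-role/example-lambdaRole/example-notify' " +
	"is not authorized to perform `ses:SendEmail' on resource " +
	"`arn:aws:ses:ap-southeast-1:111122223333:identity/noreply@example.com'"

// Captures the denied ARN and its region field (arn:partition:service:region:account:resource).
var deniedRe = regexp.MustCompile("on resource `(arn:[^:]*:[^:]*:([^:]*):[^'`]+)'")

// DeniedResource returns the resource ARN and its region from an AccessDenied message.
func DeniedResource(msg string) (arn, region string) {
	if m := deniedRe.FindStringSubmatch(msg); m != nil {
		return m[1], m[2]
	}
	return "", ""
}

// ArnMatches applies IAM-style wildcards: '*' is any run of characters, '?' is one character.
func ArnMatches(pattern, arn string) bool {
	re := strings.NewReplacer(`\*`, `.*`, `\?`, `.`).Replace(regexp.QuoteMeta(pattern))
	return regexp.MustCompile("^" + re + "$").MatchString(arn)
}

// Diagnose classifies a denial against the policy Resource and the region SES should be called in.
func Diagnose(msg, policyResource, sesRegion string) string {
	denied, region := DeniedResource(msg)
	switch {
	case denied == "":
		return "unparsed"
	case ArnMatches(policyResource, denied):
		return "policy-covers-resource" // the denial comes from somewhere else
	case region != sesRegion:
		return "client-region-mismatch" // the SES client is not configured for sesRegion
	default:
		return "policy-gap" // right region, but the Resource pattern excludes this identity
	}
}

func main() {
	policy := "arn:aws:ses:eu-west-1:111122223333:identity/*" // the question's statement with SES_REGION=eu-west-1
	fmt.Println(Diagnose(sampleErr, policy, "eu-west-1"))
}
```

A `client-region-mismatch` result means the SES client has to be created with the SES region set explicitly instead of inheriting the function's own region; the region-scoped statement from the question then already covers the call.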