All SES-related services of my NestJS application work when running on localhost, but whenever I deploy it to AWS EKS as a NodePort service, along with my other NodePort services in the same Kubernetes cluster, SES access is denied.
Although everything seems to be running, including the health check of the service, I get the following error in Postman for SES-related commands:
[
  "Failed to list email templates",
  {
    "name": "AccessDenied",
    "$fault": "client",
    "$metadata": {
      "httpStatusCode": 403,
      "requestId": "99werewr43-we4-435f-563b-e3252sdfsf",
      "attempts": 1,
      "totalRetryDelay": 0
    },
    "Type": "Sender",
    "Code": "AccessDenied",
    "message": "User: arn:aws:sts::XXXXXXXXX:assumed-role/eksctl-demo-application-nodegroup-NodeInstanceRole-1HO2384034FJ/i-e390239328wwrer is not authorized to perform: ses:ListTemplates because no identity-based policy allows the ses:ListTemplates action"
  }
]
My .env is as follows:
PORT=3003
SES_ACCESS_KEY=AWBFLDKLJFLKJKJDFDJKFJ
SES_SECRET_KEY=wqeriopisdfkjeroijfdsnlfierjiwejdfsdf/
SES_REGION=eu-west-2
[email protected]
SES client:
import { SESClient } from "@aws-sdk/client-ses";

// The config key the SDK reads is `credentials` (plural). A misspelt key is
// silently ignored, and the client then falls back to the default credential
// provider chain; inside an EKS pod with no AWS_* variables and no web-identity
// token that chain resolves to the node's instance role via IMDS.
const SES_CONFIG = {
  credentials: { // was `credential:` in the original post, which the SDK ignores
    accessKeyId: process.env.SES_ACCESS_KEY,
    secretAccessKey: process.env.SES_SECRET_KEY,
  },
  region: process.env.SES_REGION,
};

// Create SES service object.
// const sesClient = new SESClient({ region: process.env.SES_REGION });
const sesClient = new SESClient(SES_CONFIG);

export { sesClient };
IAM policy attached to the user that owns the access key and secret above:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:*"
      ],
      "Resource": "*"
    }
  ]
}
Kubernetes manifest for the deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-deployment
  labels:
    app: demo-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      containers:
        - name: demo-app
          image: XXXXXXX.dkr.ecr.eu-west-2.amazonaws.com/demo-app
          imagePullPolicy: Always
          env:
            # long-lived IAM user keys placed directly in the manifest; the
            # plain-text values are readable by anyone who can get the Deployment
            - name: SES_ACCESS_KEY
              value: AWBFLDKLJFLKJKJDFDJKFJ
            - name: SES_SECRET_KEY
              value: 'wqeriopisdfkjeroijfdsnlfierjiwejdfsdf/'
            - name: SES_REGION
              value: eu-west-2
            - name: SES_SENDER
              value: [email protected]
---
apiVersion: v1
kind: Service
metadata:
  name: demo-app-srv
  labels:
    app: demo-app
spec:
  type: NodePort
  selector:
    app: demo-app
  ports:
    - name: demo-app
      protocol: TCP
      port: 3003
      targetPort: 3003
I don't understand how I can give permission to the node group mentioned in the error message:
"message": "User: arn:aws:sts::XXXXXXXXX:assumed-role/eksctl-demo-application-nodegroup-NodeInstanceRole-1HO2384034FJ/i-e390239328wwrer is not authorized to perform: ses:ListTemplates because no identity-based policy allows the ses:ListTemplates action"
Or is there anything I am missing? Any help would be highly appreciated.
I have fixed the issue with "AWS SNS access denied in AWS EKS, no identity-based policy allows the action". The key point here is the use of the Service Account.
I have found that there are some third-party agents that run on each node in a Kubernetes cluster and allow cluster users to associate IAM roles with Pods. They are kiam and kube2iam.
But the official AWS documentation says that a new AWS feature eliminates the need for third-party solutions such as kiam or kube2iam. So that's good news.
Now anyone can use AWS IAM roles for service accounts. Just follow the step-by-step guide to enable IAM roles for service accounts.
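What "use the Service Account" means in practice, as an added example that is not code from the question or the answer above: a small Node script that builds the objects IAM roles for service accounts (IRSA) needs (the role's trust policy scoped to one Kubernetes service account, a least-privilege SES permission policy instead of `ses:*`, and the annotated ServiceAccount), lints a Deployment for leftover static keys, and models the SDK's credential resolution order to show why the original pod ended up acting as the node instance role. The account ID, OIDC issuer, role name and service-account name are assumptions; the credential-chain model is deliberately simplified, as the comment says.

```javascript
// Added example (not the original poster's code). All identifiers below are
// assumed values; replace them with your cluster's.
const ACCOUNT_ID = "123456789012";          // assumed
// Assumed; the real issuer comes from
//   aws eks describe-cluster --name demo --query cluster.identity.oidc.issuer
// with the leading "https://" removed.
const OIDC_ISSUER =
  "oidc.eks.eu-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE";
const NAMESPACE = "default";
const SERVICE_ACCOUNT = "demo-app-sa";     // assumed
const ROLE_NAME = "demo-app-ses-role";     // assumed

// Trust policy for the IAM role: only a token issued by this cluster's OIDC
// provider for NAMESPACE/SERVICE_ACCOUNT may call AssumeRoleWithWebIdentity.
// Without the `sub` condition any service account in the cluster could assume it.
function irsaTrustPolicy({ accountId, oidcIssuer, namespace, serviceAccount }) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: `arn:aws:iam::${accountId}:oidc-provider/${oidcIssuer}` },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: {
        StringEquals: {
          [`${oidcIssuer}:sub`]: `system:serviceaccount:${namespace}:${serviceAccount}`,
          [`${oidcIssuer}:aud`]: "sts.amazonaws.com",
        },
      },
    }],
  };
}

// Permission policy: only the SES actions the app calls, never ses:*.
function sesPermissionPolicy(actions) {
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: actions, Resource: "*" }],
  };
}

// ServiceAccount carrying the role ARN. The EKS pod identity webhook injects
// AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into pods that use this account.
function serviceAccountManifest({ accountId, roleName, namespace, serviceAccount }) {
  return {
    apiVersion: "v1",
    kind: "ServiceAccount",
    metadata: {
      name: serviceAccount,
      namespace,
      annotations: { "eks.amazonaws.com/role-arn": `arn:aws:iam::${accountId}:role/${roleName}` },
    },
  };
}

// Lint: names of container env entries that still look like long-lived AWS keys.
// Once the pod runs under IRSA these must be removed from the Deployment.
function findStaticKeyEnv(containerEnv) {
  const keyLike = /(ACCESS_KEY|SECRET_KEY|SECRET_ACCESS_KEY)/i;
  return containerEnv.filter((e) => keyLike.test(e.name)).map((e) => e.name);
}

// Simplified model of how @aws-sdk/client-ses picks credentials. The real
// default chain also consults SSO, shared config/credentials files and the
// process provider (omitted here). Unknown client config keys are ignored,
// so a misspelt `credential:` does not count as explicitly supplied keys.
function credentialSourceFor(clientConfig, env) {
  if (clientConfig.credentials) return "explicit-static-keys";
  if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) return "env-static-keys";
  if (env.AWS_ROLE_ARN && env.AWS_WEB_IDENTITY_TOKEN_FILE) return "irsa-web-identity";
  return "instance-profile"; // the NodeInstanceRole seen in the error message
}

// Everything needed for one role, ready to be written to files and applied.
function buildIrsaSetup() {
  const ids = { accountId: ACCOUNT_ID, oidcIssuer: OIDC_ISSUER, namespace: NAMESPACE,
                serviceAccount: SERVICE_ACCOUNT, roleName: ROLE_NAME };
  return {
    trustPolicy: irsaTrustPolicy(ids),
    permissionPolicy: sesPermissionPolicy(["ses:ListTemplates", "ses:SendEmail"]),
    serviceAccount: serviceAccountManifest(ids),
  };
}

// Constructed sample: the container env from the question's Deployment.
const ORIGINAL_CONTAINER_ENV = [
  { name: "SES_ACCESS_KEY", value: "AWBFLDKLJFLKJKJDFDJKFJ" },
  { name: "SES_SECRET_KEY", value: "wqeriopisdfkjeroijfdsnlfierjiwejdfsdf/" },
  { name: "SES_REGION", value: "eu-west-2" },
  { name: "SES_SENDER", value: "[email protected]" },
];

console.log(JSON.stringify(buildIrsaSetup(), null, 2));
console.log("static keys still in Deployment:", findStaticKeyEnv(ORIGINAL_CONTAINER_ENV));
```

To apply it, write `trustPolicy` and `permissionPolicy` to files and run `aws iam create-role --role-name demo-app-ses-role --assume-role-policy-document file://trust.json`, `aws iam put-role-policy` with the permission document, and `kubectl apply` the ServiceAccount; `eksctl utils associate-iam-oidc-provider --cluster <name> --approve` followed by `eksctl create iamserviceaccount --cluster <name> --namespace default --name demo-app-sa --attach-policy-arn <policy-arn> --approve` does the same in two commands. Then set `serviceAccountName: demo-app-sa` in the pod spec, delete the `SES_ACCESS_KEY`/`SES_SECRET_KEY` env entries, and build the client with `new SESClient({ region })` only, so the default chain picks up the web-identity token. `kubectl exec deploy/demo-deployment -- env | grep AWS_` should show `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE`, and `aws sts get-caller-identity` from inside the pod should report `assumed-role/demo-app-ses-role` rather than the node instance role.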