Amazon SES 异常:IAM 用户无权对资源执行“ses:SendRawEmail”
Amazon SES Exception: IAM User is not authorized to perform `ses:SendRawEmail' on resource
我是 AWS 的新手,我正在尝试使用 Elastic beanstalk 在 AWS EC2 实例中部署 Springboot 应用程序。我想利用 AWS SES 服务向订阅的应用程序用户发送通知。
作为其中的一部分,在 AWS SDK SES API 和 IAM 凭证的帮助下,我能够使用 springboot 应用程序为经过验证的用户电子邮件发送电子邮件,但我想为非- 也验证了用户,因此我已请求 AWS 支持团队将我的 IAM 用户从 AWS SES 沙箱中移除并增加每天发送电子邮件的限制,AWS 支持团队接受了请求。
将我的 IAM 用户移出 SES 沙盒后,当我尝试向已验证和未验证的用户发送电子邮件时,出现以下错误。
org.springframework.mail.MailSendException: Failed messages: com.amazonaws.services.simpleemail.model.AmazonSimpleEmailServiceException:
User `arn:aws:sts::4***436****2:assumed-role/aws-elasticbeanstalk-ec2-role/i-066edeefc2ed72b10' is not authorized to perform
`ses:SendRawEmail' on resource `arn:aws:ses:ap-south-1:4***436****2:identity/ra******ar@gmail.com'
(Service: AmazonSimpleEmailService; Status Code: 403; Error Code: AccessDenied; Request ID: 5eeb1f17-a283-4d9f-bca9-ac981ee546c4;
Proxy: null); message exception details (1) are:
Failed message 1:
com.amazonaws.services.simpleemail.model.AmazonSimpleEmailServiceException:
User `arn:aws:sts::4***436****2:assumed-role/aws-elasticbeanstalk-ec2-role/i-066edeefc2ed72b10' is not authorized to perform
`ses:SendRawEmail' on resource `arn:aws:ses:ap-south-1:4***436****2:identity/ra******ar@gmail.com@gmail.com'
(Service: AmazonSimpleEmailService; Status Code: 403; Error Code: AccessDenied; Request ID: 5eeb1f17-a283-4d9f-bca9-ac981ee546c4; Proxy: null)
pom.xml:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-aws</artifactId>
<version>2.2.1.RELEASE</version>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-ses</artifactId>
<version>1.11.777</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-mail</artifactId>
<version>2.2.6.RELEASE</version>
</dependency>
AWS 邮件配置 class:
import org.springframework.cloud.aws.mail.simplemail.SimpleEmailServiceJavaMailSender;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.mail.javamail.JavaMailSender;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.simpleemail.AmazonSimpleEmailService;
import com.amazonaws.services.simpleemail.AmazonSimpleEmailServiceClientBuilder;
@Configuration
public class AwsMailConfig {
// Used to fetch AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
private CustomPropertyConfig customPropertyConfig;
public AwsMailConfig(final CustomPropertyConfig customPropertyConfig) {
this.customPropertyConfig = customPropertyConfig;
}
@Profile("prod")
@Bean("AWSCredentialsProvider")
public AWSCredentialsProvider amazonAWSCredentialsProviderProduction() {
return new EC2ContainerCredentialsProviderWrapper();
}
@Bean
@Profile("prod")
public AmazonSimpleEmailService amazonSimpleEmailServiceProduction() {
return AmazonSimpleEmailServiceClientBuilder.standard()
.withRegion(Regions.AP_SOUTH_1)
.build();
}
@Bean
public JavaMailSender javaMailSender(AmazonSimpleEmailService amazonSimpleEmailService) {
return new SimpleEmailServiceJavaMailSender(amazonSimpleEmailService);
}
}
电子邮件发件人服务class:
import java.nio.charset.StandardCharsets;
import javax.mail.MessagingException;
import javax.mail.internet.MimeMessage;
import org.springframework.mail.javamail.JavaMailSender;
import org.springframework.mail.javamail.MimeMessageHelper;
import org.springframework.scheduling.annotation.Async;
import org.springframework.stereotype.Service;
import com.ebike.aws.emailutil.Mail;
@Service
public class AWSEmailSenderService {
private JavaMailSender javaMailSender;
public AWSEmailSenderService(JavaMailSender javaMailSender) {
this.javaMailSender = javaMailSender;
}
@Async
public void sendEmail(Mail mail) throws MessagingException {
try {
MimeMessage message = getMimeMessage(mail);
javaMailSender.send(message);
} catch (Exception e) {
e.printStackTrace();
}
}
private MimeMessage getMimeMessage(Mail mail) throws MessagingException {
MimeMessage message = javaMailSender.createMimeMessage();
MimeMessageHelper helper = new MimeMessageHelper(message, MimeMessageHelper.MULTIPART_MODE_MIXED_RELATED,
StandardCharsets.UTF_8.name());
String html = mail.getEmailBody();
helper.setTo(mail.getTo());
helper.setText(html, true);
helper.setSubject(mail.getSubject());
helper.setFrom(mail.getFrom());
return message;
}
}
Mail.java 有获取邮件对象的方法
public Mail getMail() {
Mail mail = new Mail();
mail.setFrom(fromEmailID);
mail.setTo(toEmailId);
mail.setSubject(subject);
mail.setEmailBody(emailBody);
return mail;
}
在获取 IAM 用户无权执行 `ses:SendRawEmail' 异常后,我尝试添加策略以授予所有可能的权限,但我知道我必须修改策略本身,但搜索了一段时间后我不能'想不通,我已经完成了这个 link 但它没有帮助,或者我无法理解。
当前 IAM 用户具有以下 AWS 策略:
我不知道,下面是否适合应用自定义策略
请帮助我了解如何使用 AWS SES 为未验证的电子邮件 ID 发送电子邮件,并为 IAM 用户授予所有可能的权限或策略。
此错误与您的 IAM 用户无关,而是与 Elastic Beanstalk 的 aws-elasticbeanstalk-ec2-role
角色有关。
因此您必须转到 IAM 角色,找到有问题的角色,并向其添加所需的权限。
我是 AWS 的新手,我正在尝试使用 Elastic beanstalk 在 AWS EC2 实例中部署 Springboot 应用程序。我想利用 AWS SES 服务向订阅的应用程序用户发送通知。
作为其中的一部分,在 AWS SDK SES API 和 IAM 凭证的帮助下,我能够使用 springboot 应用程序为经过验证的用户电子邮件发送电子邮件,但我想为非- 也验证了用户,因此我已请求 AWS 支持团队将我的 IAM 用户从 AWS SES 沙箱中移除并增加每天发送电子邮件的限制,AWS 支持团队接受了请求。
将我的 IAM 用户移出 SES 沙盒后,当我尝试向已验证和未验证的用户发送电子邮件时,出现以下错误。
org.springframework.mail.MailSendException: Failed messages: com.amazonaws.services.simpleemail.model.AmazonSimpleEmailServiceException:
User `arn:aws:sts::4***436****2:assumed-role/aws-elasticbeanstalk-ec2-role/i-066edeefc2ed72b10' is not authorized to perform
`ses:SendRawEmail' on resource `arn:aws:ses:ap-south-1:4***436****2:identity/ra******ar@gmail.com'
(Service: AmazonSimpleEmailService; Status Code: 403; Error Code: AccessDenied; Request ID: 5eeb1f17-a283-4d9f-bca9-ac981ee546c4;
Proxy: null); message exception details (1) are:
Failed message 1:
com.amazonaws.services.simpleemail.model.AmazonSimpleEmailServiceException:
User `arn:aws:sts::4***436****2:assumed-role/aws-elasticbeanstalk-ec2-role/i-066edeefc2ed72b10' is not authorized to perform
`ses:SendRawEmail' on resource `arn:aws:ses:ap-south-1:4***436****2:identity/ra******ar@gmail.com@gmail.com'
(Service: AmazonSimpleEmailService; Status Code: 403; Error Code: AccessDenied; Request ID: 5eeb1f17-a283-4d9f-bca9-ac981ee546c4; Proxy: null)
pom.xml:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-aws</artifactId>
<version>2.2.1.RELEASE</version>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-ses</artifactId>
<version>1.11.777</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-mail</artifactId>
<version>2.2.6.RELEASE</version>
</dependency>
AWS 邮件配置 class:
import org.springframework.cloud.aws.mail.simplemail.SimpleEmailServiceJavaMailSender;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.mail.javamail.JavaMailSender;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.simpleemail.AmazonSimpleEmailService;
import com.amazonaws.services.simpleemail.AmazonSimpleEmailServiceClientBuilder;
@Configuration
public class AwsMailConfig {
// Used to fetch AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
private CustomPropertyConfig customPropertyConfig;
public AwsMailConfig(final CustomPropertyConfig customPropertyConfig) {
this.customPropertyConfig = customPropertyConfig;
}
@Profile("prod")
@Bean("AWSCredentialsProvider")
public AWSCredentialsProvider amazonAWSCredentialsProviderProduction() {
return new EC2ContainerCredentialsProviderWrapper();
}
@Bean
@Profile("prod")
public AmazonSimpleEmailService amazonSimpleEmailServiceProduction() {
return AmazonSimpleEmailServiceClientBuilder.standard()
.withRegion(Regions.AP_SOUTH_1)
.build();
}
@Bean
public JavaMailSender javaMailSender(AmazonSimpleEmailService amazonSimpleEmailService) {
return new SimpleEmailServiceJavaMailSender(amazonSimpleEmailService);
}
}
电子邮件发件人服务class:
import java.nio.charset.StandardCharsets;
import javax.mail.MessagingException;
import javax.mail.internet.MimeMessage;
import org.springframework.mail.javamail.JavaMailSender;
import org.springframework.mail.javamail.MimeMessageHelper;
import org.springframework.scheduling.annotation.Async;
import org.springframework.stereotype.Service;
import com.ebike.aws.emailutil.Mail;
@Service
public class AWSEmailSenderService {
private JavaMailSender javaMailSender;
public AWSEmailSenderService(JavaMailSender javaMailSender) {
this.javaMailSender = javaMailSender;
}
@Async
public void sendEmail(Mail mail) throws MessagingException {
try {
MimeMessage message = getMimeMessage(mail);
javaMailSender.send(message);
} catch (Exception e) {
e.printStackTrace();
}
}
private MimeMessage getMimeMessage(Mail mail) throws MessagingException {
MimeMessage message = javaMailSender.createMimeMessage();
MimeMessageHelper helper = new MimeMessageHelper(message, MimeMessageHelper.MULTIPART_MODE_MIXED_RELATED,
StandardCharsets.UTF_8.name());
String html = mail.getEmailBody();
helper.setTo(mail.getTo());
helper.setText(html, true);
helper.setSubject(mail.getSubject());
helper.setFrom(mail.getFrom());
return message;
}
}
Mail.java 有获取邮件对象的方法
public Mail getMail() {
Mail mail = new Mail();
mail.setFrom(fromEmailID);
mail.setTo(toEmailId);
mail.setSubject(subject);
mail.setEmailBody(emailBody);
return mail;
}
在获取 IAM 用户无权执行 `ses:SendRawEmail' 异常后,我尝试添加策略以授予所有可能的权限,但我知道我必须修改策略本身,但搜索了一段时间后我不能'想不通,我已经完成了这个 link 但它没有帮助,或者我无法理解。
当前 IAM 用户具有以下 AWS 策略:
我不知道,下面是否适合应用自定义策略
请帮助我了解如何使用 AWS SES 为未验证的电子邮件 ID 发送电子邮件,并为 IAM 用户授予所有可能的权限或策略。
此错误与您的 IAM 用户无关,而是与 Elastic Beanstalk 的 aws-elasticbeanstalk-ec2-role
角色有关。
因此您必须转到 IAM 角色,找到有问题的角色,并向其添加所需的权限。