AWS Amplify SES sendmail 访问被拒绝
AWS Amplify SES sendmail AccessDenied
我想使用简单电子邮件服务 (SES) 使用 AWS Amplify 后端发送电子邮件,但我一直收到 AccessDenied 以及 SO 和互联网上的许多其他答案,说要为 sendmail 和sendrawemail,我已经做到了。
这是错误信息:
2020-08-30T02:19:20.544Z f3980a87-cac0-4f51-9024-d2f92a8a3596 ERROR { AccessDenied: User `arn:aws:sts::mynumericalusernumber:assumed-role/myamplifyappCreateAuthChallenge-sampledev/myamplifyappCreateAuthChallenge-sampledev' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:us-west-2:mynumericalusernumber:identity/theaddressiamtryingtosendto@gmail.com'
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
message:
'User `arn:aws:sts::mynumericalusernumber:assumed-role/myamplifyappCreateAuthChallenge-sampledev/myamplifyappCreateAuthChallenge-sampledev\' is not authorized to perform `ses:SendEmail\' on resource `arn:aws:ses:us-west-2:mynumericalusernumber:identity/theaddressiamtryingtosendto@gmail.com\'',
code: 'AccessDenied',
time: 2020-08-30T02:19:20.541Z,
requestId: 'ab8175a1-af65-443f-9114-248e240ce7f8',
statusCode: 403,
retryable: false,
retryDelay: 14.074425708542204 } 'AccessDenied: User `arn:aws:sts::mynumericalusernumber:assumed-role/myamplifyappCreateAuthChallenge-sampledev/myamplifyappCreateAuthChallenge-sampledev\' is not authorized to perform `ses:SendEmail\' on resource `arn:aws:ses:us-west-2:mynumericalusernumber:identity/theaddressiamtryingtosendto@gmail.com\'\n at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)\n at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)\n at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)\n at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)\n at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)\n at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)\n at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10\n at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)\n at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)\n at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)'
2020-08-30T02:19:20.544Z f3980a87-cac0-4f51-9024-d2f92a8a35
这是在为 OTP(一次性密码)创建身份验证挑战时发生的,这是代码
/* tslint:disable */
/* eslint-disable */
const AWS = require('aws-sdk');
exports.handler = (event, context, callback) => {
//Create a random number for otp
const challengeAnswer = Math.random().toString(10).substr(2, 6);
const phoneNumber = event.request.userAttributes.phone_number;
sendEmail('theaddressiamtryingtosendto@gmail.com', challengeAnswer)
//For Debugging
console.log(event, context);
//set return params
event.response.privateChallengeParameters = {};
event.response.privateChallengeParameters.answer = challengeAnswer;
event.response.challengeMetadata = 'CUSTOM_CHALLENGE';
console.log("My log");
callback(null, event);
};
function sendEmail(emailAddress, secretLoginCode) {
console.log(emailAddress, secretLoginCode);
// Load the AWS SDK for Node.js
// Set the region
AWS.config.update({region: 'us-west-2'});
// Create sendEmail params
var params = {
Destination: {
ToAddresses: [
emailAddress
]
},
Message: {
Body: {
Html: {
Charset: "UTF-8",
Data: `<html><body><p>This is your OTP login code:</p>
<h3>${secretLoginCode}</h3></body></html>`
},
Text: {
Charset: "UTF-8",
Data: `Your OTP login code: ${secretLoginCode}`
}
},
Subject: {
Charset: "UTF-8",
Data: "OTP code"
}
},
Source: "noreply@my-own-verified-domain.com"
};
// Create the promise and SES service object
var sendPromise = new AWS.SES({apiVersion: '2010-12-01'}).sendEmail(params).promise();
// Handle promise's fulfilled/rejected states
sendPromise.then(
function(data) {
console.log(data.MessageId);
}).catch(
function(err) {
console.error(err, err.stack); // This is where the error shown is from
console.log(params);
});
}
我对用户的 IAM 权限
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "*"
}
]
}
我仍然遇到同样的错误,所以我添加了这个
says
的域验证
- 验证状态已验证
- DKIM 状态已验证
- 已启用发送是
SES 处于沙盒模式,我已经验证了地址 siamtryingtosendto@gmail.com 并且测试电子邮件已到达收件箱。
我觉得我已经正确地完成了所有事情,那么我还缺少什么才能让它发挥作用?
@Marcin 带我找到解决方案,应该向解决这个问题致敬
我已将 IAM 权限附加到 IAM 用户,而不是 lambda/role。完成后它才开始工作。
我仍然不确定我是否需要 IAM 用户和角色的相同权限。有点害怕现在对此进行更改,但如果有人知道请发表评论。
我想使用简单电子邮件服务 (SES) 使用 AWS Amplify 后端发送电子邮件,但我一直收到 AccessDenied 以及 SO 和互联网上的许多其他答案,说要为 sendmail 和sendrawemail,我已经做到了。
这是错误信息:
2020-08-30T02:19:20.544Z f3980a87-cac0-4f51-9024-d2f92a8a3596 ERROR { AccessDenied: User `arn:aws:sts::mynumericalusernumber:assumed-role/myamplifyappCreateAuthChallenge-sampledev/myamplifyappCreateAuthChallenge-sampledev' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:us-west-2:mynumericalusernumber:identity/theaddressiamtryingtosendto@gmail.com'
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
message:
'User `arn:aws:sts::mynumericalusernumber:assumed-role/myamplifyappCreateAuthChallenge-sampledev/myamplifyappCreateAuthChallenge-sampledev\' is not authorized to perform `ses:SendEmail\' on resource `arn:aws:ses:us-west-2:mynumericalusernumber:identity/theaddressiamtryingtosendto@gmail.com\'',
code: 'AccessDenied',
time: 2020-08-30T02:19:20.541Z,
requestId: 'ab8175a1-af65-443f-9114-248e240ce7f8',
statusCode: 403,
retryable: false,
retryDelay: 14.074425708542204 } 'AccessDenied: User `arn:aws:sts::mynumericalusernumber:assumed-role/myamplifyappCreateAuthChallenge-sampledev/myamplifyappCreateAuthChallenge-sampledev\' is not authorized to perform `ses:SendEmail\' on resource `arn:aws:ses:us-west-2:mynumericalusernumber:identity/theaddressiamtryingtosendto@gmail.com\'\n at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)\n at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)\n at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)\n at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)\n at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)\n at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)\n at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10\n at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)\n at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)\n at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)'
2020-08-30T02:19:20.544Z f3980a87-cac0-4f51-9024-d2f92a8a35
这是在为 OTP(一次性密码)创建身份验证挑战时发生的,这是代码
/* tslint:disable */
/* eslint-disable */
const AWS = require('aws-sdk');
exports.handler = (event, context, callback) => {
//Create a random number for otp
const challengeAnswer = Math.random().toString(10).substr(2, 6);
const phoneNumber = event.request.userAttributes.phone_number;
sendEmail('theaddressiamtryingtosendto@gmail.com', challengeAnswer)
//For Debugging
console.log(event, context);
//set return params
event.response.privateChallengeParameters = {};
event.response.privateChallengeParameters.answer = challengeAnswer;
event.response.challengeMetadata = 'CUSTOM_CHALLENGE';
console.log("My log");
callback(null, event);
};
function sendEmail(emailAddress, secretLoginCode) {
console.log(emailAddress, secretLoginCode);
// Load the AWS SDK for Node.js
// Set the region
AWS.config.update({region: 'us-west-2'});
// Create sendEmail params
var params = {
Destination: {
ToAddresses: [
emailAddress
]
},
Message: {
Body: {
Html: {
Charset: "UTF-8",
Data: `<html><body><p>This is your OTP login code:</p>
<h3>${secretLoginCode}</h3></body></html>`
},
Text: {
Charset: "UTF-8",
Data: `Your OTP login code: ${secretLoginCode}`
}
},
Subject: {
Charset: "UTF-8",
Data: "OTP code"
}
},
Source: "noreply@my-own-verified-domain.com"
};
// Create the promise and SES service object
var sendPromise = new AWS.SES({apiVersion: '2010-12-01'}).sendEmail(params).promise();
// Handle promise's fulfilled/rejected states
sendPromise.then(
function(data) {
console.log(data.MessageId);
}).catch(
function(err) {
console.error(err, err.stack); // This is where the error shown is from
console.log(params);
});
}
我对用户的 IAM 权限
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "*"
}
]
}
我仍然遇到同样的错误,所以我添加了这个
says
的域验证- 验证状态已验证
- DKIM 状态已验证
- 已启用发送是
SES 处于沙盒模式,我已经验证了地址 siamtryingtosendto@gmail.com 并且测试电子邮件已到达收件箱。
我觉得我已经正确地完成了所有事情,那么我还缺少什么才能让它发挥作用?
@Marcin 带我找到解决方案,应该向解决这个问题致敬
我已将 IAM 权限附加到 IAM 用户,而不是 lambda/role。完成后它才开始工作。
我仍然不确定我是否需要 IAM 用户和角色的相同权限。有点害怕现在对此进行更改,但如果有人知道请发表评论。