Access Denied while sending email from AWS SES in Lambda function
Solution 1
So, I was also having the same problem which Rakesh has explained but couldn't understand the steps he was saying to do so here is a detailed explanation with steps.
You need to do the following Security, Identity & Compliance -> IAM -> Roles -> select your lambda function -> then edit policy -> open it in JSON and add the below part
{
"Effect":"Allow",
"Action":[
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource":"*"
}
or you can do as per requirement from these policy examples https://docs.aws.amazon.com/ses/latest/DeveloperGuide/control-user-access.html#iam-and-ses-examples-email-sending-actions also, you need to verify the email address first so don't forget that. Hope this helps everyone.
Solution 2
After a long debugging i got the issue, "lambda_basic_execution" role need to be granted with permission to access "ses:SendEmail", "ses:SendRawEmail".
Where i was trying to grant permission for the new IAM role i have created, but lambda function is mapped to "lambda_basic_execution" so there is a mismatch.
Solution 3
If you are configuring policies for a SAM Lambda or using a YAML configuration file, you would use something like this:
template.yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: 'your-email-lambda'
Resources:
YourEmailFunction:
Type: AWS:Serverless::Function
Properties:
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'ses:SendEmail'
- 'ses:SendRawEmail'
Resource: '*'
Solution 4
As what others said you should add this two permissions: ses:SendEmail,ses:SendRawEmail
I just want to add explaination for those who use Serverless framework
In serverless.yml:
provider:
name: aws
stage: dev
runtime: nodejs10.x
region: us-west-1
iamRoleStatements:
- Effect: Allow
Action:
- dynamodb:Query
- dynamodb:Scan
- dynamodb:GetItem
- dynamodb:PutItem
- dynamodb:UpdateItem
- dynamodb:DeleteItem
- lambda:InvokeFunction
- ses:SendEmail # add this
- ses:SendRawEmail # add this
Resource: '*' # add this
Solution 5
IAM Policy fixed the issue. Policy summary will show if there are any warnings i.e. resource does not exist etc.
JSON needs following
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "*"
}
RakeshKalwa
Updated on January 13, 2022Comments
-
RakeshKalwa over 2 years
I am trying to send an email using Amazon SES in AWS Lambda function, For this i am facing the following error.
AccessDenied: User
arn:aws:sts::XXXXX:assumed-role/lambda_basic_execution/awslambda_XXXX' is not authorized to perform
ses:SendEmail' on resource `arn:aws:ses:us-west-2:XXX:identity/[email protected]'I have granted permission for
"ses:SendEmail", "ses:SendRawEmail" for the IAM role.