我想使用AWS Amplify后端使用简单电子邮件服务(SES(发送电子邮件,但我一直收到AccessDenied,SO和互联网上的许多其他答案都说要设置sendmail和sendrawemail的IAM权限,我已经做到了。
这是错误消息:
2020-08-30T02:19:20.544Z f3980a87-cac0-4f51-9024-d2f92a8a3596 ERROR { AccessDenied: User `arn:aws:sts::mynumericalusernumber:assumed-role/myamplifyappCreateAuthChallenge-sampledev/myamplifyappCreateAuthChallenge-sampledev' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:us-west-2:mynumericalusernumber:identity/theaddressiamtryingtosendto@gmail.com'
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
message:
'User `arn:aws:sts::mynumericalusernumber:assumed-role/myamplifyappCreateAuthChallenge-sampledev/myamplifyappCreateAuthChallenge-sampledev' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:us-west-2:mynumericalusernumber:identity/theaddressiamtryingtosendto@gmail.com'',
code: 'AccessDenied',
time: 2020-08-30T02:19:20.541Z,
requestId: 'ab8175a1-af65-443f-9114-248e240ce7f8',
statusCode: 403,
retryable: false,
retryDelay: 14.074425708542204 } 'AccessDenied: User `arn:aws:sts::mynumericalusernumber:assumed-role/myamplifyappCreateAuthChallenge-sampledev/myamplifyappCreateAuthChallenge-sampledev' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:us-west-2:mynumericalusernumber:identity/theaddressiamtryingtosendto@gmail.com'n at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)n at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)n at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)n at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)n at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)n at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)n at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10n at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)n at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)n at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)'
2020-08-30T02:19:20.544Z f3980a87-cac0-4f51-9024-d2f92a8a35
这是在OTP(一次性密码(的创建身份验证挑战中发生的,下面是代码
/* tslint:disable */
/* eslint-disable */
const AWS = require('aws-sdk');
exports.handler = (event, context, callback) => {
//Create a random number for otp
const challengeAnswer = Math.random().toString(10).substr(2, 6);
const phoneNumber = event.request.userAttributes.phone_number;
sendEmail('theaddressiamtryingtosendto@gmail.com', challengeAnswer)
//For Debugging
console.log(event, context);
//set return params
event.response.privateChallengeParameters = {};
event.response.privateChallengeParameters.answer = challengeAnswer;
event.response.challengeMetadata = 'CUSTOM_CHALLENGE';
console.log("My log");
callback(null, event);
};
function sendEmail(emailAddress, secretLoginCode) {
console.log(emailAddress, secretLoginCode);
// Load the AWS SDK for Node.js
// Set the region
AWS.config.update({region: 'us-west-2'});
// Create sendEmail params
var params = {
Destination: {
ToAddresses: [
emailAddress
]
},
Message: {
Body: {
Html: {
Charset: "UTF-8",
Data: `<html><body><p>This is your OTP login code:</p>
<h3>${secretLoginCode}</h3></body></html>`
},
Text: {
Charset: "UTF-8",
Data: `Your OTP login code: ${secretLoginCode}`
}
},
Subject: {
Charset: "UTF-8",
Data: "OTP code"
}
},
Source: "noreply@my-own-verified-domain.com"
};
// Create the promise and SES service object
var sendPromise = new AWS.SES({apiVersion: '2010-12-01'}).sendEmail(params).promise();
// Handle promise's fulfilled/rejected states
sendPromise.then(
function(data) {
console.log(data.MessageId);
}).catch(
function(err) {
console.error(err, err.stack); // This is where the error shown is from
console.log(params);
});
}
用户的我的IAM权限
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "*"
}
]
}
我仍然有同样的错误,所以我添加了这个
says 的域验证
- 验证状态已验证
- DKIM状态已验证
- 已启用发送是
SES处于沙箱模式,我已经验证theaddressiamtryingtosendto@gmail.com并且测试电子邮件到达收件箱。
我觉得我做的每件事都是正确的,那么我缺少什么来让它发挥作用呢?
@Marcin带领我找到解决方案,应该为解决这个而致敬
我已将IAM权限附加到IAM用户,而不是lambda/角色。当这项工作完成后,它才刚刚开始工作。
我仍然不确定IAM用户和角色是否需要相同的权限。现在有点害怕对此进行更改,但如果有人知道,请发表评论。