0

I am new to AWS Lambda. I am trying to send mail with AWS SES from AWS Lambda, without any triggers. Here is my code:

import boto3
from botocore.exceptions import ClientError

ses = boto3.client('ses')

email_from = '[email protected]'
email_to = '[email protected]'
emaiL_subject = 'Subject'
email_body = 'Body'


def lambda_handler(event, context):
    response = ses.send_email(
        Source = email_from,
        Destination={
            'ToAddresses': [
                email_to,
            ],
        },
        Message={
            'Subject': {
                'Data': emaiL_subject
            },
            'Body': {
                'Text': {
                    'Data': email_body
                }
            }
        }
    )

I've created a custom role with simple microservices permission. The event is set to hello world. I saved and clicked on test, and it shows this error:

{
  "errorMessage": "An error occurred (AccessDenied) when calling the SendEmail operation: User `arn:aws:sts::990458801115:assumed-role/basic-lambda-role/sendmail' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:us-east-1:990458801115:identity/[email protected]'",
  "errorType": "ClientError",
  "stackTrace": [
    [
      "/var/task/lambda_function.py",
      28,
      "lambda_handler",
      "'Data': email_body"
    ],
    [
      "/var/runtime/botocore/client.py",
      314,
      "_api_call",
      "return self._make_api_call(operation_name, kwargs)"
    ],
    [
      "/var/runtime/botocore/client.py",
      612,
      "_make_api_call",
      "raise error_class(parsed_response, operation_name)"
    ]
  ]
}

I wrote the code from here, it runs perfectly locally.

2
  • 1
    Can you show your IAM Role/Policy document? Commented Sep 24, 2018 at 8:58
  • Verify that the role "Trust Relationships" includes lambda. It should show: The identity provider(s) lambda.amazonaws.com Commented Sep 24, 2018 at 17:44

2 Answers 2

3

The Lambda function you're running this code in does not have permission to send messages using SES. You need to add the action ses:SendEmail to your basic-lambda-role IAM Role.

When you run the code locally you will be communicating with SES using your own developer credentials, which probably have higher permissions.


0

It seems that the role you're using doesn't have the relevant policies regarding the SES service.

Step 1: Create a custom policy, for example SES-SendEmail-Policy, and provide it with the following JSON (ses:SendEmail is the action that was missing):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail"
            ],
            "Resource": "*"
        }
    ]
}

Step 2: Attach the SES-SendEmail-Policy to the basic-lambda-role role.
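
Added example, not part of either answer: the AccessDenied message already names the exact action and SES identity ARN, so the grant can be scoped to that one identity instead of `"Resource": "*"`. The account ID and address are constructed placeholders, and `allows` is a hypothetical, simplified evaluator used only to compare the two policies.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample shaped like the error in the question; the account ID
# and address are placeholders, the role name is the one from the page.
SAMPLE_ERROR = (
    "An error occurred (AccessDenied) when calling the SendEmail operation: "
    "User `arn:aws:sts::123456789012:assumed-role/basic-lambda-role/sendmail' "
    "is not authorized to perform `ses:SendEmail' on resource "
    "`arn:aws:ses:us-east-1:123456789012:identity/sender@example.com'"
)
DENIED = re.compile(
    r"User `(?P<principal>[^']+)' is not authorized to perform "
    r"`(?P<action>[^']+)' on resource `(?P<resource>[^']+)'"
)
# The policy from the answer above: any SES identity in the account.
WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ses:SendEmail"], "Resource": "*"}]}

def parse_access_denied(message):
    """Extract principal, action and resource from the error text."""
    match = DENIED.search(message)
    if match is None:
        raise ValueError("not an AccessDenied message of the expected shape")
    return match.groupdict()

def scoped_policy(denied):
    """Allow only the denied action on only the resource that was named."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": [denied["action"]],
         "Resource": denied["resource"]}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """Hypothetical helper: Deny wins, else any Allow; ignores Condition."""
    allowed = False
    for stmt in as_list(policy["Statement"]):
        hit = (any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"]))
               and any(fnmatchcase(resource, r) for r in as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

if __name__ == "__main__":
    print(json.dumps(scoped_policy(parse_access_denied(SAMPLE_ERROR)), indent=4))
```

The printed document can be pasted as the policy JSON in Step 1; with it, the role can send only from the identity in the error, while the wildcard policy also covers every other verified identity in the account.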
