SES Send Email fails with permission denied (only on Netlify, works on other site with same credentials & code)

rmehner · June 25, 2020, 11:22am

Hey there,

both projects are nearly the same code base (Gatsby + Netlify) and both have a similar function to send emails using SES. Same AWS credentials even. And the code to send emails via SES is the same.

However, on one site everything works as expected, on the other site the Netlify functions return:

AccessDenied: User `arn:aws:sts::XXXXXXXXX:assumed-role/aws-lambda-execute/YYYYY' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:eu-west-1:XXXXXXX:identity/EMAIL@TLD.COM"

Is it possible that the Lambda function in the background for sending emails is missing ses:SendEmail as permission?

The code works locally (same credentials) as well, so it’s really something related to the hosting.

Thanks in advance!

Dennis · June 29, 2020, 4:30pm

Hi @rmehner, I’m not sure that you can use SES directly with Netlify Lambda Functions since Lambda Functions aren’t deployed to your own account. Can you give a bit more details on what you said it working? Are you deploying your function using Netlify or are you deploying directly using AWS?

rmehner · June 29, 2020, 4:58pm

Hey there and thank you for your reply!

we’re already using SES on a Netlify Lambda function and it works fine. We’re authenticating with credentials set in the ENV. We’re deploying our function via Netlify. As I’ve said: It works on one project on Netlify, but for the other one it doesn’t, even though the code and the credentials are the same.

The code in question is this. The environment variables are the same for both projects.

AWS.config.update({
  region: 'eu-west-1',
  credential: new AWS.EnvironmentCredentials('AMAZON'),
})
const ses = new AWS.SES()
const charset = 'UTF-8'
const fromEmail = 'mail@example.org'
const toEmail = 'mail@example.org'

const params = {
  Source: fromEmail,
  Destination: {
    ToAddresses: [toEmail],
  },
  Message: {
    Subject: {
      Data: 'Subject',
      Charset: charset,
    },
    Body: {
      Text: {
        Data: 'Body',
        Charset: charset,
      },
    },
  },
}

ses.sendEmail(params, (err, data) => {
  if (err) {
    console.error(err)
  } else {
    console.log(data)
  }
})

jen · July 3, 2020, 5:32pm

Hey @rmehner,
Would you mind sharing the Netlify url where you’re running into this so we can keep digging?

jen · July 3, 2020, 5:48pm

And without having confirmed with our backend engineers who are mostly out for the holiday weekend, I would hazard a guess that, yes, it’s possible that the default lambda function you have access to through Netlify does not ship with ses:SendEmail permissions… though, again, would need to confirm!

But weird that one production function would send email and the other wouldn’t.

rmehner · July 13, 2020, 1:41pm

Hey @Jen, thanks for investigating. Can I share the link somewhere private?

luke · July 20, 2020, 5:20am

You can private message (PM) that to one of our support staff and I’ve confirmed that PMs are enabled for your community login. Note, that only one person can see the PM and this will likely mean a slower reply than posting the information publicly. Please feel free to reply to however you prefer though.

luke · April 11, 2022, 6:50am

A post was merged into an existing topic: SES permission denied error when sending emails

Mint_IT_Media · November 4, 2022, 3:04am

Hi Iuke, I’m facing similar issue

"AccessDenied: User `arn:aws:iam` is not authorized to perform `ses:SendEmail' on resource ...

Could you advice how to proceed?

Thanks.

hrishikesh · November 6, 2022, 2:19pm

This is being discussed here: SES Send Email fails with permission denied