SES Send Email fails with permission denied (only on Netlify, works on other site with same credentials & code)

Hey there,

both projects are nearly the same code base (Gatsby + Netlify) and both have a similar function to send emails using SES. Same AWS credentials even. And the code to send emails via SES is the same.

However, on one site everything works as expected, on the other site the Netlify functions return:

AccessDenied: User `arn:aws:sts::XXXXXXXXX:assumed-role/aws-lambda-execute/YYYYY' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:eu-west-1:XXXXXXX:identity/EMAIL@TLD.COM"

Is it possible that the Lambda function in the background for sending emails is missing ses:SendEmail as a permission?

The code works locally (same credentials) as well, so it’s really something related to the hosting.

Thanks in advance!

Hi @rmehner, I’m not sure that you can use SES directly with Netlify Lambda Functions since Lambda Functions aren’t deployed to your own account. Can you give a bit more detail on what you said is working? Are you deploying your function using Netlify or are you deploying directly using AWS?

Hey there and thank you for your reply!

we’re already using SES on a Netlify Lambda function and it works fine. We’re authenticating with credentials set in the ENV. We’re deploying our function via Netlify. As I’ve said: It works on one project on Netlify, but for the other one it doesn’t, even though the code and the credentials are the same.

The code in question is this. The environment variables are the same for both projects.

```js
const AWS = require('aws-sdk')

AWS.config.update({
  region: 'eu-west-1',
  credential: new AWS.EnvironmentCredentials('AMAZON'),
})
const ses = new AWS.SES()
const charset = 'UTF-8'
const fromEmail = 'mail@example.org'
const toEmail = 'mail@example.org'

const params = {
  Source: fromEmail,
  Destination: {
    ToAddresses: [toEmail],
  },
  Message: {
    Subject: {
      Data: 'Subject',
      Charset: charset,
    },
    Body: {
      Text: {
        Data: 'Body',
        Charset: charset,
      },
    },
  },
}

ses.sendEmail(params, (err, data) => {
  if (err) {
    console.error(err)
  } else {
    console.log(data)
  }
})
```
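An added diagnostic sketch, not part of the thread and not Netlify's or AWS's code: it parses the AccessDenied message quoted above to show which kind of principal signed the request, and lists option keys that `AWS.config.update()` in the AWS SDK for JavaScript v2 would ignore. Helper names are hypothetical and `KNOWN_KEYS` is only a subset of the documented global config keys.

```javascript
// Added example: helper names are hypothetical; SAMPLE is the message quoted in the thread.
const SAMPLE =
  "AccessDenied: User `arn:aws:sts::XXXXXXXXX:assumed-role/aws-lambda-execute/YYYYY' " +
  "is not authorized to perform `ses:SendEmail' on resource " +
  "`arn:aws:ses:eu-west-1:XXXXXXX:identity/EMAIL@TLD.COM\"";

// Quoting varies between message formats, so accept `, ' or " around each field.
const DENIED = new RegExp(
  "User:?\\s+[`'\"]?(arn:[^\\s`'\"]+)[`'\"]?\\s+is not authorized to perform:?\\s+" +
  "[`'\"]?([\\w-]+:[\\w*]+)[`'\"]?\\s+on resource:?\\s+[`'\"]?(arn:[^\\s`'\"]+)"
);

// ARN layout: arn:partition:service:region:account:resource
function parseArn(arn) {
  const [, , service, , account, ...rest] = arn.split(':');
  const [type, ...path] = rest.join(':').split('/');
  return { service, account, type, path };
}

function explainAccessDenied(message) {
  const m = DENIED.exec(message);
  if (!m) return null;
  const p = parseArn(m[1]);
  let kind = 'other';
  if (p.service === 'sts' && p.type === 'assumed-role') kind = 'assumed-role';
  else if (p.service === 'iam' && p.type === 'user') kind = 'iam-user';
  const isRole = kind === 'assumed-role';
  return {
    kind,
    account: p.account,
    role: isRole ? p.path[0] : null,
    session: isRole ? p.path.slice(1).join('/') : null,
    action: m[2],
    resource: m[3],
  };
}

// AWS.config.update() skips keys it does not recognise unless allowUnknownKeys is
// passed. KNOWN_KEYS is a subset of the SDK v2 global config keys (assumption: enough here).
const KNOWN_KEYS = new Set(['credentials', 'credentialProvider', 'region', 'endpoint',
  'maxRetries', 'httpOptions', 'logger', 'apiVersion', 'apiVersions', 'sslEnabled']);
function ignoredConfigKeys(options) {
  return Object.keys(options).filter((key) => !KNOWN_KEYS.has(key));
}

console.log(explainAccessDenied(SAMPLE));
console.log(ignoredConfigKeys({ region: 'eu-west-1', credential: {} }));
```

An `assumed-role` principal means temporary role credentials signed the call; access keys that belong to an IAM user would appear as `arn:aws:iam::<account>:user/<name>` instead.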

Hey @rmehner,
Would you mind sharing the Netlify url where you’re running into this so we can keep digging?

And without having confirmed with our backend engineers who are mostly out for the holiday weekend, I would hazard a guess that, yes, it’s possible that the default lambda function you have access to through Netlify does not ship with ses:SendEmail permissions… though, again, would need to confirm!

But weird that one production function would send email and the other wouldn’t.

Hey @Jen, thanks for investigating. Can I share the link somewhere private?

You can private message (PM) that to one of our support staff and I’ve confirmed that PMs are enabled for your community login. Note that only one person can see the PM and this will likely mean a slower reply than posting the information publicly. Please feel free to reply however you prefer though.