Support » Plugin: WP Offload SES Lite » [SOLVED] IAM permissions required for key validation

  • Resolved oskapt

    (@oskapt)


    Howdy, all. This post is for those of you following the IAM best practices for limiting access to SES. If you followed the instructions and created a user just for SES access and then gave it limited permissions to send email, you’ve probably only granted it SendEmail and SendRawEmail. This is not enough.

    When validating addresses, the plugin calls ListVerifiedEmailAddresses. If this call fails, you will see the errors reporting that your keys aren’t active and that your email address has not been verified. It’s a frustrating error, as other posts here demonstrate.

    In the permissions policy for your user, make sure that you have all of the following:

    • ses:SendEmail
    • ses:SendRawEmail
    • ses:ListVerifiedEmailAddresses
    • ses:ListIdentities

    The last one is necessary because ListVerifiedEmailAddresses has been deprecated since 2012, replaced with ListIdentities. I’ll notify the plugin author in another topic that the code needs an update before AWS stops accepting calls to ListVerifiedEmailAddresses.

    https://wordpress.org/plugins/wp-ses/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Contributor Sylvain Deaure

    (@sylvaindeaure)

    Hi,

    Thanks a lot for that info.

    That will solve a lot of concerns here.

    I’ll add that to the FAQ, and take care of the deprecated call.

    Thanks again,

    Sylvain

    Can you show me what the policy should look like? This is what I have:

    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "xxxxxxx",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::xxxxxxxx:user/xxxxxx"
                },
                "Action": [
                    "ses:SendEmail",
                    "ses:SendRawEmail"
                ],
                "Resource": "arn:aws:ses:us-east-1:xxxxxxx:identity/xxxxxxxx"
            }
        ]
    }

    When I try to add any of those other actions mentioned in the first post, it says they’re not valid or something.

    When I click the “add this email” I get this at the top:

    Error : [512] SimpleEmailService::VerifyEmailIdentity(): Sender – AccessDenied: User: arn:aws:iam::xxxx:user/xxxxx is not authorized to perform: ses:VerifyEmailIdentity Request Id: f67bc95a-f79a-11e5-822c-21b92055a5cc

    A confirmation request has been sent. You will receive at the stated email a confirmation request from amazon SES. You MUST click on the provided link in order to confirm your sender Email.
    SES Answer – id false

    I got an email that said this:

    Congratulations! The Amazon SES verification process for the domain xxxxxx.com in region US East (N. Virginia) is now complete. You are now able to send email through Amazon SES from any address within this domain. For more information, please refer to the Amazon SES Developer Guide. Thank you for using Amazon SES.

    On the top of the plugin settings, it says:

    sender Email is set
    Amazon API Keys are valid
    Sender Email has not been confirmed yet.
    Plugin is active.
    You can check your sending limits and stats under Dashboard -> SES Stats

    So I’m completely lost as to what I need to do, or not do to get this working. It’s really really complicated for me.

    Should the identity policy be for the domain or for the email address?

    The plugin settings screen shows:
    Make sure you give it at least the following permissions : ListIdentities, SendEmail, SendRawEmail.
    You should also allow : VerifyEmailIdentity, DeleteIdentity, Remove GetSendQuota, GetSendStatistics

    How do you add in all those other permissions (in addition to sendemail, sendrawemail) when the policy editor says they’re invalid when I try to insert them?

    For example, I try to add ses:VerifyEmailIdentity to the action list in the policy and when I try to apply the changes it says:

    Error while applying policy: Invalid action ‘ses:VerifyEmailIdentity’

    Do I first need to give the IAM user AmazonSESReadOnlyAccess and AmazonSESFullAccess permission policies? I tried that, it had no effect on the actions available when creating the identity policy for the email address.

    I can’t believe I’ve been trying to get this to work for 3 hours with no success =(

    Ok wow, I finally figured it out! For anyone pulling their hair out like me, you have to create an Inline Policy for your IAM user. It’s under the Permissions tab and it will look like this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmtxxxxxxxx",
                "Effect": "Allow",
                "Action": [
                    "ses:DeleteIdentity",
                    "ses:GetSendStatistics",
                    "ses:ListIdentities",
                    "ses:ListVerifiedEmailAddresses",
                    "ses:VerifyEmailIdentity"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }

    Now everything is working!

    Plugin Contributor Sylvain Deaure

    (@sylvaindeaure)

    Sorry for the hairs 🙂
    AWS can be a pain…

    You got it right.
    There is also some kind of graphical editor for Inline policy, that lets you select those permissions via dropdown.
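
An added example, not part of the thread or the plugin's code: a small Python check that reads policy documents and reports which of the SES actions named in this thread are still not granted. The function names `audit` and `missing` are hypothetical; it assumes the SES identity policy and the user's inline policy belong to the same account, so an Allow in either one counts, and it does not evaluate Resource, Condition or NotAction.

```python
from fnmatch import fnmatchcase

# Actions named in the thread: required by the first post and the settings
# screen, plus the ones the settings screen says you "should also allow".
REQUIRED = ["ses:SendEmail", "ses:SendRawEmail",
            "ses:ListIdentities", "ses:ListVerifiedEmailAddresses"]
OPTIONAL = ["ses:VerifyEmailIdentity", "ses:DeleteIdentity",
            "ses:GetSendQuota", "ses:GetSendStatistics"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit(policies, wanted):
    """Map each wanted action to 'allowed', 'denied' or 'missing'.

    Simplification: only Effect and Action are read; Resource, Condition
    and NotAction are not evaluated. An explicit Deny wins over any Allow.
    """
    allow, deny = [], []
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            bucket = allow if stmt.get("Effect") == "Allow" else deny
            bucket.extend(_as_list(stmt.get("Action", [])))
    return {a: "denied" if _matches(deny, a)
            else "allowed" if _matches(allow, a) else "missing"
            for a in wanted}

# Constructed copies of the two policies in the thread (placeholders kept).
IDENTITY_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::xxxxxxxx:user/xxxxxx"},
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:xxxxxxx:identity/xxxxxxxx"}]}
INLINE_USER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ses:DeleteIdentity", "ses:GetSendStatistics",
               "ses:ListIdentities", "ses:ListVerifiedEmailAddresses",
               "ses:VerifyEmailIdentity"],
    "Resource": ["*"]}]}

def missing(policies, wanted=REQUIRED + OPTIONAL):
    return [a for a, state in audit(policies, wanted).items() if state != "allowed"]

if __name__ == "__main__":
    print("identity policy only:", missing([IDENTITY_POLICY]))
    print("both policies:", missing([IDENTITY_POLICY, INLINE_USER_POLICY]))
```

Run against the two policies posted above, the check leaves only `ses:GetSendQuota` ungranted, which the settings screen lists among the optional permissions.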
