Commit f86c019

Docs: Amazon SES: fix IAM policy recommendations
Correct IAM action permissions required for Amazon SES v2 API. Fixes #384
1 parent 2d9ca13 commit f86c019

2 files changed

+49
-22
lines changed

CHANGELOG.rst

Lines changed: 18 additions & 0 deletions
@@ -26,6 +26,23 @@ Release history
2626
.. This extra heading level keeps the ToC from becoming unmanageably long
2727
2828
29+
v11.0.1
30+
-------
31+
32+
*2024-07-11*
33+
34+
(This release updates only documentation and package metadata; the code is
35+
identical to v11.0.)
36+
37+
Fixes
38+
~~~~~
39+
40+
* **Amazon SES (docs):** Correct IAM policies required for using
41+
the Amazon SES v2 API. See
42+
`Migrating to the SES v2 API <https://anymail.dev/en/stable/esps/amazon_ses/#amazon-ses-v2>`__.
43+
(Thanks to `@scur-iolus`_ for identifying the problem.)
44+
45+
2946
v11.0
3047
-----
3148
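Review bot: the bullet title says "Correct IAM policies required for using the Amazon SES v2 API" while the commit message and the docs change are about the IAM *actions* that must be granted; wording it as "Correct the IAM actions required for the Amazon SES v2 API" would match what actually changed. The `@scur-iolus`_ reference used here is defined in the link block added further down the same file, so the reStructuredText target resolves.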

@@ -1681,6 +1698,7 @@ Features
16811698
.. _@puru02: https://github.com/puru02
16821699
.. _@RignonNoel: https://github.com/RignonNoel
16831700
.. _@sblondon: https://github.com/sblondon
1701+
.. _@scur-iolus: https://github.com/scur-iolus
16841702
.. _@sdarwin: https://github.com/sdarwin
16851703
.. _@sebashwa: https://github.com/sebashwa
16861704
.. _@sebbacon: https://github.com/sebbacon

docs/esps/amazon_ses.rst

Lines changed: 31 additions & 22 deletions
@@ -693,8 +693,8 @@ Anymail requires IAM permissions that will allow it to use these actions:
693693

694694
* To send mail:
695695

696-
* Ordinary (non-templated) sends: ``ses:SendEmail``
697-
* Template/merge sends: ``ses:SendBulkEmail``
696+
* Ordinary (non-templated) sends: ``ses:SendEmail`` and ``ses:SendRawEmail``
697+
* Template/merge sends: ``ses:SendBulkEmail`` and ``ses:SendBulkTemplatedEmail``
698698

699699
* To :ref:`automatically confirm <amazon-ses-confirm-sns-subscriptions>`
700700
webhook SNS subscriptions: ``sns:ConfirmSubscription``
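Review bot: the two bullets now list four actions but give no hint why both ``ses:SendEmail`` and ``ses:SendRawEmail`` (and both bulk actions) are needed, so a reader who stops at this list may assume one of each pair is redundant and drop it. Suggest a short pointer on the list, e.g. "both actions are required; see the note on IAM error messages below", so the requirement is not mistaken for a leftover from the v1 docs.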
@@ -717,7 +717,12 @@ This IAM policy covers all of those:
717717
"Version": "2012-10-17",
718718
"Statement": [{
719719
"Effect": "Allow",
720-
"Action": ["ses:SendEmail", "ses:SendBulkEmail"],
720+
"Action": [
721+
"ses:SendEmail",
722+
"ses:SendRawEmail",
723+
"ses:SendBulkEmail",
724+
"ses:SendBulkTemplatedEmail"
725+
],
721726
"Resource": "*"
722727
}, {
723728
"Effect": "Allow",
@@ -730,35 +735,41 @@ This IAM policy covers all of those:
730735
}]
731736
}
732737
733-
(Anymail does not need access to ``ses:SendRawEmail``
734-
or ``ses:SendBulkTemplatedEmail``. Those are SES v1 actions.)
735-
736738
737739
.. _amazon-ses-iam-errors:
738740

739-
.. note:: **Misleading IAM error messages**
741+
.. note:: **Confusing IAM error messages**
740742

741-
Permissions errors for the SES v2 API often refer to the equivalent SES v1 API name,
742-
which can be confusing. For example, this error (emphasis added):
743+
Permissions errors for the SES v2 API refer to both the v2 API "operation"
744+
and the underlying action whose permission is being checked. This can be
745+
confusing. For example, this error (emphasis added):
743746

744747
.. parsed-literal::
745748
746749
An error occurred (AccessDeniedException) when calling the **SendEmail** operation:
747750
User 'arn:...' is not authorized to perform **'ses:SendRawEmail'** on resource 'arn:...'
748751
749-
actually indicates problems with IAM policies for the v2 ``ses:SendEmail`` action,
750-
*not* the v1 ``ses:SendRawEmail`` action. (The correct action appears as the "operation"
751-
in the first line of the error message.)
752+
actually indicates problems with IAM policies for the ``ses:SendRawEmail``
753+
*action*, not the ``ses:SendEmail`` action. (Even though Anymail calls
754+
the SES v2 SendEmail API, not SendRawEmail.)
752755

753756
Following the principle of `least privilege`_, you should omit permissions
754757
for any features you aren't using, and you may want to add additional restrictions:
755758

756759
* For Amazon SES sending, you can add conditions to restrict senders, recipients, times,
757760
or other properties. See Amazon's `Controlling access to Amazon SES`_ guide.
758-
(Be aware that the SES v2 ``SendBulkEmail`` API does not support condition keys
759-
that restrict email addresses, and using them can cause misleading error messages.
760-
All other SES APIs used by Anymail *do* support address restrictions, including
761-
the SES v2 ``SendEmail`` API used for non-template sends.)
761+
But be aware that:
762+
763+
* The v2 ``ses:SendBulkEmail`` action does not support condition keys that
764+
restrict email addresses, and using them can cause misleading error messages.
765+
To restrict template sends, apply condition keys to ``ses:SendBulkTemplatedEmail``
766+
and then add a separate statement to allow ``ses:SendBulkEmail`` without conditions.
767+
* The v2 ``ses:SendRawEmail`` and ``ses:SendEmail`` actions used for non-template
768+
sends *do* support conditions to restrict addresses.
769+
* Technically, the v2 ``ses:SendEmail`` *action* does not seem to be required
770+
for the SES v2 SendEmail *API operation* as Anymail uses it (with the Content.Raw
771+
param), but including it seems prudent given Amazon's confusing error messages
772+
and incomplete documentation on the subject.
762773

763774
* For auto-confirming webhooks, you might limit the resource to SNS topics owned
764775
by your AWS account, and/or specific topic names or patterns. E.g.,
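Review bot: the third new bullet hedges twice ("does not seem to be required", "seems prudent"); a reader cannot act on that, so either cite the AWS reference that lists the actions checked by the SES v2 SendEmail operation or state plainly that both actions are granted because the permission check is not documented. The first new bullet describes a split policy (condition keys on ``ses:SendBulkTemplatedEmail`` plus a separate unconditional statement for ``ses:SendBulkEmail``) in prose only; since that shape is easy to get wrong, a short JSON statement pair illustrating it would remove the ambiguity.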
@@ -810,12 +821,10 @@ for status tracking webhooks or receiving inbound email.)
810821
Migrating to SES v2 requires minimal code changes:
811822

812823
1. Update your :ref:`IAM permissions <amazon-ses-iam-permissions>` to grant Anymail
813-
access to the SES v2 sending actions: ``ses:SendEmail`` for ordinary sends, and/or
814-
``ses:SendBulkEmail`` to send using SES templates. (The IAM action
815-
prefix is just ``ses`` for both the v1 and v2 APIs.)
816-
817-
Access to ``ses:SendRawEmail`` or ``ses:SendBulkTemplatedEmail`` can be removed.
818-
(Those actions are only needed for SES v1.)
824+
access to the SES v2 sending actions: ``ses:SendEmail`` *and* ``ses:SendRawEmail``
825+
for ordinary sends, and/or ``ses:SendBulkEmail`` *and* ``ses:SendBulkTemplatedEmail``
826+
to send using SES templates. (The IAM action prefix is just ``ses`` for both
827+
the v1 and v2 APIs.)
819828

820829
If you run into unexpected IAM authorization failures, see the note about
821830
:ref:`misleading IAM permissions errors <amazon-ses-iam-errors>` above.
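Review bot: the unchanged context line still links with the text ":ref:`misleading IAM permissions errors <amazon-ses-iam-errors>`", but this commit retitles that note to "Confusing IAM error messages"; update the link text to match. Also, the removed sentence told users they could drop ``ses:SendRawEmail`` and ``ses:SendBulkTemplatedEmail``, and nothing in the new text tells readers who followed that earlier advice that those actions must now be added back; one explicit sentence in step 1 would prevent that regression.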
