将AWS SES与从S3调用的Lambda函数（nodejs）一起使用

Question

My setup is the following:

• Lambda provides an API endpoint to a function which sends out an email via AWS SES
• API endpoint is called from static JS file on a S3 bucket

This works:

var exec = require('child_process').exec;

var aws = require('aws-sdk');
var ses = new aws.SES({
  "accessKeyId": "MY_ACCESS_KEY",
  "secretAccessKey": "MY_SECRET_ACCESS_KEY",
  "region": "A_REGION"
});

var ses = new aws.SES();

exports.handler = function(event, context) {
    ...code to send email...
};

I would like to remove the credentials from the function and rather let Lambda get them from somewhere else.

If I remove the credentials I get:

User `arn:aws:sts::1234567890:assumed-role/lambda_basic_execution/awslambda_1234567890\' is not authorized to perform `ses:SendEmail\' on resource `arn:aws:ses:us-region-123:1234567890:identity/my.identity@domain.com\'

I'm still trying to wrap my head around policies, roles and credentials. I first thought Lambda might be able to get the credentials from S3 environment variables, but I don't have a clue how to set these or if that's the correct approach anyway.

Would be great if someone could give me a hint how this might work. Or if it's not possible.

My main reason to remove the credentials form the Lambda function is that I want to add the function code to a git repo. And I feel bad about adding those credentials to the code repo.

Answer 1

When you created your lambda function, you created an IAM Role with sufficient permissions to execute the function itself, but not to perform actions on any other AWS services. From the documentation:

Regardless of how your Lambda function is invoked, AWS Lambda always executes the function. At the time of creating a Lambda function, you specify an IAM role that AWS Lambda can assume to execute your Lambda function on your behalf. This role is also referred to as the execution role. If your Lambda function accesses other AWS resources during execution (for example, to create an object in an Amazon S3 bucket, to read an item from a DynamoDB table, or to write logs to CloudWatch Logs), you need to grant the execution role permissions for the specific actions that you want to perform using your Lambda function.

Consequently, your new IAM role doesn't have permissions to perform SES send actions.

From the web console or CLI, you can find this IAM role and update the existing inline policy (or attach a new one) to allow Send Email actions:

{
    "Version": "2012-10-17",
    "Statement": [
    {
       "Effect": "Allow",
       "Action": ["ses:SendEmail", "ses:SendRawEmail"],
       "Resource":"*"
     }
    ]
 }

From my reading of your question, it seems that S3 is largely irrelevant to the execution role, if you're only using it for a static page hosted there with a link to the API endpoint. If you needed to list/get s3 objects from the function itself, you would likewise need to include those permissions in your IAM role.

Further Reading:

• AWS Documentation - Granting Permissions Using the Execution Role
• AWS Documentation - Controlling Access to Amazon SES