如果没有针对所有域的 IAM 策略设置，则无法使用 AWS SES 和 Rails 的 Action Mailer 发送电子邮件

Question

I want to send emails using AWS SES via Action Mailer in Ruby on Rails (v6). AWS provides aws-sdk-rails gem, and it makes to be easy to configure using SES, but I realized that it needs sendable permissions such as ses:SendEmail to ALL domains in SES.

# config/initializers/aws-sdk.rb
Aws.config[:credentials] = Aws::Credentials.new(ENV["AWS_ACCESS_KEY_ID"], ENV["AWS_SECRET_ACCESS_KEY"])

Aws::Rails.add_action_mailer_delivery_method(:aws_sdk, region: "us-east-1")
Rails.application.config.action_mailer.delivery_method = :aws_sdk

# app/mailers/application_mailer.rb
class ApplicationMailer < ActionMailer::Base
  default from: "info@example.com"
end

An AWS IAM User has the following policy, which allows to send emails from only example.com domain.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:xxxxxxxxxxxx:identity/example.com"
      ],
      "Effect": "Allow"
    }
  ]
}

But I got an error like the following when workers send emails.

ERROR: Processor failed: User `arn:aws:iam::xxxxxxxxxxxx:user/my-group/my-iam-user' is not authorized to perform `ses:SendRawEmail' on resource `arn:aws:ses:us-east-1:xxxxxxxxxxxx:identity/other-domain.com'

I think the SDK verifies whether all domains have sendable permissions by default, but I couldn't find to specify a target domain. What should I do?

Answer 1

This is caused as a result of the domain being in a sandbox account. Within the SES documentation the following states are identified:

• You can only send mail to verified email addresses and domains, or to the Amazon SES mailbox simulator.
• You can only send mail from verified email addresses and domains.

To send emails to any email address you need to move your from domain(s) out of sandbox mode .