![](/img/trans.png)
[英]Amazon SES: User is not authorized to perform `ses:SendEmail' on resource
[英]AWS SES: User is not authorized to perform ses:SendEmail on resource
我有以下 Python/boto3 腳本,直接取自AWS 文檔:
import boto3
from botocore.exceptions import ClientError
# Replace sender@example.com with your "From" address.
# This address must be verified with Amazon SES.
SENDER = "mailman@sender.com"
# Replace recipient@example.com with a "To" address. If your account
# is still in the sandbox, this address must be verified.
RECIPIENT = "joe@receiver.com"
# If necessary, replace us-west-2 with the AWS Region you're using for Amazon SES.
AWS_REGION = "eu-central-1"
# The subject line for the email.
SUBJECT = "Amazon SES Test (SDK for Python)"
# The email body for recipients with non-HTML email clients.
BODY_TEXT = ("Amazon SES Test (Python)\r\n"
"This email was sent with Amazon SES using the "
"AWS SDK for Python (Boto).")
# The HTML body of the email.
BODY_HTML = """<html>
<head></head>
<body>
<h1>Amazon SES Test (SDK for Python)</h1>
<p>This email was sent with
<a href='https://aws.amazon.com/ses/'>Amazon SES</a> using the
<a href='https://aws.amazon.com/sdk-for-python/'>
AWS SDK for Python (Boto)</a>.</p>
</body>
</html>
"""
# The character encoding for the email.
CHARSET = "UTF-8"
# Create a new SES resource and specify a region.
client = boto3.client(
'ses', aws_access_key_id='AKIA[REDACTED]', aws_secret_access_key='[REDACTED]',
region_name=AWS_REGION
)
# Try to send the email.
try:
# Provide the contents of the email.
response = client.send_email(
Destination={
'ToAddresses': [
RECIPIENT,
],
},
Message={
'Body': {
'Html': {
'Charset': CHARSET,
'Data': BODY_HTML,
},
'Text': {
'Charset': CHARSET,
'Data': BODY_TEXT,
},
},
'Subject': {
'Charset': CHARSET,
'Data': SUBJECT,
},
},
Source=SENDER,
)
# Display an error if something goes wrong.
except ClientError as e:
print(e.response['Error']['Message'])
else:
print("Email sent! Message ID:"),
print(response['MessageId'])
兩個域(sender.com 和 receiver.com)都在 SES 中進行了驗證; SES 仍處於沙盒模式。 我使用的 AWS 憑證適用於附加了以下策略的用戶(通過其組):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
當我運行腳本時,出現以下錯誤:
User `arn:aws:iam::[REDACTED]:user/[REDACTED]' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:eu-central-1:[REDACTED]:identity/receiver.com'.
當使用相同參數從 AWS 控制台使用“發送測試電子郵件”時,一切都按預期工作。
這里有什么問題?
我的問題是由“強制多因素身份驗證”政策產生的,類似於文檔中的政策; 此策略對控制台和 API 強制執行 MFA(即,當使用長期憑據時)並拒絕任何缺少它的操作:
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
要修復此BoolIfExists
可以更改為Bool
,但也請參閱此答案。
並始終檢查您的所有IAM 政策!
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.