Access Denied for SES::SendMail


#1

I’m trying to send an email from a function. Everything works fine locally (sls webpack invoke -f crawl) but after deployment, I find this error in the logs:

Error: AccessDenied: User `arn:aws:sts::812426996283:assumed-role/aws-nodejs-ecma-script-dev-eu-west-1-lambdaRole/aws-nodejs-ecma-script-dev-crawl' is not authorized to perform `ses:SendEmail' on resource `myResource'

serverless.yml

iamRoleStatements:
      - Effect: 'Allow'
        Action:
          - "ses:SendEmail"
        Resource:
          "myResource"

What am I missing here? The configuration seems to be correct. The specified profile is attached to AdministratorAccess policy.


#2

Hey @doque, where is your iamRoleStatements in serverless.yml? It’s supposed to be a field under provider, rather than a top-level block.

E.g.:

provider:
  iamRoleStatements:
    - Effect: 'Allow'
      Action:
        - "ses:SendEmail"
      Resource:
        "myResource"

If that doesn’t help, can you share more of your serverless.yml?


#3

Thank you! That was indeed it.


#4

Even better would be to define this on a function level, since probably not all of your functions need this role.