Lambda function permissions not reflecting execution role

I have a lambda function, which is being deployed by Serverless. The Serverless Framework user is called “Serverless-user”, and the function deploys without error. I believe I have set the permissions for the Serverless-user account correctly, and from what I can see everything deploys fine.

The lambda function needs to send an email, so I have added the following to the serverless.yml file:
- Effect: "Allow"
  Action:
    - ses:SendEmail
    - ses:SendRawEmail

When the function runs, I receive an error:
AccessDenied: User `arn:aws:iam::1234:user/serverless-user' is not authorized to perform `ses:SendEmail'.

It seems like the function is running with the credentials of the Serverless-user and not the lambda-execution role.

I have confirmed that the execution role has been successfully created and attached to the function. The role has the appropriate permissions.

If I grant Serverless-user the same SES permissions as the lambda role, then the error goes away and the function works fine, but I thought it should work with the permissions being set at the execution role level only.

The IAM user I use as the Visual Studio AWS profile seems to need certain permissions to do this, but I couldn’t find which these were. I’ve ended up giving this user the ‘AdministratorAccess’ policy for now until I get it figured out. Probably overkill and dangerous, but I’m just playing with the free tier for now.
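
One way to read the principal out of the AccessDenied message quoted above, as an added example that is not part of the original post: a Lambda execution role shows up as an sts assumed-role ARN, while an iam user ARN means the request was signed with that user's long-lived access keys. The role name example-lambdaRole, the function name example-fn and the second sample message are constructed for illustration.

```python
import re

Q = "`'\"‘’“”"  # quote characters AWS uses, plus the "smart" forms copies often contain
DENIED = re.compile(
    rf"User:?\s+[{Q}]?(?P<arn>arn:[^\s{Q}]+)[{Q}]?\s+"
    rf"is not authorized to perform:?\s+[{Q}]?(?P<action>[\w-]+:[\w*]+)"
)

def classify_principal(arn):
    """Split a caller ARN into the kind of identity that signed the request."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    service, account, resource = parts[2], parts[4], parts[5]
    kind, _, rest = resource.partition("/")
    if service == "sts" and kind == "assumed-role":
        # assumed-role/<role name>/<session name>; Lambda uses the function name as session
        role, _, session = rest.partition("/")
        return {"kind": "assumed-role", "account": account, "name": role, "session": session}
    if service == "iam" and kind == "user":
        # IAM users may carry a path (user/path/name); the name is the last segment.
        return {"kind": "iam-user", "account": account,
                "name": rest.rsplit("/", 1)[-1], "session": None}
    return {"kind": "other", "account": account, "name": resource, "session": None}

def diagnose(message, expected_role):
    """Report which identity was denied and whether it is the expected execution role."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("no AccessDenied principal found in message")
    who = classify_principal(m.group("arn"))
    if who["kind"] == "iam-user":
        verdict = "signed with an IAM user's long-lived access keys, not a role"
    elif who["kind"] == "assumed-role" and who["name"] == expected_role:
        verdict = "execution role in use; its policy does not allow the action"
    elif who["kind"] == "assumed-role":
        verdict = "a different role than expected signed the request"
    else:
        verdict = "unrecognised principal type"
    return {**who, "action": m.group("action"), "verdict": verdict}

# Message from the post, with the quote characters as they appear there.
FROM_POST = ("AccessDenied: User arn:aws:iam::1234:user/serverless-user' "
             "is not authorized to perform ses:SendEmail’.")
# Constructed message: a denial issued against the execution role itself.
CONSTRUCTED = ("AccessDenied: User `arn:aws:sts::1234:assumed-role/example-lambdaRole/example-fn' "
               "is not authorized to perform `ses:SendEmail'")

if __name__ == "__main__":
    for msg in (FROM_POST, CONSTRUCTED):
        print(diagnose(msg, expected_role="example-lambdaRole"))
```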