I have a lambda function, which is being deployed by Serverless. The Servlerless Framework user is called “Serverless-user”, and the function deploys without error. I believe I have set the permissions for the Serverless-user account correctly, and from what I can see everything deploys fine.
The lambda function needs to send an email, so I have added the following to the serverless.yml file:
- Effect: “Allow”
Action:
- ses:SendEmail
- ses:SendRawEmail
When the function runs, I receive an error:
AccessDenied: User arn:aws:iam::1234:user/serverless-user' is not authorized to perform ses:SendEmail’.
It seems like the function is running with the credentials of the Serverless-user and not the lambda-execution role.
I have confirmed that the execution role has been successfully created and attached to the function. The role has the appropriate permissions.
If I grant Serverless-user the same SES permissions as the lambda role, then the error goes away and the function works fine, but I thought it should work with the permissions being set at the execution role level only.