Getting 403 error when trying to sendTemplatedEmail for template arn


Here is the policy for which I get a 403 error when I try to send email from account X on behalf of Y. Account Y has both the identity and the template. X is able to access the identity but not the template. This policy is added to the Lambda in account X:

{
  "Effect": "Allow",
  "Action": ["ses:SendTemplatedEmail", "ses:SendEmail"],
  "Resource": [
    "arn:aws:ses:${region}:${account_Y}:identity/${email_identity}",
    "arn:aws:ses:${region}:${account_Y}:template/TEMPLATE"
  ]
}

asked 5 months ago, 184 views
1 Answer

It's challenging to identify the root cause of the issue without having the specifics of your setup in both accounts. But typically, to authorize another account (Account X) to send emails on behalf of the identity that you own in another account (Account Y) you need to follow the Sending Authorization Process. This process relies on sending authorization policies. To enable a delegate sender to send emails on your behalf, you create a sending authorization policy and associate it with your identity using either the Amazon SES console or API. When the delegate sender attempts to send an email through Amazon SES on your behalf, the delegate sender passes the ARN of your identity in the request or in the header of the email.

When Amazon SES receives the request to send the email, it checks your identity's policy (if present) to determine if you have authorized the delegate sender to send on the identity's behalf. If the delegate sender is authorized, Amazon SES accepts the email; otherwise, Amazon SES returns an error message.

As a first step in troubleshooting, I recommend ensuring that you have followed the steps outlined in the following blog post:

AWS
answered 4 months ago
reviewed 4 months ago
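
The sending authorization policy described in the answer, as an added example that is not part of the original answer and is not AWS code: it builds the resource-based policy that Account Y would attach to its identity and runs a simplified pre-flight check that the delegate account, action and identity ARN are covered. The account IDs, region and address are constructed sample values, the function names are hypothetical, and the check matches exact strings only (no wildcards, Deny statements or Condition keys).

```python
import json

# Constructed sample values (not from the original question).
ACCOUNT_X = "111111111111"   # delegate sender (runs the Lambda)
ACCOUNT_Y = "222222222222"   # identity owner
IDENTITY_ARN = f"arn:aws:ses:us-east-1:{ACCOUNT_Y}:identity/sender@example.com"

def build_sending_authorization_policy(identity_arn, delegate_account, actions):
    """Resource-based policy that Account Y attaches to its SES identity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowDelegateSender",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{delegate_account}:root"},
            "Action": sorted(actions),
            "Resource": identity_arn,
        }],
    }

def _as_list(value):
    # Policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def delegate_is_authorized(policy, delegate_account, action, identity_arn):
    """Pre-flight lint: exact match only; ignores wildcards, Deny and Condition."""
    accepted = {delegate_account, f"arn:aws:iam::{delegate_account}:root"}
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and accepted & set(aws)
                and action in _as_list(stmt.get("Action", []))
                and identity_arn in _as_list(stmt.get("Resource", []))):
            return True
    return False

if __name__ == "__main__":
    policy = build_sending_authorization_policy(
        IDENTITY_ARN, ACCOUNT_X, {"ses:SendEmail", "ses:SendTemplatedEmail"})
    print(json.dumps(policy, indent=2))
    print(delegate_is_authorized(
        policy, ACCOUNT_X, "ses:SendTemplatedEmail", IDENTITY_ARN))
```

The IAM policy on the Lambda role in Account X is still required in addition to this identity policy in Account Y.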
