SES cross account

0

I am trying to set up SES cross account, and yet it seems that when I call the Lambda function it calls the local SES. The SES I want to use has verified my domain and has granted the authorization for other accounts to access it. However, when I run the Lambda function it seems to use the local SES setup which is sandbox and therefore I get an error that my to email is not verified. Here is my Lambda code:

import boto3
from botocore.exceptions import ClientError


def lambda_handler(event, context):
    # Create a new SES resource and specify a region.
    client = boto3.client('ses', region_name="us-east-2")

    # Try to send the email.
    try:
        # Provide the contents of the email.
        response = client.send_email(
            Destination={
                'ToAddresses': [
                    '<HIDDEN>@<HIDDEN>.com',
                ],
            },
            Message={
                'Body': {
                    'Html': {
                        'Charset': 'UTF-8',
                        'Data': 'This email was sent with Amazon SES.',
                    },
                },
                'Subject': {
                    'Charset': 'UTF-8',
                    'Data': 'Amazon SES Test',
                },
            },
            SourceArn='arn:aws:ses:us-east-2:<HIDDEN>:identity/<HIDDEN>.com',      # I got this ARN from the central SES account I want to use
            ReturnPathArn='arn:aws:ses:us-east-2:<HIDDEN>:identity/<HIDDEN>.com',  # I got this ARN from the central SES account I want to use
            Source='foo@<HIDDEN>.com',
            ReturnPath='foo@<HIDDEN>.com'
        )
    # Display an error if something goes wrong.
    except ClientError as e:
        print(e.response['Error']['Message'])
    else:
        # send_email returns the ID of the accepted message under 'MessageId'.
        print("Email sent! Message ID:", response['MessageId'])
asked 9 months ago · 504 views
2 Answers
0
Accepted Answer

It looks like you are trying to use sending authorization to allow your delegate sender account to send email on behalf of your identity owner account.

In Overview of Amazon SES sending authorization there is a note that:

The AWS account of the delegate sender has to be removed from the sandbox before it can be used to send email to non-verified addresses.

and in Verifying an identity for Amazon SES sending authorization it says:

Before you or the delegate sender can send email to non-verified email addresses, you have to submit a request to have your account removed from the Amazon SES sandbox. For more information, see Moving out of the Amazon SES sandbox.

You said:

it seems to use the local ses setup which is sandbox and therefore I get an error that my to email is not verified.

It seems that you will need to move out of the sandbox in both the identity owner and delegate sender accounts before you will be able to send to unverified email addresses.

answered 9 months ago
  • I believe that is the answer. I have asked to upgrade to production. It would make sense.

0

Emails need to be verified in the account from which the email is being sent via SES. You may need to create an IAM role in the account that the domain is verified in, with the appropriate assume role policy. Then, you configure your Lambda function to assume an IAM role in another AWS account. https://repost.aws/knowledge-center/lambda-function-assume-iam-role

AWS
answered 9 months ago
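
The assume-role approach from the answer above, as an added example that is not part of the original answers or of AWS's own code: the Lambda assumes a role in the identity owner account, confirms which account the resulting credentials act as and whether that account's SES is still sandboxed, and only then sends. The environment variables `SES_ROLE_ARN` and `SES_SOURCE`, the `event["to"]` key, and a role that allows `ses:SendEmail` and `ses:GetAccount` and trusts only the Lambda's execution role are assumptions of this example.

```python
import os

REGION = "us-east-2"  # region used in the question


def owner_session_kwargs(sts_client, role_arn):
    """Assume the role in the identity owner account; return boto3.Session kwargs."""
    creds = sts_client.assume_role(
        RoleArn=role_arn, RoleSessionName="ses-cross-account"
    )["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "region_name": REGION,
    }


def sandbox_report(sts_client, sesv2_client):
    """Report which account the credentials act as and whether its SES is sandboxed."""
    account = sts_client.get_caller_identity()["Account"]
    production = sesv2_client.get_account()["ProductionAccessEnabled"]
    return {"account": account, "sandbox": not production}


def send_from_owner_account(session, source, to_address):
    """Send via the SES of the account behind `session`; refuse if it is sandboxed."""
    report = sandbox_report(session.client("sts"), session.client("sesv2"))
    if report["sandbox"]:
        raise RuntimeError(f"SES in account {report['account']} is still in the sandbox")
    response = session.client("ses").send_email(
        Source=source,
        Destination={"ToAddresses": [to_address]},
        Message={
            "Subject": {"Charset": "UTF-8", "Data": "Amazon SES Test"},
            "Body": {"Html": {"Charset": "UTF-8", "Data": "Sent with Amazon SES."}},
        },
    )
    return {"account": report["account"], "message_id": response["MessageId"]}


def lambda_handler(event, context):
    import boto3  # imported here so the helpers above can be exercised with stub clients

    # SES_ROLE_ARN, SES_SOURCE and event["to"] are names assumed for this example.
    kwargs = owner_session_kwargs(boto3.client("sts"), os.environ["SES_ROLE_ARN"])
    session = boto3.Session(**kwargs)
    return send_from_owner_account(session, os.environ["SES_SOURCE"], event["to"])
```

Logging the account ID from `sandbox_report` shows directly whether a call is landing in the local account or in the central one.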
