User `arn:aws:sts::427373581819:assumed-role/amazon-workmail-mailing-agent-us-east-1/...' is not authorized to perform `ses:SendRawEmail' on resource

Question

My email service suddenly stopped working today. I have not changed my authorization policies. I can still receive email, but get the error below when sending:

` User arn:aws:sts::427373581819:assumed-role/amazon-workmail-mailing-agent-us-east-1/aws-workmail.example.com' is not authorized to perform ses:SendRawEmail on resource`

I have granted SendRawEmail permissions to `arn:aws:iam::427373581819:user/amazon-workmail-us-east-1` and it still does not work.

robinkaws · Answer

Hi,

I'm sorry to hear you're experiencing problems sending mail from your Workmail organization. The problem is that the required policy on your domain that allows WorkMail to send email with your domain was removed.

There is an easy fix for this: Add your domain again in the WorkMail console. No need to remove it first. Adding the domain again will trigger checks to correct any problems. This will fix the missing policy on your domain.

Kind regards,
Robin

halkony · Answer

I found a temporary workaround. I added a policy with the "AWS" principal set to "*", like so:

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*" // this is the line you will have to change
            },
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Resource": ...  // your domain ARN here
        }
    ]
}
```

This seems like poor security to me. Does anyone have an alternative solution?

User `arn:aws:sts::427373581819:assumed-role/amazon-workmail-mailing-agent-us-east-1/...' is not authorized to perform `ses:SendRawEmail' on resource

Add your answer

Relevant content