Why would this policy not work?

Question

I have added a policy in which I've allowed a service acct identity to use VerifyDomainDkim. The gist of the permission=
            "Effect": "Allow",
            "Action": "ses:VerifyDomainDkim",
            "Resource": "arn:aws:ses:*:[acct-number]:identity/*"
I am using the same policy to VerifyEmailIdentity and to SendEmails. Those are working but VerifyDomainDkim is not. Using the .Net SDK, I get (One or more errors occurred. (User: arn:aws:iam::[acct-number]:user/[serviceacct] is not authorized to perform: ses:VerifyDomainDkim because no identity-based policy allows the ses:VerifyDomainDkim action))

Answer

Based on https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html#amazonses-identity it looks like the syntax for identity resource is 
arn:${Partition}:ses:${Region}:${Account}:identity/${IdentityName}
and I noticed yours is
"arn:aws:ses::acct-number:identity/"

Why would this policy not work?

相關內容