How to Give Amazon SES Permission to Write to Your Amazon S3 Bucket
I want my AWS SES to be able to receive emails, so I followed this tutorial: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-getting-started-receipt-rule.html

When I am at the last step, creating the rule, it comes back with the following error: Could not write to bucket: "email-receiving"

I googled and found that the information at http://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html can fix the issue.

However, when adding my policy statement, it comes back with an error: This policy contains the following error: Has prohibited field Principal. For more information about the IAM policy grammar, see AWS IAM Policies.

My policy statement is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveSESPermissionToWriteEmail",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ses.amazonaws.com"
                ]
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::mybulketname/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "my12accountId"
                }
            }
        }
    ]
}

If I take off

    "Principal": { "Service": [ "ses.amazonaws.com" ] }

the policy validation passes.

Thanks

Prospective answered 24/1, 2017 at 3:0 Comment(2)
Where are you trying to create this policy? – Ulcerate
In the IAM. The problem has been fixed. The policy should be created on the bucket on S3, not in the IAM. – Prospective
20

Find bucket -> Permissions -> Bucket Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "111122223333",
                    "AWS:SourceArn": "arn:aws:ses:region:111122223333:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name"
                }
            }
        }
    ]
}

Read more here: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html

To find your AWS account ID number on the AWS Management Console, choose Support on the navigation bar on the upper-right, and then choose Support Center. Your currently signed-in account ID appears in the upper-right corner below the Support menu.

Read more here: https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html

Unwept answered 28/6, 2018 at 1:16 Comment(7)
This solution worked for me, however it did take me some time to get right. After noticing others mention that removing the Condition section works, I determined this is where my error was. In fact, the issue was using dashes in my account ID. Do not enter your account ID into the policy formatted like this: "aws:Referer": "####-####-####-####". Instead, enter the account ID without dashes, like this: "aws:Referer": "################". – Genie
The link that I provide for Finding Your AWS Account ID does show the account ID without dashes. Where did you find it with dashes? – Unwept
Sure, the link shows an account ID without dashes, but if you're the account owner (and not under an alias) and follow the instructions at the link to find your ID within the AWS web console, it displays your ID with dashes. – Genie
I'm the account owner and I follow the instructions that I put in the answer and I see my account number without any dashes; however, it is not in the upper-right corner, it is rather in the upper-left corner, but the image in the documentation is the same as in reality. – Unwept
I see what happened now. I was not following your instructions to find my account ID. Instead I was following some AWS documentation that led me here: docs.aws.amazon.com/general/latest/gr/acct-identifiers.html Notice that the section titled Finding Your AWS Account ID describes a different method to find your account ID than your instructions. The account ID obtained following the instructions I linked contains dashes. Sorry for the confusion, but at least this is all documented now! ;) – Genie
Thank you. Glad my answer worked for you even if you did not follow it :) – Unwept
Thanks @Yevgeniy. Note to others that if you get this error: Error: Action does not apply to any resource(s) in statement, then you need to add the /* to the Resource string, as shown in the answer above. When I generated my policy from scratch, I missed the fact that you must specify a key_name, which can just be a * wildcard. – Chough
8

I followed this advice but I was still having the issue. After much debugging, I realized that SES was failing to write because I had default server-side encryption (on the bucket) set to "AWS-KMS".

I did a 5-minute Google search and couldn't find this incompatibility documented anywhere.

You can work around this by updating your default encryption setting on the target bucket to either "AES-256" or "None".

Gittern answered 27/3, 2019 at 21:15 Comment(4)
This! This was the issue that I was seeing. Thank you for making this note. – Thomasson
Got to the same issue today. Thx for mentioning. – Pyrrho
This did it for me. The example on the HashiCorp site mentions KMS, and is probably the cause of many people failing. – Guillot
This was a life saver, thank you! – Viniculture
0

This problem has been resolved.
Create the policy on the bucket you want to grant the SES permission to, not in the IAM.

Prospective answered 25/1, 2017 at 3:38 Comment(0)
0

Note: I continued to have this error even after correctly specifying permissions. If you are using cross-region (e.g. SES is in N. Virginia and the S3 bucket is in Africa), then you either need to specify the bucket name with the region or else just make the bucket in the same region.

Dramatize answered 19/1, 2021 at 10:5 Comment(0)
0

I also encountered the same issue. In my case, SES lacked permission to access the KMS key for the bucket:

https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html#receiving-email-permissions-s3

Weatherman answered 12/8 at 23:36 Comment(0)
-2

I have the same problem; if I just delete the "Condition", the policy passes and the "RuleSet" is OK:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveSESPermissionToWriteEmail",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybulketname/*"
        }
    ]
}

Urochrome answered 3/4, 2018 at 18:27 Comment(3)
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowSESPuts", "Effect": "Allow", "Principal": { "Service": "ses.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::mybulketname/*", "Condition": { "StringEquals": { "aws:Referer": "myIdAccount" } } } ] } – Urochrome
This /* in the Resource field is critical. – Unwept
Removing the condition is not a good idea, as it allows others in different accounts to configure SES to add things to your bucket... this could happen if someone typos a bucket name. – Gittern
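The accepted answer's bucket policy and the comment threads above (the missing Principal, the required `/*` on the Resource, the dashed account ID, and the risk of dropping the Condition entirely) all come down to a handful of checks on one JSON document. The script below is an added example, not code from any of the posts; it lints a policy offline against exactly those points, and the sample policy and its account ID are constructed.

```python
# Added example, not from the original posts: an offline lint for the S3 bucket
# policy that lets SES write received mail, checking the points raised above
# (Service principal, object-level Resource, account Condition without dashes).
import json
import re

SES_SERVICE = "ses.amazonaws.com"
ACCOUNT_ID = re.compile(r"^\d{12}$")  # policies take the account ID without dashes


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return [value] if isinstance(value, str) else list(value or [])


def lint_ses_bucket_policy(policy_json: str) -> list[str]:
    """Return the problems found; an empty list means the policy looks right."""
    problems = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal") if isinstance(stmt.get("Principal"), dict) else {}
        if SES_SERVICE not in _as_list(principal.get("Service")):
            problems.append("Principal must be the service ses.amazonaws.com")
        if "s3:PutObject" not in _as_list(stmt.get("Action")):
            problems.append("Action must include s3:PutObject")
        for res in _as_list(stmt.get("Resource")):
            # A bucket-only ARN gives "Action does not apply to any resource(s)".
            if not res.startswith("arn:aws:s3:::") or "/" not in res:
                problems.append(f"Resource {res!r} must be object-level, e.g. arn:aws:s3:::bucket/*")
        # Condition keys are case-insensitive: AWS:SourceAccount == aws:SourceAccount.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        cond = {k.lower(): v for k, v in equals.items()}
        account = cond.get("aws:sourceaccount", cond.get("aws:referer"))
        if account is None:
            problems.append("No account Condition: any AWS account could point an SES rule at this bucket")
        elif not ACCOUNT_ID.match(str(account)):
            problems.append(f"Account ID {account!r} must be 12 digits with no dashes")
    return problems


# Constructed sample in the shape of the accepted answer, but with a dashed ID.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowSESPuts", "Effect": "Allow",
    "Principal": {"Service": "ses.amazonaws.com"}, "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::BUCKET_NAME/*",
    "Condition": {"StringEquals": {"AWS:SourceAccount": "1111-2222-3333"}}}]})

if __name__ == "__main__":
    for problem in lint_ses_bucket_policy(SAMPLE_POLICY):
        print("-", problem)  # one finding: the dashed account ID
```

Run it against the policy you are about to paste into the bucket; an empty result means the statement has the shape the accepted answer shows, while a bare bucket ARN, a dashed ID or a missing Condition each produce a named finding.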
