Reputation: 321
I want my SES (AWS) to be able to receive emails, so I followed this tutorial: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-getting-started-receipt-rule.html
When I got to the last step, creating the rule, I got the following error: Could not write to bucket: "email-receiving"
I googled and found that the information at http://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html can fix the issue.
However, when I add my policy statement, I get an error: This policy contains the following error: Has prohibited field Principal. For more information about the IAM policy grammar, see AWS IAM Policies.
My policy statement is,
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveSESPermissionToWriteEmail",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ses.amazonaws.com"
                ]
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::mybulketname/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "my12accountId"
                }
            }
        }
    ]
}
If I take out
"Principal": { "Service": [ "ses.amazonaws.com" ] }
policy validation passes.
Thanks
Upvotes: 16
Views: 13408
Reputation: 41360
Find bucket->permission->bucketPolicy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "111122223333",
                    "AWS:SourceArn": "arn:aws:ses:region:111122223333:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name"
                }
            }
        }
    ]
}
Read more here https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html
To find your AWS account ID number on the AWS Management Console, choose Support on the navigation bar on the upper-right, and then choose Support Center. Your currently signed-in account ID appears in the upper-right corner below the Support menu.
Read more here https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html
Upvotes: 21
Reputation: 4419
I also encountered the same issue. In my case, SES lacked permission to access the KMS key for the bucket:
Upvotes: 0
Reputation: 2369
Note, I continued to have this error even after correctly specifying permissions. If you are using cross-region (e.g. SES is in N Virginia and S3 Bucket is in Africa) then you either need to specify the bucket name with the region or else just make the bucket in the same region.
Upvotes: 0
Reputation: 11
I have the same problem. If I delete only the "Condition", the policy passes and the "RuleSet" is OK:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveSESPermissionToWriteEmail",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybulketname/*"
        }
    ]
}
Upvotes: -2
Reputation: 8097
I followed this advice but I was still having the issue. After much debugging, I realized that SES was failing to write because I had default server-side encryption (on the bucket) set to "AWS-KMS".
I did a 5-minute Google search and couldn't find this incompatibility documented anywhere.
You can work around this by updating your default encryption setting on the target bucket to either "AES-256" or "None".
Upvotes: 9
Reputation: 321
This problem has been resolved.
Create the policy on the bucket you want to grant SES permission to, not in IAM.
Upvotes: 0
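A check that tells apart the bucket policies posted in this thread, as an added example that is not part of any answer or of AWS's own tooling: it flags an SES statement that carries no account or rule condition, and a policy that has no SES service principal at all. The function name, finding codes and sample policies are constructed for illustration.

```python
import json

SES = "ses.amazonaws.com"
# Condition keys seen on this page that restrict the grant to one account or rule.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:referer"}

def as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_ses_bucket_policy(policy_text):
    """Return finding codes for a bucket policy meant to let SES store mail."""
    policy = json.loads(policy_text)
    findings, ses_grants = [], 0
    for stmt in as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SES not in services:
            continue
        ses_grants += 1
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            findings.append(f"{sid}: missing-putobject")
        # Condition key names are case-insensitive; gather them across all operators.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & SCOPING_KEYS:
            # The grant is not tied to one account or receipt rule.
            findings.append(f"{sid}: unscoped-ses-grant")
    if ses_grants == 0:
        # Covers the question's workaround of deleting "Principal" to pass validation.
        findings.append("no-ses-principal")
    return findings

# Constructed samples modelled on the policies posted above (placeholder bucket and account).
BASE = {"Sid": "AllowSESPuts", "Effect": "Allow",
        "Principal": {"Service": "ses.amazonaws.com"},
        "Action": "s3:PutObject", "Resource": "arn:aws:s3:::BUCKET_NAME/*"}
COND = {"Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"}}}

def sample(stmt):
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

SCOPED = sample({**BASE, **COND})
UNSCOPED = sample(BASE)
NO_PRINCIPAL = sample({k: v for k, v in BASE.items() if k != "Principal"})

if __name__ == "__main__":
    for name, doc in [("scoped", SCOPED), ("unscoped", UNSCOPED), ("no principal", NO_PRINCIPAL)]:
        print(name, lint_ses_bucket_policy(doc))
```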