Closed scur-iolus closed 1 month ago
Thanks for the detailed report. I did test the suggested IAM policies before releasing SESv2 support, but it's possible something has changed since then (or that my original tests were wrong somehow).
This error is definitely not related to using/not using EmailMultiAlternatives. Your send_mail() code should work.
You do seem to be running into the "misleading IAM error messages" problem with the SES v2 APIs. (And I'm not sure whether the IAM policy simulator might be subject to the same confusion.)
Could you try this:
ses:SendRawEmail
action, without changing anything else. Give the change a moment to propagate.If 1 fails but 3 succeeds, we'll know Anymail's documentation is wrong. If both 1 and 3 fail, then there's some other problem (e.g., perhaps your test code isn't actually picking up the IAM policy you expected), and the misleading IAM error message is adding to the confusion.
I can confirm 1. fails but 3. succeeds. Actually that's what I had already tested yesterday, sorry if it wasn't clear.
OK, I've reproduced this with Anymail's SES test account. It seems like the permissions for SES v2 are… very confused:
ses:SendRawEmail
action, but not the ses:SendEmail
action. (At least when v2 SendEmail is called with the Content.Raw param, as Anymail does.)ses:SendBulkEmail
and ses:SendBulkTemplatedEmail
actions. (And while ses:SendBulkTemplatedEmail
can use Condition
limits, ses:SendBulkEmail
must be applied to "Resource": "*"
without any conditions.)I can't find any information about specific permissions for the SES API v2 send methods anywhere in the AWS docs. I'm guessing that the v2 API implementations actually call through to the original v1 APIs, and that permission validation occurs in v1.
I'll update Anymail's docs. Sorry for the confusion—I'm certain I had checked those policies when I originally documented SES v2 support in Anymail. And again, thanks for the clear issue report.
I've copy-pasted the AWS permissions suggested here. But when trying to send a basic email with the code below, I get an
AccessDeniedException
. Screenshot of the IAM policy simulator with the config raising the issue:When I update the permissions to add
ses:SendRawEmail
, then everything works as expected. But the doc states "Access toses:SendRawEmail
orses:SendBulkTemplatedEmail
can be removed" in v10 and v11 (see here). Screenshot of the updated settings:At the end of the day, is this
ses:SendRawEmail
permission required or not? Isn't there a mistake in the documentation? Have I misunderstood something?I am aware that "many Django email capabilities — and additional Anymail features — are only available when working with an
EmailMultiAlternatives
object": could it be related to my issue? In that case, I think that the documentation should be more explicit.v11.0
(latest to date)EMAIL_BACKEND = "anymail.backends.amazon_ses.EmailBackend"
(without v2 since it's the default in v11)AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
andAWS_DEFAULT_REGION
are set as environment variables.5.0.6
, requests2.32.3
, Python3.11