`ses:SendRawEmail` permission still required in v11 for Amazon SES when using `django.core.mail.send_mail`?

[scur-iolus]

I've copy-pasted the AWS permissions suggested here. But when trying to send a basic email with the code below, I get an AccessDeniedException. Screenshot of the IAM policy simulator with the config raising the issue:

When I update the permissions to add ses:SendRawEmail, then everything works as expected. But the doc states "Access to ses:SendRawEmail or ses:SendBulkTemplatedEmail can be removed" in v10 and v11 (see here). Screenshot of the updated settings:

At the end of the day, is this ses:SendRawEmail permission required or not? Isn't there a mistake in the documentation? Have I misunderstood something?

I am aware that "many Django email capabilities — and additional Anymail features — are only available when working with an EmailMultiAlternatives object": could it be related to my issue? In that case, I think that the documentation should be more explicit.

• Anymail version: v11.0 (latest to date)
• ESP: Amazon SES (production access granted)
• ANYMAIL settings: EMAIL_BACKEND = "anymail.backends.amazon_ses.EmailBackend" (without v2 since it's the default in v11) AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGION are set as environment variables.
• Versions: Django 5.0.6, requests 2.32.3, Python 3.11
• Error message:

  
  AnymailAPIError: An error occurred (AccessDeniedException) when calling the SendEmail operation: User `arn:aws:iam::XXXXXX:user/my_user' is not authorized to perform `ses:SendRawEmail' on resource `arn:aws:ses:XXXXXX:XXXXXX:identity/mydomain.com'
  botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the SendEmail operation: User `arn:aws:iam::XXXXXX:user/my_user' is not authorized to perform `ses:SendRawEmail' on resource `arn:aws:ses:XXXXXX:XXXXXX:identity/mydomain.com'

- **Code** raising the error:
```python
import django
from django.core.mail import send_mail

django.setup()

send_mail(
    "Test django-anymail x Amazon SES",
    "Here is the message.",
    from_email=None,
    recipient_list=["MY_EMAIL_ADDRESS"],
    fail_silently=False,
    html_message="<h1>Here is the message.</h1>",
)

[medmunds]

Thanks for the detailed report. I did test the suggested IAM policies before releasing SESv2 support, but it's possible something has changed since then (or that my original tests were wrong somehow).

This error is definitely not related to using/not using EmailMultiAlternatives. Your send_mail() code should work.

You do seem to be running into the "misleading IAM error messages" problem with the SES v2 APIs. (And I'm not sure whether the IAM policy simulator might be subject to the same confusion.)

Could you try this:

1. Run your test code to reproduce the failure.
2. Then update the IAM policy used by your test code to allow the ses:SendRawEmail action, without changing anything else. Give the change a moment to propagate.
3. Run your test code again (so it's using the updated IAM policy).

If 1 fails but 3 succeeds, we'll know Anymail's documentation is wrong. If both 1 and 3 fail, then there's some other problem (e.g., perhaps your test code isn't actually picking up the IAM policy you expected), and the misleading IAM error message is adding to the confusion.

[scur-iolus]

I can confirm 1. fails but 3. succeeds. Actually that's what I had already tested yesterday, sorry if it wasn't clear.

[medmunds]

OK, I've reproduced this with Anymail's SES test account. It seems like the permissions for SES v2 are… very confused:

• SES v2 SendEmail requires the ses:SendRawEmail action, but not the ses:SendEmail action. (At least when v2 SendEmail is called with the Content.Raw param, as Anymail does.)
• SES v2 SendBulkEmail requires both of the ses:SendBulkEmail and ses:SendBulkTemplatedEmail actions. (And while ses:SendBulkTemplatedEmail can use Condition limits, ses:SendBulkEmail must be applied to "Resource": "*" without any conditions.)

I can't find any information about specific permissions for the SES API v2 send methods anywhere in the AWS docs. I'm guessing that the v2 API implementations actually call through to the original v1 APIs, and that permission validation occurs in v1.

I'll update Anymail's docs. Sorry for the confusion—I'm certain I had checked those policies when I originally documented SES v2 support in Anymail. And again, thanks for the clear issue report.