arithmetric / aws-lambda-ses-forwarder

Serverless email forwarding using AWS Lambda and SES
MIT License

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, #106

Closed Zyles closed 5 years ago

Zyles commented 5 years ago

The policy on the tutorial does not work.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "GiveSESPermissionToWriteEmail",
         "Effect": "Allow",
         "Principal": {
            "Service": "ses.amazonaws.com"
         },
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::S3-BUCKET-NAME/*",
         "Condition": {
            "StringEquals": {
               "aws:Referer": "AWS-ACCOUNT-ID"
            }
         }
      }
   ]
}

zmingxie commented 5 years ago

You need to update the following 2 lines to match your own account setup:

 "Resource": "arn:aws:s3:::S3-BUCKET-NAME/*",

and

"aws:Referer": "AWS-ACCOUNT-ID"

Zyles commented 5 years ago

I did, that is not the problem.

zmingxie commented 5 years ago

Which AWS region are you trying this from?

bmizepatterson commented 5 years ago

I'm also having issues with the S3 bucket policy given in the docs. My SES rules successfully write incoming mail to the bucket, but the lambda function gets an 'Access Denied' error when trying to fetch it. The policy given appears to grant PutObject access to SES. Doesn't Lambda need GetObject access as well?

Further Reading:

AWS Access Policy Language Overview
AWS Services That Work with IAM
AWS Lambda Permissions

bmizepatterson commented 5 years ago

Never mind! In my case the 403 Access Denied error was masking a 404 Not Found. Turns out I had a typo in my config that had it searching the wrong key prefix.

Since the Lambda role doesn't grant ListBucket access, S3 returns a 403 instead of a 404 when the object it's requesting isn't found.

Regarding permissions: I realize now that GetObject access is granted to the Lambda function within the IAM role assigned to it, so it's not necessary to duplicate that grant within the S3 bucket policy.
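An added example, not code from the aws-lambda-ses-forwarder project or from any commenter in this thread, that models the two points raised above: the console error in the issue title, "Has prohibited field Principal", which is what IAM reports when the tutorial's bucket policy (resource-based, so every statement carries a Principal) is pasted into the Lambda execution role's policy (identity-based, where Principal is not allowed); and the 403-versus-404 behaviour described in the previous comment, where S3 reports a missing object as 404 only when the caller also holds s3:ListBucket on the bucket ARN. It is a stand-alone Node.js script with no AWS calls; the bucket name, account id, role policies and stored keys are constructed placeholders. The bucket policy keeps the tutorial's aws:Referer condition as posted; note that the current SES receiving documentation expresses the same account pin with AWS:SourceAccount (and AWS:SourceArn) instead.

```javascript
// Added example for this thread, not code from aws-lambda-ses-forwarder.
// It models two things seen above:
//  1. the IAM console error "Has prohibited field Principal", produced when a
//     *bucket* policy (resource-based, carries Principal) is pasted into an
//     IAM *role* policy (identity-based, must not carry Principal);
//  2. S3's GetObject status codes: a missing key is reported as 404 only if the
//     caller also holds s3:ListBucket on the bucket, otherwise as 403.
// Bucket, account id, role policies and keys below are constructed placeholders.

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Where can this document be attached? Principal is the tell: every statement
// of a resource policy has one, no statement of an identity policy does.
function policyKind(policy) {
  const stmts = asArray(policy.Statement);
  const n = stmts.filter((s) => "Principal" in s || "NotPrincipal" in s).length;
  if (n === 0) return "identity";
  if (n === stmts.length) return "resource";
  return "mixed";
}

// Emulate the console's placement check. attachTo is "identity" (IAM role,
// user or group policy) or "resource" (S3 bucket policy). null means it fits.
function placementError(policy, attachTo) {
  const kind = policyKind(policy);
  if (attachTo === "identity" && kind !== "identity") return "Has prohibited field Principal";
  if (attachTo === "resource" && kind !== "resource") return "Missing required field Principal";
  return null;
}

// IAM-style glob: "*" matches any run, "?" one character, all else literal.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

// Does an identity policy allow `action` on `resource`? An explicit Deny wins.
// Condition blocks are ignored on purpose: this is about Action/Resource shape.
function allows(policy, action, resource) {
  let allowed = false;
  for (const s of asArray(policy.Statement)) {
    const actionHit = asArray(s.Action).some((a) => globToRegExp(a).test(action));
    const resourceHit = asArray(s.Resource).some((r) => globToRegExp(r).test(resource));
    if (!actionHit || !resourceHit) continue;
    if (s.Effect === "Deny") return false;
    if (s.Effect === "Allow") allowed = true;
  }
  return allowed;
}

// Status S3 returns for GetObject by a caller whose only grants are rolePolicy.
// existingKeys stands in for the bucket's contents.
function getObjectStatus(rolePolicy, bucket, key, existingKeys) {
  if (!allows(rolePolicy, "s3:GetObject", `arn:aws:s3:::${bucket}/${key}`)) return 403;
  if (existingKeys.includes(key)) return 200;
  // Missing object: 404 only when the caller may list the bucket, else 403,
  // so a typo in the key prefix looks like a permissions problem.
  return allows(rolePolicy, "s3:ListBucket", `arn:aws:s3:::${bucket}`) ? 404 : 403;
}

// --- Constructed samples (placeholder bucket name and account id) ---
const BUCKET = "example-mail-bucket";

// The tutorial's bucket policy with its placeholders filled in.
const bucketPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Sid: "GiveSESPermissionToWriteEmail",
    Effect: "Allow",
    Principal: { Service: "ses.amazonaws.com" },
    Action: "s3:PutObject",
    Resource: `arn:aws:s3:::${BUCKET}/*`,
    Condition: { StringEquals: { "aws:Referer": "111122223333" } },
  }],
};

// Constructed Lambda execution role policy: object access only, no ListBucket.
const roleWithoutList = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: `arn:aws:s3:::${BUCKET}/*` }],
};

// Same role plus ListBucket on the bucket ARN itself (not bucket/*).
const roleWithList = {
  Version: "2012-10-17",
  Statement: [
    ...roleWithoutList.Statement,
    { Effect: "Allow", Action: "s3:ListBucket", Resource: `arn:aws:s3:::${BUCKET}` },
  ],
};

const stored = ["emails/abc123"]; // key SES wrote under the prefix "emails/"

function report() {
  return {
    pasteIntoRole: placementError(bucketPolicy, "identity"),  // "Has prohibited field Principal"
    attachToBucket: placementError(bucketPolicy, "resource"), // null: the bucket policy's correct home
    rightKey: getObjectStatus(roleWithoutList, BUCKET, "emails/abc123", stored), // 200
    typoNoList: getObjectStatus(roleWithoutList, BUCKET, "email/abc123", stored), // 403: masks the typo
    typoWithList: getObjectStatus(roleWithList, BUCKET, "email/abc123", stored),  // 404: reveals it
  };
}

console.log(report());
```

Running it shows the console error reproduced only for the identity placement, and the same mistyped key coming back as 403 under the GetObject-only role and 404 once ListBucket on the bucket ARN is added; granting ListBucket is what makes the "typo in the key prefix" case diagnosable without re-reading config.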

Zyles commented 5 years ago

Got it to work.

planetahuevo commented 4 years ago

Can someone explain how you sorted this out? I am having the same issue. Thanks