arithmetric / aws-lambda-ses-forwarder

Serverless email forwarding using AWS Lambda and SES
MIT License

copyObject() returned error AccessDenied #129

Open andy1723 opened 3 years ago

andy1723 commented 3 years ago

Hello,

I have a forwarder set up and SES can receive an email that goes to S3; however, it gives an error trying to actually forward it from S3.

I've got the following:

2020-12-20T02:31:20.643Z ba3e963c-5f0b-4ced-b76c-1317e4e9d726

INFO {
level: 'error',
message: 'copyObject() returned error:',
error: AccessDenied: Access Denied
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:700:35)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request. (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
at Request. (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
code: 'AccessDenied',
region: null,
time: 2020-12-20T02:31:20.585Z,
requestId: 'F25E4F498D1C6244',
extendedRequestId: 'K2IliBX/07z9D+KGHNV9lLBuui5SYlNBrM7A+qJc4DEaouD+p8sLmZpWF84Go50SUCgkJbIoYw4=',
cfId: undefined,
statusCode: 403,
retryable: false,
retryDelay: 83.20931364167198 },
stack: 'AccessDenied: Access Denied\n' +
' at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:700:35)\n' +
' at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)\n' +
' at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)\n' +
' at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)\n' +
' at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)\n' +
' at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)\n' +
' at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10\n' +
' at Request. (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)\n' +
' at Request. (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)\n' +
' at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)'}

my function config:

```javascript
var defaultConfig = {
  fromEmail: "zzz@mydns.com",
  subjectPrefix: "",
  emailBucket: "ses-forwarding-bucket",
  emailKeyPrefix: "emails/",
  allowPlusSign: true,
  forwardMapping: {
    "zzz@mydns.com": [
      "my@gmail.com"
    ]
  }
};
```

function resource-based policy:

```json
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "allowSesInvoke",
      "Effect": "Allow",
      "Principal": { "Service": "ses.amazonaws.com" },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:77777777777:function:SesForwarder",
      "Condition": { "StringEquals": { "AWS:SourceAccount": "77777777777" } }
    }
  ]
}
```

lambda basic execution role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::ses-forwarding-bucket/*"
    }
  ]
}
```

S3 permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSESPuts",
      "Effect": "Allow",
      "Principal": { "Service": "ses.amazonaws.com" },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::ses-forwarding-hlw/*",
      "Condition": { "StringEquals": { "aws:Referer": "484134253961" } }
    }
  ]
}
```

Any advice on how to troubleshoot will be appreciated.

Cillu commented 3 years ago

Hey, I'm not sure if you still need help with this, but I was also stuck on the same thing and it turns out it was because I deleted the 'emailKeyPrefix' attribute within index.js. Please refer to this old thread here: https://github.com/arithmetric/aws-lambda-ses-forwarder/issues/64#issuecomment-331426071

andy1723 commented 3 years ago

Hi Cillu. Hey, thanks for posting this. I have my 'emailKeyPrefix' in place, and I've tried it empty as well as with "mail /" to no avail. Must be something else. Thank you anyway.

ds00424 commented 3 years ago

I had the same copyObject Access Denied issue. Turns out that in the policy for the Lambda role, I forgot to put in my S3 bucket name. Once I fixed that, it worked (well, I moved on to the next issue having to do with still being sandboxed). HTH.

davidbeckonline commented 3 years ago

Politely reviving this thread: I am running into the issue described. Permissions for S3 and Lambda seem to be in line with the documentation. Attached below.

Any other ideas what might be causing this issue?

===

1/ Config Section:

```javascript
var defaultConfig = {
  fromEmail: "mail@some.one",
  subjectPrefix: "",
  emailBucket: "some-bucket-email",
  emailKeyPrefix: "emailsPrefix/",
  allowPlusSign: true,
  forwardMapping: {
    "mail@some.one": [
      "someone@gmail.com"
    ]
  }
};
```


2/ Policy for Lambda Execution Role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::some-bucket-email/*"
    }
  ]
}
```


3/ S3 Bucket Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GiveSESPermissionToWriteEmail",
      "Effect": "Allow",
      "Principal": { "Service": "ses.amazonaws.com" },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::some-bucket-email/*",
      "Condition": { "StringEquals": { "aws:Referer": "123123123123" } }
    }
  ]
}
```

ds00424 commented 3 years ago

Comparing to mine, here are some differences I see. Not sure if any are causing your issue.

HTH

davidbeckonline commented 3 years ago

It turned out that the emailKeyPrefix in the config of the Lambda function caused the access issues. Thank you very much for that hint!

Below is the setup (with prefix), which I am running successfully now. If you decide to use a prefix (as I do), this also needs to be considered in the SES Rule Set.

===

1/ Config Section:

```javascript
var defaultConfig = {
  fromEmail: "mail@some.one",
  subjectPrefix: "",
  emailBucket: "someones-email",
  emailKeyPrefix: "emails/",
  allowPlusSign: true,
  forwardMapping: {
    "mail@some.one": [
      "some.one@gmail.com"
    ]
  }
};
```

2/ Policy for Lambda Execution Role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:1234567:*"
    },
    {
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::someones-email/emails/*"
    }
  ]
}
```