aws-samples / iam-identity-center-team

Open-source temporary elevated access solution for AWS IAM Identity Center.
https://aws-samples.github.io/iam-identity-center-team/
MIT No Attribution

Sending SES emails does not work when the SES service you wish to use is in a different region than the one TEAM is deployed to #200

Closed reidca closed 3 days ago

reidca commented 6 months ago

If you enable SES within the TEAM settings you can also specify that TEAM uses the SourceArn parameter. This allows TEAM to send emails using an existing implementation of SES that may already have the correct verified identities configured.

However, this does not work because the SES client created in the lambda function teamNotifications-main does not respect the environment variable supplied, nor is there any other way of setting an SES specific environment variable.

In my implementation, I have modified the lambda function code as such:

    import os
    import boto3

    # The Lambda already has a boto3 session; it is created here only so the
    # snippet runs stand-alone.
    session = boto3.session.Session()

    # Fetch SES region from environment variable, default to session region if not set
    ses_region = os.getenv('REGION', session.region_name)

    if ses_region:
        ses_client = boto3.client("ses", region_name=ses_region)
        print(f"Creating SES client in specified region: {ses_region}")
    else:
        ses_client = session.client("ses")
        print(f"Creating SES client in default session region: {session.region_name}")

Although I think it would be better to have a new parameter "SES_REGION" entered in parameters.sh and fed through from the start rather than simply use the REGION parameter. In our case SES is deployed to us-east-1 but Identity Center and TEAM are deployed to eu-west-1, so even if the code respected the REGION env variable which does come from parameters.sh, it would not work.

fatbasstard commented 6 months ago

Hi, we're running our SES setup in another region as well and are hitting the same issue, so would be nice if this can be implemented.

I'll take a look later, maybe it's easier/simpler to extract the region from the ARN (arn:aws:ses:<region>:<account>:identity/<domain>).

It is already specified and doesn't require a redeploy if you want to configure the SES endpoint with a different identity (in another region)

reidca commented 6 months ago

Even if you use the source_arn to get the region, you would still need a redeploy since the lambda code to create the SES client would need to respect the region which it currently does not. Although this may be simpler since you would not need to add this as a parameter in the original setup.
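The two approaches discussed in this thread (deriving the SES region from the SourceArn, or passing a dedicated SES_REGION variable) can be combined in one resolution step that falls back to the Lambda's own session region, which is what TEAM does today. The following is an added example, not code from the TEAM project or from either commenter; the function names `region_from_ses_arn`, `resolve_ses_region` and `make_ses_client` are hypothetical, and the `env` dictionary argument exists only so the resolution logic can be exercised without touching the real environment. The sample ARN and account id are constructed values.

```python
import os
from typing import Optional

ARN_FIELDS = 6  # arn:partition:service:region:account:resource


def region_from_ses_arn(source_arn: str) -> Optional[str]:
    """Return the region embedded in an SES identity ARN, or None when the
    string is not a well-formed SES ARN. Expected shape (as quoted in the
    thread): arn:aws:ses:<region>:<account>:identity/<domain>"""
    parts = source_arn.split(":", ARN_FIELDS - 1)
    if len(parts) != ARN_FIELDS or parts[0] != "arn" or parts[2] != "ses":
        return None
    # An empty region field means a global/malformed ARN; treat as unknown.
    return parts[3] or None


def resolve_ses_region(source_arn: Optional[str] = None,
                       env: Optional[dict] = None,
                       session_region: Optional[str] = None) -> Optional[str]:
    """Pick the region for the SES client, in order of preference:
    1. the region inside SourceArn (no redeploy needed to change it),
    2. a dedicated SES_REGION variable (hypothetical name from the thread),
    3. the Lambda's own session region (current TEAM behaviour).
    `env` defaults to os.environ; a plain dict can be passed for testing."""
    env = os.environ if env is None else env
    if source_arn:
        region = region_from_ses_arn(source_arn)
        if region:
            return region
    return env.get("SES_REGION") or session_region


def make_ses_client(source_arn: Optional[str] = None, session=None):
    """Build the SES client in the resolved region. boto3 is imported lazily so
    the pure resolution helpers above work without it installed."""
    import boto3  # assumption: same client construction style as the Lambda
    session = session or boto3.session.Session()
    region = resolve_ses_region(source_arn, session_region=session.region_name)
    if region is None:
        raise RuntimeError("no SES region could be determined")
    return session.client("ses", region_name=region)


if __name__ == "__main__":
    # Constructed sample: TEAM runs in eu-west-1, SES identity lives in us-east-1.
    sample_arn = "arn:aws:ses:us-east-1:123456789012:identity/example.com"
    print(resolve_ses_region(sample_arn, env={}, session_region="eu-west-1"))
```

Resolving the region from the ARN keeps the client and the verified identity in the same region, which is the failure this issue describes; a client in the wrong region cannot use the identity even when its ARN is correct. Rejecting ARNs whose service field is not `ses` avoids silently accepting a mis-pasted ARN from another service.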

github-actions[bot] commented 4 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 7 days it will automatically be closed.

reidca commented 4 months ago

@tawoyinfa is this one going to get added to the code?

tawoyinfa commented 4 months ago

@reidca yes currently reviewing it

github-actions[bot] commented 2 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 7 days it will automatically be closed.

fatbasstard commented 2 months ago

Poke

github-actions[bot] commented 1 week ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 7 days it will automatically be closed.