Closed rtyley closed 4 years ago
Unfortunately this doesn't appear to have fully resolved the issue, though maybe improved things slightly. The credentials now appear to load, but the DynamoDB query fails:
User: arn:aws:sts::021353022223:assumed-role/Ophan-Housekeeper-ExecutionRole-BLAHBLAHBLAAH/Ophan-Housekeeper-Lambda-WOOWOOWOOO
is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:eu-west-1:021353022223:table/ophan-alerts
(Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: GOJ21AFDH19VNCQDNRGNCHE1QNVV4KQNSO5AEMVJF66Q9ASUAAJG):
com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException
Our CloudFormation actually gives very permissive permissions to the Lambda, so I'm not sure why this is occurring; will investigate.
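The error above names the assumed-role session, so the credentials did load and the denial comes from the execution role's policy (or from a boundary, SCP or condition around it). As an added example, not code from this PR or from the Ophan project, here is a simplified IAM policy matcher in Python over a constructed role policy; the policy document, the table ARN scoping and the `is_allowed` helper are assumptions for illustration, and the matcher ignores Condition, NotAction/NotResource, permission boundaries and SCPs, each of which can still produce an AccessDeniedException like the one quoted.

```python
import fnmatch
import json

# Constructed sample: an inline policy in the shape CloudFormation's
# AWS::IAM::Role "Policies" property produces. Not the project's real template.
ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["dynamodb:DeleteItem", "dynamodb:Query"],
     "Resource": "arn:aws:dynamodb:eu-west-1:021353022223:table/ophan-alerts"},
    {"Effect": "Allow", "Action": "sns:Publish", "Resource": "*"}
  ]
}
""")

TABLE_ARN = "arn:aws:dynamodb:eu-west-1:021353022223:table/ophan-alerts"


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """'*' and '?' are wildcards in IAM; action names are case-insensitive, ARNs are not."""
    for pattern in _as_list(patterns):
        p, v = (pattern, value) if case_sensitive else (pattern.lower(), value.lower())
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, any matching Allow grants,
    and nothing matching is an implicit deny (what the quoted error reports)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, case_sensitive=False):
            continue
        if not _matches(stmt.get("Resource", []), resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Typical triage: does the role cover the exact action+resource in the error?
    print(is_allowed(ROLE_POLICY, "dynamodb:Query", TABLE_ARN))
```

Running the function with the action and resource copied from the error message, against the policy the template actually deploys, quickly shows whether the denial is a scoping mistake (wrong region or account in the ARN, an index ARN instead of the table) or something outside the role policy.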
AWS placed our SES account under review (giving us notice that they could block our ability to send email :email: :skull: ) on Saturday 15th February:
https://logs.gutools.co.uk/s/ophan/goto/74968773d968bb5f2b8f285bd3354002
This was due to AWS-credential-loading in the Ophan Housekeeper lambda being broken by commit 31cec53c65 back in October 2019 - with credential-loading broken, the lambda couldn't load the AWS credentials it needed to delete entries from the ophan-alerts DynamoDB table, or post to the SNS topic. Perhaps surprisingly, the Ophan Housekeeper lambda only needs those AWS credentials when it's dealing with a permanently bouncing email - so there was no obvious problem until a permanent bounce occurred, starting at 13:26 on February 12th 2020:
As the lambda was broken, it wasn't able to decommission the relevant Ophan Alerts - so Trigr kept on sending them, and there were so many of them, bouncing permanently, that AWS placed our SES account under review.
What next?
Once this fix has been merged, it should hopefully resolve the issue - but note that AWS wants us to follow up with them and let them know what we've done before they take us out of review: