aws-cdk-lib/aws-stepfunctions-tasks: sesv2 task does not grant ses:SendEmail permission #30745

Closed
concavegit opened this issue Jul 3, 2024 · 5 comments
Assignees
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. needs-reproduction This issue needs reproduction.

Comments

@concavegit

Describe the bug

I am creating a state machine with a sesv2 task defined like

```ts
// No iamAction is given, so CDK derives the IAM action from service:action.
new tasks.CallAwsService(this, "placeholder", {
    service: "sesv2",
    action: "sendEmail",
    parameters: {
        FromEmailAddress: myEmailAddress,
        Destination: {
            ToAddresses: recipients,
        },
        Content: {
            Simple: {
                Subject: {
                    Data: subject,
                },
                Body: {
                    Text: {
                        Data: body,
                    },
                },
            },
        },
    },
    iamResources: ["*"],
});
```

If I try to run this step, I get the error

```json
{
  "Error": "SesV2.SesV2Exception",
  "Cause": "User `<step_function_role>' is not authorized to perform `ses:SendEmail' on resource `<ses_identity_arn>' (Service: SesV2, Status Code: 403, Request ID: requestId)"
}
```

This is because the resulting step function CDK added this permission for the task

```json
{
    "Action": "sesv2:sendEmail",
    "Resource": "*",
    "Effect": "Allow"
},
```

This should have been ses:sendEmail, which causes the error.

Expected Behavior

The sesv2 task successfully sends an email.

Current Behavior

Permission error, since CDK does not grant the step function role the ses:sendEmail permission.

Reproduction Steps

Define a step function with step

```ts
new tasks.CallAwsService(this, "placeholder", {
    service: "sesv2",
    action: "sendEmail",
    parameters: {
        FromEmailAddress: myEmailAddress,
        Destination: {
            ToAddresses: recipients,
        },
        Content: {
            Simple: {
                Subject: {
                    Data: subject,
                },
                Body: {
                    Text: {
                        Data: body,
                    },
                },
            },
        },
    },
    iamResources: ["*"],
});
```

You will find that the step function does not have ses:sendEmail permission and will run into the above error.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.130.0

Framework Version

No response

Node.js Version

6.14.17

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

@concavegit concavegit added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 3, 2024
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Jul 3, 2024
@khushail khushail self-assigned this Jul 3, 2024
@khushail khushail added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Jul 3, 2024
@concavegit
Author

Note that sesv2:sendEmail is not a valid permission.

@acbellini

I think this is WAI. Both ses and sesv2 use the same actions, so you need to add:

```ts
iamAction: "ses:SendEmail"
```

to your definition. Per the iamAction docs:

> Use in the case where the IAM action name does not match with the API service/action name

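The behaviour the reply describes, as an added example that is not code from aws-cdk-lib or from anyone in this thread: a small model of how CallAwsService turns service, action and iamAction into the IAM statement attached to the state machine role, plus a pre-synth check that flags the sesv2 mismatch from this issue (the `IAM_PREFIX_FOR_SERVICE` table and the wildcard-resource finding are my additions; the table lists only the case from this issue).

```typescript
// Added example, not code from aws-cdk-lib: models how CallAwsService derives
// the IAM statement for a task, and lints the sesv2/ses prefix mismatch.

interface CallAwsServiceProps {
  service: string;        // SDK service name used in the task resource, e.g. "sesv2"
  action: string;         // camelCase SDK action, e.g. "sendEmail"
  iamAction?: string;     // explicit IAM action when it differs from service:action
  iamResources: string[]; // Resource element of the generated statement
}

interface PolicyStatement {
  Action: string;
  Resource: string | string[];
  Effect: "Allow";
}

// Documented behaviour: iamAction wins, otherwise `${service}:${action}`.
function derivedIamAction(props: CallAwsServiceProps): string {
  return props.iamAction ?? `${props.service}:${props.action}`;
}

// The statement CDK adds to the role policy (single resource collapses to a string).
function policyStatementFor(props: CallAwsServiceProps): PolicyStatement {
  const resource = props.iamResources.length === 1 ? props.iamResources[0] : props.iamResources;
  return { Action: derivedIamAction(props), Resource: resource, Effect: "Allow" };
}

// SDK service names whose IAM prefix differs from the SDK name. Assumption: only the
// sesv2 case from this issue is listed; extend as you meet others.
const IAM_PREFIX_FOR_SERVICE: Record<string, string> = { sesv2: "ses" };

// Returns human-readable findings; an empty array means nothing was flagged.
function lintIamAction(props: CallAwsServiceProps): string[] {
  const findings: string[] = [];
  const granted = derivedIamAction(props);
  const prefix = granted.split(":")[0];
  const expected = IAM_PREFIX_FOR_SERVICE[props.service];
  if (expected !== undefined && prefix !== expected) {
    // IAM action names are PascalCase, e.g. ses:SendEmail.
    const name = props.action.charAt(0).toUpperCase() + props.action.slice(1);
    findings.push(`"${granted}" is not an IAM action; set iamAction: "${expected}:${name}"`);
  }
  if (props.iamResources.includes("*")) {
    findings.push('iamResources is "*"; scope it to the SES identity ARN(s) the task sends from');
  }
  return findings;
}
```

Running `lintIamAction` over your task props before `cdk synth` catches the 403 at build time instead of at the first state machine execution.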
@concavegit
Author

Got it, thanks!


github-actions bot commented Jul 9, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aws-cdk-automation
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024