Problem description
Using the AWS CDK, I can create an SES-verified email address. But how do I create a policy that grants SendEmail and SendRawEmail permissions on the email (as can be done in the console)? My understanding is that the AwsCustomResource policy property grants the Lambda function permission to create the resource, not permissions on the created resource itself.
import * as cr from '@aws-cdk/custom-resources';
import * as iam from '@aws-cdk/aws-iam';

// Verify the address with SES on stack creation and remove the identity on stack deletion.
const customResource = new cr.AwsCustomResource(this, 'VerifyEmailIdentity', {
  onCreate: {
    service: 'SES',
    action: 'verifyEmailIdentity',
    parameters: {
      EmailAddress: cognitoEmailAddress,
    },
    physicalResourceId: cr.PhysicalResourceId.of(`verify-${cognitoEmailAddress}`),
  },
  onDelete: {
    service: 'SES',
    action: 'deleteIdentity',
    parameters: {
      Identity: cognitoEmailAddress,
    },
  },
  // This policy is attached to the custom resource's Lambda role; it does not grant anything on the identity itself.
  policy: cr.AwsCustomResourcePolicy.fromStatements([
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['ses:VerifyEmailIdentity', 'ses:DeleteIdentity'],
      resources: ['*'],
    }),
  ]),
});
Solution
Add the following additional code, which calls SES putIdentityPolicy to allow (for example) the Cognito service to SendEmail and SendRawEmail.
import * as cdk from '@aws-cdk/core';
import * as cr from '@aws-cdk/custom-resources';
import * as iam from '@aws-cdk/aws-iam';

const cognitoEmailAddress = 'myemail@mydomain.com';
// Region and account of the stack this construct is defined in.
const { region: myRegion, account: myAccount } = cdk.Stack.of(this);
const cognitoEmailAddressArn = `arn:aws:ses:${myRegion}:${myAccount}:identity/${cognitoEmailAddress}`;

// SES identity (sending authorization) policy: lets the Cognito service principal
// send from this one verified address, and nothing else.
const policy = {
  Version: '2008-10-17',
  Statement: [
    {
      Sid: 'stmt1621717794524',
      Effect: 'Allow',
      Principal: {
        Service: 'cognito-idp.amazonaws.com',
      },
      Action: [
        'ses:SendEmail',
        'ses:SendRawEmail',
      ],
      Resource: cognitoEmailAddressArn,
    },
  ],
};

new cr.AwsCustomResource(this, 'PutIdentityPolicy', {
  onCreate: {
    service: 'SES',
    action: 'putIdentityPolicy',
    parameters: {
      Identity: cognitoEmailAddress,
      Policy: JSON.stringify(policy),
      PolicyName: 'CognitoSESEmail',
    },
    physicalResourceId: cr.PhysicalResourceId.of(`policy-${cognitoEmailAddress}`),
  },
  onDelete: {
    service: 'SES',
    action: 'deleteIdentityPolicy',
    // DeleteIdentityPolicy needs both the identity and the policy name.
    parameters: {
      Identity: cognitoEmailAddress,
      PolicyName: 'CognitoSESEmail',
    },
  },
  // There is a policy bug in the CDK for custom resources: https://github.com/aws/aws-cdk/issues/4533
  // Use the following policy workaround. https://stackoverflow.com/questions/65886628/verify-ses-email-address-through-cdk
  // This grants the custom resource's Lambda role the right to manage identity policies;
  // the identity policy above is what actually authorizes Cognito to send.
  policy: cr.AwsCustomResourcePolicy.fromStatements([
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['ses:PutIdentityPolicy', 'ses:DeleteIdentityPolicy'],
      resources: ['*'],
    }),
  ]),
});
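The answer above hinges on the difference between two policies: the one attached to the custom resource's Lambda role (who may call PutIdentityPolicy) and the SES identity policy passed as the Policy parameter (who may send from the address). The following is an added example, not code from the question or answer and not dependent on the CDK: it builds the identity policy document in the same shape as the answer's `policy` object and audits a policy string the way a reviewer would before it is deployed, flagging an anonymous principal, actions beyond the two send actions, or a Resource that is not the single identity ARN. The function names, the sample region and account number, and the sample wildcard policy are all constructed for illustration.

```typescript
// Added example (not from the original answer): build and audit SES identity
// (sending authorization) policies like the one PutIdentityPolicy receives.

type Principal = { Service?: string | string[]; AWS?: string | string[] } | '*';

type Statement = {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[];
};

type IdentityPolicy = { Version: string; Statement: Statement[] };

// The only actions a sending-authorization policy for a service needs.
const SEND_ACTIONS = ['ses:SendEmail', 'ses:SendRawEmail'];

// ARN of an SES email identity in the caller's own region and account.
function sesIdentityArn(region: string, account: string, email: string): string {
  return `arn:aws:ses:${region}:${account}:identity/${email}`;
}

// Policy equivalent to the answer's `policy` object: one service principal,
// only the two send actions, scoped to a single identity ARN (never '*').
function buildSendPolicy(identityArn: string, servicePrincipal: string, sid = 'AllowServiceSend'): IdentityPolicy {
  return {
    Version: '2008-10-17',
    Statement: [
      {
        Sid: sid,
        Effect: 'Allow',
        Principal: { Service: servicePrincipal },
        Action: SEND_ACTIONS,
        Resource: identityArn,
      },
    ],
  };
}

const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// Review a policy document (the JSON string passed as PutIdentityPolicy's
// Policy parameter) and return the findings a reviewer would raise.
function auditIdentityPolicy(policyJson: string, expectedIdentityArn: string): string[] {
  let policy: IdentityPolicy;
  try {
    policy = JSON.parse(policyJson);
  } catch {
    return ['policy is not valid JSON'];
  }
  const findings: string[] = [];
  for (const stmt of policy.Statement ?? []) {
    if (stmt.Effect !== 'Allow') continue;
    const label = stmt.Sid ?? '<no Sid>';
    // Anonymous principal: any caller could be authorized to send from the identity.
    const anonymous = stmt.Principal === '*' || asList(stmt.Principal.AWS).includes('*');
    if (anonymous) findings.push(`${label}: Principal is '*' (public access)`);
    // Anything beyond sending is more than the console grants for this use case.
    for (const action of asList(stmt.Action)) {
      if (!SEND_ACTIONS.includes(action)) findings.push(`${label}: unexpected action ${action}`);
    }
    // The policy is attached to one identity; it should name exactly that ARN.
    for (const res of asList(stmt.Resource)) {
      if (res !== expectedIdentityArn) findings.push(`${label}: Resource ${res} is not ${expectedIdentityArn}`);
    }
  }
  return findings;
}

// Demo with constructed values (the account number is a placeholder).
const demoArn = sesIdentityArn('us-east-1', '123456789012', 'myemail@mydomain.com');
const demoPolicy = JSON.stringify(buildSendPolicy(demoArn, 'cognito-idp.amazonaws.com'));
console.log('findings for the Cognito policy:', auditIdentityPolicy(demoPolicy, demoArn));
```

Running `auditIdentityPolicy` over `JSON.stringify(policy)` from the answer returns no findings, which is the property to preserve when the policy is later edited. The same split applies to the Lambda role: the `resources: ['*']` in the answer's `fromStatements` workaround can be narrowed to the identity ARN once the stack is known to deploy, so the custom resource can only touch that one identity's policies.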