问题描述
我有以下Python / boto3脚本,直接来自AWS documentation:
import boto3
from botocore.exceptions import ClientError
# Replace [email protected] with your "From" address.
# This address must be verified with Amazon SES.
SENDER = "[email protected]"
# Replace [email protected] with a "To" address. If your account
# is still in the sandBox,this address must be verified.
RECIPIENT = "[email protected]"
# If necessary,replace us-west-2 with the AWS Region you're using for Amazon SES.
AWS_REGION = "eu-central-1"
# The subject line for the email.
SUBJECT = "Amazon SES Test (SDK for Python)"
# The email body for recipients with non-HTML email clients.
BODY_TEXT = ("Amazon SES Test (Python)\r\n"
"This email was sent with Amazon SES using the "
"AWS SDK for Python (Boto).")
# The HTML body of the email.
BODY_HTML = """<html>
<head></head>
<body>
<h1>Amazon SES Test (SDK for Python)</h1>
<p>This email was sent with
<a href='https://aws.amazon.com/ses/'>Amazon SES</a> using the
<a href='https://aws.amazon.com/sdk-for-python/'>
AWS SDK for Python (Boto)</a>.</p>
</body>
</html>
"""
# The character encoding for the email.
CHARSET = "UTF-8"
# Create a new SES resource and specify a region.
client = boto3.client(
'ses',aws_access_key_id='AKIA[REDACTED]',aws_secret_access_key='[REDACTED]',region_name=AWS_REGION
)
# Try to send the email.
try:
# Provide the contents of the email.
response = client.send_email(
Destination={
'ToAddresses': [
RECIPIENT,],},Message={
'Body': {
'Html': {
'Charset': CHARSET,'Data': BODY_HTML,'Text': {
'Charset': CHARSET,'Data': BODY_TEXT,'Subject': {
'Charset': CHARSET,'Data': SUBJECT,Source=SENDER,)
# display an error if something goes wrong.
except ClientError as e:
print(e.response['Error']['Message'])
else:
print("Email sent! Message ID:"),print(response['MessageId'])
两个域(sender.com和receiver.com)均在SES中进行了验证; SES仍处于沙盒模式。我正在使用的AWS凭证适用于已附加以下策略(通过其组)的用户:
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Allow","Action": "*","Resource": "*"
}
]
}
运行脚本时,出现以下错误:
User `arn:aws:iam::[REDACTED]:user/[REDACTED]' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:eu-central-1:[REDACTED]:identity/receiver.com'.
在具有相同参数的AWS控制台中使用“发送测试电子邮件”时,一切正常。
这是什么问题?
解决方法
在我的情况下,该问题是由“强制多因素身份验证”策略产生的,类似于docs中的策略;该策略对控制台和API都强制执行MFA(即,使用长期凭据时),并拒绝任何缺少它的操作:
{
"Sid": "DenyAllExceptListedIfNoMFA","Effect": "Deny","NotAction": [
"iam:CreateVirtualMFADevice","iam:EnableMFADevice","iam:GetUser","iam:ListMFADevices","iam:ListVirtualMFADevices","iam:ResyncMFADevice","sts:GetSessionToken"
],"Resource": "*","Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
要解决此问题,可以将BoolIfExists更改为Bool,但也请参见this answer。
并始终全部查看您的IAM政策!