Unable to use AWS SES Sending Authorisation with verified identities in other accounts

Open mrtimp opened this issue 2 years ago • 2 comments

  • Laravel Version: 9.43.0
  • PHP Version: 8.1
  • Database Driver & Version: N/a

Description:

We have an AWS SES pattern where we have a verified identity in a common account and then other accounts within the organisation can use this identity for sending using sending authorisation. This pattern allows us to use an instance profile (temporary credentials) for an EC2 or ECS instance using the SES API (rather than SMTP) and avoids injecting long-lived SES credentials into the EC2/ECS instance.

Due to the verified identity existing in another account we need to use the FromArn or SourceArn parameters via the SendRawEmail API so that SES knows which identity to use.

It looks like there is a conflict between using the FromArn and the default Source parameter as we get "ERROR: Email address is not verified" returned from the API. If I comment out Source in SesTransport.php the emails are sent correctly.

It would be ideal if we could pass through an empty Source or somehow have it excluded if we are using the FromArn and/or SourceArn parameter. I have had a look at the source for SesTransport.php but I'm having a problem deciding on what the best non-breaking approach would be.

Steps To Reproduce:

  1. Create a target AWS account with SES in production mode and a verified identity (either email or domain)
  2. Create a source AWS account with SES in production mode (and no verified identities)
  3. Create an instance profile in the source account including the ses:SendRawEmail permission and associate the instance profile with the EC2 or ECS instance
  4. Copy the verified identity's ARN from the target account and pass that in as an option in the SES configuration in config/mail.php
  5. Sending from the source account should result in an exception being thrown: ERROR: Email address is not verified
  6. Comment out Source in SesTransport.php and send again from the source account and the email should be delivered

mrtimp avatar Dec 13 '22 20:12 mrtimp
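
A sketch of the behaviour the report asks for, added here as an example; it is not part of the original issue and is not Laravel's SesTransport code. The function name `buildSendRawEmailArgs`, its parameters and the sample ARN are hypothetical, and it assumes, as the report describes, that Source should be left out whenever FromArn or SourceArn is configured.

```php
<?php

declare(strict_types=1);

/**
 * Hypothetical helper (not Laravel's SesTransport code): assemble the
 * argument array for the SES SendRawEmail call.
 *
 * $options stands in for the extra SES options from config/mail.php.
 * Assumption taken from the issue: when FromArn or SourceArn is set,
 * Source is left out; otherwise the envelope sender is sent as Source,
 * so existing single-account setups behave as before.
 */
function buildSendRawEmailArgs(
    string $rawMessage,
    string $envelopeSender,
    array $recipients,
    array $options = []
): array {
    $usesSendingAuthorization = ! empty($options['FromArn'])
        || ! empty($options['SourceArn']);

    $args = array_merge($options, [
        'Destinations' => array_values($recipients),
        'RawMessage' => ['Data' => $rawMessage],
    ]);

    if ($usesSendingAuthorization) {
        // Cross-account identity: drop Source even if $options carried one.
        unset($args['Source']);
    } else {
        $args['Source'] = $envelopeSender;
    }

    return $args;
}

// Constructed sample values; the account ID and domain are placeholders.
$raw = "From: app@example.com\r\nTo: user@example.net\r\nSubject: Test\r\n\r\nHello\r\n";
$identityArn = 'arn:aws:ses:us-east-1:111122223333:identity/example.com';

$sameAccount = buildSendRawEmailArgs($raw, 'app@example.com', ['user@example.net']);
$crossAccount = buildSendRawEmailArgs($raw, 'app@example.com', ['user@example.net'], ['FromArn' => $identityArn]);

var_dump(array_key_exists('Source', $sameAccount));
var_dump(array_key_exists('Source', $crossAccount));
```

Keying the omission on the presence of an ARN option leaves the default path untouched, which is the non-breaking property the report is looking for.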

Thank you for reporting this issue!

As Laravel is an open source project, we rely on the community to help us diagnose and fix issues as it is not possible to research and fix every issue reported to us via GitHub.

If possible, please make a pull request fixing the issue you have described, along with corresponding tests. All pull requests are promptly reviewed by the Laravel team.

Thank you!

github-actions[bot] avatar Dec 15 '22 09:12 github-actions[bot]

@mrtimp your repro involves a lot of manual work in AWS. I don't think many would do that in their spare time. You seem to have a very good idea of exactly what you want, you're only unsure about the best way of doing it without breaking things.

Why not send a PR and we can take a look?

abbood avatar Dec 23 '22 13:12 abbood

Closing this issue because it's inactive, already solved, old or not relevant anymore. Feel free to open up a new issue if you're still experiencing this.

driesvints avatar Apr 03 '23 08:04 driesvints