Describe the bug
I've created a "sendEmail" lambda function which will send all of my transactional emails based on a Pinpoint email template. I've added the Analytics permissions via the CLI when adding the function. Can we get the required permissions added, when enabling the function to have access to Pinpoint, so it can send templated emails? I'm probably going to have to hack this into a CF resource for now, but it would be great if you guys can support this feature.
Amplify CLI Version
4.24.1
To Reproduce
```javascript
const AWS = require('aws-sdk');

// Pinpoint Email API client (the SDK call is authorised as ses:SendTemplatedEmail,
// see the CloudWatch error below)
var pinpointemail = new AWS.PinpointEmail({apiVersion: '2018-07-26'});

exports.handler = async (event) => {
  var params = {
    Content: { /* required */
      Template: {
        TemplateArn: 'ARN of template',
        // Template variables are passed as a JSON-encoded string
        TemplateData: JSON.stringify({
          name: "Elon Musk"
        })
      }
    },
    Destination: { /* required */
      ToAddresses: [
        '[email protected]',
      ]
    },
    FromEmailAddress: '[email protected]',
    ReplyToAddresses: [
      '[email protected]',
    ]
  };
  // Resolve with the SendEmail response, or reject with the SDK error
  return pinpointemail.sendEmail(params).promise();
};
```
I get the following response in CloudWatch logs:
```
"AccessDeniedException: User `arn:aws:sts::458325423128:assumed-role/appLambdaRole93f0f918-develop/sendEmailFunction-develop' is not authorized to perform `ses:SendTemplatedEmail' on resource `arn:aws:ses:us-east-1:app:identity/[email protected]'",
"    at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:51:27)",
"    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:55:8)",
```
Expected behavior
ses:SendTemplatedEmail permissions added when enabling the analytics stack permission for your lambda function.
Looks like I should be using the Pinpoint API instead of PinpointEmail to send messages! Updating now and will close if achievable with the other API.
After switching over to the Pinpoint API I'm now facing basically the same issue:
```
{
  "errorType": "AccessDeniedException",
  "errorMessage": "User: arn:aws:sts::eeeeeee:assumed-role/eeeeepLambdaRole93f0f918-develop/sendEmailFunction-develop is not authorized to perform: mobiletargeting:SendMessages on resource: arn:aws:mobiletargeting:us-east-1:458325423128:apps/eeeee/messages",
```
Which is really strange since the function permissions state:
Allow: mobiletargeting:Put*
Allow: mobiletargeting:Create*
Allow: mobiletargeting:Send*
Allow: mobiletargeting:Get*
Allow: mobiletargeting:List*
Allow: mobiletargeting:Update*
With the same pinpoint app id...
The Pinpoint resource ARNs match apart from the /messages bit that is added to the end by the Pinpoint API:
arn:aws:mobiletargeting:us-east-1:eeeee:apps/xxxxxx
arn:aws:mobiletargeting:us-east-1:eeeee:apps/xxxxxx/messages
We need to update the amplify-lambda-execution-policy to include the /* resource for the Pinpoint API to work correctly. I've edited it by hand for now, but will need to add another CloudFormation resource for a simple /* if it is not added natively to the Amplify CLI.
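To make the mismatch described above concrete, here is an added example (not code from the issue author or from the Amplify CLI): a simplified model of how an IAM Allow statement is matched against a request, run against the policy from this thread with and without the `/*` resource. IAM resource matching is literal apart from the `*` and `?` wildcards, so `apps/<id>` does not cover `apps/<id>/messages`. The account ID, app ID and region are placeholders; Deny statements, conditions and principals are deliberately not modelled.

```javascript
// Added example, not from the issue or the Amplify CLI code base.
// Account and app IDs are made-up placeholders.

// Escape regex metacharacters, then turn IAM's `*` (any run of characters,
// including '/') and `?` (single character) wildcards into a regex.
function globToRegExp(pattern, flags = '') {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, flags);
}

// Action names match case-insensitively; resource ARNs match case-sensitively.
const matchesAction = (pattern, action) => globToRegExp(pattern, 'i').test(action);
const matchesResource = (pattern, arn) => globToRegExp(pattern).test(arn);

// True if any Allow statement in `policy` covers both the action and the resource.
// Simplification: no Deny statements, Condition blocks or NotAction/NotResource.
function isAllowed(policy, action, resourceArn) {
  return policy.Statement.some((st) => {
    if (st.Effect !== 'Allow') return false;
    const actions = [].concat(st.Action);
    const resources = [].concat(st.Resource);
    return actions.some((a) => matchesAction(a, action)) &&
      resources.some((r) => matchesResource(r, resourceArn));
  });
}

// The statement from the thread: wildcarded actions, scoped to the Pinpoint app.
// withWildcard=true adds the `<appArn>/*` resource proposed as the fix.
function pinpointPolicy(region, account, appId, withWildcard) {
  const appArn = `arn:aws:mobiletargeting:${region}:${account}:apps/${appId}`;
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: [
        'mobiletargeting:Put*', 'mobiletargeting:Create*', 'mobiletargeting:Send*',
        'mobiletargeting:Get*', 'mobiletargeting:List*', 'mobiletargeting:Update*',
      ],
      Resource: withWildcard ? [appArn, `${appArn}/*`] : [appArn],
    }],
  };
}

const REGION = 'us-east-1';
const ACCOUNT = '123456789012'; // placeholder account ID
const APP_ID = 'abc123';        // placeholder Pinpoint app ID
// The resource SendMessages is authorised against: the app ARN plus "/messages".
const SEND_ARN = `arn:aws:mobiletargeting:${REGION}:${ACCOUNT}:apps/${APP_ID}/messages`;

// Evaluate the SendMessages request under the original and the fixed policy.
function demo() {
  const action = 'mobiletargeting:SendMessages';
  return {
    before: isAllowed(pinpointPolicy(REGION, ACCOUNT, APP_ID, false), action, SEND_ARN),
    after: isAllowed(pinpointPolicy(REGION, ACCOUNT, APP_ID, true), action, SEND_ARN),
  };
}

console.log(demo()); // { before: false, after: true }
```

The action pattern `mobiletargeting:Send*` does match `SendMessages`, so the denial comes purely from the resource side: the only way to cover the `/messages` sub-resource with a single statement is the `apps/<id>/*` form, which is what the hand edit and the PR add.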
Thanks for logging the issue.
The PR looks good too.
Merged the PR.