6

I am trying to build a CloudFormation script that sets up a Cognito User Pool and configures it to use a custom email for sending users their validation code in the signup process (i.e. FROM: noreply@mydomain.com).

I am getting this error when executing my AWS CloudFormation script:

"ResourceStatusReason": "Cognito is not allowed to use your email identity (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: InvalidEmailRoleAccessPolicyException; 

I have attached a Policy for Cognito to use my SES email identity e.g. noreply@mydomain.com. I have manually set up and validated this email identity in SES prior to running the CloudFormation script.

Here is my CloudFormation configuration for the policy to allow Cognito to send emails on my behalf e.g. From noreply@mydomain.com:

  # Managed policy granting SES send permissions on the verified identity ARN,
  # looked up per environment from the template's mapping.
  CognitoSESPolicy:
    Type: AWS::IAM::ManagedPolicy
    Description: "Allow Cognito to send email on behalf of email identity (e.g. noreply@example.org)"
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
        - Sid: "ucstmnt0001"
          Effect: "Allow"
          Action:
          - "ses:SendEmail"
          - "ses:SendRawEmail"
          Resource: !FindInMap [ environment, !Ref "Environment", emailARN ]

  # Role that the Cognito service principal may assume, with the policy above attached.
  SESRole:
    Type: AWS::IAM::Role
    Description: "An IAM Role to allow Cognito to send email on behalf of email identity"
    Properties:
      RoleName: uc-cognito-ses-role
      ManagedPolicyArns:
        - Ref: CognitoSESPolicy
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
            - sts:AssumeRole
            Principal:
              Service:
              - cognito-idp.amazonaws.com
    DependsOn: CognitoSESPolicy

I am not sure what I am doing wrong here...

jzeron
  • 223
  • 3
  • 8
  • Even validating the email manually I'm getting the same error. Can you share a bigger snippet of your code so I see what I am doing wrong? – Juan Rivillas Dec 18 '18 at 17:45

2 Answers

7

Answering my own question for others' benefit. AWS SES has its own managed identity for emails, requiring a user to verify ownership of the email before it can be used by other AWS services. My solution was to manually set up the SES email account using the AWS portal, verify the email account, then reference the ARN for the identity created in SES for email in my CloudFormation script. Maybe AWS will have a way in the future to create an SES identity via CloudFormation scripts, but at this time it seems that a manual process is required for the initial setup.

jzeron
  • 223
  • 3
  • 8
  • thanks for sharing! Can you tell if the policy you posted above was still relevant or you had to create it manually via "Identity Policies" settings on SES page? – rinat.io Jan 29 '20 at 15:41
  • You still need to attach a policy that grants Cognito (or any other service that you want to send emails from) the required permissions to send emails using the SES service. For example:

        # IAM: MANAGED POLICY
        IamManagedPolicySnsPublish:
          Type: "AWS::IAM::ManagedPolicy"
          Properties:
            Description: "Managed policy for permissions to publish SNS messages"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - sns:Publish
                  Resource: "*"

    – jzeron Jan 30 '20 at 17:30

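
Added example, not code from the question or from either answer: the step the accepted answer describes but does not show, referencing the verified SES identity's ARN from the user pool resource. The Parameters section, the logical name UserPool and the ARN in the parameter description are assumptions and placeholders. The identity must already be verified and carry a sending-authorization policy for cognito-idp.amazonaws.com when the stack is created; that policy lives on the SES identity (the other answer attaches it with put-identity-policy), not in the IAM role from the question, so the role by itself does not satisfy Cognito.

```yaml
# Added example (not the asker's template): a user pool that sends sign-up
# verification codes through an SES identity verified outside CloudFormation.
# Parameter names and the logical name "UserPool" are assumptions.
Parameters:
  SesIdentityArn:
    Type: String
    Description: >-
      ARN of the SES email identity verified by hand beforehand, e.g.
      arn:aws:ses:us-east-1:123456789012:identity/noreply@example.org
      (placeholder region and account id)
  FromAddress:
    Type: String
    Default: noreply@example.org

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: example-user-pool
      AutoVerifiedAttributes:
        - email
      # DEVELOPER means "send through my own SES identity" rather than the
      # Cognito default sender. SourceArn is the verified identity's ARN; the
      # identity must already grant cognito-idp.amazonaws.com ses:SendEmail and
      # ses:SendRawEmail through an SES identity policy, or creation fails with
      # InvalidEmailRoleAccessPolicyException.
      EmailConfiguration:
        EmailSendingAccount: DEVELOPER
        SourceArn: !Ref SesIdentityArn
        From: !Ref FromAddress
        ReplyToEmailAddress: !Ref FromAddress
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
```

Deploy order matters: verify the identity and attach its sending-authorization policy first, then create this stack, since Cognito checks the identity policy at user pool creation rather than at first send.
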
1

Recently ran into this issue and could not find a way to add it via Cloudformation still. Was able to use aws ses put-identity-policy instead.

# SES sending-authorization policy for the verified identity. The variables
# email_arn and policy_name are assumed to be set earlier in the script.
ses_policy=$(cat << EOM
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "cognito-idp.amazonaws.com"
            },
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Resource": "${email_arn}"
        }
    ]
}
EOM
)
# Attach the policy to the SES identity itself.
aws ses put-identity-policy \
  --identity "${email_arn}" \
  --policy-name "${policy_name}" \
  --policy "${ses_policy}"

Instead of cat you can use read, but my script was already using set -o errexit and it was not worth changing to be purist for no particular reason.

Thien
  • 672
  • 5
  • 12