IAM Policy to create WorkMail Organization


I am building a policy to attach to a user to create a WorkMail.

I am starting with allowing a user to create an organisation in WorkMail.

This is it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WorkMailUser",
            "Effect": "Allow",
            "Action": [
                "ds:CreateIdentityPoolDirectory",
                "ds:ListAuthorizedApplications",
                "ds:DescribeDirectories",
                "ds:CreateAlias",
                "ds:AuthorizeApplication",
                "workmail:CreateOrganization"
            ],
            "Resource": "*"
        },
        {
            "Sid": "WorkMailUser1",
            "Effect": "Allow",
            "Action": [
                "ses:DescribeActiveReceiptRuleSet",
                "ses:VerifyDomainIdentity"
            ],
            "Resource": "*"
        }
    ]
}

The error that I get is:

arn:aws:iam::* is not authorized to perform ses:SetIdentityEmailNotificationEnabled

When I check for the action, I can't find it.

If I change to ses:* I can create the organization.

What permissions do I need to give my user to get past ses:SetIdentityEmailNotificationEnabled?

Update

When I am using all 7 Set actions from SES, it still does not work. Is this something related to SLR roles?

Answer

Yeah, this one is weird. I've run into it before and can't tell you the cause. However, if you add exactly that permission to the policy: ses:SetIdentityEmailNotificationEnabled, even if IAM complains, it should work and the AccessDenied will be cleared. I'm not sure why it doesn't show up in the IAM console. If you try to add it directly to the JSON policy in the IAM console, it will tell you that it doesn't exist. But, just ignore those warnings and add it anyway, IAM won't stop you. That should solve the issue or at least get you past this one permission error.
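As an added offline check (example code, not from the question or the answer): a small evaluator that tests whether an identity policy covers a given action, run against the policy from the question before and after adding the action named in the AccessDenied. It is a deliberate simplification: only Allow/Deny statements with action wildcards are modelled, and Condition, Resource ARNs and NotAction are ignored.

```python
import copy
import fnmatch

# The policy from the question, re-typed as a dict so the check runs offline.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WorkMailUser", "Effect": "Allow", "Resource": "*",
         "Action": ["ds:CreateIdentityPoolDirectory", "ds:ListAuthorizedApplications",
                    "ds:DescribeDirectories", "ds:CreateAlias",
                    "ds:AuthorizeApplication", "workmail:CreateOrganization"]},
        {"Sid": "WorkMailUser1", "Effect": "Allow", "Resource": "*",
         "Action": ["ses:DescribeActiveReceiptRuleSet", "ses:VerifyDomainIdentity"]},
    ],
}

# The action the error message names and the answer says to add explicitly.
NEEDED = "ses:SetIdentityEmailNotificationEnabled"


def _as_list(value):
    """IAM accepts either a string or a list for Action / Resource fields."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Simplified identity-policy evaluation for one action on Resource '*':
    an explicit Deny wins, otherwise any matching Allow grants it.
    Assumption: Condition, Resource ARNs and NotAction are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def with_action(policy, sid, action):
    """Return a copy of the policy with `action` appended to statement `sid`."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") == sid:
            stmt["Action"] = _as_list(stmt["Action"]) + [action]
    return fixed


# The answer's fix: the exact action added to the SES statement.
FIXED_POLICY = with_action(ORIGINAL_POLICY, "WorkMailUser1", NEEDED)
```

Running `is_allowed(ORIGINAL_POLICY, NEEDED)` reproduces the denial (False) and `is_allowed(FIXED_POLICY, NEEDED)` returns True; a broad `ses:*` statement, as the asker observed, also evaluates to True.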