I am trying to programmatically create a WorkMail export job. I have access to an AWS WorkMail organisation and everything; I even created a role that would allow access to the S3 bucket to allow writing into it. I cannot figure out the response I get from the boto describe mailbox export job. It is basically failing, but I cannot figure out why.
The questions I also need answered are:
- Where do the mailbox export jobs exist in the AWS GUI environment? I can get them via the SDK but not on the AWS console itself.
- What role needs to have the sts:AssumeRole policy? If it's WorkMail itself, I added it to the trusted relationships as a principal, but there is still nothing.
I have spent a lot of time changing configurations of the AWS IAM role to allow for different principals to be trusted by the role.
I have some thoughts about my program not having the correct permissions, but I do have access to listing users in a mailbox and the like. I don't know what I am missing.
Below is the state of the trusted relationships for the role...
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{My Account}:user/{The username associated with the account}",
                "Service": [
                    "workmail.amazonaws.com",
                    "s3.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
The response for one of the jobs I started:
{'EntityId': '{entity id}',
 'Description': 'Testing job for mailbox export.',
 'RoleArn': 'arn:aws:iam::{Account}:role/ApiReadRole',
 'KmsKeyArn': 'arn:aws:kms:us-west-2:{Account}:key/{arn Id}',
 'S3BucketName': 'communications',
 'S3Prefix': 'media/private/emails',
 'S3Path': 'media/private/emails/{some id}.zip',
 'EstimatedProgress': 0,
 'State': 'FAILED',
 'ErrorInfo': 'Unable to assume role "arn:aws:iam::{Account}:role/ApiReadRole"',
 'StartTime': datetime.datetime(2022, 12, 2, 8, 48, 9, 642000, tzinfo=tzlocal()),
 'EndTime': datetime.datetime(2022, 12, 2, 8, 48, 11, 121000, tzinfo=tzlocal()),
 'ResponseMetadata': {'RequestId': '{some id}',
                      'HTTPStatusCode': 200,
                      'HTTPHeaders': {'x-amzn-requestid': '{some id}',
                                      'content-type': 'application/x-amz-json-1.1',
                                      'content-length': '616',
                                      'date': 'Fri, 02 Dec 2022 06:48:53 GMT'},
                      'RetryAttempts': 0}
}
I followed this document and managed to execute the export job.
https://docs.aws.amazon.com/workmail/latest/adminguide/mail-export.html
But I was also having a problem where I couldn't run the job successfully.
The reason was that I did not set up a key policy on the KMS key, which is required to encrypt the exported content in the S3 bucket. Once I configured the key policy, the job ran successfully.
Be sure to have the key policy set up. This behavior of the KMS key is also mentioned in the document below:
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
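As an added example (not the poster's code), here is a small pre-flight check that reads the two policy documents the thread is about, the role's trust policy and the KMS key policy, and reports the conditions that produce an "Unable to assume role" failure: no Allow statement letting the WorkMail service principal call sts:AssumeRole, or no key-policy grant of kms:GenerateDataKey/kms:Decrypt to the export role. The sample policies are constructed from the question (placeholders kept); the service principal name is taken from the question's own trust policy, the exact principal and conditions to use are in the WorkMail export guide linked above, and in practice the documents would be fetched with `iam.get_role(...)['Role']['AssumeRolePolicyDocument']` and `kms.get_key_policy(KeyId=..., PolicyName='default')['Policy']`. Deny statements and Condition blocks are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the trust policy from the question, placeholders kept as-is.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::{My Account}:user/{user}",
                 "Service": ["workmail.amazonaws.com", "s3.amazonaws.com"]},
   "Action": "sts:AssumeRole"}]}
""")

# Constructed sample: a key policy that only lets the account root use the key,
# so the export role has no kms:GenerateDataKey / kms:Decrypt grant.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::{Account}:root"},
     "Action": "kms:*", "Resource": "*"}]}

ROLE_ARN = "arn:aws:iam::{Account}:role/ApiReadRole"  # RoleArn from the failed job
EXPORT_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")

def _as_list(value):
    """IAM policy fields may be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def _grants(statement, principal_key, principal, actions):
    """True if an Allow statement names `principal` (or *) and covers every action."""
    if statement.get("Effect") != "Allow":
        return False
    block = statement.get("Principal", {})
    who = _as_list(block) if isinstance(block, str) else _as_list(block.get(principal_key, []))
    if principal not in who and "*" not in who:
        return False
    patterns = _as_list(statement.get("Action", []))  # wildcards such as kms:* allowed
    return all(any(fnmatchcase(a, p) for p in patterns) for a in actions)

def preflight(trust_policy, key_policy, service, role_arn):
    """Return a list of findings explaining why the export job would fail."""
    findings = []
    if not any(_grants(s, "Service", service, ["sts:AssumeRole"])
               for s in trust_policy.get("Statement", [])):
        findings.append(f"trust policy does not let {service} assume the role")
    if not any(_grants(s, "AWS", role_arn, EXPORT_ACTIONS)
               for s in key_policy.get("Statement", [])):
        findings.append(f"key policy grants no {'/'.join(EXPORT_ACTIONS)} to {role_arn}")
    return findings

if __name__ == "__main__":
    for finding in preflight(TRUST_POLICY, KEY_POLICY, "workmail.amazonaws.com", ROLE_ARN):
        print("FINDING:", finding)
```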