How do I send an email through SES with temporary SES-specific credentials?


Problem description

This page shows how to send an email using SES. The example works by reading the credentials from ~/.aws/credentials, which are the root (yet "shared"??) credentials.

The documentation advises in various places against using the root credentials.

Acquiring temporary credentials using roles is mentioned as an option, yet assume_role() is not defined for SES client objects.

How do I send an email through SES with temporary SES-specific credentials?

Update

The context for my question is an application running on an EC2 instance.

Recommended answer

There are a few things.

First you need an IAM policy. You can use one of the built-in policies, such as AmazonSESFullAccess, or you can create your own. The holder of a particular policy will be able to access the resources and actions defined in the policy. You can create this policy manually, or work through the AWS console and it will walk you through it. IAM --> Policies --> Create Policy

Secondly, you will need a role. Also, easily done in the console. IAM --> Roles --> Create role. Trusted entity is AWS service. Highlight EC2. In the next screen, select the policy you want to associate with this role. This is the policy you created above. If your EC2 already has a role, then you can add the IAM policy to this role. Assigning an IAM policy to a role is what they refer to as a trust policy.

Now any code that runs on your EC2 instance will be able to send messages to your SES service. The EC2 assumes the role assigned to it. And the SES policy is defined for that role. This will allow EC2 to get temporary credentials (behind the scenes).

The back story is as follows. Any API call to an AWS service needs to have a key and secret. When you make API calls from your local computer, you may use your personal key and secret (or even root ones). When you need to make API calls from another service, you do not have that key and secret. It would not be secure or practical to store the credentials on an EC2. Or even worse, in an S3 bucket. That is why AWS came up with the Role concept. Roles can request temporary credentials from an internal service called Simple Token Service (STS). A role is attached to an EC2 instance for example. And if the right policy is attached to that role, the EC2 instance can request to get temporary credentials to make an API call to another service. All of this happens behind the scenes.
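The setup described in this answer, as an added example that is not part of the original answer: the two policy documents for an EC2 role limited to sending mail, and a boto3 call that passes no keys and relies on the instance role. The function names, region and identity ARN are assumptions made for illustration, and the send-only policy is a narrower alternative to AmazonSESFullAccess.

```python
import json

# Assumed values for illustration: replace with your own region and verified identity.
REGION = "us-east-1"
IDENTITY_ARN = "arn:aws:ses:us-east-1:111122223333:identity/example.com"  # constructed


def trust_policy():
    """Trust policy: WHO may assume the role (here, the EC2 service)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def ses_send_only_policy(identity_arn=IDENTITY_ARN):
    """Permissions policy: WHAT the role may do. Narrower than AmazonSESFullAccess."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": identity_arn,
        }],
    }


def send_mail(sender, recipient, subject, body, region=REGION):
    """Send via SES using the instance role; no keys are passed or stored."""
    import boto3  # imported here so the policy helpers work without boto3 installed
    # With no explicit keys, boto3's credential chain falls through to the
    # instance metadata service and refreshes the temporary credentials itself.
    ses = boto3.client("ses", region_name=region)
    resp = ses.send_email(
        Source=sender,
        Destination={"ToAddresses": [recipient]},
        Message={"Subject": {"Data": subject},
                 "Body": {"Text": {"Data": body}}},
    )
    return resp["MessageId"]


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(ses_send_only_policy(), indent=2))
```

Running the file prints both documents for pasting into the IAM console; `send_mail` only works where a role carrying the permissions policy is attached to the instance.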
