AWS:为SES不工作IAM用户策略 [英] AWS: IAM user policies for SES not working
问题描述
我想我的服务器上运行下面的PHP code:
要求aws_sdk_php / AWS-autoloader.php;
使用AWS \经济局局长\ SesClient;
回声teste1;
$客户端= SesClient ::工厂(阵列(
'键'=> XXXXX,
秘密=> YYYYY,
'区域'=> 我们东-1'
));
回声teste2;
回声$客户 - > listIdentities();
回声teste3;
回声$客户 - > verifyEmailIdentity(阵列(
EmailAddress的'=> my_email@gmail.com
));
我创建了一个用户有权限发送使用SMTP电子邮件(SES:SendRawEmail)和它的作品就好了。然而,listIdentities和verifyEmailIdentity只要求工作时,我承认SES完全访问权限,或者使用全凭据的帐户。
如果我只添加SES:ListIdentities和SES:VerifyEmailIdentity同一个用户,我得到一个403错误说的签名不匹配。任何人有任何想法是怎么回事?我一定要添加其他权限/政策授权访问这个电话?
我也跑在IAM策略模拟器此权限,他们通过在分别设置他们,但是我收到一个拒绝后,我把他们赶走。
谢谢!
更新:根据这个<一个href="http://stackoverflow.com/questions/22459155/ses-aws-error-$c$c-signaturedoesnotmatch-status-$c$c-403">SES AWS错误code:SignatureDoesNotMatch,状态code:403 也许修复程序我应该调整的时候我的EC2服务器上,但我怎么能发现什么时候是它,因为我不SES服务器'T有机会获得他们?
UPDATE2:看起来的diferent时间的情况下不,因为我跑在北弗吉尼亚州的一个服务器上的code,得到了相同的结果。权限传递的模拟器。有什么建议?
[...]也许修复程序我应该调整我的EC2服务器上的时间,但我怎么能发现什么时候是它的SES的服务器,因为我没有与他们接触?
而时钟偏差在杰里米·林德布洛姆的回答提到意味着时间您的服务器上没有充分与同步协调世界时(UTC)的在的减去时区偏移量,也就是你实际上并不需要知道时间对亚马逊SES 服务器(这肯定只是UTC虽然) ,而只是确保自己的系统与UTC太(不管你是在什么时区)同步 - 见我的回答同步本地的Debian时间与亚马逊Debian的实例(RDS)MDT为UTC 了解关于这个问题,以及如何详细解决这个让Debian / GNU RESP。 Ubuntu系统:
[...]这是很容易通过安装网络时间协议补救(NTP)守护进程自动设置的作为Debian的的日期时间,这可以归结为命令和apt-get安装NTP和编辑/etc/ntp.conf中目标更加的本地NTP服务器源,获取最佳的效果。
I'm trying to run the following PHP code on my server:
require 'aws_sdk_php/aws-autoloader.php';
use Aws\Ses\SesClient;
echo 'teste1';
$client = SesClient::factory(array(
'key' => 'xxxxx',
'secret' => 'yyyyy',
'region' => 'us-east-1'
));
echo 'teste2';
echo $client->listIdentities();
echo 'teste3';
echo $client->verifyEmailIdentity(array(
'EmailAddress' => 'my_email@gmail.com'
));
I created a user with permission to send emails using SMTP (ses:SendRawEmail) and it works just fine. However the "listIdentities" and "verifyEmailIdentity" calls only works when I grant SES Full Access permission or use full credentials for the account.
If I add only "ses:ListIdentities" and "ses:VerifyEmailIdentity" to the same user, I get a 403 error saying the signature not match. Anybody have any idea what's going on? Do I have to add other permissions/policies to grant access to this calls?
I also ran this permissions on the IAM Policy Simulator and they passed when they were set, but I received a "denied" after I removed them.
Thanks!
Update: According to this SES AWS Error Code: SignatureDoesNotMatch, Status Code: 403 MAYBE the fix is I should adjust the time on my EC2 server, but how can I found out what time is it on SES servers since I don't have access to them?
Update2: Doesn't seem like a case of diferent time, as I ran the code on a server on North Virginia and got the same results. Permissions passed on the simulator. Any suggestions?
[...] MAYBE the fix is I should adjust the time on my EC2 server, but how can I found out what time is it on SES servers since I don't have access to them?
The "clock skew" mentioned in Jeremy Lindblom's answer means that the time on your server isn't sufficiently synchronized with Coordinated Universal Time (UTC) after subtracting the timezone offset, i.e. you do not actually need to know the time on the Amazon SES servers (which most certainly is simply UTC though), rather just ensure that your own system is synchronized with UTC too (no matter what timezone you are in) - see my answer to synchronize local Debian time with amazon Debian instances (RDS) MDT to UTC for more details on the subject and how to resolve this for a Debian/GNU resp. Ubuntu system:
[...] This is easily remedied by installing a Network Time Protocol (NTP) daemon to Set the time automatically as explained in Debian's DateTime, which boils down to sudo apt-get install ntp and editing /etc/ntp.conf to target more local NTP server sources for optimal results.
这篇关于AWS:为SES不工作IAM用户策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
