IAM role for sending email with Amazon SES - Amazon Pinpoint

IAM role for sending email with Amazon SES

Amazon Pinpoint uses your Amazon SES resources to send email for your campaign or journey. Before Amazon Pinpoint can use your Amazon SES resources to send email, you must grant the required permissions to Amazon Pinpoint. Your account must have the iam:PutRolePolicy and iam:UpdateAssumeRolePolicy permissions to update or create IAM roles.

The Amazon Pinpoint console can automatically create an AWS Identity and Access Management (IAM) role with the required permissions. For more information, see Creating an email orchestration sending role in the Amazon Pinpoint User Guide.

If you want to create the role manually, attach the following policies to the role:

  • A permissions policy that grants Amazon Pinpoint access to your Amazon SES resources.

  • A trust policy that allows Amazon Pinpoint to assume the role.

After you create the role, you can configure Amazon Pinpoint to use your Amazon SES resources.

You can test IAM policies with the IAM policy simulator. For more information, see Testing IAM policies with the IAM policy simulator in the IAM User Guide.

Creating the IAM role (AWS Management Console)

Complete the following steps to manually create an IAM role for your campaign or journey to send email.

  1. Create a new permission policy by following the directions in Creating policies using the JSON editor in the IAM User Guide.

    1. In step 5, use the following permission policy for the IAM role.

      • Replace partition with the partition that the resource is in. For standard AWS Regions, the partition is aws. If you have resources in other partitions, the partition is aws-partitionname. For example, the partition for resources in the AWS GovCloud (US-West) is aws-us-gov.

      • Replace region with the name of the AWS Region that hosts the Amazon Pinpoint project.

      • Replace accountId with the unique ID for your AWS account.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "PinpointUsesSESForEmailSends", "Effect": "Allow", "Action": [ "ses:SendEmail", "ses:SendRawEmail" ], "Resource": [ "arn:partition:ses:region:accountId:identity/*", "arn:partition:ses:region:accountId:configuration-set/*" ] } ] }
  2. Create a new trust policy by following the directions in Creating a role using custom trust policies in the IAM User Guide.

    1. In step 4, use the following trust policy.

      • Replace accountId with the unique ID for your AWS account.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPinpoint", "Effect": "Allow", "Principal": { "Service": "pinpoint.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "accountId" } } } ] }
    2. In step 11, add the permission policy that you created in the previous step.