I have an application in Laravel 8 and I configured aws/aws-sdk-php to send email with SES, and everything was working perfectly until I installed league/flysystem-aws-s3-v3.
The error is the following:
Error executing "SendRawEmail" on "https://email.sa-east-1.amazonaws.com";
AWS HTTP error: Client error: `POST https://email.sa-east-1.amazonaws.com` resulted in a `403 Forbidden` response: <ErrorResponse xmlns="http://ses.amazonaws.com/doc/2010-12-01/"> <Error> <Type>Sender</Type> <Code>AccessDenie (truncated...) AccessDenied (client): User `arn:aws:iam::684414359630:user/laravel_s3' is not authorized to perform `ses:SendRawEmail' on resource `arn:aws:ses:sa-east-1:684414359630:identity/[email protected]' - <ErrorResponse xmlns="http://ses.amazonaws.com/doc/2010-12-01/"> <Error> <Type>Sender</Type> <Code>AccessDenied</Code> <Message>User `arn:aws:iam::684414359630:user/laravel_s3' is not authorized to perform `ses:SendRawEmail' on resource `arn:aws:ses:sa-east-1:684414359630:identity/[email protected]'</Message> </Error> <RequestId>1721b50a-14b8-43ef-ae8b-173a2de0f295</RequestId> </ErrorResponse>
From what I can understand, when sending an email aws/aws-sdk-php is taking the user created for league/flysystem-aws-s3-v3.
The credentials for the two functionalities are saved in my .env file.
For aws/aws-sdk-php
MAIL_MAILER=ses
MAIL_HOST=email-smtp.us-east-1.amazonaws.com
MAIL_PORT=587
MAIL_USERNAME=AKIAZ6WS-----UNOF (email_laravel user in IAM)
MAIL_PASSWORD=BMdl/Up2WPWOFpfX+fsDn------9luDWSrYWVFtmtHTkR/
MAIL_ENCRYPTION=tls
[email protected]
MAIL_FROM_NAME="${APP_NAME}"
For league/flysystem-aws-s3-v3
AWS_ACCESS_KEY_ID=AKIAZ6WSG-----P4KH (Laravel_s3 user in IAM)
AWS_SECRET_ACCESS_KEY=vv3NnsRc1------u8h1Ie6XyQoQC5nFRYwk6nPC
AWS_DEFAULT_REGION=sa-east-1
AWS_BUCKET=app-g12brasil-local
AWS_URL=https://app-g12brasil-local.s3.sa-east-1.amazonaws.com/
Could someone tell me why aws/aws-sdk-php is taking the KEY_ID from league/flysystem-aws-s3-v3, since the error shows that the user "Laravel_S3" is not authorized and that user is not the one configured to send emails?
The configuration definition for SES found in config/mail.php does not use the mail keys you mention, unless you are using SES via SMTP (but in your code you are using IAM credentials).
The actual SES configuration is in config/services.php. There it says that the SES service uses exactly the credentials that you are redefining for S3.
For your use case, it sounds to me that the healthiest thing is to define the ses configuration in config/mail.php and that of S3 in config/filesystems.php (using a different prefix to avoid name scope, otherwise it doesn't make much sense...).
Another option is to give S3 and SES permission to the IAM user, but sooner or later you will run into a use case where you have to separate permissions and the later that happens the harder it is to audit where what is used.
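The separation the answer recommends, shown as an added example (not the asker's or the answerer's own files) on the `ses` entry of config/services.php, the file the answer names as the place the SES credentials are read from. The `SES_*` variable names are hypothetical and every value is a placeholder.

```php
// .env (placeholders, one IAM user per service)
//   SES_ACCESS_KEY_ID=<access key of the IAM user allowed ses:SendRawEmail>
//   SES_SECRET_ACCESS_KEY=<that user's secret>
//   SES_REGION=sa-east-1
//   AWS_ACCESS_KEY_ID=<access key of the S3-only IAM user>
//   AWS_SECRET_ACCESS_KEY=<that user's secret>
//   AWS_DEFAULT_REGION=sa-east-1

// config/services.php, BEFORE (Laravel default): SES reads the same AWS_*
// pair as the s3 disk, so redefining AWS_* for S3 silently changes the
// identity that sends mail. MAIL_USERNAME / MAIL_PASSWORD are not consulted
// when MAIL_MAILER=ses.
'ses' => [
    'key'    => env('AWS_ACCESS_KEY_ID'),
    'secret' => env('AWS_SECRET_ACCESS_KEY'),
    'region' => env('AWS_DEFAULT_REGION', 'us-east-1'),
],

// config/services.php, AFTER: SES has its own prefix (hypothetical names),
// so each key pair maps to one IAM user with one set of permissions.
'ses' => [
    'key'    => env('SES_ACCESS_KEY_ID'),
    'secret' => env('SES_SECRET_ACCESS_KEY'),
    'region' => env('SES_REGION', 'sa-east-1'),
],

// config/filesystems.php, unchanged: the s3 disk keeps the AWS_* variables,
// which now belong to the S3-only user.
's3' => [
    'driver' => 's3',
    'key'    => env('AWS_ACCESS_KEY_ID'),
    'secret' => env('AWS_SECRET_ACCESS_KEY'),
    'region' => env('AWS_DEFAULT_REGION'),
    'bucket' => env('AWS_BUCKET'),
    'url'    => env('AWS_URL'),
],
```

If the configuration has been cached, run `php artisan config:clear` so the new variables are picked up.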