copyObject() returned error AccessDenied #129

andy1723 opened this issue Dec 20, 2020 · 6 comments

Comments

@andy1723

Hello,

I have a forwarder set up and SES can receive an email that goes to S3; however, it gives an error trying to actually forward it from S3.

I've got the following:

```
2020-12-20T02:31:20.643Z ba3e963c-5f0b-4ced-b76c-1317e4e9d726 INFO {
  level: 'error',
  message: 'copyObject() returned error:',
  error: AccessDenied: Access Denied
      at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:700:35)
      at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
      at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
      at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)
      at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
      at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
      at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
      at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
      at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)
      at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
    code: 'AccessDenied',
    region: null,
    time: 2020-12-20T02:31:20.585Z,
    requestId: 'F25E4F498D1C6244',
    extendedRequestId: 'K2IliBX/07z9D+KGHNV9lLBuui5SYlNBrM7A+qJc4DEaouD+p8sLmZpWF84Go50SUCgkJbIoYw4=',
    cfId: undefined,
    statusCode: 403,
    retryable: false,
    retryDelay: 83.20931364167198 },
  stack: 'AccessDenied: Access Denied\n' +
    '    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:700:35)\n' +
    '    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)\n' +
    '    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)\n' +
    '    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)\n' +
    '    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)\n' +
    '    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)\n' +
    '    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10\n' +
    '    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)\n' +
    '    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)\n' +
    '    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)'}
```

My function config:

```js
var defaultConfig = {
  fromEmail: "[email protected]",
  subjectPrefix: "",
  emailBucket: "ses-forwarding-bucket",
  emailKeyPrefix: "emails/",
  allowPlusSign: true,
  forwardMapping: {
    "[email protected]": [
      "[email protected]"
    ]
  }
};
```

Function resource-based policy:

```json
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "allowSesInvoke",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:77777777777:function:SesForwarder",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "77777777777"
        }
      }
    }
  ]
}
```

Lambda basic execution role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::ses-forwarding-bucket/*"
    }
  ]
}
```

S3 permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSESPuts",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::ses-forwarding-hlw/*",
      "Condition": {
        "StringEquals": {
          "aws:Referer": "484134253961"
        }
      }
    }
  ]
}
```

Any advice on how to troubleshoot will be appreciated.

@Cillu

Cillu commented Jan 18, 2021

Hey, I'm not sure if you still need help with this, but I was also stuck on the same thing and it turns out it was because I deleted the 'emailKeyPrefix' attribute within index.js. Please refer to this old thread here: #64 (comment)

@andy1723

Hi Cillu. Hey, thanks for posting this. I have my 'emailKeyPrefix' in place, and I've tried it empty as well as with "mail /" to no avail. Must be something else. Thank you anyway.

@ds00424

ds00424 commented Mar 14, 2021

I had the same copyObject Access Denied issue. Turns out that in the policy for the Lambda role, I forgot to put in my S3 bucket name. Once I fixed that, it worked (well, I moved on to the next issue, having to do with still being sandboxed). HTH.

@davidbeckonline

Politely reviving this thread:
I am running into the issue described. Permissions for S3 and Lambda seem to be in line with the documentation. Attached below.

Any other ideas, what might be causing this issue?

===

1/ Config Section:

```js
var defaultConfig = {
  fromEmail: "[email protected]",
  subjectPrefix: "",
  emailBucket: "some-bucket-email",
  emailKeyPrefix: "emailsPrefix/",
  allowPlusSign: true,
  forwardMapping: {
    "[email protected]": [
      "[email protected]"
    ]
  }
};
```


2/ Policy for Lambda Execution Role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::some-bucket-email/*"
    }
  ]
}
```


3/ S3 Bucket Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GiveSESPermissionToWriteEmail",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::some-bucket-email/*",
      "Condition": {
        "StringEquals": {
          "aws:Referer": "123123123123"
        }
      }
    }
  ]
}
```

@ds00424

ds00424 commented Aug 2, 2021

Comparing to mine, here are some differences I see. Not sure if any are causing your issue.

  • Lambda Execution Role: your ses:SendRawEmail Resource is blank. Mine is "*" (maybe this is the issue?).
  • Lambda Execution Role: along with ses:SendRawEmail, my Action includes ses:SendEmail.
  • Lambda Execution Role: PutObject/GetObject Resource: mine includes the emailPrefix, i.e., "arn:aws:s3:::some-bucket-email/emailsPrefix/*". But I think "some-bucket-email/*" should cover it.
  • Your S3 Bucket policy as shown in the post is missing the last '}' - I assume just a copy/paste issue.
  • S3 Bucket policy: I assume your aws:Referer is correct and not "123123123123".

HTH

@davidbeckonline

davidbeckonline commented Aug 3, 2021

It turned out that the emailKeyPrefix in the config of the Lambda function caused the access issues.
Thank you very much for that hint!

Below is the setup (with prefix), which I am running successfully now.
If you decide to use a prefix (as I do), this also needs to be considered in the SES Rule Set.

===

1/ Config Section:

```js
var defaultConfig = {
  fromEmail: "[email protected]",
  subjectPrefix: "",
  emailBucket: "someones-email",
  emailKeyPrefix: "emails/",
  allowPlusSign: true,
  forwardMapping: {
    "[email protected]": [
      "[email protected]"
    ]
  }
};
```

2/ Policy for Lambda Execution Role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:1234567:*"
    },
    {
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::someones-email/emails/*"
    }
  ]
}
```
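The recurring cause in this thread is that the object key the forwarder copies (`emailKeyPrefix` + message id) falls outside the S3 `Resource` the Lambda role grants. The following offline check, added here as an example and not code from the thread or the aws-lambda-ses-forwarder project, evaluates the role policy against that key with IAM-style wildcard matching and explicit-Deny precedence; it assumes copyObject reads and writes the same key `emailKeyPrefix + messageId`, and it ignores `Condition` blocks.

```python
import re

def iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' one character, rest literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action on one resource ARN.
    Only Effect/Action/Resource are evaluated; Condition blocks are not modelled."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        act_ok = any(iam_match(a, action) for a in _as_list(stmt.get("Action", [])))
        res_ok = any(iam_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins over any Allow
            decision = "Allow"
    return decision

def check_forwarder(config: dict, role_policy: dict, message_id: str = "MESSAGE-ID") -> list:
    """List the actions copyObject needs on the stored email that the role does not Allow.
    Assumption: the forwarder copies emailKeyPrefix + messageId onto the same key."""
    key_arn = f"arn:aws:s3:::{config['emailBucket']}/{config['emailKeyPrefix']}{message_id}"
    return [a for a in ("s3:GetObject", "s3:PutObject")
            if evaluate(role_policy, a, key_arn) != "Allow"]

# Constructed from the working role policy and config posted above
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::someones-email/emails/*"},
    ],
}
WORKING_CONFIG = {"emailBucket": "someones-email", "emailKeyPrefix": "emails/"}
# Constructed failure: a config prefix the role's Resource does not cover
BROKEN_CONFIG = {"emailBucket": "someones-email", "emailKeyPrefix": "inbox/"}

if __name__ == "__main__":
    print("working:", check_forwarder(WORKING_CONFIG, ROLE_POLICY))  # []
    print("broken: ", check_forwarder(BROKEN_CONFIG, ROLE_POLICY))   # ['s3:GetObject', 's3:PutObject']
```

Feeding the role policy and `defaultConfig` from a deployment into `check_forwarder` reproduces the AccessDenied condition before the first email is received, without calling AWS.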
