Document the required IAM permissions for SES email transport to work #618
Description
Describe the Bug
It would be super helpful if the email config page includes, or references, the required IAM policy actions and resources required for `EMAIL_TRANSPORT: ses` to work, so that administrators can set very narrow IAM permissions boundaries. Through trial and error I discovered that the SES transport requires:

Actions:

- `ses:GetAccount`
- `ses:SendRawEmail`

Resources:

- An identity that matches/includes the `EMAIL_FROM` address, but also:
- An identity in the `EMAIL_SES_REGION` for `invalid@invalid` (🤷)

...for both email sending and the email health checks to work. Until I added that, password reset emails were sent out successfully but the `/server/health/` endpoint returned a nondescript error response:
```json
{
  "errors": [
    {
      "message": "Converting circular structure to JSON\n --> starting at object with constructor 'IncomingMessage'\n | property 'req' -> object with constructor 'ClientRequest'\n --- property 'res' closes the circle",
      "extensions": {
        "code": "INTERNAL_SERVER_ERROR"
      }
    }
  ]
}
```
In my case, adding the missing `ses:GetAccount` action and `invalid@invalid` resource to my IAM policy fixed this.
To Reproduce
1. Create an IAM policy with `ses:SendRawEmail` but not `ses:GetAccount` and not the `invalid@invalid` SES identity.
2. Set the `EMAIL_TRANSPORT` config value to `ses` and set the other required values.
3. Send a request to `/server/health/`.
4. Receive above error response.
5. Modify IAM permissions to include `ses:GetAccount` and the `invalid@invalid` identity.
6. Restart Directus instance and send another request to `/server/health`.
7. Receive OK.
Originally created at: directus/directus#27038
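A least-privilege IAM policy assembled from the two actions and two identities listed in this issue, added here as an example (it is not from the issue, the Directus documentation, or the Directus code base). It assumes placeholder values for the account ID and `EMAIL_SES_REGION`, that `EMAIL_FROM` is an address under a verified domain identity `example.com`, and that `ses:GetAccount`, which is not scoped to an identity, is granted on `Resource: "*"`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DirectusHealthCheckReadsAccountStatus",
      "Effect": "Allow",
      "Action": "ses:GetAccount",
      "Resource": "*"
    },
    {
      "Sid": "DirectusSendsMailFromVerifiedIdentitiesOnly",
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": [
        "arn:aws:ses:<EMAIL_SES_REGION>:<ACCOUNT_ID>:identity/example.com",
        "arn:aws:ses:<EMAIL_SES_REGION>:<ACCOUNT_ID>:identity/invalid@invalid"
      ]
    }
  ]
}
```

With this policy attached to the Directus instance's role, `/server/health/` should return OK per the steps above; if sending is still denied, confirm that the identity ARN matches the domain or address that is actually verified in `EMAIL_SES_REGION`.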