Add SES identity owners or "use verified SES-domains across accounts" #228

Merged
merged 2 commits into from
Sep 27, 2021

@mariusburfey mariusburfey commented Sep 27, 2021

User Story

As a devops-engineer I want to separate my environments from each other to keep my applications as secure as possible, as described in AWS best practices. I do not want to validate my SES-domains in all accounts, but I want to use "identity owners" to send mails from multiple accounts via one SES-domain: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization-delegate-sender-tasks-email.html

The result is: I have a lot of environments (PROD, TEST, STAGE, ...), which can send SES-mails from my one "SES-core-account", which contains my validated domains.

Solution

Identity Owners and Delegate Senders can do that:

As a delegate sender, you send emails the same way that other Amazon SES senders do, except that you provide the ARN of the identity that the identity owner has authorized you to use. When you call Amazon SES to send the email, Amazon SES checks to see if the identity that you specified has a policy that authorizes you to send for it.

This pull request includes the changes described in #227

fixes #227

@pcraciunoiu pcraciunoiu merged commit 3208999 into django-ses:master Sep 27, 2021
@mariusburfey mariusburfey deleted the feature/ses-identity-owners branch September 28, 2021 06:06

gposton commented Nov 1, 2021

Thanks @mariusburfey! So glad this is in!


gposton commented Nov 1, 2021

Hey @mariusburfey, are you currently using this feature? I believe I have everything set up as it should be, but it's still not honoring the sending ARNs. It does honor the region, but it's sending to the identities in the local account rather than the remote ARNs that I specified.

@mariusburfey
Contributor Author

Hey @gposton, I think we are not using it productively yet. But I tested it during development with one difference: I used a domain which was only defined in the account of the identity owner and not in the account of the delegate sender. This might be a difference?

Do you get errors about permissions or is it just "using the wrong account"?


gposton commented Nov 9, 2021

No errors.... just simply using the wrong account. That may be it tho.... in my case the domains were the same. AWS certainly goofed on their side if that's the case tho.


gposton commented Nov 9, 2021

I should also add that I was able to send correctly via the aws-cli with the same setup.... so maybe it's boto and not AWS. Would be interesting to dig into this, but I just ended up moving sending to the local accounts. 🤷

@mariusburfey
Contributor Author

I started using the feature (again) and verified that it works. But it took me some time to figure out that I need to set AWS_SES_SOURCE_ARN and AWS_SES_FROM_ARN, though the boto-docs state that the first one is sufficient.
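
An added example, not part of the thread or of django-ses: the identity owner's side of the setup discussed above, as a least-privilege sending-authorization policy with a check for over-broad grants, plus the ARNs a delegate sender passes. Account IDs, region, domain and all function names are constructed placeholders; it is assumed that `AWS_SES_SOURCE_ARN` and `AWS_SES_FROM_ARN` correspond to the `SourceArn` and `FromArn` arguments of boto3's `send_raw_email`.

```python
import json

# Constructed placeholder values (assumptions, not taken from the thread).
OWNER_ACCOUNT = "111111111111"                      # "SES core account" with the verified domain
SENDER_ACCOUNTS = ["222222222222", "333333333333"]  # e.g. PROD and TEST
REGION, DOMAIN = "eu-west-1", "example.com"
IDENTITY_ARN = f"arn:aws:ses:{REGION}:{OWNER_ACCOUNT}:identity/{DOMAIN}"


def sending_authorization_policy(identity_arn, sender_accounts, domain):
    """Policy the identity owner attaches to the verified identity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowDelegateSenders",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in sender_accounts]},
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": identity_arn,
            # Delegates may only use From addresses in the delegated domain.
            "Condition": {"StringLike": {"ses:FromAddress": f"*@{domain}"}},
        }],
    }


def policy_findings(policy, identity_arn):
    """Return the over-broad grants found in a sending-authorization policy."""
    findings = []
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        if "*" in ([aws] if isinstance(aws, str) else aws):
            findings.append("wildcard principal")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(a in ("*", "ses:*") for a in actions):
            findings.append("wildcard action")
        if st.get("Resource") != identity_arn:
            findings.append("resource is not the delegated identity")
    return findings


def delegate_send_kwargs(identity_arn, sender, recipients, raw_message):
    """Arguments a delegate sender passes to boto3 ses.send_raw_email()."""
    return {"Source": sender, "Destinations": recipients,
            "RawMessage": {"Data": raw_message},
            # Both ARNs are set, as the last comment above reports was necessary.
            "SourceArn": identity_arn, "FromArn": identity_arn}


# JSON string for ses.put_identity_policy(Identity=DOMAIN, PolicyName=..., Policy=POLICY_JSON)
POLICY_JSON = json.dumps(sending_authorization_policy(IDENTITY_ARN, SENDER_ACCOUNTS, DOMAIN))
```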

Successfully merging this pull request may close these issues.

Using SES across accounts with identity owner