How do I send an email through SES with temporary SES-specific credentials?

Updated: 2024-10-11 01:14:02

Problem description

This page shows how to send an email using SES. The example works by reading the credentials from ~/.aws/credentials, which are the root (yet "shared"??) credentials.

The documentation advises in various places against using the root credentials.

Acquiring temporary credentials using roles is mentioned as an option, yet assume_role() is not defined for SES client objects.

How do I send an email through SES with temporary SES-specific credentials?

Update

The context for my question is an application running on an EC2 instance.

Recommended answer

There are a few parts to this.

First you need an IAM policy. You can use one of the built-in policies, such as AmazonSESFullAccess, or you can create your own. The holder of a particular policy will be able to access the resources and actions defined in the policy. You can create this policy manually, or work through the AWS console and it will walk you through it. IAM --> Policies --> Create Policy

Secondly, you will need a role. Also, easily done in the console. IAM --> Roles --> Create role. Trusted entity is AWS service. Highlight EC2. In the next screen, select the policy you want to associate with this role. This is the policy you created above. If your EC2 already has a role, then you can add the IAM policy to this role. Assigning an IAM policy to a role is what they refer to as a trust policy.

Now any code that runs on your EC2 instance will be able to send messages to your SES service. The EC2 assumes the role assigned to it. And the SES policy is defined for that role. This will allow EC2 to get temporary credentials (behind the scenes).

The back story is as follows. Any API call to an AWS service needs to have a key and secret. When you make API calls from your local computer, you may use your personal key and secret (or even root ones). When you need to make API calls from another service, you do not have that key and secret. It would not be secure or practical to store the credentials on an EC2. Or even worse, in an S3 bucket. That is why AWS came up with the Role concept. Roles can request temporary credentials from an internal service called Simple Token Service (STS). A role is attached to an EC2 instance for example. And if the right policy is attached to that role, the EC2 instance can request to get temporary credentials to make an API call to another service. All of this happens behind the scenes.
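
The setup described in this answer, as an added example that is not part of the original answer: the two policy documents for the EC2 role, a check for wildcard grants, and a boto3 sender that passes no keys. The function names, the identity ARN format used with them, and the narrowing to ses:SendEmail and ses:SendRawEmail are assumptions of this example.

```python
# Added example: policy documents and sender for an EC2 instance role.
# ARNs, addresses and regions passed in are caller-supplied placeholders.

def ec2_trust_policy():
    """Trust policy: who may assume the role (here the EC2 service)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}

def ses_send_policy(identity_arn):
    """Permissions policy: only the two send actions, on one SES identity."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": identity_arn}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def broad_grants(policy):
    """Return Allow statements whose action or resource contains a wildcard."""
    found = []
    for st in policy["Statement"]:
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wild = any("*" in a for a in actions) or any("*" in r for r in resources)
        if st["Effect"] == "Allow" and wild:
            found.append(st)
    return found

def send_from_instance(sender, recipient, subject, body, region):
    """Send mail without passing keys. When no keys are set in the
    environment or ~/.aws/credentials, boto3's default credential chain
    falls through to the instance role's temporary credentials."""
    import boto3  # lazy import so the policy helpers run without boto3
    ses = boto3.client("ses", region_name=region)
    resp = ses.send_email(
        Source=sender,
        Destination={"ToAddresses": [recipient]},
        Message={"Subject": {"Data": subject},
                 "Body": {"Text": {"Data": body}}})
    return resp["MessageId"]
```

Running broad_grants() over a policy before attaching it to the role shows whether it grants more than sending mail from the one identity.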

Published: 2023-11-23 20:10:33
Article link: https://www.elefans.com/category/jswz/34/1622740.html