I'm trying to figure out if there is a way to send an SES email from a Linux EC2 instance through AWS CLI. I looked at some examples saying that it's better to use SMTP, saying SES would work but no details behind, or some saying it's not possible.
I have tried this:
aws ses send-raw-email --from-arn arn:aws:ec2:<REGION>:<ACCOUNT_ID>:instance/<instance-id> --destinations <list>
but I didn't get anything.
As per the help page of send-raw-email aws ses send-raw-email help, parameter --from-arn is the resource name of the verified identity you configure in SES.
This parameter is used only for sending authorization. It is the ARN of the identity that is associated with the sending authorization
policy that permits you to specify a particular "From" address in
the header of the raw email.
More importantly it is not the ARN of the EC2 instance from which you are invoking the CLI.
Consider the examples below:
Without parameter --from-arn, instead using --source
% aws ses send-raw-email --source saini001#gmail.com --destinations saini001#gmail.com --raw-message file://email.json --cli-binary-format raw-in-base64-out
{
"MessageId": "0100017fc8dc8fbd-34f5bf83-ac26-4bd5-aa69-7358d96d925a-000000"
}
Using --from-arn
% aws ses send-raw-email --from-arn arn:aws:ses:us-region-x:xxxxx:identity/saini001#gmail.com --destinations saini001#gmail.com --raw-message file://email.json --cli-binary-format raw-in-base64-out
{
"MessageId": "0100017fc8df4fd7-3c21d871-3883-4d4c-8c82-17cbfd479e5f-000000"
}
In both cases, SES sent email to the specified destination.
Related
I have an ec2 instance with a instance profile attached to it. This instance profile has permissions to publish messages to a sns topic. When I remote into the ec2 instance and issue a command like
aws sns publish --topic-arn topic_arn --message hello
This works.
Now I'm trying to do the same with a simple curl command and this is what I use after remoting into the ec2 instance
curl "https://sns.us-west-2.amazonaws.com/?Message=hello&Action=Publish&TargetArn=topic_arn"
I get the following error
<Code>MissingAuthenticationToken</Code>
<Message>Request is missing Authentication Token</Message>
I was hoping that the curl would attach the instance profile details when sending the request (like when using the aws cli) but it does not seem to do so. Does anyone know how I can overcome this ?
When you do:
curl "https://sns.us-west-2.amazonaws.com/?Message=hello&Action=Publish&TargetArn=topic_arn"
you are directly making a request to the SNS endpoint. Which means that you have to sign your request with AWS credentials from your instance profile. If you don't want to use AWS CLI or any AWS SDK for accessing the SNS, you have to program the entire signature procedure yourself as described in the docs.
That's why, when you are using AWS CLI
aws sns publish --topic-arn topic_arn --message hello
everything works, because the AWS CLI makes a signed request to the SNS endpoint on your behalf.
I'm newbie in AWS IoT and now try to play around with existing resources to understand the main concept.
I faced with an odd behaviour while using aws iot-data command trying to publish data into one of AWS reserved topics.
Let's say I want to update named Shadow called stubShadow of some stub thing (I'm using Test tab in the AWS IoT Dashboard):
aws iot-data update-thing-shadow --thing-name stub --shadow-name stubShadow \
--cli-binary-format raw-in-base64-out \
--payload '{"state":{"desired":{"ColorRGB":[0,11,11]}},"clientToken":"21b21b21-bfd2-4279-8c65-e2f697ff4fab"}' /dev/stdout
and it works pretty well, I can observe $aws/things/stub/shadow/name/stubShadow/update/accepted topic for updates.
Now I want to publish a message using topic argument. Here is an example:
aws iot-data publish --topic "$aws/things/stub/shadow/name/stubShadow/update" \
--cli-binary-format raw-in-base64-out \
--payload '{"state":{"reported":{"ColorRGB":[0,11,11]}},"clientToken":"21b21b21-bfd2-4279-8c65-e2f697ff4fab"}'
and nothing happens...
I wonder what's wrong with this command with sending direct message to a AWS Service topic? Am I miss something? Because for regular (manually created) topics it works well.
As the document says,
payload is the base64 encoded representation of stringify json message
{"state":{"reported":{"ColorRGB":[0,11,11]}}}
console.log(btoa(JSON.stringify({"state":{"reported":{"ColorRGB":[0,11,11]}}})))
payload : eyJzdGF0ZSI6eyJyZXBvcnRlZCI6eyJDb2xvclJHQiI6WzAsMTEsMTFdfX19
aws iot-data publish --topic "$aws/things/stub/shadow/name/stubShadow/update" --payload 'eyJzdGF0ZSI6eyJyZXBvcnRlZCI6eyJDb2xvclJHQiI6WzAsMTEsMTFdfX19'
When Using CLI, If you publish message, it wont reflect in shadow document. While when you give command Update Shadow- you can see the change in shadow.
This we recently observed while using MQTT Test client of AWS. Just open AWS IOT Core console and go to test client and subscribe to the topic that you are publishing.
You will observe Publish message is coming
I need to get a list of the IAM policies attached to an AWS IoT Thing's certificate, in way that is script/automation-friendly. I have searched through the documentation website and the man pages, but didn't find a command that seemed to achieve this (e.g.: aws iot describe-certificate does not include this in it output).
Is there a way to achieve this with the AWS CLI?
You can get thing's certificate and policy attached to that certificate by running the following two commands of AWS CLI:
aws iot list-thing-principals --thing-name [Name of your IoT Thing]. This command will return the Certificate ARN attached to your thing.
aws iot list-principal-policies --principal [Certificate ARN]. This command will return the policies attached to the certificate.
I assume you actually mean IoT policies. Use the list-principal-policies api call to list the IoT policies attached to a certificate.
I created simple Lambda function for processing Amazon SES incoming email.
Function works, testing it with SES data works from Lambda editing panel.
When trying to create SES email receiving rule always getting identical errors:
Invalid Lambda function:
arn:aws:lambda:region:userid:function:functionname
(Request ID: requestid)
Tried to add roles for this lambda via command line:
aws lambda add-permission
--function-name arn:aws:lambda:region:userid:function:functionname
--statement-id=GiveSESPermissionToInvokeFunction
--principal=ses.amazonaws.com
--action=lambda:InvokeFunction
--source-account=userid
--region "region"
role is added successfully, but it's not helping.
The Lambda function needs to be in the same AWS region as you are configuring the SES rule in.
When using STS to assume a role, in the AWS SDKs (Java, for example), we have shaved valuable seconds off the operation by selecting the 'local' STS endpoint for the region our code is executing in (e.g. https://sts.eu-west-2.amazonaws.com).
Is it possible to do the same from the CLI (aws sts assume-role ...? There doesn't seem to be an option to override the default endpoint in the documentation.
Take a look at: Activating and Deactivating AWS STS in an AWS Region and enable the region endpoint you want to connect to.
--region (string)
is common for all AWS CLI commands. Once you enable additional endpoints, you can use --region (string) to override the default endpoint.