aws-cdk-lib/aws-stepfunctions-tasks: sesv2 task does not grant ses:SendEmail permission

[concavegit]

Describe the bug

I am creating a state machine with a sesv2 task defined like

new tasks.CallAwsService(this, "placeholder", {
            service: "sesv2",
            action: "sendEmail",
            parameters: {
                FromEmailAddress: myEmailAddress,
                Destination: {
                    ToAddresses: recipients,
                },
                Content: {
                    Simple: {
                        Subject: {
                            Data: subject,
                        },
                        Body: {
                            Text: {
                                Data: body,
                            },
                        },
                    },
                },
            },
            iamResources: ["*"],
        });

If I try to run this step, I get the error

{
  "Error": "SesV2.SesV2Exception",
  "Cause": "User `<step_function_role>' is not authorized to perform `ses:SendEmail' on resource `<ses_identity_arn>' (Service: SesV2, Status Code: 403, Request ID: requestId)"
}

This is because the resulting step function CDK added this permission for the task

		{
			"Action": "sesv2:sendEmail",
			"Resource": "*",
			"Effect": "Allow"
		},

This should have been ses:sendEmail, which causes the error.

Expected Behavior

the sesv2 task successfully sends an email

Current Behavior

permission error since CDK does not grant the step function role ses:sendEmail permission.

Reproduction Steps

Define a step function with step

new tasks.CallAwsService(this, "placeholder", {
            service: "sesv2",
            action: "sendEmail",
            parameters: {
                FromEmailAddress: myEmailAddress,
                Destination: {
                    ToAddresses: recipients,
                },
                Content: {
                    Simple: {
                        Subject: {
                            Data: subject,
                        },
                        Body: {
                            Text: {
                                Data: body,
                            },
                        },
                    },
                },
            },
            iamResources: ["*"],
        });

You will find that the step function does not have ses:sendEmail permission and will run into the above error.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.130.0

Framework Version

No response

Node.js Version

6.14.17

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

[concavegit]

Note that sesv2:sendEmail is not a valid permission

[acbellini]

I think this is WAI. Both ses and sesv2 use the same actions, so you need to add:

iamAction: "ses:SendEmail"
to your definition. Per the iamAction docs:

Use in the case where the IAM action name does not match with the API service/action name

[concavegit]

Got it, thanks!

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[aws-cdk-automation]

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.