All SES-related functionality works on localhost when I run the NestJS application there, but whenever I deploy it in AWS EKS as a NodePort service alongside other NodePort services in the same Kubernetes cluster, SES access is denied.
Although everything appears to be running, including the service's health check, my SES-related requests in Postman return the following error:
[
  "Failed to list email templates",
  {
    "name": "AccessDenied",
    "$fault": "client",
    "$metadata": {
      "httpStatusCode": 403,
      "requestId": "99werewr43-we4-435f-563b-e3252sdfsf",
      "attempts": 1,
      "totalRetryDelay": 0
    },
    "Type": "Sender",
    "Code": "AccessDenied",
    "message": "User: arn:aws:sts::XXXXXXXXX:assumed-role/eksctl-demo-application-nodegroup-NodeInstanceRole-1HO2384034FJ/i-e390239328wwrer is not authorized to perform: ses:ListTemplates because no identity-based policy allows the ses:ListTemplates action"
  }
]
My .env is as follows:
PORT=3003
SES_ACCESS_KEY=AWBFLDKLJFLKJKJDFDJKFJ
SES_SECRET_KEY=wqeriopisdfkjeroijfdsnlfierjiwejdfsdf/
SES_REGION=eu-west-2
SES_SENDER=[email protected]
SES client:
import { SESClient } from "@aws-sdk/client-ses";

// The SDK v3 option is `credentials` (plural). With the original misspelling
// `credential:` the option was silently ignored, so the client fell back to the
// default credential provider chain, which inside EKS resolves to the node
// instance role.
const SES_CONFIG = {
  credentials: {
    accessKeyId: process.env.SES_ACCESS_KEY,
    secretAccessKey: process.env.SES_SECRET_KEY,
  },
  region: process.env.SES_REGION,
};

// Create SES service object.
// const sesClient = new SESClient({ region: process.env.SES_REGION });
const sesClient = new SESClient(SES_CONFIG);
export { sesClient };
The IAM user role associated with the access key and secret above:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:*"
      ],
      "Resource": "*"
    }
  ]
}
The deployed Kubernetes manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-deployment
  labels:
    app: demo-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      containers:
        - name: demo-app
          image: XXXXXXX.dkr.ecr.eu-west-2.amazonaws.com/demo-app
          imagePullPolicy: Always
          env:
            - name: SES_ACCESS_KEY
              value: AWBFLDKLJFLKJKJDFDJKFJ
            - name: SES_SECRET_KEY
              value: 'wqeriopisdfkjeroijfdsnlfierjiwejdfsdf/'
            - name: SES_REGION
              value: eu-west-2
            - name: SES_SENDER
              value: [email protected]
---
apiVersion: v1
kind: Service
metadata:
  name: demo-app-srv
  labels:
    app: demo-app
spec:
  type: NodePort
  selector:
    app: demo-app
  ports:
    - name: demo-app
      protocol: TCP
      port: 3003
      targetPort: 3003
I don't understand how to grant permissions to the node group named in the error message:
"message": "User: arn:aws:sts::XXXXXXXXX:assumed-role/eksctl-demo-application-nodegroup-NodeInstanceRole-1HO2384034FJ/i-e390239328wwrer is not authorized to perform: ses:ListTemplates because no identity-based policy allows the ses:ListTemplates action"
Or is there something else I'm missing? Any help would be appreciated.
Keep in mind that you need to create a service account linked to your role. My example is written in Python, but it should be easy to convert to Node:
from aws_cdk import aws_iam as iam  # CDK v2 import; `self`, `cluster` and `role_name` come from the surrounding stack

# Principal that trusts the cluster's OIDC provider, so pods can assume the role via web identity
oidc_principal = iam.OpenIdConnectPrincipal(cluster.open_id_connect_provider)
role = iam.Role(
    self,
    id=role_name,
    role_name=role_name,
    assumed_by=oidc_principal,
)
That code seems to be missing from your stack, and then you need to add the service account to your pod.
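The answer describes IAM Roles for Service Accounts (IRSA): a role trusted by the cluster's OIDC provider, a service account linked to it, and that service account on the pod. The following is an added example, not code from the question or the answer: it builds the narrow trust policy such a role needs and runs a pod-side check that the identity the SDK will actually use is the service-account role rather than the node instance role named in the AccessDenied error. The role ARN, account id, OIDC issuer and token path are constructed placeholders; the environment variable names are the ones the EKS pod identity webhook injects.

```javascript
// Trust policy the IAM role needs. Pinning "sub" to one service account in one
// namespace is the security-relevant part: a wildcard would let any pod in the
// cluster assume the role and inherit the ses:* permissions.
function buildIrsaTrustPolicy(oidcProviderArn, issuerHost, namespace, serviceAccount) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: oidcProviderArn },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: { StringEquals: {
        [`${issuerHost}:sub`]: `system:serviceaccount:${namespace}:${serviceAccount}`,
        [`${issuerHost}:aud`]: "sts.amazonaws.com",
      } },
    }],
  };
}

// Decode (without verifying) the projected service-account token to see which
// identity the pod will present to STS.
function tokenSubject(jwt) {
  const payload = jwt.split(".")[1];
  if (!payload) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(payload, "base64url").toString("utf8")).sub;
}

// Checks the variables the EKS pod identity webhook injects for an annotated
// service account. Without them, the SDK's default provider chain falls through
// to the node instance role, the principal named in the AccessDenied error.
function irsaDiagnostics(env, namespace, serviceAccount, readToken) {
  const problems = [];
  if (!env.AWS_ROLE_ARN) problems.push("AWS_ROLE_ARN unset: service account has no role-arn annotation");
  if (!env.AWS_WEB_IDENTITY_TOKEN_FILE) problems.push("AWS_WEB_IDENTITY_TOKEN_FILE unset: token not projected");
  if (env.AWS_ACCESS_KEY_ID || env.SES_ACCESS_KEY) problems.push("static access key in env: remove it so IRSA is used");
  if (problems.length === 0) {
    const sub = tokenSubject(readToken(env.AWS_WEB_IDENTITY_TOKEN_FILE));
    const expected = `system:serviceaccount:${namespace}:${serviceAccount}`;
    if (sub !== expected) problems.push(`token sub ${sub} != ${expected}`);
  }
  return problems;
}

// Constructed sample input (unsigned JWT, placeholder account id), not a real token.
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
const sampleToken = `${b64({ alg: "none" })}.${b64({ sub: "system:serviceaccount:default:demo-app", aud: ["sts.amazonaws.com"] })}.`;
const sampleEnv = { AWS_ROLE_ARN: "arn:aws:iam::123456789012:role/demo-app-ses-role", AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/eks.amazonaws.com/serviceaccount/token" };
console.log(irsaDiagnostics(sampleEnv, "default", "demo-app", () => sampleToken)); // []
```

On a real pod, pass `process.env` and `(p) => require("fs").readFileSync(p, "utf8")`; an empty list means the SDK, once the static SES_* keys are removed, will sign SES calls with the service-account role.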