In this guide you will learn how to setup Amazon SES and connect it to Semplates. This is an important requirement in order to publish and use templates in SES after designing them in Semplates. In this guide, we outline how to provide access to Semplates via role-based access control (RBAC).
Note: Semplates also supports connection via access and secret key as a legacy option. It's recommended though to use RBAC since its the more secure way of enabling cross-account access.
Enabling production mode
In case you are already using AWS SES and want to connect it with Semplates right away, you can skip the first step and move to the next section. If you do not have an AWS account yet, go and sign up for one here.
If you have not used SES before, you first have to get out of sandbox mode. To achieve this, log into the AWS console and go to the SES dashboard. First you will be asked to create an identity. For this, you need to verify a domain or email address that you wish to use for sending emails. Afterwards you will find a note, that you are still in sandbox mode (as in the below image) and that you have to request production mode access. Follow the description as stated there to achieve this step:
Creating a permission policy
Next, you need to grant Semplates access to AWS SES by setting up an identity-based policy that grants Semplates certain permissions. To do so navigate to IAM Policies page in the AWS Console and click Create policy in the upper right corner:
Next, you will need to copy the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GetCallerIdentity",
"Effect": "Allow",
"Action": [
"sts:GetCallerIdentity"
],
"Resource": "*"
},
{
"Sid": "SimulatePrincipalPolicy",
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy"
],
"Resource": "arn:aws:iam::123456789012:policy/YourPolicyName"
},
{
"Sid": "TemplateManagement",
"Effect": "Allow",
"Action": [
"ses:CreateTemplate",
"ses:DeleteTemplate",
"ses:GetTemplate",
"ses:UpdateTemplate",
"ses:ListTemplates"
],
"Resource": "*"
},
{
"Sid": "DomainManagement",
"Effect": "Allow",
"Action": [
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityMailFromDomainAttributes",
"ses:PutEmailIdentityDkimSigningAttributes",
"ses:SetIdentityMailFromDomain",
"ses:VerifyDomainIdentity",
"ses:VerifyDomainDkim"
],
"Resource": "*"
},
{
"Sid": "SenderAddressManagement",
"Effect": "Allow",
"Action": [
"ses:DeleteIdentity",
"ses:GetEmailIdentity",
"ses:GetIdentityVerificationAttributes",
"ses:VerifyEmailAddress",
"ses:VerifyEmailIdentity",
"ses:ListIdentities",
"ses:ListVerifiedEmailAddresses",
"ses:DeleteVerifiedEmailAddress"
],
"Resource": "*"
},
{
"Sid": "SendingStatistics",
"Effect": "Allow",
"Action": [
"ses:GetAccountSendingEnabled",
"ses:GetSendStatistics",
"ses:GetSendQuota"
],
"Resource": "*"
},
{
"Sid": "MailSending",
"Effect": "Allow",
"Action": [
"ses:SendEmail",
"ses:SendTemplatedEmail",
"ses:TestRenderTemplate"
],
"Resource": "*"
}
]
}
Paste it into the policy editor as shown on the following screenshot:
Finish the setup, by providing a descriptive name for the policy and saving the new policy:
Alternatively, you can skip the policy setup and use the pre-existing role AmazonSESFullAccess in the next step of the setup. This is though not recommended as it does follow the principle of least privileges. Thus, do not use AmazonSESFullAccess in production accounts.
Setting Up a Role
Continue the setup by creating a role that Semplates can assume to perform actions in your account on your behalf. For this navigate to the IAM Roles page and click Create role:
Set up the trust relationship by choosing Custom trust policy. Then, paste the following policy into the policy editor:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::744807968535:role/SemplatesExecutionRole"
},
"Action": "sts:AssumeRole"
}
]
}
Next, search and attach the permission policy that you created earlier:
Give the role a descriptive name, such as SemplatesManagementAccessRole, and provide an optional description. Review the role and trust policy to make sure everything is correct, then click on Create role:
After creating the role, AWS will take you to the summary page for your new role. On the summary page, you'll find the Role ARN. This is the unique identifier for the role you'll need to provide to Semplates in the next step. So copy the Role ARN to your clipboard:
Connecting with Semplates
You can either enter your information within the onboarding dialog or go to Settings > AWS Credentials and enter your Role ARN there. Make sure to use the correct region (the one AWS SES is located in). We will then validate your credentials.
A word on connecting multiple AWS SES accounts
One of the most exciting features of Semplates is the possibility to add multiple accounts and then duplicate templates between them. It allows you to smoothly support a couple of advanced usage patterns including:
- Managed AWS SES: If you manage AWS SES for a client (e.g. as an agency), you can design and test your templates in your own AWS SES account before duplicating them to your client.
- CI/CD Template Design: If you have multiple AWS accounts due to your development setup (e.g. develop, staging, production), then you can use Semplates to move your templates along, following the same process logic.
- Multi Region Architectures: Your architecture is spanning across multiple regions? If SES needs to be available redundantly for you, so do your templates!
Continue the setup
You have now successfully connected AWS SES with Semplates. Continue the setup by: