Amazon Cognito InvalidEmailRoleAccessPolicyException

The IAM role for sending email messages does not have the correct permissions.

Understanding Amazon Cognito

Amazon Cognito is a service provided by AWS that enables developers to add user sign-up, sign-in, and access control to their web and mobile applications quickly and easily. It supports authentication through social identity providers such as Facebook, Google, and Amazon, as well as enterprise identity providers via SAML 2.0.

Identifying the Symptom

When using Amazon Cognito, you might encounter the InvalidEmailRoleAccessPolicyException. This error typically occurs when attempting to send email messages through Cognito, but the necessary permissions are not correctly configured.

What You Observe

Developers often notice that email notifications are not being sent to users during sign-up or password recovery processes. The error message InvalidEmailRoleAccessPolicyException is logged, indicating a permissions issue.

Exploring the Issue

The InvalidEmailRoleAccessPolicyException is triggered when the IAM role associated with Amazon Cognito does not have the appropriate permissions to send email messages. This is crucial for operations like user verification and password resets, which rely on email communications.

Root Cause Analysis

The root cause of this issue is typically an incomplete or incorrect IAM policy attached to the role used by Amazon Cognito for sending emails. Without the correct permissions, Cognito cannot perform the necessary email operations.

Steps to Resolve the Issue

To resolve the InvalidEmailRoleAccessPolicyException, you need to update the IAM role policy to include the necessary permissions for sending email messages.

Step-by-Step Guide

  1. Log in to the AWS Management Console.
  2. Navigate to the IAM Dashboard.
  3. In the left navigation pane, select Roles.
  4. Find and select the IAM role associated with your Amazon Cognito user pool.
  5. Under the Permissions tab, click Add inline policy.
  6. Choose the JSON tab and enter the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ses:SendEmail",
          "Resource": "*"
        }
      ]
    }

  7. Review the policy and click Review policy.
  8. Provide a name for the policy and click Create policy.
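
The check below is an added example, not part of the original guide or of any AWS tooling. It lints a policy document such as the one in step 6 before you attach it: it confirms that the policy grants ses:SendEmail and flags the wildcard Resource, which lets the role send from every SES identity in the account. The scoped ARN uses a placeholder region, account ID and domain, and Condition and NotAction elements are not evaluated.

```python
import json
import re

def as_list(value):
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    # IAM action patterns are case-insensitive; '*' and '?' are wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def check_email_policy(policy_json, action="ses:SendEmail"):
    """Return (grants_action, findings) for one IAM policy document.
    Simplification: Condition and NotAction are not evaluated, and any
    Deny statement that matches the action is treated as blocking it.
    """
    allowed, denied, findings = False, False, []
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        hits = [p for p in as_list(stmt.get("Action", []))
                if action_matches(p, action)]
        if not hits:
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
            findings.append("Deny statement matches " + action)
            continue
        allowed = True
        if any("*" in p or "?" in p for p in hits):
            findings.append("wildcard Action grants more than " + action)
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append('Resource "*" covers every SES identity')
    if not allowed:
        findings.append("no Allow statement grants " + action)
    return allowed and not denied, findings

def make_policy(action, resource, effect="Allow"):
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": effect, "Action": action, "Resource": resource}]})

# Constructed samples: PAGE_POLICY mirrors step 6; the ARN is a placeholder
# (assumed region, account ID and domain), not a value from the guide.
PAGE_POLICY = make_policy("ses:SendEmail", "*")
SCOPED_POLICY = make_policy(
    "ses:SendEmail", "arn:aws:ses:us-east-1:111122223333:identity/example.com")
WRONG_POLICY = make_policy("sns:Publish", "*")

if __name__ == "__main__":
    for name in ("PAGE_POLICY", "SCOPED_POLICY", "WRONG_POLICY"):
        print(name, check_email_policy(globals()[name]))
```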

Conclusion

By updating the IAM role policy with the correct permissions, you can resolve the InvalidEmailRoleAccessPolicyException and ensure that your Amazon Cognito user pool can send email messages as expected. For more detailed information, refer to the Amazon Cognito Documentation.
