AWS SDK for PHP
Developer Guide

Authorizing Senders Using the Amazon SES API and the AWS SDK for PHP Version 3

To enable another AWS account, AWS Identity and Access Management user, or AWS service to send email through Amazon Simple Email Service (Amazon SES) on your behalf, you create a sending authorization policy. This is a JSON document that you attach to an identity that you own.

The policy expressly lists who you are allowing to send for that identity, and under which conditions. All senders, other than you and the entities you explicitly grant permissions to in the policy, are not allowed to send emails. An identity can have no policy, one policy, or multiple policies attached to it. You can also have one policy with multiple statements to achieve the effect of multiple policies.

For more information, see Using Sending Authorization with Amazon SES.

The following examples show how to:

All the example code for the AWS SDK for PHP Version 3 is available here on GitHub.

Credentials

Before running the example code, configure your AWS credentials, as described in Credentials for the AWS SDK for PHP Version 3. Then import the AWS SDK for PHP, as described in Basic Usage Patterns of the AWS SDK for PHP Version 3.

For more information about using Amazon SES, see the Amazon SES Developer Guide.

Create an Authorized Sender

To authorize another AWS account to send emails on your behalf, use an identity policy to add or update authorization to send emails from your verified email addresses or domains. To create an identity policy, use the PutIdentityPolicy operation.

Imports

require 'vendor/autoload.php'; use Aws\SES\SESClient; use Aws\Exception\AwsException;

Sample Code

$SesClient = new SesClient([ 'profile' => 'default', 'version' => '2010-12-01', 'region' => 'us-east-1' ]); $identity = "arn:aws:ses:us-east-1:123456789012:identity/example.com"; $other_aws_account = "0123456789"; $policy = <<<EOT { "Id":"ExampleAuthorizationPolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeAccount", "Effect":"Allow", "Resource":"$identity", "Principal":{ "AWS":[ "$other_aws_account" ] }, "Action":[ "SES:SendEmail", "SES:SendRawEmail" ] } ] } EOT; $name = "policyName"; try { $result = $SesClient->putIdentityPolicy([ 'Identity' => $identity, 'Policy' => $policy, 'PolicyName' => $name, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }

Retrieve Polices for an Authorized Sender

Return the sending authorization policies that are associated with a specific email identity or domain identity. To get the sending authorization for a given email address or domain, use the GetIdentityPolicy operation.

Imports

require 'vendor/autoload.php'; use Aws\SES\SESClient; use Aws\Exception\AwsException;

Sample Code

$SesClient = new SesClient([ 'profile' => 'default', 'version' => '2010-12-01', 'region' => 'us-east-1' ]); $identity = "arn:aws:ses:us-east-1:123456789012:identity/example.com"; $policies = ["policyName"]; try { $result = $SesClient->getIdentityPolicies([ 'Identity' => $identity, 'PolicyNames' => $policies, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }

List Authorized Senders

To list the sending authorization policies that are associated with a specific email identity or domain identity in the current AWS Region, use the ListIdentityPolicies operation.

Imports

require 'vendor/autoload.php'; use Aws\SES\SESClient; use Aws\Exception\AwsException;

Sample Code

$SesClient = new SesClient([ 'profile' => 'default', 'version' => '2010-12-01', 'region' => 'us-east-1' ]); $identity = "arn:aws:ses:us-east-1:123456789012:identity/example.com"; try { $result = $SesClient->listIdentityPolicies([ 'Identity' => $identity, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }

Revoke Permission for an Authorized Sender

Remove sending authorization for another AWS account to send emails with an email identity or domain identity by deleting the associated identity policy with the DeleteIdentityPolicy operation.

Imports

require 'vendor/autoload.php'; use Aws\SES\SESClient; use Aws\Exception\AwsException;

Sample Code

$SesClient = new SesClient([ 'profile' => 'default', 'version' => '2010-12-01', 'region' => 'us-east-1' ]); $identity = "arn:aws:ses:us-east-1:123456789012:identity/example.com"; $name = "policyName"; try { $result = $SesClient->deleteIdentityPolicy([ 'Identity' => $identity, 'PolicyName' => $name, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }