14

I have a domain registered with AWS Route 53 and I am using AWS Cognito for handling user registration.

I am trying to configure my User Pool to use SES to send verification emails instead of Cognito. I have verified my domain in Route 53 and added a MAIL FROM Domain which is in 'verified' status.

In Cognito, when I select 'Message customizations' in the left panel of the User Pool configuration and select the 'FROM email address ARN' dropdown, it only shows 'Default'. I have selected the SES Region where my domain is registered.

What else do I need to do to populate this so I can set my 'FROM email address'?

Thanks

sam
  • 3
    Have you checked the answer in https://stackoverflow.com/questions/60645748/can-a-cognito-user-pool-use-ses-with-a-verified-domain-and-not-a-verified-email? You did not mention verifying an individual email address, just a domain. The AWS Console for Cognito expects only verified email addresses as ARN, not domain identities. – Dan C. Jun 02 '21 at 15:42
  • Thanks for linking that answer, I hadn't seen it before. I created the JSON config and ran the command through CLI and it worked! Not sure why I couldn't do this through the AWS website but at least it's sorted. Thanks! – sam Jun 02 '21 at 20:28
  • Note that this is supported through CloudFormation as well (I checked), you need to set SourceArn and From parameters on the UserPool config. The AWS Console will display the verified email domain, but not let you change it. – Dan C. Jun 03 '21 at 11:42

7 Answers

11

I solved it for the new AWS Console UI, which was updated a couple of days ago I believe.

Here's what I did.

STEP 1

In SES, I went back to the old UI. When you go to your verified domain settings, you should see a TXT-type DNS record which according to the new docs you don't need. However, I added it by clicking on the Use Route 53 button. It's very handy. If you don't see the button then you should already have that TXT record in your Route 53 already. Go there and make sure that's the case. If not, just add it manually.

Finally, I went to Cognito again but switched to the old UI. There, in the Message customizations menu I can see a SES ARN value in the FROM email address ARN *.

STEP 2

Initially, under the Messaging tab in the Email section in the new UI, I have set only the FROM email address field, which is a selectable option from the dropdown menu.

In my case, I have a verified whole domain, not a single email address.

In order to solve it, I went to the Messaging tab in the Email section in the new UI and also set values for both FROM sender name - optional and REPLY-TO email address - optional. I was not having those two initially. Of course, the emails you set there have to be valid under the domain you have verified.

Here's how it should look, given your verified domain is example.com: enter image description here

(spent 3 days reading Cognito and SES documentation trying to figure out what to do and where, also some experimenting and reading AWS forums helped by giving me some clues along the way)

tonkatata
  • 1
    Thanks so much @tonkatat, worked like magic. In my case I just used the new UI of Cognito, selected the verified domain, specified the verified email in the FROM sender name and in REPLY-TO. But then I got the "Cognito received the following error from Amazon SES when attempting to send email: Email address is not verified. The following identities failed the check in region US-EAST-1: the email address" I guess because mine is still in the sandbox environment. – Edgar Manukyan Feb 23 '22 at 04:00
  • 1
    Thank you SO much, I literally almost paid 30 bucks for professional support to get an answer because it made no sense. I wanna buy you a coffee :) What I've learnt - if the new console doesn't make sense, look at the old console. – Tobias Feil Jun 14 '22 at 13:13
  • 1
    @TobiasFeil haha super glad, man! cheers! – tonkatata Jun 17 '22 at 16:08
  • 1
    Thanks! Tldr; from and reply-to are not really optional – JackDev May 31 '23 at 13:39
2

Was solved by switching to the new interface from the old one. You could add a verified domain and then MAIL FROM.

0

I was having a similar issue. Have you checked that your SES setup and Cognito setup are in the same region?

For example: Make sure that your SES account is set up in "us-east-1". Then create AWS Cognito User Pool or Identity Pool in "us-east-1" as well.

Make sure to refresh the Cognito page once you know that all the artifacts are in the same region.

Harsh Brew
  • 1
    Hi. I have double checked this and my Cognito user pool and SES are both in eu-west-1 region. Not sure what else I may have missed – sam May 31 '21 at 17:40
0

You need to use the boto3 Python library to set up the "from ARN" for the Cognito pool. Nowhere do the docs say you have to do it like that, but I found this tip in a forum some time ago while looking for the same answer.

Cognito only allows three regions for Cognito to use SES. If your pool is not in one of those you cannot match them, and you shouldn't need to relocate the pool just for that. Regardless of region matching, it seems to be impossible to select from the drop-down.

Here is the script I used, sanitized:

```python
from pprint import pprint

import boto3

# The pool ID prefix names the pool's region; pass it explicitly so the call
# does not depend on the default region of the local AWS profile.
client = boto3.client("cognito-idp", region_name="ap-southeast-2")

pool_id = 'ap-southeast-2_dsfvbGuHU'

# Settings left out of update_user_pool() are reset to their defaults,
# so list everything you want to keep.
pool_config = dict(
    UserPoolId=pool_id,
    EmailConfiguration={
        "SourceArn": "arn:aws:ses:us-west-2:421412422035:identity/example.com",
        "ReplyToEmailAddress": "no-reply@example.com",
        "EmailSendingAccount": "DEVELOPER",
        "From": "no-reply@example.com",
    },
    AutoVerifiedAttributes=["email"],
    VerificationMessageTemplate={
        "SmsMessage": "Your verification code is {####}. ",
        "EmailMessage": "Your verification code is {####}. ",
        "EmailSubject": "Your verification code",
        "EmailMessageByLink": "Please click the link below to verify your email address. {##Verify Email##} ",
        "EmailSubjectByLink": "Your verification link",
        "DefaultEmailOption": "CONFIRM_WITH_CODE",
    },
    LambdaConfig={
        "CustomMessage": "arn:aws:lambda:ap-southeast-2:421084812035:function:sls-repo-dev-cognito-message-service",
        "PostAuthentication": "arn:aws:lambda:ap-southeast-2:421084812035:function:sls-repo-dev-cognito-post-auth-service",
        "PostConfirmation": "arn:aws:lambda:ap-southeast-2:421084812035:function:sls-repo-dev-cognito-post-confirmation-service",
        "PreTokenGeneration": "arn:aws:lambda:ap-southeast-2:421084812035:function:sls-repo-dev-cognito-pretoken-gen-service",
    },
)

res = client.update_user_pool(**pool_config)

# Read the pool back to confirm the new EmailConfiguration.
response = client.describe_user_pool(UserPoolId=pool_id)

pprint(response)
```

Be careful with the script because it might override some of your settings. You can comment and print your existing configuration so you can replicate the settings. Don't forget you need AWS CLI credentials to run this.
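
An added example, not part of the answer above: `update_user_pool` resets every setting left out of the call to its default, which can silently drop the pool's MFA mode, password policy or Lambda triggers, so this version reads the pool with `describe_user_pool`, sends the updatable settings back unchanged and replaces only `EmailConfiguration`. The helper names, `SAMPLE_POOL`, the account ID `111122223333` and the addresses are constructed for illustration.

```python
import copy

# Top-level keys of describe_user_pool()["UserPool"] that update_user_pool() also accepts.
UPDATABLE_KEYS = (
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage", "EmailVerificationSubject",
    "VerificationMessageTemplate", "SmsAuthenticationMessage",
    "UserAttributeUpdateSettings", "MfaConfiguration", "DeviceConfiguration",
    "SmsConfiguration", "UserPoolTags", "AdminCreateUserConfig", "UserPoolAddOns",
    "AccountRecoverySetting",
)

# Constructed, trimmed stand-in for describe_user_pool()["UserPool"].
SAMPLE_POOL = {
    "Id": "eu-west-1_EXAMPLE", "Name": "demo", "Status": "Enabled",
    "MfaConfiguration": "OPTIONAL",
    "Policies": {"PasswordPolicy": {"MinimumLength": 12, "TemporaryPasswordValidityDays": 7}},
    "AutoVerifiedAttributes": ["email"],
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True, "UnusedAccountValidityDays": 7},
    "EmailConfiguration": {"EmailSendingAccount": "COGNITO_DEFAULT"},
}


def build_update_args(user_pool, source_arn, from_address, reply_to=None):
    """Return update_user_pool kwargs that keep current settings and switch email to SES."""
    args = {k: copy.deepcopy(user_pool[k]) for k in UPDATABLE_KEYS if k in user_pool}
    args["UserPoolId"] = user_pool["Id"]
    # describe_user_pool still returns this deprecated field; sending it back
    # alongside PasswordPolicy.TemporaryPasswordValidityDays is rejected.
    args.get("AdminCreateUserConfig", {}).pop("UnusedAccountValidityDays", None)
    email = {"EmailSendingAccount": "DEVELOPER", "SourceArn": source_arn, "From": from_address}
    if reply_to:
        email["ReplyToEmailAddress"] = reply_to
    config_set = user_pool.get("EmailConfiguration", {}).get("ConfigurationSet")
    if config_set:  # keep an SES configuration set that was already attached
        email["ConfigurationSet"] = config_set
    args["EmailConfiguration"] = email
    return args


def apply_ses_sender(pool_id, region, source_arn, from_address, reply_to=None):
    """Read-modify-write against AWS; needs boto3 and credentials."""
    import boto3  # imported here so build_update_args() runs without AWS access
    client = boto3.client("cognito-idp", region_name=region)
    pool = client.describe_user_pool(UserPoolId=pool_id)["UserPool"]
    client.update_user_pool(**build_update_args(pool, source_arn, from_address, reply_to))
    return client.describe_user_pool(UserPoolId=pool_id)["UserPool"]["EmailConfiguration"]
```

Inspect the dictionary returned by `build_update_args` before calling `apply_ses_sender`, and compare the pool's settings before and after the update.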

0

I was able to achieve this by switching to the new console. The old one does not work in such a case.

0
  1. Make sure you are using the new console.
  2. Make sure your <your-domain>.com is in the verified domains list and is verified too.
  3. Make sure your email@<your-domain>.com is in the verified domains list and is verified too.
  4. User Pools > Messaging > Edit email configs > Send emails with SES
  5. Make sure you select the valid SES region in which you have verified your entities.
  6. Select the domain name <your-domain>.com in FROM email address.
  7. Add your verified email email@<your-domain>.com in FROM sender name and REPLY TO email address.
  8. Save
Gaurav Sharma
0

Your free quota is over; it's 50 emails. You can edit the Cognito pool messaging, update Cognito to SES, and update the IAM role so Cognito can access SES.


vaquar khan