Skip to main content

Documentation Index

Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt

Use this file to discover all available pages before exploring further.

Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the C1 Support team if you’d like to try it out or share feedback.
By default, C1 sends notifications from no-reply@conductorone.com. You can instead send through your own AWS Simple Email Service (SES) account so recipients see your company’s domain as the sender. This task requires the Super Admin role in C1 and permission to create IAM roles and verify identities in your AWS account. C1 authenticates to your AWS account via IAM role assumption with an External ID — no access keys or secrets are shared with C1. You keep full control of the role and can revoke access at any time by deleting it.

Before you begin

Configure SPF, DKIM, and DMARC for your sending domain by following AWS SES’s recommended email authentication settings before proceeding.
You’ll need:
  • An AWS account with SES available in your target region.
  • The ability to create IAM roles and policies in that account.
  • A sending identity (email address or domain) you own and can verify.

Step 1: Verify a sending identity in SES

Before SES will send mail on your behalf, the sender address (or its domain) must be verified.
1
Sign in to the AWS console and navigate to SES > Identities > Create identity.
2
Choose one:
  • Domain (recommended): Enter your domain (for example, yourcompany.com). SES displays three DKIM CNAME records. Publish all three at your DNS provider.
  • Email address: Enter the specific sender address. SES sends a verification link to that address — click it to verify.
3
Wait for the Identity status to become Verified. Domain verification can take up to 72 hours, though it’s usually much faster.
4
If your account is still in the SES sandbox (the default for new accounts), you can only send to verified recipient addresses. To send to any recipient, request production access: SES > Account dashboard > Request production access. Approval typically takes 24 hours.

Step 2: Open C1 and copy your tenant’s External ID

C1 generates a unique External ID per tenant. This value is used in your IAM role’s trust policy so that only your C1 tenant can assume the role.
1
In C1, navigate to Settings > Email provider.
2
Click Edit.
3
Select Customer provided.
4
In Email service, select AWS SES.
5
In the AWS SES configuration section, click the copy icon next to the External ID field and save the value — you’ll paste it into the IAM trust policy in Step 3.
The External ID is tenant-specific. Do not reuse External IDs across tenants. If you manage multiple C1 tenants, each needs its own IAM role with its own External ID.
Leave the C1 edit form open — you’ll return to it in Step 4 to finish configuration.

Step 3: Create the IAM role

Create a role in your AWS account that C1 can assume to send mail.
C1 uses a dedicated, isolated AWS account for customer integrations. The only principal that can assume your role is arn:aws:iam::765656841499:role/ConductorOneService. The External ID condition ensures only your tenant’s assume-role calls succeed.
1
In the AWS console, navigate to IAM > Roles > Create role.
2
For Trusted entity type, select Custom trust policy and paste the following, replacing YOUR_C1_EXTERNAL_ID with the value you copied in Step 2:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::765656841499:role/ConductorOneService"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_C1_EXTERNAL_ID"
        }
      }
    }
  ]
}
3
Click Next. Skip the managed-policy selection and click Next again.
4
Name the role (for example, c1-ses-sender) and click Create role.
5
On the role’s detail page, open the Permissions tab and click Add permissions > Create inline policy. Paste the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "*"
    }
  ]
}
6
Name the policy (for example, c1-ses-send) and save.
7
Copy the role’s ARN (for example, arn:aws:iam::123456789012:role/c1-ses-sender). You’ll paste this into C1 in the next step.

Step 4: Finish configuring the email provider in C1

Return to the Settings > Email provider edit form you left open in Step 2.
1
Fill in the remaining fields:
  • Sender name: The display name recipients see (for example, Governance Team).
  • Sender email address: A verified SES identity, or an address on a verified domain from Step 1.
  • Reply-to address: Usually the same as the sender address.
  • IAM role ARN: The role ARN from Step 3.
  • AWS region: The AWS region where your SES identity is verified (for example, us-east-1).
  • Configuration set name (optional): An SES configuration set for tracking and metrics. Leave blank if you don’t use configuration sets.
2
Click Save.
When you save, C1 validates the full assume-role chain by calling sts:GetCallerIdentity against your role. If the role ARN, trust policy, or External ID is wrong, save fails with a clear error and your previous configuration is preserved.
Sender must be a verified SES identityThe address in Sender email address must be verified in SES — either directly, or as an address on a verified domain. SES rejects sends from unverified identities. If your account is still in the SES sandbox, the recipient must also be verified.

Step 5: Verify

Send a test message to confirm C1 can send through SES and that your email authentication records are passing.
1
On the Email provider page, click Send test.
2
Enter your own email address and click Send test.
3
Check your inbox. View the raw headers (in Gmail: ⋮ → Show original) and confirm SPF: PASS, DKIM: PASS with your domain as signer, DMARC: PASS.
4
If the message does not arrive, check the spam folder and your SES sending activity (SES > Monitoring > Sending statistics).