How do I use Amazon SES as the SMTP host to send emails from Amazon MWAA DAG tasks?


I want to use Amazon Simple Email Service (Amazon SES) as the Simple Mail Transfer Protocol (SMTP) host to send emails from a Directed Acyclic Graph (DAG) task on Amazon Managed Workflows for Apache Airflow (Amazon MWAA).

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

To use Amazon SES as the SMTP host to send emails from a DAG task on Amazon MWAA, complete the following steps:

  1. Set up email sending with Amazon SES.
  2. Create Amazon SES SMTP credentials to send emails in Amazon MWAA.
    Note: The SMTP interface credentials are different from the access keys that you create with AWS Identity and Access Management (IAM) for an SMTP user.
  3. Attach your Apache Airflow configuration options to your Amazon MWAA environment.
  4. Set the following values for the configuration options:
    Set email.email_backend to airflow.utils.email.send_email_smtp.
    Set smtp.smtp_host to email-smtp.region.amazonaws.com.
    Note: Replace region with your AWS Region.
    Set smtp.smtp_starttls to False.
    Set smtp.smtp_ssl to True.
    Set smtp.smtp_port to 587.
    Note: Use port 587 for SMTP traffic. By default, AWS blocks outbound SMTP traffic on port 25 from all Amazon Elastic Compute Cloud (Amazon EC2) instances. To send outbound traffic on port 25, submit a request to remove the restriction.
    Set smtp.smtp_mail_from to your email address.
    Note: For more information about the preceding configuration options, see [email] and [smtp] on the Apache Airflow website.
  5. Create an AWS Secrets Manager secret for the SMTP user and one for the password. Use the Amazon SES SMTP credentials from step 2. Then, configure a startup script to set the environment variables.
    Note: It's a best practice to store your SMTP credentials in Secrets Manager.
  6. Add the following startup.sh script to your Amazon Simple Storage Service (Amazon S3) bucket:
    #!/bin/sh
    # Get the SMTP username and password from Secrets Manager
    username=$(aws secretsmanager get-secret-value --secret-id airflow/variables/smtp.smtp_user --query SecretString --output text)
    password=$(aws secretsmanager get-secret-value --secret-id airflow/variables/smtp.smtp_password --query SecretString --output text)
    
    # Set the SMTP environment variables with the username and password retrieved from Secrets Manager
    # (quoted so that special characters in the values are not word-split or expanded by the shell)
    export AIRFLOW__SMTP__SMTP_USER="$username"
    export AIRFLOW__SMTP__SMTP_PASSWORD="$password"
    
    # Print the SMTP user
    echo "SMTP user is $AIRFLOW__SMTP__SMTP_USER"
    
    Note: Your Amazon MWAA execution role must have permission to retrieve individual secret values.
  7. Run the update-environment command to update the Amazon MWAA environment with the email configuration options and the Amazon S3 path for the startup script.

Note: When you create or update the environment, the Apache Airflow callbacks for success, failure, and retry use the preceding configuration. You can also use tasks with EmailOperator to send emails. For more information, see airflow.operators.email on the Apache Airflow website.
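
A pre-deployment check for the TLS-related options from step 4, as an added example that is not AWS or Apache Airflow code: it flags combinations where smtp.smtp_ssl, smtp.smtp_starttls and smtp.smtp_port disagree about how TLS is started, or where the SMTP credentials would travel without encryption. The function name, problem codes and sample option sets are assumptions made for this example; port 2587 comes from the Amazon SES documentation rather than from this page.

```python
# Added example: constructed checker, not AWS or Apache Airflow code.
# Amazon SES SMTP endpoint ports, grouped by how TLS is negotiated.
STARTTLS_PORTS = {25, 587, 2587}   # plaintext greeting, then STARTTLS upgrade
TLS_WRAPPER_PORTS = {465, 2465}    # TLS handshake before any SMTP traffic


def _as_bool(value):
    """Simplified version of Airflow's boolean option parsing."""
    return str(value).strip().lower() in {"true", "t", "1"}


def check_smtp_options(options):
    """Return problem codes for a dict of MWAA Airflow configuration options."""
    # Fallback values are Airflow's [smtp] defaults.
    port = int(options.get("smtp.smtp_port", 25))
    use_ssl = _as_bool(options.get("smtp.smtp_ssl", "False"))
    use_starttls = _as_bool(options.get("smtp.smtp_starttls", "True"))

    problems = []
    if use_ssl and port in STARTTLS_PORTS:
        # Client sends a TLS ClientHello, server answers with a plaintext banner.
        problems.append("implicit_tls_on_starttls_port")
    if not use_ssl and port in TLS_WRAPPER_PORTS:
        # Client waits for a plaintext banner, server waits for a TLS handshake.
        problems.append("plaintext_on_tls_wrapper_port")
    if use_ssl and use_starttls:
        # STARTTLS would be requested on a session that is already encrypted.
        problems.append("ssl_and_starttls_both_enabled")
    if not use_ssl and not use_starttls:
        # Nothing encrypts the session that carries the SMTP credentials.
        problems.append("no_transport_encryption")
    if port not in STARTTLS_PORTS | TLS_WRAPPER_PORTS:
        problems.append("port_not_offered_by_ses")
    return problems


def _opts(ssl, starttls, port):
    return {"smtp.smtp_ssl": ssl, "smtp.smtp_starttls": starttls, "smtp.smtp_port": port}


# Constructed sample option sets.
SAMPLES = {
    "ssl_true_port_587": _opts("True", "False", "587"),
    "ssl_true_port_465": _opts("True", "False", "465"),
    "starttls_port_587": _opts("False", "True", "587"),
}

if __name__ == "__main__":
    for name, opts in SAMPLES.items():
        print(name, check_smtp_options(opts) or "ok")
```
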

4 Comments

Following this SES documentation, to set up a TLS Wrapper connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465. If you set the MWAA configuration as above: smtp.smtp_ssl = True & smtp.smtp_port = 587, the connection will fail with ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number.

To use port 587, the value of smtp.smtp_ssl should be set to FALSE. Otherwise, the value of smtp.smtp_port should be set to 465.

replied a year ago

I agree with the above comment. smtp.smtp_starttls = False & smtp.smtp_ssl = True & smtp.smtp_port = 465 are correct.

replied a year ago

This does not work for me. The variables for AIRFLOW__SMTP__SMTP_USER and AIRFLOW__SMTP__SMTP_PASSWORD simply are not available on MWAA worker during a DAG execution:

[2024-10-09, 14:42:35 UTC] {{email.py:265}} DEBUG - No user/password found for SMTP, so logging in with no authentication.

If I run a DAG that executes an "env" command to check if the OS has the environment variable, I can see email_backend, smtp port, etc., but not these two added in the startup.sh. Am I the only one with this issue or is it a global one?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago