How do I use Amazon SES as the SMTP host to send emails from Amazon MWAA DAG tasks?


I want to use Amazon Simple Email Service (Amazon SES) as the SMTP host to send emails from Amazon Managed Workflows for Apache Airflow (Amazon MWAA) DAG tasks.

Resolution

To use Amazon SES as the SMTP host to send emails from Amazon MWAA DAG tasks, complete the following steps:

  1. Set up email sending with Amazon SES.

  2. Create Amazon SES SMTP credentials to send emails in Amazon MWAA.
    Note: The SMTP interface credentials are different from the access keys that you create with AWS Identity and Access Management (IAM) for an SMTP user.

  3. Attach your Apache Airflow configuration options to your environment.

  4. Set the following values for the configuration options:
    email.email_backend to airflow.utils.email.send_email_smtp. See email_backend on the Apache Airflow website.
    smtp.smtp_host to email-smtp.region.amazonaws.com. Replace region with your AWS Region. See smtp_host on the Apache Airflow website.
    smtp.smtp_starttls to False. See smtp_starttls on the Apache Airflow website.
    smtp.smtp_ssl to True. See smtp_ssl on the Apache Airflow website.
    smtp.smtp_port to 587. See smtp_port on the Apache Airflow website.
    Note: Use port 587 for SMTP traffic. By default, AWS blocks outbound SMTP traffic on port 25 from all Amazon Elastic Compute Cloud (Amazon EC2) instances. To send outbound traffic on port 25, request to remove the restriction.
    smtp.smtp_mail_from to your email address. See smtp_mail_from on the Apache Airflow website.

  5. Use your Amazon SES SMTP credentials to add the configuration options smtp.smtp_user and smtp.smtp_password as plain text.
    Note: It's a best practice to store your SMTP credentials in AWS Secrets Manager.

  6. Create a Secrets Manager secret for the SMTP user and password. Use a startup script to set the environment variables.

  7. Add the following startup.sh script to the Apache Airflow Amazon Simple Storage Service (Amazon S3) bucket:
    Note: Your Amazon MWAA execution role must have permission to retrieve individual secret values.

    #!/bin/sh

    # Get the SMTP username and password from Secrets Manager
    username=$(aws secretsmanager get-secret-value --secret-id airflow/variables/smtp.smtp_user --query SecretString --output text)
    password=$(aws secretsmanager get-secret-value --secret-id airflow/variables/smtp.smtp_password --query SecretString --output text)

    # Set the SMTP environment variables with the username and password retrieved from Secrets Manager
    export AIRFLOW__SMTP__SMTP_USER="$username"
    export AIRFLOW__SMTP__SMTP_PASSWORD="$password"

    # Print the SMTP user
    echo "SMTP user is $AIRFLOW__SMTP__SMTP_USER"

  8. Update the Amazon MWAA environment with the preceding email configuration options and the Amazon S3 path for the startup script.

Note: When you create or update the environment, the Apache Airflow callbacks for success, failure, and retry use the preceding configuration. You can also use tasks with EmailOperator to send emails. For more information, see airflow.operators.email on the Apache Airflow website.
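
A pre-deployment check for the options in steps 4 and 5, as an added example that is not part of the original article or any AWS code. It compares smtp_ssl, smtp_starttls and smtp_port against the Amazon SES endpoint modes (TLS Wrapper on ports 465 and 2465, STARTTLS on ports 25, 587 and 2587) and flags SMTP credentials left in plain-text configuration options. The function name, finding strings and sample Region are assumptions.

```python
# Added example: validate Airflow SMTP options against Amazon SES endpoint modes.
# check_ses_smtp_options and the finding strings are hypothetical names.

SES_TLS_WRAPPER_PORTS = {465, 2465}    # TLS from the first byte (smtp_ssl)
SES_STARTTLS_PORTS = {25, 587, 2587}   # plain greeting, then upgrade (smtp_starttls)


def _as_bool(value):
    """Airflow configuration options arrive as strings such as 'True'."""
    return str(value).strip().lower() in {"true", "1", "yes"}


def check_ses_smtp_options(options):
    """Return a list of findings for a dict of MWAA configuration options."""
    findings = []
    # Fallbacks mirror Airflow's defaults: STARTTLS on, SSL off, port 25.
    ssl_on = _as_bool(options.get("smtp.smtp_ssl", "False"))
    starttls_on = _as_bool(options.get("smtp.smtp_starttls", "True"))
    port = int(options.get("smtp.smtp_port", 25))

    if ssl_on and starttls_on:
        findings.append("smtp_ssl and smtp_starttls are both enabled; pick one mode")
    elif not ssl_on and not starttls_on:
        findings.append("no TLS mode enabled; SMTP login would not be encrypted")
    if ssl_on and port not in SES_TLS_WRAPPER_PORTS:
        findings.append(f"smtp_ssl=True needs a TLS Wrapper port (465 or 2465), not {port}")
    if starttls_on and not ssl_on and port not in SES_STARTTLS_PORTS:
        findings.append(f"smtp_starttls=True needs a STARTTLS port (25, 587 or 2587), not {port}")
    if ".region." in options.get("smtp.smtp_host", ""):
        findings.append("smtp_host still contains the 'region' placeholder")
    for key in ("smtp.smtp_user", "smtp.smtp_password"):
        if options.get(key):
            findings.append(f"{key} is a plain-text option; load it from Secrets Manager")
    return findings


# Constructed sample inputs; us-east-1 is an example Region.
HOST = {"smtp.smtp_host": "email-smtp.us-east-1.amazonaws.com"}
STEP_4_VALUES = {**HOST, "smtp.smtp_starttls": "False",
                 "smtp.smtp_ssl": "True", "smtp.smtp_port": "587"}
TLS_WRAPPER = {**STEP_4_VALUES, "smtp.smtp_port": "465"}
STARTTLS = {**HOST, "smtp.smtp_starttls": "True",
            "smtp.smtp_ssl": "False", "smtp.smtp_port": "587"}

if __name__ == "__main__":
    for name, opts in [("step 4", STEP_4_VALUES), ("TLS Wrapper", TLS_WRAPPER),
                       ("STARTTLS", STARTTLS)]:
        print(name, check_ses_smtp_options(opts) or "ok")
```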

4 Comments

Following this SES documentation, to set up a TLS Wrapper connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465. If you set the MWAA configuration as above: smtp.smtp_ssl = True & smtp.smtp_port = 587, the connection will fail with ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number.

To use port 587, the value of smtp.smtp_ssl should be set to FALSE. Otherwise, the value of smtp.smtp_port should be set to 465.

hyunie
replied 20 days ago

I agree with the above comment. smtp.smtp_starttls = False & smtp.smtp_ssl = True & smtp.smtp_port = 465 are correct.

bs
replied 20 days ago

This does not work for me. The variables for AIRFLOW__SMTP__SMTP_USER and AIRFLOW__SMTP__SMTP_PASSWORD simply are not available on the MWAA worker during a DAG execution:

[2024-10-09, 14:42:35 UTC] {{email.py:265}} DEBUG - No user/password found for SMTP, so logging in with no authentication.

If I run a DAG that executes an "env" command to check if the OS has the environment variable, I can see email_backend, smtp port, etc., but not these two added in the startup.sh. Am I the only one with this issue or is it a global one?

replied 6 days ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 6 days ago