How can I rotate my access keys for an existing Amazon SES SMTP IAM user?

3 minute read

I want to rotate my Amazon Simple Email Service (Amazon SES) Simple Mail Transfer Protocol (SMTP) credentials in AWS Identity and Access Management (IAM). How can I create a user name and password that's compatible with Amazon SES?


Access keys that you create in the IAM console for an SMTP user work when customer is connecting to the SES API endpoint, but don't work with the Amazon SES SMTP interface. The keys generated in the IAM console are in a different format than the format required for the credentials required for Amazon SES SMTP servers.

It's a best practice to create new Amazon SES SMTP credentials instead of converting an existing secret access key. 

To set up credentials for the Amazon SES SMTP interface, do one of the following:

Create new Amazon SES SMTP credentials (recommended)

1.    Use the Amazon SES console to create new Amazon SES SMTP credentials.

2.    After you get the new credentials, you can delete the existing Amazon SES credentials in IAM if you don't need them.

Convert your existing secret access key into the Amazon SES SMTP format

Note: You must use Python 3 or later versions with the following steps.

1.    Update the existing IAM user's policy to grant permission for ses:SendRawEmail at minimum.

2.    Paste the following Python code into a text editor, and then save the file as

#!/usr/bin/env python3

import hmac
import hashlib
import base64
import argparse

    'us-east-2',       # US East (Ohio)
    'us-east-1',       # US East (N. Virginia)
    'us-west-2',       # US West (Oregon)
    'ap-south-1',      # Asia Pacific (Mumbai)
    'ap-northeast-2',  # Asia Pacific (Seoul)
    'ap-southeast-1',  # Asia Pacific (Singapore)
    'ap-southeast-2',  # Asia Pacific (Sydney)
    'ap-northeast-1',  # Asia Pacific (Tokyo)
    'ca-central-1',    # Canada (Central)
    'eu-central-1',    # Europe (Frankfurt)
    'eu-west-1',       # Europe (Ireland)
    'eu-west-2',       # Europe (London)
    'sa-east-1',       # South America (Sao Paulo)
    'us-gov-west-1',   # AWS GovCloud (US)

# These values are required to calculate the signature. Do not change them.
DATE = "11111111"
SERVICE = "ses"
MESSAGE = "SendRawEmail"
TERMINAL = "aws4_request"
VERSION = 0x04

def sign(key, msg):
    return, msg.encode('utf-8'), hashlib.sha256).digest()

def calculate_key(secret_access_key, region):
    if region not in SMTP_REGIONS:
        raise ValueError(f"The {region} Region doesn't have an SMTP endpoint.")

    signature = sign(("AWS4" + secret_access_key).encode('utf-8'), DATE)
    signature = sign(signature, region)
    signature = sign(signature, SERVICE)
    signature = sign(signature, TERMINAL)
    signature = sign(signature, MESSAGE)
    signature_and_version = bytes([VERSION]) + signature
    smtp_password = base64.b64encode(signature_and_version)
    return smtp_password.decode('utf-8')

def main():
    parser = argparse.ArgumentParser(
        description='Convert a Secret Access Key for an IAM user to an SMTP password.')
        'secret', help='The Secret Access Key to convert.')
        help='The AWS Region where the SMTP password will be used.',
    args = parser.parse_args()
    print(calculate_key(args.secret, args.region))

if __name__ == '__main__':

3.    To run the Python script, enter your existing secret access key. Then, enter a space and the AWS Region where you're using the SMTP password. Use the following command:

python3 YOURKEYrrpg/JHpyvtStUVcAV9177EAKKmDP37P us-east-1

Important: Be sure to enter your credentials and run this script on a machine that's secure and trusted.

4.    The script outputs a new secret access key that you can use with Amazon SES. Store the generated SMTP credentials in your application, and then use the credentials to connect to SES SMTP endpoints.

AWS OFFICIALUpdated 2 years ago