How do I rotate my access keys for an existing SES SMTP IAM user?

I want to rotate my Amazon Simple Email Service (Amazon SES) Simple Mail Transfer Protocol (SMTP) credentials in AWS Identity and Access Management (IAM).

Resolution

The access keys that you create in the IAM console work when you connect to the Amazon SES API endpoint (for example, through the AWS CLI or an SDK). However, the same keys don't work as-is with the SES SMTP interface. The SMTP password isn't the secret access key itself but a value derived from it, so the raw key has the wrong format for SMTP credentials.

To get credentials that work with the SES SMTP interface, either create new SES SMTP credentials, or convert the secret access key of an existing IAM user into an SMTP password.

Important: It's a best practice to create new SES SMTP credentials rather than convert an existing secret access key into SMTP credentials. The SES console creates a dedicated IAM user whose policy allows only ses:SendRawEmail, whereas a converted key keeps whatever other permissions its IAM user already has.

Create new SES SMTP credentials (best practice)

Use the Amazon SES console to create new SES SMTP credentials. Copy or download the SMTP user name and password when the console displays them; the password can't be retrieved later.

Note: After your application authenticates with the new SMTP credentials, deactivate or delete the old IAM user's access keys, or the user itself, if nothing else depends on them.

Convert your existing secret access key into SMTP credentials

Note: To complete these steps, you must use Python 3.6 or later (the script uses f-strings).

Complete the following steps:

  1. Update the existing IAM user's policy to grant permission for ses:SendRawEmail.

  2. Paste the following Python code into a text editor, and then save the file as seskey.py.

    #!/usr/bin/env python3
    import hmac
    import hashlib
    import base64
    import argparse
    
    # Regions with an SES SMTP endpoint at the time this article was written.
    # The derivation below doesn't depend on this list; if your Region has an
    # SES SMTP endpoint but isn't listed, add it here.
    SMTP_REGIONS = [
        'us-east-2',       # US East (Ohio)
        'us-east-1',       # US East (N. Virginia)
        'us-west-2',       # US West (Oregon)
        'ap-south-1',      # Asia Pacific (Mumbai)
        'ap-northeast-2',  # Asia Pacific (Seoul)
        'ap-southeast-1',  # Asia Pacific (Singapore)
        'ap-southeast-2',  # Asia Pacific (Sydney)
        'ap-northeast-1',  # Asia Pacific (Tokyo)
        'ca-central-1',    # Canada (Central)
        'eu-central-1',    # Europe (Frankfurt)
        'eu-west-1',       # Europe (Ireland)
        'eu-west-2',       # Europe (London)
        'sa-east-1',       # South America (Sao Paulo)
        'us-gov-west-1',   # AWS GovCloud (US)
    ]
    
    # These values are required to calculate the signature. Do not change them.
    DATE = "11111111"
    SERVICE = "ses"
    MESSAGE = "SendRawEmail"
    TERMINAL = "aws4_request"
    VERSION = 0x04
    
    
    def sign(key, msg):
        return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()
    
    
    def calculate_key(secret_access_key, region):
        if region not in SMTP_REGIONS:
            raise ValueError(f"The {region} Region doesn't have an SMTP endpoint.")
    
        signature = sign(("AWS4" + secret_access_key).encode('utf-8'), DATE)
        signature = sign(signature, region)
        signature = sign(signature, SERVICE)
        signature = sign(signature, TERMINAL)
        signature = sign(signature, MESSAGE)
        signature_and_version = bytes([VERSION]) + signature
        smtp_password = base64.b64encode(signature_and_version)
        return smtp_password.decode('utf-8')
    
    
    def main():
        parser = argparse.ArgumentParser(
            description='Convert a Secret Access Key for an IAM user to an SMTP password.')
        parser.add_argument(
            'secret', help='The Secret Access Key to convert.')
        parser.add_argument(
            'region',
            help='The AWS Region where the SMTP password will be used.',
            choices=SMTP_REGIONS)
        args = parser.parse_args()
        print(calculate_key(args.secret, args.region))
    
    
    if __name__ == '__main__':
        main()

  3. Run the following Python script:

    python3 seskey.py YOURKEYrrpg/JHpyvtStUVcAV9177EAKKmDP37P your-region
    

    Note: Replace the entire placeholder YOURKEYrrpg/JHpyvtStUVcAV9177EAKKmDP37P with your existing secret access key, and your-region with the AWS Region where you use the SMTP password. Because the secret is passed as a command-line argument, it's written to your shell history and is visible to other processes on the host while the script runs; clear that history entry afterwards, and run the script only on a trusted workstation.
    The script's output is the new SMTP password that you can use with the SES SMTP interface.

  4. Store the new SMTP credentials securely in your application, and use them to authenticate to the SES SMTP endpoint: the SMTP user name is the access key ID of the IAM user, and the SMTP password is the script's output. To complete the rotation, deactivate the access key that the previous SMTP credentials were based on after the application sends mail successfully with the new ones, and delete that key once nothing else depends on it.
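The following script is added here as an example; it is not part of the original article and not the AWS seskey.py shown above. It performs the same derivation as steps 2 and 3, but reads the secret from the AWS_SECRET_ACCESS_KEY environment variable or an interactive prompt instead of the command line, sanity-checks the result, and can optionally verify the new credential against the Regional SMTP endpoint (email-smtp.<region>.amazonaws.com, port 587 with STARTTLS) before you retire the old access key. The function names, the environment variable name and the example secret (the placeholder key from the AWS documentation, not a real credential) are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Derive an SES SMTP password from an IAM secret access key without putting
the secret on the command line, then optionally verify it against SES.

Added example; not the script from the original article."""
import base64
import getpass
import hashlib
import hmac
import os
import smtplib
import ssl
import sys

# Fixed inputs of the SigV4-style key derivation that SES SMTP passwords use.
DATE = b"11111111"
SERVICE = b"ses"
MESSAGE = b"SendRawEmail"
TERMINAL = b"aws4_request"
VERSION = 0x04

# Placeholder secret from the AWS documentation, used only for demonstration.
EXAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def derive_smtp_password(secret_access_key: str, region: str) -> str:
    """Return the SES SMTP password for `secret_access_key` in `region`.

    Chain of HMAC-SHA256 operations: AWS4+secret -> date -> region ->
    service -> terminal -> message, then prefix the version byte and base64."""
    key = ("AWS4" + secret_access_key).encode("utf-8")
    for part in (DATE, region.encode("utf-8"), SERVICE, TERMINAL, MESSAGE):
        key = hmac.new(key, part, hashlib.sha256).digest()
    return base64.b64encode(bytes([VERSION]) + key).decode("ascii")


def looks_like_smtp_password(password: str) -> bool:
    """Sanity check: valid base64 of 1 version byte + a 32-byte HMAC-SHA256."""
    try:
        raw = base64.b64decode(password, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 33 and raw[0] == VERSION


def read_secret(env_var: str = "AWS_SECRET_ACCESS_KEY") -> str:
    """Take the secret from the environment or a no-echo prompt, never argv,
    so it doesn't land in shell history or `ps` output."""
    secret = os.environ.get(env_var) or getpass.getpass("IAM secret access key: ")
    return secret.strip()


def verify_smtp_login(region: str, username: str, password: str,
                      timeout: float = 15.0) -> bool:
    """Authenticate to the Regional SES SMTP endpoint over STARTTLS.

    Network call. Returns True when AUTH succeeds and False when SES rejects
    the credentials; connection errors propagate to the caller."""
    host = f"email-smtp.{region}.amazonaws.com"
    context = ssl.create_default_context()
    with smtplib.SMTP(host, 587, timeout=timeout) as smtp:
        smtp.starttls(context=context)
        try:
            smtp.login(username, password)
        except smtplib.SMTPAuthenticationError:
            return False
    return True


def main() -> int:
    if len(sys.argv) not in (2, 3):
        print(f"usage: {sys.argv[0]} <region> [<access-key-id to verify>]",
              file=sys.stderr)
        return 2
    region = sys.argv[1]
    password = derive_smtp_password(read_secret(), region)
    if not looks_like_smtp_password(password):
        print("derived value is not a well-formed SMTP password", file=sys.stderr)
        return 1
    print(password)
    if len(sys.argv) == 3:
        # The SMTP user name is the access key ID that the secret belongs to.
        ok = verify_smtp_login(region, sys.argv[2], password)
        print("SMTP AUTH", "succeeded" if ok else "rejected", file=sys.stderr)
        return 0 if ok else 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `AWS_SECRET_ACCESS_KEY=... python3 ses_smtp_rotate.py us-east-1 AKIA...` to derive the password and confirm that SES accepts it before you deactivate the key it replaces; without the access key ID argument it only prints the derived password. Every SES SMTP password begins with "B", because the leading version byte 0x04 encodes to that base64 character.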