Amazon SES is not working when trying to rotate access key


Hi Team,

We have an Amazon SES setup that works well and sends thousands of emails a day via SMTP. Trying to follow a best practice of "rotating" access keys, we went to and created a new access key for the exact same user which is used to send emails. The new key is supposedly active, but when trying to email with the new access keys, it's not working; email is not sending.

Switching to the old access keys works well and emails are sent. Tried a couple of times to delete the new access keys and create others. Same machine, same software. We have proper copy+paste skills to ensure we're using the same ID/Password provided in the CSV coming from Amazon.

So what's going on? Is there a time limit till the new key becomes active? Is there some other hidden limitation somewhere?

Could you please help me on this?

Thanks, Anuj

1 Answer


Did you try it?

Access keys that you create in the IAM console for an SMTP user work when a customer is connecting to the SES API endpoint, but don't work with the Amazon SES SMTP interface. The keys generated in the IAM console are in a different format than the format required for the credentials required for Amazon SES SMTP servers.

It's a best practice to create new Amazon SES SMTP credentials instead of converting an existing secret access key.

To set up credentials for the Amazon SES SMTP interface, do one of the following:

Create new Amazon SES SMTP credentials (recommended)

  1. Use the Amazon SES console to create new Amazon SES SMTP credentials.

  2. After you get the new credentials, you can delete the existing Amazon SES credentials in IAM if you don't need them.

Convert your existing secret access key into the Amazon SES SMTP format

Note: You must use Python 3 or later versions with the following steps.

  1. Update the existing IAM user's policy to grant permission for ses:SendRawEmail at minimum.

  2. Paste the following Python code into a text editor, and then save the file as

```python
#!/usr/bin/env python3

import hmac
import hashlib
import base64
import argparse

SMTP_REGIONS = [
    'us-east-2',       # US East (Ohio)
    'us-east-1',       # US East (N. Virginia)
    'us-west-2',       # US West (Oregon)
    'ap-south-1',      # Asia Pacific (Mumbai)
    'ap-northeast-2',  # Asia Pacific (Seoul)
    'ap-southeast-1',  # Asia Pacific (Singapore)
    'ap-southeast-2',  # Asia Pacific (Sydney)
    'ap-northeast-1',  # Asia Pacific (Tokyo)
    'ca-central-1',    # Canada (Central)
    'eu-central-1',    # Europe (Frankfurt)
    'eu-west-1',       # Europe (Ireland)
    'eu-west-2',       # Europe (London)
    'sa-east-1',       # South America (Sao Paulo)
    'us-gov-west-1',   # AWS GovCloud (US)
]

# These values are required to calculate the signature. Do not change them.
DATE = "11111111"
SERVICE = "ses"
MESSAGE = "SendRawEmail"
TERMINAL = "aws4_request"
VERSION = 0x04


def sign(key, msg):
    # One HMAC-SHA256 step of the key derivation chain.
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()


def calculate_key(secret_access_key, region):
    if region not in SMTP_REGIONS:
        raise ValueError(f"The {region} Region doesn't have an SMTP endpoint.")

    signature = sign(("AWS4" + secret_access_key).encode('utf-8'), DATE)
    signature = sign(signature, region)
    signature = sign(signature, SERVICE)
    signature = sign(signature, TERMINAL)
    signature = sign(signature, MESSAGE)
    # The SMTP password is base64(version byte + final signature).
    signature_and_version = bytes([VERSION]) + signature
    smtp_password = base64.b64encode(signature_and_version)
    return smtp_password.decode('utf-8')


def main():
    parser = argparse.ArgumentParser(
        description='Convert a Secret Access Key for an IAM user to an SMTP password.')
    parser.add_argument(
        'secret', help='The Secret Access Key to convert.')
    parser.add_argument(
        'region',
        help='The AWS Region where the SMTP password will be used.',
        choices=SMTP_REGIONS)
    args = parser.parse_args()
    print(calculate_key(args.secret, args.region))


if __name__ == '__main__':
    main()
```

  3. To run the Python script, enter your existing secret access key. Then, enter a space and the AWS Region where you're using the SMTP password. Use the following command:

```
python3 YOURKEYrrpg/JHpyvtStUVcAV9177EAKKmDP37P us-east-1
```

Important: Be sure to enter your credentials and run this script on a machine that's secure and trusted.

  4. The script outputs a new secret access key that you can use with Amazon SES. Store the generated SMTP credentials in your application, and then use the credentials to connect to SES SMTP endpoints.
AWS
answered 8 months ago
  • Hi Team,

    It's a long and custom process. Why do we need to convert the key by code?

    What is the issue in my process?

    What am I missing in my flow?
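As an added example (not part of the answer above and not AWS's own code), the check below classifies the SMTP password an application is configured with after a key rotation, using the same constants and HMAC chain as the conversion script in the answer. The function names `derive_smtp_password` and `diagnose`, the result labels, and the sample secrets are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constants taken from the conversion script in the answer above.
DATE, SERVICE, MESSAGE, TERMINAL, VERSION = "11111111", "ses", "SendRawEmail", "aws4_request", 0x04


def derive_smtp_password(secret_access_key, region):
    """Same HMAC-SHA256 chain as calculate_key() in the answer."""
    sig = ("AWS4" + secret_access_key).encode("utf-8")
    for part in (DATE, region, SERVICE, TERMINAL, MESSAGE):
        sig = hmac.new(sig, part.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(bytes([VERSION]) + sig).decode("utf-8")


def diagnose(configured_password, secret_access_key, region, other_regions=()):
    """Classify the SMTP password the mail client is configured with."""
    def same(a, b):  # constant-time comparison of two secrets
        return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

    if same(configured_password, secret_access_key):
        return "raw-iam-secret"  # IAM secret pasted in unconverted
    if same(configured_password, derive_smtp_password(secret_access_key, region)):
        return "ok"
    for other in other_regions:
        if same(configured_password, derive_smtp_password(secret_access_key, other)):
            return "wrong-region:" + other
    try:
        raw = base64.b64decode(configured_password, validate=True)
    except (binascii.Error, ValueError):
        return "not-an-smtp-password"
    # A converted password is 1 version byte plus a 32-byte SHA-256 digest.
    if len(raw) == 33 and raw[0] == VERSION:
        return "derived-from-other-key-or-region"
    return "not-an-smtp-password"


if __name__ == "__main__":
    new_secret = "EXAMPLEconstructedSECRETnotARealKey00000"  # constructed, not a real key
    print(diagnose(new_secret, new_secret, "us-east-1"))
    print(diagnose(derive_smtp_password(new_secret, "us-east-1"), new_secret, "us-east-1"))
```

Run it only on a trusted machine and keep the secret out of shell history and logs, since both inputs are live credentials.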

