Amazon Simple Email Service
Developer Guide (API Version 2010-12-01)
Did this page help you?  Yes | No |  Tell us about it...
« PreviousNext »
View the PDF for this guide.Go to the AWS Discussion Forum for this product.Go to the Kindle Store to download this guide in Kindle format.

Obtaining Your Amazon SES SMTP Credentials

You need an Amazon SES SMTP user name and password to access the Amazon SES SMTP interface. You can use the same set of SMTP credentials in all AWS regions.


Your SMTP user name and password are not the same as your AWS access key ID and secret access key. Do not attempt to use your AWS credentials to authenticate yourself against the SMTP endpoint. For more information about credentials, see Using Credentials With Amazon SES.

There are two ways to generate your SMTP credentials. You can either use the Amazon SES console or you can generate your SMTP credentials from your AWS credentials.

Use the Amazon SES console to generate your SMTP credentials if:

  • You want to get your SMTP credentials using the simplest method.

  • You do not need to automate SMTP credential generation using code or a script.

Generate your SMTP credentials from your AWS credentials if:

  • You have an existing AWS Identity and Access Management (IAM) user that you created using the IAM interface and you want that user to be able to send emails using the Amazon SES SMTP interface.

  • You want to automate SMTP credential generation using code or a script.

For information on each method, see Obtaining Amazon SES SMTP Credentials Using the Amazon SES Console and Obtaining Amazon SES SMTP Credentials by Converting AWS Credentials.

Obtaining Amazon SES SMTP Credentials Using the Amazon SES Console

When you generate SMTP credentials by using the Amazon SES console, the Amazon SES console creates an IAM user with the appropriate policies to call Amazon SES and provides you with the SMTP credentials associated with that user.


An IAM user can create Amazon SES SMTP credentials, but the IAM user's policy must give them permission to use IAM itself, because Amazon SES SMTP credentials are created through IAM. If the IAM user tries to create Amazon SES SMTP credentials using the console and they don't have IAM permissions, they will get an error that says "… not authorized to perform iam:ListUsers…" In that case, the root account owner needs to modify the IAM user's policy to allow them to access the following IAM actions: "iam:ListUsers", "iam:CreateUser", "iam:CreateAccessKey", and "iam:PutUserPolicy".

To create your SMTP credentials

  1. Sign in to the AWS Management Console and open the Amazon SES console at

  2. In the navigation pane, click SMTP Settings.

  3. In the content pane, click Create My SMTP Credentials.

  4. In the Create User for SMTP dialog box, you will see that an SMTP user name has been filled in for you. You can accept this suggested user name or enter a different one. To proceed, click Create.

    Create User for SMTP
  5. Click Show User SMTP Credentials. Your SMTP credentials will be displayed on the screen; copy them and store them in a safe place. You can also click Download Credentials to download a file that contains your credentials.

    Create User for SMTP


    This is the only time that you will be able to view your SMTP credentials! We strongly advise you to download these credentials and refrain from sharing them with others.

  6. Click Close Window.

If you want to delete your SMTP credentials, go to the IAM console at and delete the IAM user name that corresponds with your SMTP credentials. To learn more, go to the Using IAM guide.

If you want to change your SMTP password, go to the IAM console and delete your existing IAM user, and then go to the Amazon SES console to re-generate your SMTP credentials.

Obtaining Amazon SES SMTP Credentials by Converting AWS Credentials

If you have an IAM user that you set up using the IAM interface, you need to do the following two steps to enable the user to send email using the Amazon SES SMTP interface:

  • Derive the user's SMTP credentials from their AWS credentials using the algorithm provided in this section. A user's SMTP username is the same as their AWS Access Key ID, so you just need to generate the SMTP password.

  • Apply the following policy to the IAM user:

    { "Statement": [{

    For more information about using Amazon SES with IAM, see Controlling User Access to Amazon SES.


Although you can generate Amazon SES SMTP credentials for any existing IAM user, we recommend for security reasons that you create a separate IAM user for the AWS credentials that you will use to generate the SMTP password. For information about why it is good practice to create users for specific purposes, go to IAM Best Practices.

The following pseudocode shows the algorithm that converts an AWS Secret Access Key to an Amazon SES SMTP password.

key = AWS Secret Access Key;
message = "SendRawEmail";
versionInBytes = 0x02;
signatureInBytes = HmacSha256(message, key);
signatureAndVer = Concatenate(versionInBytes, signatureInBytes);
smtpPassword = Base64(signatureAndVer);

The following is an example Java implementation that converts an AWS Secret Access Key to an Amazon SES SMTP password. Before you run the program, put the AWS Secret Access Key of the IAM user into an environment variable called AWS_SECRET_ACCESS_KEY. The output of the program is the SMTP password. That password, along with the SMTP username (which is the same as the AWS Access Key ID) are the user's Amazon SES SMTP credentials.

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;

public class SesSmtpCredentialGenerator {
       private static final String KEY_ENV_VARIABLE = "AWS_SECRET_ACCESS_KEY"; // Put your AWS secret access key in this environment variable.
       private static final String MESSAGE = "SendRawEmail"; // Used to generate the HMAC signature. Do not modify.
       private static final byte VERSION =  0x02; // Version number. Do not modify.

       public static void main(String[] args) {
              // Get the AWS secret access key from environment variable AWS_SECRET_ACCESS_KEY.
              String key = System.getenv(KEY_ENV_VARIABLE);         	  
              if (key == null)
                 System.out.println("Error: Cannot find environment variable AWS_SECRET_ACCESS_KEY.");  
              // Create an HMAC-SHA256 key from the raw bytes of the AWS secret access key.
              SecretKeySpec secretKey = new SecretKeySpec(key.getBytes(), "HmacSHA256");

              try {         	  
                     // Get an HMAC-SHA256 Mac instance and initialize it with the AWS secret access key.
                     Mac mac = Mac.getInstance("HmacSHA256");

                     // Compute the HMAC signature on the input data bytes.
                     byte[] rawSignature = mac.doFinal(MESSAGE.getBytes());

                     // Prepend the version number to the signature.
                     byte[] rawSignatureWithVersion = new byte[rawSignature.length + 1];               
                     byte[] versionArray = {VERSION};                
                     System.arraycopy(versionArray, 0, rawSignatureWithVersion, 0, 1);
                     System.arraycopy(rawSignature, 0, rawSignatureWithVersion, 1, rawSignature.length);

                     // To get the final SMTP password, convert the HMAC signature to base 64.
                     String smtpPassword = DatatypeConverter.printBase64Binary(rawSignatureWithVersion);       
              catch (Exception ex) {
                     System.out.println("Error generating SMTP password: " + ex.getMessage());