Obtaining Amazon SES SMTP credentials
You need an Amazon SES SMTP user name and password to access the Amazon SES SMTP interface.
The credentials that you use to send email through the Amazon SES SMTP interface are unique to each AWS Region. If you use the Amazon SES SMTP interface to send email in more than one Region, you must generate a set of SMTP credentials for each Region that you plan to use.
Your SMTP password is different from your AWS secret access key. For more information about credentials, see Types of Amazon SES credentials.
SMTP endpoints are not currently available in Africa (Cape Town), Asia Pacific (Jakarta), Europe (Milan), Middle East (Bahrain).
Obtaining Amazon SES SMTP credentials using the Amazon SES console
When you use the SES workflow below to generate SMTP credentials by using the console, you are taken to the IAM console to create an IAM user with the appropriate policies to call Amazon SES and provides you with the SMTP credentials associated with that user.
Requirement
An IAM user can create Amazon SES SMTP credentials, but the IAM user's policy must
give them permission to use IAM itself, because Amazon SES SMTP credentials are created
by using IAM. Your IAM policy must allow you to perform the following IAM
actions: iam:ListUsers
, iam:CreateUser
,
iam:CreateAccessKey
, and iam:PutUserPolicy
. If you try
to create Amazon SES SMTP credentials using the console and your IAM user doesn't have
these permissions, you see an error that states that your account is "not authorized
to perform iam:ListUsers."
To create your SMTP credentials
-
Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/
. -
Choose SMTP settings in the left navigation pane - this will open the Simple Mail Transfer Protocol (SMTP) settings page.
-
Choose Create SMTP Credentials in the upper-right corner - the IAM console will open.
-
(Optional) If you need to view, edit, or delete SMTP users you’ve already created, choose Manage my existing SMTP credentials in the lower-right corner - the IAM console will open. Details for managing SMTP credentials is given following these procedures.
-
For Create User for SMTP, type a name for your SMTP user in the IAM User Name field. Alternatively, you can use the default value that is provided in this field. When you finish, choose Create in the bottom-right corner.
-
Expand Show User SMTP Security Credentials - your SMTP credentials are shown on the screen.
-
Download these credentials by choosing Download Credentials or copy them and store them in a safe place, because you can't view or save your credentials after you close this dialog box.
-
Choose Close Window.
You can view a list of the SMTP credentials you've created using this procedure in the IAM console under Access management and choosing Users followed by using the search bar to find all users that you've assigned SMTP credentials.
You can also use the IAM console to delete existing SMTP users. To learn more about deleting users, see Managing IAM Users in the IAM Getting Started Guide.
If you want to change your SMTP password, delete your existing SMTP user in the IAM console. Then, to generate a new set of SMTP credentials, complete the previous procedures.
Obtaining Amazon SES SMTP credentials by converting existing AWS credentials
If you have an IAM user that you set up using the IAM interface, you can derive the user's Amazon SES SMTP credentials from their AWS credentials.
Don't use temporary AWS credentials to derive SMTP credentials. The Amazon SES SMTP interface doesn't support SMTP credentials that have been generated from temporary security credentials.
To enable the IAM user to send email using the Amazon SES SMTP interface, do the following.
-
Derive the user's SMTP credentials from their AWS credentials by using the algorithm provided in this section. Because you're starting from AWS credentials, the SMTP user name is the same as the AWS access key ID, so you only need to generate the SMTP password.
-
Apply the following policy to the IAM user:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ses:SendRawEmail", "Resource": "*" } ] }
For more information about using Amazon SES with IAM, see Identity and access management in Amazon SES.
Although you can generate Amazon SES SMTP credentials for any IAM user, we recommend that you create a separate IAM user when you generate your SMTP credentials. For information about why it's good practice to create users for specific purposes, go to IAM Best Practices.
The following pseudocode shows the algorithm that converts an AWS secret access key to an Amazon SES SMTP password.
// Modify this variable to include your AWS secret access key key = "
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"; // Modify this variable to refer to the AWS Region that you want to use to send email. region = "us-west-2
"; // The values of the following variables should always stay the same. date = "11111111"; service = "ses"; terminal = "aws4_request"; message = "SendRawEmail"; version = 0x04; kDate = HmacSha256(date, "AWS4" + key); kRegion = HmacSha256(region, kDate); kService = HmacSha256(service, kRegion); kTerminal = HmacSha256(terminal, kService); kMessage = HmacSha256(message, kTerminal); signatureAndVersion = Concatenate(version, kMessage); smtpPassword = Base64(signatureAndVersion);
Some programming languages include libraries that you can use to convert an IAM secret access key into an SMTP password. This section includes a code example that you can use to convert an AWS secret access key to an Amazon SES SMTP password using Python.
The following example uses f-strings that were introduced in Python 3.6; if using an older version, they won't work.
Currently, the Python SDK (Boto3) officially supports 2.7 and 3.6 (or later). However, 2.7 support is deprecated and will be dropped on 7/15/2021, so you'll need to upgrade to at least 3.6.
To use this script, first save the preceding code as
smtp_credentials_generate.py
. Then, at the command line, run
the following command:
python
path/to/
smtp_credentials_generate.pywJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
us-east-1
In the preceding command, do the following:
-
Replace
path/to/
with the path to the location where you savedsmtp_credentials_generate.py
. -
Replace
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
with the Secret Access Key that you want to convert into an SMTP password. -
Replace
us-east-1
with the AWS Region in which you want to use the SMTP credentials.
When this script runs successfully, the only output is your SMTP password.