By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

ses smtp service: creating a second access key on previously working IAM user results in '535 Authentication Credentials Invalid'

0

We created an IAM user to use SMTP submission on SES. (We are out of the sandbox, have the domain identity verified, and DKIM is set up and working.)

Using the first access key on this IAM user, we have no issue sending email. If we create a second access key on the same IAM user, we get '535 Authentication Credentials Invalid'.

The user has one inline policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "*"
        }
    ]
}

I'm stumped. How can a IAM user work with the first access key, but not the second access key?

And, how do we troubleshoot the 535 Authentication Credentials Invalid? I can't find any better or more verbose logging anywhere.

Topics
Front-End Web & MobileBusiness ApplicationsSecurity, Identity, & Compliance
Tags
Amazon Simple Email ServiceIAM Policies
Language
English
AnotherAWSuser
asked a year ago760 views
2 Answers
1
Accepted Answer

While SES SMTP credentials can be derived from IAM Access Key / Secret Key they are different. If you haven't done this already, you may need to use the code documented here to convert the new Secret Key to an SMTP password.

AWS
zsewell
answered a year ago
1

IAM access key and secret key are not same as the SMTP username and password. you can either generate a new setup of STMP username password or use the below to convert your access key to smpt credentials. Details

// Modify this variable to include your AWS secret access key
key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
            
// Modify this variable to refer to the AWS Region that you want to use to send email.
region = "us-west-2";
            
// The values of the following variables should always stay the same.
date = "11111111";
service = "ses";
terminal = "aws4_request";
message = "SendRawEmail";
version = 0x04;

kDate = HmacSha256(date, "AWS4" + key);
kRegion = HmacSha256(region, kDate);
kService = HmacSha256(service, kRegion);
kTerminal = HmacSha256(terminal, kService);
kMessage = HmacSha256(message, kTerminal);
signatureAndVersion = Concatenate(version, kMessage);
smtpPassword = Base64(signatureAndVersion);
AWS
Rishi
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content