ses smtp service: creating a second access key on previously working IAM user results in '535 Authentication Credentials Invalid'


We created an IAM user to use SMTP submission on SES. (We are out of the sandbox, have the domain identity verified, and DKIM is set up and working.)

Using the first access key on this IAM user, we have no issue sending email. If we create a second access key on the same IAM user, we get '535 Authentication Credentials Invalid'.

The user has one inline policy:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "*"

I'm stumped. How can a IAM user work with the first access key, but not the second access key?

And, how do we troubleshoot the 535 Authentication Credentials Invalid? I can't find any better or more verbose logging anywhere.

2 Answers
Accepted Answer

While SES SMTP credentials can be derived from IAM Access Key / Secret Key they are different. If you haven't done this already, you may need to use the code documented here to convert the new Secret Key to an SMTP password.

answered a year ago

IAM access key and secret key are not same as the SMTP username and password. you can either generate a new setup of STMP username password or use the below to convert your access key to smpt credentials. Details

// Modify this variable to include your AWS secret access key
// Modify this variable to refer to the AWS Region that you want to use to send email.
region = "us-west-2";
// The values of the following variables should always stay the same.
date = "11111111";
service = "ses";
terminal = "aws4_request";
message = "SendRawEmail";
version = 0x04;

kDate = HmacSha256(date, "AWS4" + key);
kRegion = HmacSha256(region, kDate);
kService = HmacSha256(service, kRegion);
kTerminal = HmacSha256(terminal, kService);
kMessage = HmacSha256(message, kTerminal);
signatureAndVersion = Concatenate(version, kMessage);
smtpPassword = Base64(signatureAndVersion);
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions