How can I rotate my access keys for an existing Amazon SES SMTP IAM user?

Last updated: 2020-08-28

I want to rotate my Amazon Simple Email Service (Amazon SES) Simple Mail Transfer Protocol (SMTP) credentials in AWS Identity and Access Management (IAM). How can I create a user name and password that's compatible with Amazon SES?


Access keys that you create in the IAM console for an SMTP user don't work with the Amazon SES SMTP interface. The keys generated in the IAM console are in a different format than the format required for the credentials that you need for Amazon SES SMTP servers.

To set up credentials for the Amazon SES SMTP interface, do one of the following:

Create new Amazon SES SMTP credentials

1.    Use the Amazon SES console to create new Amazon SES SMTP credentials.

2.    After you get the new credentials, you can choose to delete the existing Amazon SES credentials in IAM if you don't need them.

Convert your existing secret access key into the Amazon SES SMTP format

Note: You must use Python 3 or later versions with the following steps. 

1.    Update the existing IAM user's policy to grant permission for ses:SendRawEmail at minimum.

2.    Copy the Python code for converting a secret access key into an Amazon SES SMTP password.

3.    Paste the Python code into a text editor, and then save the file as

4.    To run the Python script, use the following command:
For --secret, enter your existing secret access key.
For --region, enter the AWS Region where you're using the SMTP password.

python3 --secret YOURKEYrrpg/JHpyvtStUVcAV9177EAKKmDP37P --region us-east-1

5.    The script outputs a new secret access key that you can use with Amazon SES:

import os      #required to fetch environment varibles
import hmac    #required to compute the HMAC key
import hashlib #required to create a SHA256 hash
import base64  #required to encode the computed key
import sys     #required for system functions (exiting, in this case)

# Fetch the environment variable called AWS_SECRET_ACCESS_KEY, which contains
# the secret access key for your IAM user.
key = os.getenv('AWS_SECRET_ACCESS_KEY',0)

# These varibles are used when calculating the SMTP password. You shouldn't
# change them.
message = 'SendRawEmail'
version = '\x02'

# See if the environment variable exists. If not, quit and show an error.
if key == 0:
    sys.exit("Error: Can't find environment variable AWS_SECRET_ACCESS_KEY.")

# Compute an HMAC-SHA256 key from the AWS secret access key.
signatureInBytes ='utf-8'),message.encode('utf-8'),hashlib.sha256).digest()
# Prepend the version number to the signature.
signatureAndVersion = version.encode('utf-8') + signatureInBytes
# Base64-encode the string that contains the version number and signature.
smtpPassword = base64.b64encode(signatureAndVersion)
# Decode the string and print it to the console.

Did this article help?

Do you need billing or technical support?