Amazon SES 535 Authentication Credentials Invalid trying to rotate access key
We have an Amazon SES setup that works well and sends thousands of emails a day via SMTP. Trying to follow a best practice of "rotating" access keys we went to https://console.aws.amazon.com/iam/home and creating a new access key for the exact same user which is used to send emails. The new key is supposedly active but when trying to email with the access keys, we keep getting
535 Authentication Credentials Invalid
Switching to the old access keys works well and emails are sent. Tried a couple of times to delete the new access keys and create others. Same machine, same software. We have proper copy+paste skills to ensure we're using the same ID/Password provided in the CSV coming from Amazon. Here the dialog from Amazon:
So what's going on? Is there a time limit till the new key becomes active? Is there some other hidden limitation somewhere?
You are confusing the SMTP credentials with access_key and secret. They are different.
- access_key/secret --> Use in SDK and CLI
SMTP credentials --> Use to configure SES SMTP
You are creating a new access_key/secret and using it as SMTP credentials
- Instead you create a new SMTP credentials and use it
- Key rotation is different from SMTP credential rotation
- No need to create a new user
It is likely you are using the SMTP credentials that does not change even if you generate another set of access_key/secret. In your case it looks like you are using the SMTP server and not the SDK. So generating a new set of access_key/secret has no effect on SMTP credentials.
If you want to create a new set of SMTP credentials, go to AWS SES dashboard and create SMTP credentials.
For more information: Obtaining Your Amazon SES SMTP Credentials
- Unable to delete cfn stack, role is invalid or cannot be assumed
- How to Set Up Account Linking for a Skill using Alexa API from Amazon?
- GitHub actions "aws: not found" error on ubuntu-latest with Godot CI
- Download file from S3 to Rails 4 app
- Cloudfront (CDN) with Internal Application Load Balancer
- Connecting private load balancer to cloud front distribution?
- Request to Amazon API with delphi : Got HTTP/1.1 403 Forbidden
- Shift Lambda infrastructure to ECS
- IAM policy to allow EC2 instance API access only to modify itself
- How to match these 2 tables?
- What is the best way of getting files from AWS S3, inserting them into zip and uploading that zip to the bucket?
- What does this mean? An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Signature expired
- How to query: filtering on multiple primary partition keys and range on primary sort key
- How can I get boto3 script to run as a Lambda function?
- Testing AWS CDK Applications Locally
- Downloading an entire S3 bucket?
- AWS ElastiCache SNS notifications Inactive
- How to set credentials in AWS SDK v3 JavaScript?
- Redis HINCRBY hash field -1 counter for decrementing only till 0 or non negative value
- Error creating mediaconvert job for HLS output with mp4, mp3 and SRT as input
- Firehose Stream Delivers to S3 in Uncompressed Format Despite Compression Enabled
- AWS S3 Bucket Policy - Only Allow Certain File Types In Folder
- couldn't get current server API group list: the server has asked for the client to provide credentials error: You must be logged in to the server
- AWS DotNet SDK Error: Unable to get IAM security credentials from EC2 Instance Metadata Service
- AWS passive failover pricing
- Is there any API available for AWS Pricing Calculator
- Append data to an S3 object
- How to handle UnprocessedItems using AWS JavaScript SDK (dynamoDB)?
- AWS SAM-defined ECS Fargate scheduled task won't start
- How to configure AWS Application Load Balancer to point to multiple ports on the same server