Status Code 403: SignatureDoesNotMatch when I am using Amazon SES

Question

I created a new Amazon account. Created SMTP Credentials and used AWS Java SDK to send emails. But it is failing with following error:

Status Code: 403, AWS Service: AmazonSimpleEmailService, AWS Request ID: xyz, AWS Error Code: SignatureDoesNotMatch, AWS Error Message: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

For me, it was a clock skew issue: https://stackoverflow.com/a/22460549/470749 — Ryan, Jan 01 '19 at 21:45

score 27 · Accepted Answer · answered Jan 12 '13 at 19:18

27

The keys to be provided to send Emails are not "SMTP Credentials" . The keys are instead Global access key which can be retrieved http://docs.amazonwebservices.com/ses/latest/GettingStartedGuide/GetAccessIDs.html.

answered Jan 12 '13 at 19:18

Deepak Singhal

9,577
10
50
92

5

I'll be darned, but this is quite true. You need to create a global access key for AWS to be able to access SES. Use the URL https://console.aws.amazon.com/iam/home?#security_credential Note that this provides keys with unlimited access to the AWS account. Don't see why the SES can't make do with a more limited set of credentials... – joker Apr 14 '14 at 10:37
1

Best practice is create a IAM user and then, create an Access ID for that user. You can limit user permissions now. All this actions must be done in AIM control panel: https://console.aws.amazon.com/iam/home – Adrian Lopez Feb 27 '15 at 22:31
The answer above is correct , worked for me. There is just one caution I had to take, somehow when you download the credentials via csv format, they do not work, so copy from the aws console itself rather than downloading csv and copying from there. – 89n3ur0n Feb 01 '20 at 06:53

score 12 · Answer 2 · answered Jun 26 '14 at 14:42

SMTP Credentials are not valid for use with SES API (AWS Java SDK). SMTP credential are in fact different to the ones manually created for IAM users, even that this different is not visible anywhere on AWS Console. Take a look here to see differences: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/using-credentials.html

You don't actually need to create Global Access credentials (which could be a security leak), but you should create a new IAM user with the following security policy, and create new credentials for that user.

{
"Version": "2012-10-17",
"Statement":[{
   "Effect":"Allow",
   "Action":["ses:SendEmail", "ses:SendRawEmail"],
   "Resource":"*"
   }
]
}

PS: Probably, you could just add new credentials to the SMTP IAM user already created for SES, but I haven't yet tested this.

The policy works fine, but I had to create another credential to use with it. — Carlos Coelho, Jun 14 '16 at 14:51

Status Code 403: SignatureDoesNotMatch when I am using Amazon SES

2 Answers2

Linked