Resolving Amazon SES 535 Authentication Credentials Invalid Error During Access Key Rotation

Hello Data Scientists and fellow Software Engineers

Resolving Amazon SES 535 Authentication Credentials Invalid Error During Access Key Rotation

Hello Data Scientists and fellow Software Engineers! Today we will tackle an issue many of you might have faced while working with Amazon Simple Email Service (SES): the notorious 535 Authentication Credentials Invalid error, especially during access key rotation.

What is Amazon SES?

Amazon SES (Simple Email Service) is a highly scalable and cost-effective service for sending and receiving emails. It’s a reliable way to route email communication within applications, but like any tool, it can produce its fair share of errors.

The 535 Authentication Credentials Invalid Error

The “535 Authentication Credentials Invalid” error is a common issue encountered in Amazon SES when there’s a problem with your SMTP credentials. SMTP (Simple Mail Transfer Protocol) is the protocol that enables the sending of emails. When your SMTP credentials are invalid, Amazon SES can’t send your emails and returns the 535 error.

Amazon Access Key Rotation

Access Key rotation is a security best practice recommended by AWS. It involves creating a new access key (consisting of an Access Key ID and Secret Access Key), switching applications to use the new access key, and then deactivating the old key. This can help to limit the impact if credentials are compromised, as it ensures the keys are not valid indefinitely.

How to Resolve the 535 Error During Key Rotation

Here’s a step-by-step guide on how to handle this error while rotating your access key.

Step 1: Generate a New SMTP Password

When you rotate your AWS access keys, you need to generate a new SMTP password for Amazon SES. The SMTP password is derived from the AWS Secret Access Key, so when you create a new access key, the old SMTP password becomes invalid.

import hmac
import hashlib
import base64

def create_smtp_password(secret_access_key):
    message = "SendRawEmail"
    version = '\x02'
    sig =, msg=message, digestmod=hashlib.sha256).digest()
    new_smtp_password = base64.b64encode(sig + message + version)

    return new_smtp_password.decode()

Step 2: Update Your Application

After generating a new SMTP password, you must update your application with the new SMTP credentials (the SMTP username is the Access Key ID, and the SMTP password is the one you just generated).

Step 3: Test Your Application

Send a test email to ensure that your application is working correctly with the new SMTP credentials.

Step 4: Deactivate the Old Key

Once you’ve confirmed the new credentials are working, deactivate the old AWS access key.


AWS key rotation is a vital process to enhance the security of your application, but it can lead to the 535 Authentication Credentials Invalid error in Amazon SES if not handled correctly. To avoid this, ensure that you generate a new SMTP password every time you rotate your access keys and update this in your application.

Remember, a tool is only as good as its user. Understanding the intricacies of Amazon SES and SMTP can significantly enhance your data science and software engineering projects. Happy coding!

About Saturn Cloud

Saturn Cloud is your all-in-one solution for data science & ML development, deployment, and data pipelines in the cloud. Spin up a notebook with 4TB of RAM, add a GPU, connect to a distributed cluster of workers, and more. Join today and get 150 hours of free compute per month.