Skip to content

SES SignatureDoesNotMatch exception #476

amagic opened this Issue Jan 16, 2012 · 15 comments

9 participants

amagic commented Jan 16, 2012

I'm using Python 2.7.2+ on Ubuntu, with the latest Boto Git clone (2.1.1) and I cannot send an email using SES API. I keep getting the "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details." error message back. I've also tried this with Python 2.6 and got the same error.

Any tips?


I would check to make sure that your local system time is accurate. If that is indeed the case, can you test the EC2 API and see if you're able to launch an instance?

amagic commented Jan 16, 2012

I was able to test SDB and S3 API without any problems. My script queries SDB domains, puts files into S3 buckets and then finally fails when it tries to send an email message.

amagic commented Jan 16, 2012

Additionally when I modify the system time to be off by several hours I get an entirely different error message back from AWS, complaining that my system time is incorrect.

gtaylor commented Jan 16, 2012

For things like this, we need as much data as possible. Please post the complete send_email or send_raw_email() call with all values. Censor out the subject/body as appropriate, but there very may be something in there that is throwing off the hashing that happens to generate the signature.

kuno commented Jan 29, 2012

Yep, I have the same issue here.
I use django-email-services to send invitation email to our customers, in my case, even the simplest examples are failed.

from django.conf import settings
from django.core.mail import send_mail 
settings.EMAIL_BACKEND = ‘email_services.backends.AmazonSESBackend’
settings.EMAIL_SERVICES_CLIENT_ID = 'my aws id key'
settings.EMAIL_SERVICES_CLIENT_KEY = 'my aws secret access key'
send_mail("subj", "body", "", ['', ""])

 BotoServerError: BotoServerError: 403 Forbidden
<ErrorResponse xmlns="">
    <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret     Access Key and signing method. Consult the service documentation for details.</Message>
kuno commented Jan 29, 2012

I am sorry, but it seems works if i directly call the send_email method of SESConnection instance from boto.

from django.conf import settings
from import connection
conn =  connection.SESConnection(aws_access_key_id=settings.AWS_ACCESS_KEY_ID, aws_secret_access_key=settings.AWS_SECRET_ACCESS_KEY)
conn.send_email('', 'subj', 'body', [''])

{u'SendEmailResponse': {u'ResponseMetadata': {u'RequestId': u'47222b88-4a56-11e1-8eb5-ad2ad3864ce0'},
u'SendEmailResult': {u'MessageId': u'0000013528a8704e-b5068970-374d-4ea7-8936-87b49606b3f3-000000'}}}
kuno commented Jan 29, 2012

sorry, I am stupid. All of these are caused by my error, not boto neither aws...

bcambel commented Feb 29, 2012

Hi @kuno ,

I think, I am also making the same mistake. What is/was the solution ?

If I use the SMTP credentials that is generated, I got the same error ( The request signature we calculated ....)
and if I use the general amazon key & secret, I got a 400 error.

kuno commented Mar 2, 2012

This kind of errors are most likely caused by wrong aws access key/secret key (or as pair of them).
So my suggestion would be check your credentials, access key, secret key with great carefulness.


I had the same problem. Here are my observations.
Being on Win 7 (cz), 64 bit, python 2.7.3 (32 bit), boto 2.5.2

Using credentials as proposed by SES web page I am getting the error:

<ErrorResponse xmlns="">
    <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message

Let me call these credentials ses-smtp-user-nagios

I used ini file with proper structure and variable BOTO_CONFIG to point to it - this is my favorite method.

On the other hand, when I used my "root" credentials read from my "root.cfg" ini file, I was able to send the e-mail without any problem.

My ses-smtp-user-nagios credentials have this policy file:


I also tried to modify it, add "ses:SendEmail" action, or even grant this:


without any help.

I tried two different accounts with no help.

Finally I created new account of its own using pure IAM and assigned proper permissions - and this worked.

To me it is not clear what was the cause, possible being:

  1. repeatedly making some stupid mistake in creating my credential config files
  2. AWS SES providing some bad credentials



I have the same problem, the SES perl scripts says SignatureDoesNotMatch.

I double verified it, and anyway, I can send mails with the same username and password through smtp. It has to be an issue on their side.

vlcinsky commented Aug 7, 2012

I can confirm, that the original credentials, which did not work with boto, were usable for sending e-mails over SMTP. It really seems, Amazon has there some sort of bug.

the boto project member
garnaat commented Aug 12, 2012

There are two sets of credentials for SES. First, if you are using the actual SES API you would provide an access_key, secret_key combination. This could be the ones associated with your AWS account or it could be the ones associated with an IAM user or session key created using your AWS account credentials.

The second set of credentials are a username/password that is used only if you are accessing SES via the SMTP interface.

Are you, by chance, confusing these two sets of credentials?


Indeed I was. Sorry for my oversight.


So, the lesson is:

Getting proper credentials (there are two types: SMTP and AWS type)

  • The credentials for SES, which one gets, when using AWS Management Console - the SES part - are SMTP credentials and these are not to be confused with access_key and secret_key, typically used by AWS clients (like boto).
  • These SMTP credentials are usable only by SMTP clients.

How to get credentials to send e-mail using boto

On the other hand, if you want to use some AWS API to send e-mails (like boto), then there is no need to get those SMTP credentials (which simply do not work as credentials for boto), you may use your ordinary AWS credentials as with other types of services (assuming, the used identity has permission to use required SES services).

Anyway, all the work with setting up sender account with all the verifications etc. is probably easier to do over AWS Management console.

Where the confusion comes from (AWS Doc)

It seems like the confusion come from the fact, SES part of AWS Management Console offers creation of SMTP credentials, which
1. look like ordinary AWS credentials, and
2. create some identities visible on IAM.

To make it even more confusing, the default permissions given for the new identities on IAM do allow only SendRawEmail, but not SendEmail.

Correct me, if I am wrong.

Anyway, this is more "documentation bug" or simple misunderstanding, but certainly not a bug in boto, so this issue can be closed.

@jamesls jamesls closed this Jul 11, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.