Deploying AWS SES access key and SMTP password to the parameter store using AWS CloudFormation

17 Mar, 2018
Xebia Background Header Wave

In AWS CloudFormation there is no way to generate the SMTP password of an AWS access key. As a result, the application always
has to do the calculation and transform the secret key into an SMTP password.
With This custom CloudFormation provider, we put an end to that. You can create an access key and SMTP password and automatically
store the credentials in the AWS Parameter Store. This means that you can create the email infrastructure and provision
SMTP credentials to applications that need to send email through Amazon Simple Email Service in a safe and controlled manner.

How does it work?

It is quite easy: you add the CloudFormation resource Custom::AccessKey, as follows:

    Type: Custom::AccessKey
      content: sample user credential
      UserName: email-sender
      ParameterPath: /iam-users/email-sender
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

The access key id, access secret and the SMTP password are stored in the parameter store under the paths /iam-users/email-sender/aws_access_key_id, /iam-users/email-sender/aws_access_secret_key and /iam-users/email-sender/smtp_password respectively.


You can specify the following properties:

  • UserName – to create an access key for.
  • ParameterPath – into the parameter store to store the credentials
  • Serial – to force the access key to be recycled
  • Status – Active or Inactive
  • ReturnSecret – returns access id and access secret as attribute
  • ReturnPassword – returns access id and SMTP password as attribute
  • NoEcho – indicate whether output of the return values is replaced by *****, default True.

Return values

With ‘Fn::GetAtt’ the following values are available:

  • SMTPPassword – the SMTP password based for the access key (if ReturnPassword is true).
  • AccessSecretKey – the secret part of the access key (if ReturnSecret is true).
    For more information about using Fn::GetAtt, see Fn::GetAtt.


To install this Custom Resource, type:

git checkout
cd cfn-secret-provider

aws cloudformation create-stack 
  --capabilities CAPABILITY_IAM 
  –-stack-name cfn-secret-provider 
  –-template-body file://cloudformation/cfn-custom-resource-provider.yaml

aws cloudformation wait stack-create-complete 
  –-stack-name cfn-secret-provider

This CloudFormation template will use our pre-packaged provider from:



To install the simple sample from this blog post, type:

aws cloudformation create-stack 
 --stack-name cfn-secret-provider-demo 
 --template-body file://cloudformation/demo-stack.yaml

aws cloudformation wait stack-create-complete  
 –stack-name cfn-secret-provider-demo

to validate the result, type:

aws ssm get-parameters-by-path 
  --path /iam-users 


By using the Custom CloudFormation Secret provider you can create an IAM Access Key and the derived SMTP password and stored in the parameter store where it is encrypted and access can be audited and controlled.
If you got this far, you may also want to deploy your SES domain identities and DKIM records using CloudFormation.
If you have any questions, do not hesitate to contact me.

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.

Get in touch with us to learn more about the subject and related solutions

Explore related posts