Skip to content

Amazon Web Service (AWS) - Simple Email Service (SES) Notifications

Overview

You’ll need to create an account with Amazon Web Service (AWS) first to use this. If you don’t have one, you’ll need your credit card (even though the first 12 months are free). Alternatively, if you already have one (or are using it through your company), you’re good to go to the next step.

The next thing you’ll need to do is generate an Access Key ID and Secret Access Key:

  1. From the AWS Management Console search for IAM under the AWS services section or simply click here.
  2. Expand the section reading Access keys (access key ID and secret access key)
  3. Click on Create New Access Key
  4. It will present the information to you on screen and let you download a file containing the same information. I suggest you do so since there is no way to retrieve this key again later on (unless you delete it and create a new one).

So at this point, it is presumed you’re set up, and you got your Access Key ID and Secret Access Key on hand.

You also need a verified sender identity in SES. From the AWS Management Console search for Simple Email Service under the AWS services section, then go to Verified identities and verify the email address or domain you want to send from.

AWS Lambda execution roles, IAM roles assumed via STS (aws sts assume-role), and other sources of short-lived credentials provide a third component alongside the Access Key ID and Secret Access Key: the Session Token (AWS_SESSION_TOKEN). This token must be included when signing requests, otherwise AWS will reject them with an authorization error.

Apprise supports session tokens in two ways:

  • Query parameter (recommended): append ?token={SessionToken} to any SES URL — the token is accepted exactly as AWS provides it, with no escaping required.
  • URL password field: place the token in the password position of the URL: ses://{user}:{SessionToken}@{host}/... — any / characters in the token must be percent-encoded as %2F.

Valid syntax is as follows:

  • ses://{FromEmail}/{AccessKeyID}/{SecretKey}/{Region}/
  • ses://{FromEmail}/{AccessKeyID}/{SecretKey}/{Region}/{ToEmail1}/{ToEmail2}/{ToEmailN}/
  • ses://{FromUser}:{SessionToken}@{FromDomain}/{AccessKeyID}/{SecretKey}/{Region}/
  • ses://{FromEmail}/{AccessKeyID}/{SecretKey}/{Region}/?token={SessionToken}

If no target email is specified, Apprise sends to the {FromEmail} address itself.

VariableRequiredDescription
FromEmail*YesThe sender email address AWS sends on behalf of. AWS validates this against your verified identities.
AccessKeyID*YesThe generated Access Key ID from the AWS Management Console.
SecretKey*YesThe generated Secret Access Key from the AWS Management Console.
Region*YesThe region code, e.g. us-east-1, us-west-2, cn-north-1.
ToEmailNoOne or more recipient email addresses separated by a slash. If omitted, the FromEmail address is notified.
SessionTokenNoAn AWS session token for temporary/IAM credentials (AWS_SESSION_TOKEN). Prefer ?token= — tokens often contain / which must be escaped as %2F in the password-field form.
replyNoSet a Reply-To address different from the sender address.
toNoForce or override the To address. Usually inferred automatically.
nameNoA display name associated with the sender address.
ccNoCarbon Copy email address(es). Multiple values can be separated by commas.
bccNoBlind Carbon Copy email address(es). Multiple values can be separated by commas.
keyNoAn alias for AccessKeyID (?key=). Useful in YAML configuration.
accessNoA legacy alias for AccessKeyID (?access=).
secretNoAn alias for SecretKey (?secret=).
tokenNoAn alias for SessionToken (?token=). Useful in YAML configuration.
VariableDescription
overflowThis parameter can be set to either split, truncate, or upstream. This determines how Apprise delivers the message you pass it. By default this is set to upstream
👉 upstream: Do nothing at all; pass the message exactly as you received it to the service.
👉 truncate: Ensure that the message will fit within the service’s documented upstream message limit. If more information was passed then the defined limit, the overhead information is truncated.
👉 split: similar to truncate except if the message doesn’t fit within the service’s documented upstream message limit, it is split into smaller chunks and they are all delivered sequentially there-after.
formatThis parameter can be set to either text, html, or markdown. Some services support the ability to post content by several different means. The default of this varies (it can be one of the 3 mentioned at any time depending on which service you choose). You can optionally force this setting to stray from the defaults if you wish. If the service doesn’t support different types of transmission formats, then this field is ignored.
verifyExternal requests made to secure locations (such as through the use of https) will have certificates associated with them. By default, Apprise will verify that these certificates are valid; if they are not then no notification will be sent to the source. In some occasions, a user might not have a certificate authority to verify the key against or they trust the source; in this case you will want to set this flag to no. By default it is set to yes.
redirectBy default, Apprise will follow HTTP redirects (3xx responses) issued by the remote server, matching the behaviour of the underlying requests library. If you want to prevent custom headers and credentials from being forwarded to destinations that differ from the original URL, set this to no. By default it is set to yes.
ctoThis stands for Socket Connect Timeout. This is the number of seconds Requests will wait for your client to establish a connection to a remote machine (corresponding to the connect()) call on the socket. The default value is 4.0 seconds.
rtoThis stands for Socket Read Timeout. This is the number of seconds the client will wait for the server to send a response. The default value is 4.0 seconds.
emojisEnable Emoji support (such as providing :+1: would translate to 👍). By default this is set to no.
Note: Depending on server side settings, the administrator has the power to disable emoji support at a global level; but default this is not the case.
tzIdentify the IANA Time Zone Database you wish to operate as. By default this is detected based on the configuration the server hosting Apprise is running on. You can set this to things like America/Toronto, or any other properly formated Timezone describing your area.
retryThe number of additional delivery attempts to make after the first failure before giving up. Accepts an integer in the range 0 to 10. The default is 0 (no retries — a single attempt is made). When combined with wait, Apprise pauses the specified number of seconds between each attempt.
waitThe number of seconds to pause between retry attempts. Accepts a decimal value in the range 0.0 to 20.0; integer values are promoted to float automatically. The default is 0.5. This value is only meaningful when retry is greater than zero — a service with retry=0 makes exactly one attempt regardless of the wait value.
optionalWhen set to yes, a delivery failure for this service is silently absorbed. The overall notify() call still returns True even if this endpoint was unreachable, provided that every required (non-optional) service in the same batch succeeded. Setting this flag does not skip delivery or bypass retry logic — all configured retry attempts are still made before the failure is absorbed. By default this is set to no, meaning every failure is propagated to the caller.

Send a basic SES email:

Terminal window
# Assuming our {AccessKeyID} is AHIAJGNT76XIMXDBIJYA
# Assuming our {SecretKey} is bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9
# Assuming our {Region} is us-east-2
# Assuming our sender is sender@example.com
apprise -vv -t "Test Message Title" -b "Test Message Body" \
ses://sender@example.com/AHIAJGNT76XIMXDBIJYA/bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9/us-east-2/
# Send to a different recipient
apprise -vv -t "Test Message Title" -b "Test Message Body" \
ses://sender@example.com/AHIAJGNT76XIMXDBIJYA/bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9/us-east-2/recipient@example.com

Send using temporary credentials from an IAM role or Lambda:

Terminal window
# Recommended: ?token= accepts the token exactly as AWS provides it,
# no escaping needed even when the token contains / characters
apprise -vv -b "Lambda alert fired" \
"ses://sender@example.com/AHIAJGNT76XIMXDBIJYA/bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9/us-east-2/recipient@example.com?token=MySessionToken"
# Alternate: token in the URL password field -- any / in the token
# must be percent-encoded as %2F
apprise -vv -b "Lambda alert fired" \
"ses://sender:MySessionToken@example.com/AHIAJGNT76XIMXDBIJYA/bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9/us-east-2/recipient@example.com"

Example YAML configuration using named parameters:

urls:
- ses://:
- key: AHIAJGNT76XIMXDBIJYA
secret: bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9
region: us-east-2
from: sender@example.com
to: recipient@example.com
token: MySessionToken
Questions or Feedback?

Documentation

Notice a typo or an error?

Technical Issues

Having trouble with the code? Open an issue on GitHub:

Made with love from Canada