Amazon Web Service (AWS) - Simple Email Service (SES) Notifications
Account Setup
Section titled “Account Setup”You’ll need to create an account with Amazon Web Service (AWS) first to use this. If you don’t have one, you’ll need your credit card (even though the first 12 months are free). Alternatively, if you already have one (or are using it through your company), you’re good to go to the next step.
The next thing you’ll need to do is generate an Access Key ID and Secret Access Key:
- From the AWS Management Console search for IAM under the AWS services section or simply click here.
- Expand the section reading Access keys (access key ID and secret access key)
- Click on Create New Access Key
- It will present the information to you on screen and let you download a file containing the same information. I suggest you do so since there is no way to retrieve this key again later on (unless you delete it and create a new one).
So at this point, it is presumed you’re set up, and you got your Access Key ID and Secret Access Key on hand.
You also need a verified sender identity in SES. From the AWS Management Console search for Simple Email Service under the AWS services section, then go to Verified identities and verify the email address or domain you want to send from.
Temporary Credentials (Session Token)
Section titled “Temporary Credentials (Session Token)”AWS Lambda execution roles, IAM roles assumed via STS (aws sts assume-role), and other sources of short-lived credentials provide a third component alongside the Access Key ID and Secret Access Key: the Session Token (AWS_SESSION_TOKEN). This token must be included when signing requests, otherwise AWS will reject them with an authorization error.
Apprise supports session tokens in two ways:
- Query parameter (recommended): append
?token={SessionToken}to any SES URL — the token is accepted exactly as AWS provides it, with no escaping required. - URL password field: place the token in the password position of the URL:
ses://{user}:{SessionToken}@{host}/...— any/characters in the token must be percent-encoded as%2F.
Syntax
Section titled “Syntax”Valid syntax is as follows:
ses://{FromEmail}/{AccessKeyID}/{SecretKey}/{Region}/ses://{FromEmail}/{AccessKeyID}/{SecretKey}/{Region}/{ToEmail1}/{ToEmail2}/{ToEmailN}/ses://{FromUser}:{SessionToken}@{FromDomain}/{AccessKeyID}/{SecretKey}/{Region}/ses://{FromEmail}/{AccessKeyID}/{SecretKey}/{Region}/?token={SessionToken}
If no target email is specified, Apprise sends to the {FromEmail} address itself.
Parameter Breakdown
Section titled “Parameter Breakdown”| Variable | Required | Description |
|---|---|---|
| FromEmail | *Yes | The sender email address AWS sends on behalf of. AWS validates this against your verified identities. |
| AccessKeyID | *Yes | The generated Access Key ID from the AWS Management Console. |
| SecretKey | *Yes | The generated Secret Access Key from the AWS Management Console. |
| Region | *Yes | The region code, e.g. us-east-1, us-west-2, cn-north-1. |
| ToEmail | No | One or more recipient email addresses separated by a slash. If omitted, the FromEmail address is notified. |
| SessionToken | No | An AWS session token for temporary/IAM credentials (AWS_SESSION_TOKEN). Prefer ?token= — tokens often contain / which must be escaped as %2F in the password-field form. |
| reply | No | Set a Reply-To address different from the sender address. |
| to | No | Force or override the To address. Usually inferred automatically. |
| name | No | A display name associated with the sender address. |
| cc | No | Carbon Copy email address(es). Multiple values can be separated by commas. |
| bcc | No | Blind Carbon Copy email address(es). Multiple values can be separated by commas. |
| key | No | An alias for AccessKeyID (?key=). Useful in YAML configuration. |
| access | No | A legacy alias for AccessKeyID (?access=). |
| secret | No | An alias for SecretKey (?secret=). |
| token | No | An alias for SessionToken (?token=). Useful in YAML configuration. |
Global Parameters
Section titled “Global Parameters”| Variable | Description |
|---|---|
| overflow | This parameter can be set to either split, truncate, or upstream. This determines how Apprise delivers the message you pass it. By default this is set to upstream 👉 upstream: Do nothing at all; pass the message exactly as you received it to the service.👉 truncate: Ensure that the message will fit within the service’s documented upstream message limit. If more information was passed then the defined limit, the overhead information is truncated.👉 split: similar to truncate except if the message doesn’t fit within the service’s documented upstream message limit, it is split into smaller chunks and they are all delivered sequentially there-after. |
| format | This parameter can be set to either text, html, or markdown. Some services support the ability to post content by several different means. The default of this varies (it can be one of the 3 mentioned at any time depending on which service you choose). You can optionally force this setting to stray from the defaults if you wish. If the service doesn’t support different types of transmission formats, then this field is ignored. |
| verify | External requests made to secure locations (such as through the use of https) will have certificates associated with them. By default, Apprise will verify that these certificates are valid; if they are not then no notification will be sent to the source. In some occasions, a user might not have a certificate authority to verify the key against or they trust the source; in this case you will want to set this flag to no. By default it is set to yes. |
| redirect | By default, Apprise will follow HTTP redirects (3xx responses) issued by the remote server, matching the behaviour of the underlying requests library. If you want to prevent custom headers and credentials from being forwarded to destinations that differ from the original URL, set this to no. By default it is set to yes. |
| cto | This stands for Socket Connect Timeout. This is the number of seconds Requests will wait for your client to establish a connection to a remote machine (corresponding to the connect()) call on the socket. The default value is 4.0 seconds. |
| rto | This stands for Socket Read Timeout. This is the number of seconds the client will wait for the server to send a response. The default value is 4.0 seconds. |
| emojis | Enable Emoji support (such as providing :+1: would translate to 👍). By default this is set to no. Note: Depending on server side settings, the administrator has the power to disable emoji support at a global level; but default this is not the case. |
| tz | Identify the IANA Time Zone Database you wish to operate as. By default this is detected based on the configuration the server hosting Apprise is running on. You can set this to things like America/Toronto, or any other properly formated Timezone describing your area. |
| retry | The number of additional delivery attempts to make after the first failure before giving up. Accepts an integer in the range 0 to 10. The default is 0 (no retries — a single attempt is made). When combined with wait, Apprise pauses the specified number of seconds between each attempt. |
| wait | The number of seconds to pause between retry attempts. Accepts a decimal value in the range 0.0 to 20.0; integer values are promoted to float automatically. The default is 0.5. This value is only meaningful when retry is greater than zero — a service with retry=0 makes exactly one attempt regardless of the wait value. |
| optional | When set to yes, a delivery failure for this service is silently absorbed. The overall notify() call still returns True even if this endpoint was unreachable, provided that every required (non-optional) service in the same batch succeeded. Setting this flag does not skip delivery or bypass retry logic — all configured retry attempts are still made before the failure is absorbed. By default this is set to no, meaning every failure is propagated to the caller. |
Examples
Section titled “Examples”Send a basic SES email:
# Assuming our {AccessKeyID} is AHIAJGNT76XIMXDBIJYA# Assuming our {SecretKey} is bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9# Assuming our {Region} is us-east-2# Assuming our sender is sender@example.comapprise -vv -t "Test Message Title" -b "Test Message Body" \ ses://sender@example.com/AHIAJGNT76XIMXDBIJYA/bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9/us-east-2/
# Send to a different recipientapprise -vv -t "Test Message Title" -b "Test Message Body" \ ses://sender@example.com/AHIAJGNT76XIMXDBIJYA/bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9/us-east-2/recipient@example.comSend using temporary credentials from an IAM role or Lambda:
# Recommended: ?token= accepts the token exactly as AWS provides it,# no escaping needed even when the token contains / charactersapprise -vv -b "Lambda alert fired" \ "ses://sender@example.com/AHIAJGNT76XIMXDBIJYA/bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9/us-east-2/recipient@example.com?token=MySessionToken"
# Alternate: token in the URL password field -- any / in the token# must be percent-encoded as %2Fapprise -vv -b "Lambda alert fired" \ "ses://sender:MySessionToken@example.com/AHIAJGNT76XIMXDBIJYA/bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9/us-east-2/recipient@example.com"Example YAML configuration using named parameters:
urls: - ses://: - key: AHIAJGNT76XIMXDBIJYA secret: bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9 region: us-east-2 from: sender@example.com to: recipient@example.com token: MySessionToken Questions or Feedback?
Technical Issues
Having trouble with the code? Open an issue on GitHub: