If you’re having trouble with SES returning an “InvalidClientTokenId” error while STS works fine, but your credentials seem correct, the issue is likely not permission-based. Instead, it’s probably a communication or integrity problem, such as a time mismatch or credential formatting issue.
Here’s what you can do to fix the problem:
Start by making sure your system’s clock is accurate. AWS uses strict time checks for request validation, especially with Signature Version 4. If your server’s time is off by more than a few minutes from the atomic clock, SES may reject your requests. To fix this, run the following commands on your Ubuntu 22.04 server:
```bash
sudo apt-get update
sudo apt-get install ntp -y
sudo service ntp restart
# Verify the current UTC time
date -u
```
Next, consider rotating your AWS credentials. Sometimes, special characters like “/” or “+” in your secret keys can cause issues with how the SDK constructs the signature, especially if your environment doesn’t escape them properly. Generate a new access key pair for your user, and if the secret still contains problematic characters, create a new key until the secret contains only alphanumeric characters. This can help ensure clean, compatible credentials.
Also, check if your AWS account is part of an Organization with Service Control Policies (SCPs) or permission boundaries. These can override or restrict permissions even if your inline policies allow actions. For example, an SCP might permit STS actions but restrict SES usage to specific regions or under certain conditions. Review these policies to make sure SES isn’t blocked.
Lastly, verify if there are hardcoded environment variables or other credential sources that might conflict with your setup. For EC2 instances, credentials can come from multiple places:
- The `/etc/environment` file
- `.env` files within your Mautic directory
- EC2 instance IAM Roles (metadata)
If an IAM role is attached, your application might be automatically using temporary credentials from that role instead of the static ones you provided, leading to mismatches. Make sure only the intended credentials are in use, and remove or update any conflicting configurations.
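One way to check the file-based sources listed above for conflicting keys, as an added example that is not part of the original article. It assumes the keys are set through the standard `AWS_ACCESS_KEY_ID` variable in `KEY=value` form, uses constructed sample files and placeholder key IDs, and does not query the EC2 instance metadata service.

```shell
#!/bin/sh
# Added example: find every file that defines AWS_ACCESS_KEY_ID and detect
# conflicting definitions. Only key IDs are printed, never secret keys.

# scan_aws_creds FILE...: print "file<TAB>key-id<TAB>type" per definition.
# Commented-out lines are ignored; missing or unreadable files are skipped.
scan_aws_creds() {
  for f in "$@"; do
    [ -r "$f" ] || continue
    sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?AWS_ACCESS_KEY_ID[[:space:]]*=[[:space:]]*[\"']?([A-Za-z0-9]+).*/\2/p" "$f" |
    while IFS= read -r id; do
      case $id in
        AKIA*) kind=long-term ;;   # static IAM user access key
        ASIA*) kind=temporary ;;   # STS/role key, only valid with a session token
        *)     kind=unknown ;;
      esac
      printf '%s\t%s\t%s\n' "$f" "$id" "$kind"
    done
  done
}

# count_distinct_keys FILE...: number of different key IDs across all files.
count_distinct_keys() {
  scan_aws_creds "$@" | cut -f2 | sort -u | wc -l | tr -d ' '
}

# has_conflict FILE...: exit 0 when more than one distinct key ID is defined.
has_conflict() {
  [ "$(count_distinct_keys "$@")" -gt 1 ]
}

# Demo on constructed files; on a real host pass /etc/environment and the
# .env file of your own Mautic directory instead.
demo=$(mktemp -d)
printf 'AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"\n' > "$demo/environment"
printf '# AWS_ACCESS_KEY_ID=AKIAOLDKEY\nexport AWS_ACCESS_KEY_ID=ASIAEXAMPLETEMPKEY00\n' > "$demo/.env"
scan_aws_creds "$demo/environment" "$demo/.env"
if has_conflict "$demo/environment" "$demo/.env"; then
  echo "WARNING: more than one access key ID is defined; keep only the intended one"
fi
rm -rf "$demo"
```

If the AWS CLI is installed on the server, `aws configure list` additionally shows which source (environment, shared credentials file, or IAM role) the CLI's own credential chain resolves to.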
By verifying and updating the system time, rotating your credentials, reviewing organizational policies, and checking credential sources, you should be able to resolve the “InvalidClientTokenId” error and get your SES setup working smoothly.


