Deploying AWS SES access key and SMTP password to the parameter store using AWS CloudFormation

In AWS CloudFormation there is no way to generate the SMTP password of an AWS access key. As a result, the application always has to do the calculation and transform the secret key into an SMTP password.

Fork me on GitHub With This custom CloudFormation provider, we put an end to that. You can create an access key and SMTP password and automatically store the credentials in the AWS Parameter Store. This means that you can create the email infrastructure and provision SMTP credentials to applications that need to send email through Amazon Simple Email Service in a safe and controlled manner.

How does it work?

It is quite easy: you add the CloudFormation resource Custom::AccessKey, as follows:

    Type: Custom::AccessKey
      Description: sample user credential
      UserName: '<UserName>'
      ParameterPath: '<Parameter Path>'
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

The access key id, access secret and the SMTP password are stored in the parameter store under the paths <ParameterPath>/aws_access_key_id, <ParameterPath>/aws_access_secret_key and <ParameterPath>/smtp_password respectively.


You can specify the following properties:

  • UserName - to create an access key for.
  • ParameterPath - into the parameter store to store the credentials
  • Serial - to force the access key to be recycled
  • Status - Active or Inactive
  • ReturnSecret - returns access id and access secret as attribute
  • ReturnPassword - returns access id and SMTP password as attribute
  • NoEcho - indicate whether output of the return values is replaced by *****, default True.

Return values

With ‘Fn::GetAtt’ the following values are available:

  • SMTPPassword - the SMTP password based for the access key (if ReturnPassword is true).
  • AccessSecretKey - the secret part of the access key (if ReturnSecret is true).

For more information about using Fn::GetAtt, see Fn::GetAtt.


To install this Custom Resource, type:

git checkout https://github.com/binxio/cfn-secret-provider
cd cfn-secret-provider

aws cloudformation create-stack \
	--capabilities CAPABILITY_IAM \
	--stack-name cfn-secret-provider \
	--template-body \

aws cloudformation wait stack-create-complete  \
	--stack-name cfn-secret-provider 

This CloudFormation template will use our pre-packaged provider from:



To install the simple sample from this blog post, type:

aws cloudformation create-stack \
	--stack-name cfn-secret-provider-demo \
	--template-body file://cloudformation/demo-stack.json

aws cloudformation wait stack-create-complete  \
	--stack-name cfn-secret-provider-demo

to validate the result, type:

aws ssm get-parameters-by-path --path /iam-users --recursive --with-decryption


By using the Custom CloudFormation Secret provider you can create an IAM Access Key and the derived SMTP password and stored in the parameter store where it is encrypted and access can be audited and controlled.

If you have any questions, do not hesitate to contact me.

Picture of Mark van Holsteijn
Mark van Holsteijn