Amazon SES 535 Authentication Credentials Invalid

iGaskin · July 27, 2016, 9:11pm

I've created my watcher with the following watch config:

{
"trigger": {
    "schedule": {
        "interval": "10s"
    }
},
"input": {
    "simple": {
        "color": "red",
        "status": "error",
        "count": 3
    }
},
"condition": {
    "compare": {
        "ctx.payload.status": {
            "eq": "error"
        }
    }
},
"actions": {
    "ses_account": {
        "throttle_period": "15m",
        "email": {
            "to": "isaac@example.com",
            "subject": "State {{ctx.payload.status}}",
            "body": "The color is now {{ ctx.payload.color }}"
        }
    }
}

}

My elasticsearch.yml config looks like:

watcher.actions.email.service.account:
  ses_account:
    smtp:
      auth: true
      starttls.enable: true
      starttls.required: true
      host: email-smtp.us-east-1.amazonaws.com
      port: 587
      user: AKXXXXXXXXXXXXXXXXXX
      password: Aj/4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

When I try running the watch with /_watcher/watch/cluster_health_email/_execute, I get the following response:

"actions": [
    {
      "id": "ses_account",
      "type": "email",
      "status": "failure",
      "reason": "MessagingException[failed to send email with subject [State error] via account [ses_account]]; nested: AuthenticationFailedException[535 Authentication Credentials Invalid]; "
     }
  ]

Troubleshooting steps I've taken so far

Checking policy attached to credentials
Checking credentials in elasticsearch.yml
restarting elasticsearch on all aws instances

What other steps should I be taking to get this configured properly? I am not sure how to further troubleshoot if my credentials were invalid when initially generated.

spinscale · July 28, 2016, 8:13am

Hey,

have you tried sending an email manually from the host where watcher is running on, to see if this works? Can you show that this works?

--Alex

iGaskin · July 28, 2016, 3:19pm

Hello,

I tried sending email manually via Amazon's documentation. It failed multiple times, but after generating my fourth pair of credentials I was able to successfully authenticate. I think this had something to do with the URL encoding of the previously generated credentials. I now receive this error message when executing the watch

MessagingException[failed to send email with subject [State error] via account [ses_account]]; nested: MessagingException[can't determine local email address];

iGaskin · July 28, 2016, 3:29pm

Update: I finally got it working after adding the "from" field in the "actions" in my watch. My JSON looks like this:

    "actions": {
    "ses_account": {
        "throttle_period": "15m",
        "email": {
            "from": "isaac@example.com",
            "to": "isaac@example.com",
            "subject": "State {{ctx.payload.status}}",
            "body": "The color is now {{ ctx.payload.color }}"
        }
    }
}

It should also be noted that this needs to be a verified email address with Amazon SES. It might be worth it to add these details to the doc for sending email with ses: https://www.elastic.co/guide/en/watcher/current/email-services.html#amazon-ses