AWS ERROR: Forbidden - perhaps check your credentials?

Hi, I could not get my AWS SES credentials to work, despite being absolutely sure I copied them correctly. Error 403.
So I deleted the credentials, and then tried to recreate.
This error is slightly different, but still a 403. Any idea how I can fix this?

ERROR: Forbidden - perhaps check your credentials?
The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

{"message":"Request failed with status code 403","name":"Error","stack":"Error: Request failed with status code 403\n    at createError (/usr/local/lib/node_modules/n8n/node_modules/axios/lib/core/createError.js:16:15)\n    at settle (/usr/local/lib/node_modules/n8n/node_modules/axios/lib/core/settle.js:17:12)\n    at IncomingMessage.handleStreamEnd (/usr/local/lib/node_modules/n8n/node_modules/axios/lib/adapters/http.js:269:11)\n    at IncomingMessage.emit (events.js:327:22)\n    at endReadableNT (internal/streams/readable.js:1327:12)\n    at processTicksAndRejections (internal/process/task_queues.js:80:21)"}

This came up a few days ago and it was a policy thing in AWS. It might be worth double checking this.

1 Like

I’m trying to create an email connection to SES though. Does n8n use SNS to get bounce notifications?
I’ve added both an AmazonSESFullAccess and AmazonSNSFullAccess policy to this user.
I’ve verified the AccessKeyID and Secret are correct.
Still the same 403 error.
Hmmm

I just changed the endpoint to a postbin so I could see what n8n is actually sending.

Here is the authorization header. I notice it is sending to us-east-1, whereas my SES/SNS is at us-west-2. Is it defaulting to us-east-1 because I just put a custom endpoint in? Or is that a bug?

AWS4-HMAC-SHA256 Credential=AKIAxxxxxxxxRVGE/20211009/us-east-1//aws4_request, SignedHeaders=host;x-amz-date, Signature=0fdc24b8653d0039xxxxxxxxxd15e87505

I don’t think it does, but it was a similar error and it made sense as a possible solution.

Did you set the region in the credentials section in n8n?

Yes, however I’m not sure if putting in the custom endpoint to test would have overridden that.
I just tried putting in the endpoint with the region, and it fails with the same error.
I also added the n8n user to the admin group, so it can do anything. Same error.
Is there a log anywhere that I can see what n8n is actually sending?

I just checked if I could send an SNS message using the same credentials, and it was successful.
It is very odd.

Another oddity is that when I looked at the log for the credentials in AWS, prior to that successful SNS message, it showed that the access key had never actually been used. After that successful SNS it shows as being used once.

I’m not sure if AWS registers a use only when it is a successful access.

That is odd, I would imagine it only shows on success.

Normally a 403 is going to be authentication or something funky in the request. I am out of ideas and would need to set up a test account to look.

Maybe one of the n8n team will have an idea.

I’ve posted a bug report here as I can’t find any other solution.

Sorry, but I cannot reproduce that issue. For me, SES works totally fine, also when using “us-west-2”.

I checked also what it sends, and this is the full request (with some information redacted):

{
  headers: {
    Host: 'email.us-west-2.amazonaws.com',
    'X-Amz-Date': '20211009T201659Z',
    Authorization: 'AWS4-HMAC-SHA256 Credential=xxx/20211009/us-west-2/ses/aws4_request, SignedHeaders=host;x-amz-date, Signature=xxx'
  },
  method: 'POST',
  uri: 'https://email.us-west-2.amazonaws.com/?Action=SendEmail&Message.Subject.Data=test%20email&[email protected]&Message.Body.Text.Data=my%20email&[email protected]',
  body: undefined
}

As you can see, it sets “us-west-2” totally correctly. To be 100% sure that it actually sends that, I changed the code so that it sends everything to webhook.site, and there it also arrived exactly the same way. Meaning that you are right that it has to do with the custom endpoint.

Sadly no idea why it would not work for you.

Are you 100% sure the problem is n8n related? Did you try using these credentials with another service and there they worked?

2 Likes
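The two Authorization headers quoted in this thread differ in their SigV4 credential scope (`us-east-1//aws4_request` versus `us-west-2/ses/aws4_request`). The following check is an added example, not part of any post and not n8n code; it parses the header and compares the scope with the endpoint the request is meant for. The function names, the `SIGNING_NAME` map and the constructed `Host`/`X-Amz-Date` values for the postbin capture are assumptions made for illustration.

```javascript
// Added example (not n8n code): sanity-check a SigV4 credential scope.
// Endpoint prefix -> SigV4 signing name; SES endpoints use the "email" prefix.
const SIGNING_NAME = { email: 'ses', sns: 'sns' };

function parseAuthorization(header) {
  const m = /^AWS4-HMAC-SHA256\s+Credential=([^,\s]+),\s*SignedHeaders=([^,\s]+),\s*Signature=(\S+)$/
    .exec(String(header).trim());
  if (!m) throw new Error('not a SigV4 Authorization header');
  const [accessKey, date, region, service, terminator] = m[1].split('/');
  return { accessKey, date, region, service, terminator, signedHeaders: m[2].split(';') };
}

// Returns a list of problems; an empty list means the scope is consistent.
// endpointHost is the AWS host the request is intended for (defaults to Host).
function checkScope(headers, endpointHost) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const scope = parseAuthorization(h.authorization);
  const problems = [];
  const host = /^([a-z0-9-]+)\.([a-z0-9-]+)\.amazonaws\.com$/.exec(endpointHost || h.host || '');
  if (!host) {
    problems.push('endpoint is not a regional AWS host; expected scope unknown');
  } else {
    const service = SIGNING_NAME[host[1]] || host[1];
    if (scope.region !== host[2]) problems.push(`region "${scope.region}" should be "${host[2]}"`);
    if (scope.service !== service) problems.push(`service "${scope.service}" should be "${service}"`);
  }
  if (scope.terminator !== 'aws4_request') problems.push('scope must end in aws4_request');
  if (!String(h['x-amz-date'] || '').startsWith(scope.date)) problems.push('scope date differs from X-Amz-Date');
  for (const name of scope.signedHeaders) {
    if (!(name in h)) problems.push(`signed header "${name}" is not in the request`);
  }
  return problems;
}

// Header values as quoted in the thread (already redacted there).
const working = { Host: 'email.us-west-2.amazonaws.com', 'X-Amz-Date': '20211009T201659Z',
  Authorization: 'AWS4-HMAC-SHA256 Credential=xxx/20211009/us-west-2/ses/aws4_request, SignedHeaders=host;x-amz-date, Signature=xxx' };
// Postbin capture: Host and X-Amz-Date are constructed, the post shows only Authorization.
const captured = { Host: 'postbin.example', 'X-Amz-Date': '20211009T000000Z',
  Authorization: 'AWS4-HMAC-SHA256 Credential=AKIAxxxxxxxxRVGE/20211009/us-east-1//aws4_request, SignedHeaders=host;x-amz-date, Signature=0fdc24b8653d0039xxxxxxxxxd15e87505' };

console.log(checkScope(working));
console.log(checkScope(captured, 'email.us-west-2.amazonaws.com'));
```

A header captured at a non-AWS test endpoint can only be judged against the intended AWS host, which is why `checkScope` takes it as a separate argument.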

For anyone else who runs into this. I found a solution.
A few days ago, I noticed I was getting those weird failures on another node, where it just dumps a stack trace (in the original post).
The solution was to delete the workflow, create a new fresh workflow, and copy in the nodes from scratch.
This morning I wondered if that could solve the issue.
So I created a new workflow with just the SES node. And shazam, it worked as expected.
I suspect there must be some sort of weird caching going on somewhere.
I have a sneaking suspicion that the caching could be on the Cloudflare end (we use it as the proxy).
But could it be on the n8n side? It is the only thing I can think of.
And FYI, that original workflow SES node, which is identical, still throws a 403 error.
Strange…

3 Likes