ATOM Documentation

AWS Simple Email Service (SES) Setup Guide

This guide explains how to configure AWS SES for sending transactional emails (invitations, password resets, etc.) from Atom SaaS.

1. AWS Console Configuration

Step 1.1: Verify Your Identity

  1. Log in to the AWS SES Console.
  2. Navigate to **Configuration** > **Verified identities**.
  3. Click **Create identity**.
  4. **Identity type**: Select **Domain** (Recommended since you use Route 53).
  5. **Domain**: Enter atomagentos.com.
  6. **Advanced settings**: Ensure **Easy DKIM** is selected.
  7. **Route 53 Integration**: Since your domain is in Route 53, SES should offer to automatically create the DNS records for you. Click **Create** and then follow any prompts to "Update DNS records in Route 53".
  8. Verification status will change to "Verified" once the DNS changes propagate (usually minutes).

Step 1.2: Request Production Access (Remove Sandbox)

By default, all new SES accounts are in the "Sandbox". In sandbox mode, you can only send emails **TO** other verified identities.

  1. Go to the **SES Dashboard**.
  2. Click **Request production access** in the alert box at the top.
  3. Choose **Transactional** as the mail type.
  4. Provide a website URL and a brief description of how you will use SES (e.g., "Sending account invitation links and password reset tokens to registered users").
  5. Wait for AWS approval (usually < 24 hours).

Step 1.3: Create IAM Credentials

  1. Go to the IAM Console.
  2. Create a new user (e.g., atom-ses-user).
  3. **Permissions**: Select "Attach policies directly" and search for AmazonSimpleEmailServiceFullAccess.
  4. After user creation, go to the **Security credentials** tab.
  5. Click **Create access key** > **Application running outside AWS**.
  6. Copy the **Access Key ID** and **Secret Access Key**.

---

2. Atom SaaS Configuration

Set the following secrets in your production environment (Vault). **These prefixed variables ensure your SES setup doesn't conflict with your Cloudflare R2 memory storage.**

```bash
atom-cli secrets set \
  SES_AWS_ACCESS_KEY_ID=your_access_key_id \
  SES_AWS_SECRET_ACCESS_KEY=your_secret_access_key \
  SES_AWS_REGION=us-east-1 \
  SES_SENDER_EMAIL=noreply@yourdomain.com
```

Environment Variables Detail

| Variable | Description |
| --- | --- |
| SES_AWS_ACCESS_KEY_ID | The Access Key ID from IAM (falls back to AWS_ACCESS_KEY_ID). |
| SES_AWS_SECRET_ACCESS_KEY | The Secret Access Key from IAM (falls back to AWS_SECRET_ACCESS_KEY). |
| SES_AWS_REGION | The region where you configured SES (e.g., us-east-1). |
| SES_SENDER_EMAIL | The verified email address (must match exactly what you verified in SES). |
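
Because of the fallbacks listed above, a missing SES_ variable silently picks up whatever generic AWS_ credentials are present in the environment. The preflight check below is an added example, not part of Atom's code base: the helper name `check_ses_env`, its messages, and the assumption that the verified identity is the domain from Step 1.1 are illustrative.

```python
import re

# Added example; check_ses_env is a hypothetical helper, not part of Atom.
# Prefixed variable -> generic fallback, as listed in the table above.
FALLBACKS = {
    "SES_AWS_ACCESS_KEY_ID": "AWS_ACCESS_KEY_ID",
    "SES_AWS_SECRET_ACCESS_KEY": "AWS_SECRET_ACCESS_KEY",
}
# Placeholder values from the `atom-cli secrets set` command in this guide.
PLACEHOLDERS = {"your_access_key_id", "your_secret_access_key", "noreply@yourdomain.com"}
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def check_ses_env(env, verified_domain):
    """Return a list of findings; secret values are never put in the messages."""
    findings, resolved = [], {}
    for name, fallback in FALLBACKS.items():
        resolved[name] = env.get(name) or env.get(fallback)
        if not env.get(name) and env.get(fallback):
            findings.append(f"WARN {name} unset: falling back to {fallback}, "
                            "which may hold another service's credentials")
    for name in ("SES_AWS_REGION", "SES_SENDER_EMAIL"):
        resolved[name] = env.get(name)
    for name, value in resolved.items():
        if not value:
            findings.append(f"ERROR {name} is not set")
        elif value in PLACEHOLDERS:
            findings.append(f"ERROR {name} still holds the placeholder from the guide")
    match = EMAIL_RE.match(resolved["SES_SENDER_EMAIL"] or "")
    if resolved["SES_SENDER_EMAIL"] and not match:
        findings.append("ERROR SES_SENDER_EMAIL is not a valid address")
    elif match:
        domain, verified = match.group(1).lower(), verified_domain.lower()
        # A verified SES domain identity also covers its subdomains.
        if domain != verified and not domain.endswith("." + verified):
            findings.append(f"ERROR sender domain {domain} is outside verified identity {verified}")
    return findings


if __name__ == "__main__":
    # Constructed sample: SES_ keys missing, generic AWS_ keys present (e.g. set for R2).
    sample = {
        "AWS_ACCESS_KEY_ID": "EXAMPLEKEYID", "AWS_SECRET_ACCESS_KEY": "example-secret",
        "SES_AWS_REGION": "us-east-1", "SES_SENDER_EMAIL": "noreply@yourdomain.com",
    }
    for line in check_ses_env(sample, "atomagentos.com"):
        print(line)
```

Pass it `os.environ` before running the test script in section 3; any `WARN` line means the SES client would be using credentials that were not set for SES.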

---

3. Testing

You can test the setup by inviting a user from the Admin Dashboard or by running the test script:

```bash
# From the backend-saas directory
python3 scripts/test_email.py <your-test-recipient-email>
```