Create an SES service in the AWS console, generate SMTP credentials by creating a dedicated IAM user, then configure the SMTP host, port, username, password, and admin_emails_from in your kong.conf file.
You need a running Kong Gateway instance with RBAC and authentication enabled.
SMTP emails are used in Kong Manager for workflows like admin invitations and password resets, which require authentication and RBAC to be turned on.
Make sure you’ve copied and renamed the Kong Gateway kong.conf:
cp /etc/kong/kong.conf.default /etc/kong/kong.conf
To setup an Amazon Simple Email Service (SES) SMTP for Kong Manager, you’ll need to copy the following credentials from your configured SES:
email-smtp.us-east-1.amazonaws.com)SMTP username and SMTP password for the SMTP IAM user
Important: Copy both the SMTP username and SMTP password immediately. The SMTP password is only shown once and cannot be retrieved later. If you lose it, you must create new credentials.
Alternatively, if you already have an existing IAM user with SES permissions, you can convert its AWS secret access key into an SMTP password using the AWS-provided Python script instead of creating a new IAM user. In this case, the SMTP username is the IAM user’s AWS access key ID.
Add the following SMTP configuration to your kong.conf file. Replace the placeholder values with the SMTP endpoint, username, and password from the previous step:
smtp_mock = off
smtp_host = email-smtp.us-east-1.amazonaws.com
smtp_port = 587
smtp_starttls = on
smtp_username = YOUR_SES_SMTP_USERNAME
smtp_password = YOUR_SES_SMTP_PASSWORD
smtp_auth_type = plain
admin_emails_from = YOUR_NAME <verified-sender@example.com>
admin_emails_reply_to = YOUR_NAME <verified-sender@example.com>
Replace the following values:
smtp_host: Use the SMTP endpoint from your AWS SES console. The endpoint varies by AWS region (for example, email-smtp.eu-west-1.amazonaws.com for the EU Ireland region).smtp_username: The SMTP username generated in the prerequisites.smtp_password: The SMTP password generated in the prerequisites.admin_emails_from: A verified email address or an address at a verified domain in your SES account.admin_emails_reply_to: The reply-to email address for outgoing emails.By default,
smtp_mockis set toon, which means Kong Gateway won’t actually send emails. Make sure to setsmtp_mock = offto enable real email delivery.
After updating kong.conf, restart Kong Gateway to apply the changes:
kong restart
To verify that the SMTP configuration is working correctly:
Navigate to Kong Manager in your browser (for example, http://localhost:8002).
Do one of the following:
Can I use an IAM role instead of static SMTP credentials?
No. Kong Gateway currently requires a static SMTP username and password for authentication. IAM role-based authentication for SES SMTP is not supported at this time.
Can I store the SMTP password in a Vault instead of kong.conf?
Yes. If you have a Vault backend configured, you can reference the SMTP password as a Vault secret using the {vault://...} syntax in kong.conf.