BotoServerError: 403 Forbidden. Signature Version 3 requests are deprecated from March 1, 2021.

AWS
スポンサーリンク
language

I’m using AWS SES to send emails from Django, and since around March 2021, I’ve been getting the following errors frequently.

BotoServerError: 403 Forbidden
<ErrorResponse xmlns="http://ses.amazonaws.com/doc/2010-12-01/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidClientTokenId</Code>
    <Message>Signature Version 3 requests are deprecated from March 1, 2021. From that date on, we are progressively rejecting such requests. To resolve the issue you must migrate to Signature Version 4. If you are self-signing your requests, refer to the documentation for Authenticating requests to the Amazon SES API [1] with Signature Version 4 [2]. If you are not self-signing your requests, simply update your SDK/CLI to the latest version. [1] https://docs.aws.amazon.com/ses/latest/DeveloperGuide/using-ses-api-authentication.html [2] https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html</Message>
  </Error>
  <RequestId>8adae7d9-8c5b-49be-aeab-4504a1d200eb</RequestId>
</ErrorResponse>

This error says the following

  • Signature version 3 requests are deprecated starting March 1, 2021.
  • After that date, such requests will be phased out.
  • If you self-sign your requests, see the documentation on authenticating requests to the AmazonSES API using signature version 4.
  • If you do not self-sign your requests, update your SDK / CLI to the latest version
スポンサーリンク

The solution is to update the SDK / CLI to the latest version.

I’m using django-ses to send emails, so update django-ses according to “Update SDK / CLI to the latest version if you don’t want to self-sign requests”.

django-ses/django-ses
A Django email backend for Amazon's Simple Email Service - django-ses/django-ses

The latest version of django-ses right now is 2.0.0.
If you check the version of django-ses you’re using, it’s much older.

$ pip list
Package             Version
------------------- ---------
...
boto3               1.12.2
...
django-ses          0.8.14
...

Use pip to update to the latest version of django-ses.

Confirm that the django-ses version has been updated to 2.0.0.

$ pip install -U django-ses
$ pip list
Package             Version
------------------- ---------
...
boto3               1.17.55
...
django-ses          2.0.0
...

Finally, don’t forget to restart the WSGI server.

You should now be able to send mail with the updated django-ses and the error will be resolved.

$ sudo systemctl restart gunicorn

The cause is the transition to signature version 4.

With the transition to signature version 4, signature version 3 requests were deprecated as of March 1, 2021.

And the error is caused by the fact that they were rejected by AWS in stages.

Signature Version 3 requests are deprecated from March 1, 2021. From that date on, we are progressively rejecting such requests. To resolve the issue you must migrate to Signature Version 4.

https://docs.aws.amazon.com/ja_jp/general/latest/gr/signature-version-4.html

There was also a move to support the migration to signature version 4 in django-ses from June 2020.

Upgrade from boto to boto3, and use env variables by GitRon · Pull Request #183 · django-ses/django-ses
Hi guys, I started the migration from boto to boto3. I tried it out locally and now I can send from an email region which has this new auth type v4. Here's ...

Summary

The error was caused by the fact that the request for signature version 3 was deprecated from March 1, 2021, and was rejected by AWS.

There are two ways to resolve this error.

  • If you are self-signing requests, see the documentation on authenticating requests to the AmazonSES API using Signature Version 4.
  • If you do not want to self-sign requests, update your SDK / CLI to the latest version

If you’re using the SDK / CLI like me, updating to the latest version will solve the problem.

タイトルとURLをコピーしました