AWS
SignatureDoesNotMatch - Signature Does Not Match
Getting a **SignatureDoesNotMatch** error means AWS calculated a different request signature than the one you sent: your Secret Access Key is wrong, your system clock is skewed, or the request was modified after signing. This client-side error (4xx) happens when AWS validates request signatures using Signature Version 4. It is most common when the Secret Access Key is incorrect, but it also appears when the system clock is out of sync (by more than 15 minutes), the request is modified after signing, the region does not match, or the wrong signing algorithm is used.
Common Causes
- Identity: Secret Access Key is incorrect. Access key was rotated but old secret still in use. Credentials file has wrong secret. Environment variable has typo.
- Network: System clock skewed (more than 15 minutes difference). NTP not synchronized. Timezone misconfiguration. Request timestamp invalid.
- Limits: Region mismatch (request signed for different region). Request modified after signing (proxy/load balancer). Wrong signing algorithm used.
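Each cause above changes an input to the Signature Version 4 calculation, so the value AWS recomputes no longer equals the one sent. The following added example (not from the original page; the secret, request and host names are constructed) computes a SigV4 signature and shows the mismatch for a wrong secret, a different region and a header rewritten in transit, plus a check of the 15-minute clock window.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

def sigv4_signature(secret, region, service, amz_date, method, path, query, headers, payload=b""):
    """Hex SigV4 signature; headers is a dict of lowercase name -> value."""
    date = amz_date[:8]
    # Canonical request: every signed part of the request is hashed into it.
    names = sorted(headers)
    canonical = "\n".join([
        method, path, query,
        "".join(f"{n}:{headers[n].strip()}\n" for n in names),
        ";".join(names),
        hashlib.sha256(payload).hexdigest(),
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    canon_hash = hashlib.sha256(canonical.encode()).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, canon_hash])
    # Signing key: HMAC chain seeded with the secret, then date, region, service.
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def within_skew(amz_date, server_now, limit=timedelta(minutes=15)):
    """True if the signed timestamp is inside the allowed clock window."""
    sent = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return abs(server_now - sent) <= limit

# Constructed sample request and secret (not real credentials).
BASE = dict(
    secret="CONSTRUCTED-EXAMPLE-SECRET-not-a-real-key", region="us-east-1",
    service="sts", amz_date="20240101T120000Z", method="GET", path="/",
    query="Action=GetCallerIdentity&Version=2011-06-15",
    headers={"host": "sts.us-east-1.amazonaws.com", "x-amz-date": "20240101T120000Z"},
)

def mismatches():
    """For each cause, does the recomputed signature differ from the one sent?"""
    sent = sigv4_signature(**BASE)
    tampered = {**BASE["headers"], "host": "proxy.example.internal"}
    cases = {
        "wrong secret": {**BASE, "secret": BASE["secret"][:-1] + "X"},
        "region mismatch": {**BASE, "region": "eu-west-1"},
        "header changed in transit": {**BASE, "headers": tampered},
    }
    return {name: sigv4_signature(**args) != sent for name, args in cases.items()}

if __name__ == "__main__":
    print(mismatches())
```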
Solutions
- Step 1: Diagnose - Check system time: `date`. Compare with AWS time: `aws sts get-caller-identity` (if this works, time is OK). Verify NTP sync: `ntpq -p` (Linux) or `sntp -sS time.google.com` (macOS).
- Step 2: Diagnose - Verify Secret Access Key: `aws configure list`. Check credentials file: `cat ~/.aws/credentials | grep aws_secret_access_key` (this prints the secret to the terminal). Compare with IAM: `aws iam list-access-keys --user-name USER_NAME` (IAM returns only access key IDs and their status, never the secret, so this confirms that the key ID in use exists and is active).
- Step 3: Diagnose - Check region configuration: `aws configure get region`. Verify region matches request: `aws s3 ls --region us-east-1`. Region must match in all requests.
- Step 4: Fix - Synchronize system clock: `sudo ntpdate -s time.nist.gov` (Linux) or `sudo sntp -sS time.google.com` (macOS). For Windows: `w32tm /resync`. Restart AWS CLI after sync.
- Step 5: Fix - Update Secret Access Key: `aws configure set aws_secret_access_key NEW_SECRET`. Or regenerate keys: `aws iam create-access-key --user-name USER_NAME`. Verify: `aws sts get-caller-identity`.
Code Examples
Diagnose SignatureDoesNotMatch: Check System Time
```bash
#!/bin/bash
# Check system time
echo "=== System Time ==="
date
date -u # UTC time

# Check time synchronization
printf '\n=== NTP Status (Linux) ===\n'
if command -v ntpq &> /dev/null; then
  ntpq -p
elif command -v timedatectl &> /dev/null; then
  timedatectl status
fi

# Print the commands that sync system time on each platform
printf '\n=== Synchronizing Time (requires sudo) ===\n'
echo "Linux: sudo ntpdate -s time.nist.gov"
echo "macOS: sudo sntp -sS time.google.com"
echo "Windows: w32tm /resync"

# Check time difference with AWS: a signed request only succeeds
# if both the clock and the credentials are acceptable
printf '\n=== Testing AWS Time Sync ===\n'
if aws sts get-caller-identity 2>&1; then
  echo "Time appears synchronized (AWS request succeeded)"
else
  echo "Cannot verify time with AWS (credentials may be wrong)"
fi
```
Verify Secret Access Key and Region
```bash
#!/bin/bash
# Check current AWS configuration
echo "=== AWS Configuration ==="
aws configure list

# Check credentials file, printing only the first 4 characters of the secret
printf '\n=== Credentials File ===\n'
if [ -f ~/.aws/credentials ]; then
  echo "Secret Access Key (first 4 chars):"
  grep -m1 aws_secret_access_key ~/.aws/credentials | cut -d= -f2- | tr -d ' ' | cut -c1-4
  echo "..."
fi

# Verify region
printf '\n=== Region Configuration ===\n'
REGION=$(aws configure get region)
echo "Configured region: ${REGION}"

# Test with specific region
printf '\n=== Testing Region Match ===\n'
aws s3 ls --region "${REGION}" 2>&1 | head -1

# List access keys. IAM returns only key IDs and status, never the secret,
# so this confirms the key ID in use exists and is active.
printf '\n=== Access Keys ===\n'
# The last ARN segment is the user name (also correct for users with an IAM path)
USER_NAME=$(aws sts get-caller-identity --query Arn --output text 2>/dev/null | awk -F/ '{print $NF}')
if [ -n "${USER_NAME}" ]; then
  aws iam list-access-keys --user-name "${USER_NAME}" \
    --query 'AccessKeyMetadata[*].[AccessKeyId,Status]' \
    --output table
  echo "Compare AccessKeyId above with your credentials file"
fi
```
Fix SignatureDoesNotMatch: Update Credentials
```bash
#!/bin/bash
# Method 1: Update Secret Access Key via AWS CLI
echo "=== Updating Secret Access Key ==="
NEW_SECRET_KEY="xxxxx" # Replace with correct secret

aws configure set aws_secret_access_key "${NEW_SECRET_KEY}"

# Verify new credentials
printf '\n=== Verifying Credentials ===\n'
aws sts get-caller-identity --output table

# Method 2: Regenerate access keys
printf '\n=== Regenerating Access Keys ===\n'
USER_NAME=$(aws sts get-caller-identity --query Arn --output text | awk -F/ '{print $NF}')
echo "Current user: ${USER_NAME}"
echo "WARNING: This will create new keys. Old keys will need to be deleted."
read -p "Regenerate keys? (y/N): " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
  # Create new key (IAM allows at most two access keys per user,
  # so this fails if the user already has two)
  NEW_KEY=$(aws iam create-access-key --user-name "${USER_NAME}" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' \
    --output text)

  # Text output is tab-separated: split it into the two fields
  read -r NEW_ACCESS_KEY_ID NEW_SECRET_ACCESS_KEY <<< "${NEW_KEY}"

  echo "New Access Key ID: ${NEW_ACCESS_KEY_ID}"
  echo "New Secret Access Key: ${NEW_SECRET_ACCESS_KEY}"
  printf "\nIMPORTANT: Save the Secret Access Key - it won't be shown again!\n"

  # Update configuration
  aws configure set aws_access_key_id "${NEW_ACCESS_KEY_ID}"
  aws configure set aws_secret_access_key "${NEW_SECRET_ACCESS_KEY}"

  # Verify
  aws sts get-caller-identity --output table
fi
```
Provider Information
This error code is specific to AWS services. For more information, refer to the official AWS documentation.