aws / aws-cli

Universal Command Line Interface for Amazon Web Services

SignatureDoesNotMatch error #602

Closed thomaswitt closed 4 years ago

thomaswitt commented 10 years ago

I keep on getting a A client error (SignatureDoesNotMatch) occurred when calling the ListUsers operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

I set the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION.

jamesls commented 10 years ago

EDIT: If you are running into this issue, we'd appreciate your help in troubleshooting. I'm updating this comment for better visibility on troubleshooting steps.

Troubleshooting

The first step for troubleshooting this is to determine whether or not the issue is with the credentials themselves or with the CLI. To test this, try using these credentials in other AWS SDKs (javascript, ruby, java, etc). To help with this, I've created a test script that uses the AWS SDK for python and javascript which is available here: https://github.com/jamesls/aws-creds-test . After cloning, just run make install, make test. It will prompt you for credentials (similar to the CLI) and make an API call to sts.GetCallerIdentity.

/tmp $ mkdir /tmp/repro-cli-602
/tmp $ cd /tmp/repro-cli-602/
/tmp/repro-cli-602 $ git clone git://github.com/jamesls/aws-creds-test
Cloning into 'aws-creds-test'...
...
/tmp/repro-cli-602 $ cd aws-creds-test/
/tmp/repro-cli-602/aws-creds-test (master u=) $ make install
npm install
aws-js-cli@1.0.0 /private/tmp/repro-cli-602/aws-creds-test
├─┬ aws-sdk@2.45.0
...
pip install -r requirements.txt
Requirement already satisfied: botocore<2.0.0,>=1.5.0 in /usr/local/lib/python2.7/site-packages (from -r requirements.txt (line 1))
...

/tmp/repro-cli-602/aws-creds-test (master u=) $ make test
./test-creds.sh
Testing python...
Access Key:
Secret Access Key:
AKID   hash: 4e7c36343646e1fa7495092bffcd4b9b7dd00f2f5014a189ab81f326e6472a62
AKID length: 20

SAK    hash: 941a655993caccb1a1218883b97a88b6f41762c6d03902f1cdd1e2a5de5fd82e
SAK  length: 40
Successfuly made an AWS request with the provided credentials.

Testing javasript...
Access Key: ********************
Secret Access Key: ****************************************
AKID   hash: 4e7c36343646e1fa7495092bffcd4b9b7dd00f2f5014a189ab81f326e6472a62
AKID length: 20

SAK    hash: 941a655993caccb1a1218883b97a88b6f41762c6d03902f1cdd1e2a5de5fd82e
SAK  length: 40
Sucessfully made an AWS request with the provided credentials.

For people running into this issue, please run the test script and share the output.

This should give us better insight into where this issue is occurring:

Thanks in advance for anyone that can help us troubleshoot this issue. Let me know if there's any questions.

thomaswitt commented 10 years ago

This is what it looks like:

thomas@iMac:~ $ echo $AWS_ACCESS_KEY_ID
AKIAXXXXXXXXXXXXXXXX
thomas@iMac:~ $ echo $AWS_SECRET_ACCESS_KEY
abcaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+0
thomas@iMac:~ $ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
              env    AWS_ACCESS_KEY_ID
              env    AWS_SECRET_ACCESS_KEY
    region                eu-west-1              env    AWS_DEFAULT_REGION

foscraig commented 10 years ago

Any updates on this issue? I'm also encountering this error and my credentials file hasn't changed.

squirvoid commented 10 years ago

I have a similar issue. Jenkins s3 plugin is able to put an object using my credentials, but the aws-cli is giving me the errors below.

aws s3 cp s3://my-bucket/folder/test.txt test.txt
A client error (Forbidden) occurred when calling the HeadObject operation: Forbidden Completed 1 part(s) with ... file(s) remaining

aws s3api get-object --bucket my-bucket --key folder/test.txt test.txt
A client error (SignatureDoesNotMatch) occurred when calling the GetObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

JeremyShort commented 10 years ago

I am running into the same issue. If I make up a secret it gives me a different (AuthFailure) error.

[ec2-user@ip-127.0.0.1]]$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************AMKA              env    AWS_ACCESS_KEY_ID
secret_key     ****************jPU2              env    AWS_SECRET_ACCESS_KEY
    region                us-west-2              env    AWS_DEFAULT_REGION

This is pretty much stopping me completely. I can do some things with the ec2-blah-stuff utilities by specifying x509 certs but the help says that's deprecated so I don't want to depend on it. Any help troubleshooting or whatever would really be appreciated.

jamesls commented 10 years ago

The first step would be to ensure that your access/secret keys are actually valid. A few things to try:

JeremyShort commented 10 years ago

They do not work with other tools (ec2-describe-instance for instance).

I think I have the appropriate rights since using the certs works. To make sure it's not a workstation thing I built an Amazon Linux instance and I'm using the awscli version that comes with it but getting the same message.

TeePaps commented 10 years ago

Also an issue for me. I'm using it in a docker container, built with the same Dockerfile. It works fine when built on an EC2, but does not work when built locally on a coreos vagrant box.

jamesls commented 10 years ago

It looks like the issue is with the credentials themselves. I've double checked this, and I'm not able to repro this issue. Double check the credentials on the security credentials page. If someone can provide an exact set of steps that demonstrate the issue, I'd be happy to take another look.

rvfn commented 10 years ago

Just had this happening to me and was a result of my system time being off by too much even though it did not report that. Ran ntpdate against pool.ntp.org and fixed this problem for me.

anuraj-optimizely commented 9 years ago

If you are getting this error when creds are set up using env variables, try sudo

rcosnita commented 9 years ago

If you are in a virtual machine make sure your host os time matches the guest os time. If this is not the case you will get into the error you described.

j0ni commented 9 years ago

A very similar error occurs for me with good credentials, whilst listing a bucket which has a lot of keys in it. Here's the error:

A client error (SignatureDoesNotMatch) occurred when calling the ListObjects operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Here's my output from aws configure list

      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************4UNA shared-credentials-file
secret_key     ****************MNOG shared-credentials-file
    region                <not set>             None    None

Note that these credentials work fine with other aws invocations, and in fact this list op runs for a long time (more than an hour) before bailing with this error. I have a file with over 82,000 lines of output in it from the command which eventually failed.

aub commented 9 years ago

I've been getting this issue, and if I just sleep my script for a second and try again then it goes through. It's almost like it's getting throttled and returning the wrong error or something.

ansjob commented 9 years ago

I can report this issue too. Trying to upload an 11 GB file using aws cp foo s3://mybucket/foo/bar I get various errors like:

A client error (SignatureDoesNotMatch) occurred when calling the UploadPart operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

and

Max retries exceeded with url: /***REDACTED***?partNumber=196&uploadId=B2viwGFF4Lmq5itbs8ipqwBExx0BWGRm3gkG_D5EYTiU8uEO_tmUT.d.i7BcgPnP5npZa.OW7yMfJ3ZhhLJD61zP7EVv.5.ZftCJQbKNdkEBeijGBqWlrxz4vMx3B05Q (Caused by <class 'socket.gaierror'>: [Errno -2] Name or service not known)

I've checked that my system time is correct. I also noticed considerable slowness (on the level of http requests timing out) on the same system while uploading, so this being a throttling issue does sound reasonable. It also works fine to upload small files with the same credentials, and using the web console from the same machine, so this does appear to be an aws-cli problem.

ranrub commented 9 years ago

This happened to me too with aws-cli 1.5.5, updating aws-cli to 1.6.2 solved it.

ansjob commented 9 years ago

Happens to me with 1.6.2

ye commented 9 years ago

This happened to me today. This is new to me. Been using aws-cli for a few months no problem and no change to the credentials AFAIK.

$ aws configure --profile ye list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                       ye           manual    --profile
access_key     ****************ERMQ shared-credentials-file    
secret_key     ****************E8Id shared-credentials-file    
    region                us-east-1      config-file    ~/.aws/config

jamesls commented 9 years ago

I believe this issue is now fixed via https://github.com/boto/botocore/pull/388, and will be available in the next AWS CLI release.

ye commented 9 years ago

@jamesls confirmed fixed on awscli version 1.6.4. I was using 1.5.4. Thanks!

wolfeidau commented 9 years ago

I am getting this issue on a fresh ubuntu system.

A client error (SignatureDoesNotMatch) occurred when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Installed aws-cli via pip

$ pip list
ansible (1.5.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.6.5)
bcdoc (0.12.2)
botocore (0.76.0)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.11)
html5lib (0.999)
httplib2 (0.8)
Jinja2 (2.7.2)
jmespath (0.5.0)
jsonpatch (1.3)
jsonpointer (1.0)
Landscape-Client (14.01)
MarkupSafe (0.18)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
Pillow (2.3.0)
pip (1.5.4)
prettytable (0.7.2)
pyasn1 (0.1.7)
pycrypto (2.6.1)
pycurl (7.19.3)
Pygments (1.6)
pyinotify (0.9.4)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5)
python-dateutil (2.3)
python-debian (0.1.21-nmu2ubuntu2)
PyYAML (3.10)
requests (2.2.1)
roman (2.0.0)
rsa (3.1.2)
setuptools (3.3)
six (1.5.2)
Sphinx (1.2.2)
ssh-import-id (3.21)
Twisted-Core (13.2.0)
urllib3 (1.7.1)
wsgiref (0.1.2)
zope.interface (4.0.5)

Any ideas on how to fix it?

aub commented 9 years ago

My solution was to sleep for a few seconds and then try it again, but it sounds like there may be an update to the tool that fixes it as well.


ye commented 9 years ago

@wolfeidau and yeah I spoke too soon. The locally pip installed awscli is giving the SignatureDoesNotMatch errors again. Yikes!

A client error (SignatureDoesNotMatch) occurred when calling the DeregisterInstancesFromLoadBalancer operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/

host:elasticloadbalancing.us-east-1.amazonaws.com
user-agent:aws-cli/1.6.5 Python/2.7.8 Darwin/13.4.0
x-amz-date:20141203T015747Z

host;user-agent;x-amz-date
1d9dafbf4bfa9b1225d91bdbf99d8645503484d174b9094e4c3af637e6664b5b'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20141203T015747Z
20141203/us-east-1/elasticloadbalancing/aws4_request
5a56d12a4920502f4124e37a92aad475c36edda93d9865871e6a4fe1e49045c3'

jamesls commented 9 years ago

Does this issue happen only when a request is retried? Or does this happen every time you run the deregister-instances-from-load-balancer command?

ye commented 9 years ago

@jamesls it happens every time now :(

j-gibbings commented 9 years ago

I know this issue is closed but wanted to share that you can see this error when running in a VM which hibernates. In such cases, the system clock doesn't consistently catch up if you're using Ubuntu. Just update the time to fix (i.e. sudo ntpdate -s time.nist.gov).

include commented 9 years ago

hello, is there any final fix on this?

gsterndale commented 9 years ago

+1

Using version 1.7.8 of the CLI I was seeing the same SignatureDoesNotMatch error when trying the following: $ aws iam list-users

And getting an AuthFailure for this: $ aws ec2 describe-security-groups

After deleting my keys and trying new ones, both commands work.

This is the old secret access key that may have been the cause of my problems, note the percent, plus and forward slash characters: H2J7/oT3Fib15SwFVB1s3EnTCmg+SC7wF7qoP+dw%

johnjelinek commented 9 years ago

:+1: @gsterndale. My access key with % in it didn't work. I had to generate new keys.

hellais commented 9 years ago

I have also experienced this issue multiple times. Every time regenerating the key until I got one without any special character in it (in particular I was having issues with the + sign in the secret) fixed it.

mikeatlas commented 9 years ago

Truthfully all of my signing key problems melted away when I switched from running the command on an ubuntu machine instead of a local mac homebrew installation.

nimalhot84 commented 9 years ago

I am very new to AWS, faced this issue right away on node js

              ^

SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been 'POST /

host:email.us-west-2.amazonaws.com x-amz-content-sha256:89cdc817a829111278fbed35aacc694db71669f3845874beaecaf00ff2be1a39 x-amz-date:20150809T053346Z

host;x-amz-content-sha256;x-amz-date 89cdc817a829111278fbed35aacc694db71669f3845874beaecaf00ff2be1a39'

The String-to-Sign should have been 'AWS4-HMAC-SHA256 20150809T053346Z 20150809/us-west-2/ses/aws4_request 0b908b0248bae550b814b37629a418707742416377816b5a5e78e1897b72293e'

mcobzarenco commented 9 years ago

+1

I am having this problem for all aws s3 commands (awscli 1.8.6 on ubuntu 14.04 LTS). Are there any known solutions? I tried deleting my credentials file and run aws configure, rebooting, reinstalling awscli.

gsterndale commented 9 years ago

@mcobzarenco, have you tried new keys?

mcobzarenco commented 9 years ago

@gsterndale I saw the comment above about having slashes in old keys, but that's not the case and my keys were recently generated (in June 2015). I only have this problem on AWS Ubuntu 14.04 LTS. On my laptop (14.04) awscli (same version) works fine.

gsterndale commented 9 years ago

@mcobzarenco I don't think it's the age of the keys, rather the special characters in them. When I originally created keys, they happened to have percent, plus and forward slash characters. While debugging the issue I tried deleting and creating new keys. These new ones luckily did not have any of these characters and they work.

stebl commented 9 years ago

just ran into this problem on ubuntu. When I entered the keys via cli, it stored them in ~/.aws/config, but stripped away the '+' character. Manually editing the file to add the '+' allowed me to connect.

mcobzarenco commented 9 years ago

@gsterndale Thanks for the tip, I can confirm that generating a new key that doesn't contain + worked for me as well. @stebl's solution is nice if it's inconvenient to replace the keys.

sumgup commented 8 years ago

I faced the same issue when using AWS SDK with node js. To resolve this issue I followed exactly the same steps mentioned here http://aws.amazon.com/developers/getting-started/nodejs/

I think AWS SDK is developed with particular version of node js, mismatch in node js will result in issues like this.

tukaaa commented 8 years ago

I had the same issue and yes, it was solved by using a key without special symbols (the + in my specific case)

carlsborg commented 8 years ago

We encountered this error (where one machine could describe-instances using awscli but the other got an access denied error with the same access key. On the latter machine iam list-users gave this SignatureDoesNotMatch error). Resolved by correcting the system clock time on the machine with the problem.

ebuildy commented 8 years ago

As @tukaaa said, there is a bug if secret access key contains a non alphabet character (such as +). I think a bad escaping somewhere ;-(

jamesls commented 8 years ago

@ebuildy Can you confirm what version of the CLI you're seeing this on (aws --version)? If this is a recent version of the CLI I'll go ahead and reopen this issue.

Felivel commented 8 years ago

I am getting this on aws-cli/1.9.1 Python/3.5.0 Windows/7 botocore/1.1.8

IanMcLarenTR commented 8 years ago

I was having the same issue on one Windows box, using a key without any non-alpha chars in it. I'd checked it wasn't a copy / paste error by using the same paste buffer on another box. Uninstalling / re-installing the AWS cli and deleting the credentials / config files, then re-running aws configuration fixed it.

LegNeato commented 8 years ago

Just saw this on aws-cli/1.10.3 Python/2.7.10 Darwin/14.5.0 botocore/1.3.25.

Regenerating a key without special characters fixed it. FWIW in my case special character was / and I was using an INI file.

jamesls commented 8 years ago

Ok reopening, we'll dig into this.

tengpeng commented 8 years ago

I can confirm I have the same issue as @gsterndale describes.

aws --version
aws-cli/1.10.6 Python/2.7.11 Linux/3.10.0-327.4.5.el7.x86_64 botocore/1.3.28

But my key does not contain any special symbols.

martinstreicher commented 8 years ago

I am getting the same error using the s3-cli node module. My secret key contains an [.

tengpeng commented 8 years ago

I finally found out what's wrong. I accidentally added several characters to the keys. That's the reason.
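
The hash-and-length fingerprint from the troubleshooting script and the reports of a stripped `+` or extra characters in the stored secret fit together as follows. This is an added example, not part of the thread and not aws-cli or botocore code: it signs the String-to-Sign quoted in the ELB error above with a constructed sample secret (`SAMPLE_SECRET`, not a real key) and shows that every mangled copy yields a different signature. The helper names and the base64-alphabet check are assumptions.

```python
import hashlib
import hmac
import re

# String-to-Sign quoted in the thread's ELB error message (contains no secret).
STRING_TO_SIGN = "\n".join([
    "AWS4-HMAC-SHA256",
    "20141203T015747Z",
    "20141203/us-east-1/elasticloadbalancing/aws4_request",
    "5a56d12a4920502f4124e37a92aad475c36edda93d9865871e6a4fe1e49045c3",
])

# Constructed 40-character sample secret containing '+' and '/'; not a real key.
SAMPLE_SECRET = "abcdEFGH1234+ijklMNOP5678/qrstUVWX90+yzA"


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_signature(secret, string_to_sign):
    """Derive the SigV4 signing key from the scope line, then sign the string."""
    scope = string_to_sign.split("\n")[2]  # date/region/service/aws4_request
    key = ("AWS4" + secret).encode("utf-8")
    for part in scope.split("/"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def fingerprint(value):
    """SHA-256 hash and length: the two facts the thread's test script prints."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest(), len(value)


def check_secret(secret):
    """Return reasons a stored secret looks mangled (empty list: plausible)."""
    problems = []
    if secret != secret.strip():
        problems.append("leading or trailing whitespace")
    core = secret.strip()
    if len(core) != 40:  # the thread's script reports "SAK length: 40"
        problems.append("length %d, expected 40" % len(core))
    # Assumption: secret access keys use only the base64 alphabet.
    bad = sorted(set(re.findall(r"[^A-Za-z0-9+/]", core)))
    if bad:
        problems.append("unexpected characters: " + " ".join(bad))
    return problems


def signs_identically(stored, original=SAMPLE_SECRET):
    """True when the stored copy produces the signature the original would."""
    return hmac.compare_digest(sigv4_signature(stored, STRING_TO_SIGN),
                               sigv4_signature(original, STRING_TO_SIGN))


if __name__ == "__main__":
    cases = [("intact", SAMPLE_SECRET),
             ("'+' stripped", SAMPLE_SECRET.replace("+", "")),
             ("trailing newline", SAMPLE_SECRET + "\n"),
             ("extra character", SAMPLE_SECRET + "%")]
    for label, stored in cases:
        print(label, signs_identically(stored), fingerprint(stored)[1],
              check_secret(stored))
```

Comparing `fingerprint()` output between a working machine and a failing one shows whether the stored secret differs without printing the secret itself.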