aws / aws-cli

Universal Command Line Interface for Amazon Web Services

SignatureDoesNotMatch error #602

Closed thomaswitt closed 4 years ago

thomaswitt commented 10 years ago

I keep on getting: A client error (SignatureDoesNotMatch) occurred when calling the ListUsers operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

I set the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION.

love8587 commented 7 years ago

It was so strange and tricky for me. I struggled with this problem and I was trying many times to resolve it. At the moment it suddenly worked! I was surprised so I made a new bucket but it didn't work. Because I had done nothing except changing code, I just waited for hours. Finally, it worked well although I did nothing. I can't believe it...

Boggin commented 7 years ago

Using aws configure in a bash shell on Windows 7 I found I had two aws_secret_access_key lines in my .aws/credentials and the second line was where I'd mis-typed a load of rubbish. Deleted the second line and it all worked.

codingthat commented 7 years ago

aws-cli/1.11.119 Python/2.7.12 Linux/4.4.0-53-generic botocore/1.5.82

Seeing this problem on Linux Mint here, with no + in my key or secret.

Output from the test script:

/aws-creds-test $ make test
./test-creds.sh
Testing python...
Access Key: 
Secret Access Key: 
AKID   hash: 36b0df669bfc2fa232f31ada2b40e8f58ec152b0afee875f28b21e32e2d59a30
AKID length: 20

SAK    hash: 02b21158d3ab7d2691ceef468951c3b3551704a8eea19ad4a8f59c7be38378f6
SAK  length: 40
Error making AWS request: An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Testing javasript...
Access Key: ********************
Secret Access Key: ****************************************
AKID   hash: 36b0df669bfc2fa232f31ada2b40e8f58ec152b0afee875f28b21e32e2d59a30
AKID length: 20

SAK    hash: 02b21158d3ab7d2691ceef468951c3b3551704a8eea19ad4a8f59c7be38378f6
SAK  length: 40
Error making AWS request
{ SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
    at Request.extractError (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/protocol/query.js:47:29)
    at Request.callListeners (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
  message: 'The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.',
  code: 'SignatureDoesNotMatch',
  time: 2017-09-18T20:33:23.951Z,
  requestId: '9e62c6c2-9cb0-11e7-9856-a5fd5c3e417d',
  statusCode: 403,
  retryable: false,
  retryDelay: 60.66602455065775 }
Makefile:6: recipe for target 'test' failed
make: *** [test] Error 1

codingthat commented 7 years ago

After upgrading awscli to aws-cli/1.11.154 Python/2.7.12 Linux/4.4.0-53-generic botocore/1.7.12:

$ make test
./test-creds.sh
Testing python...
Access Key: 
Secret Access Key: 
AKID   hash: 0cdf83ac8cf800ca46738682ff5a0ab35d94891a568fc6fd9115ecf13dcce542
AKID length: 20

SAK    hash: 7ae856b46f3d5cd23b94f60765adbeb13215f6c226a2953ab93eed9e26d51694
SAK  length: 40
Error making AWS request: An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Testing javasript...
Access Key: ********************
Secret Access Key: ****************************************
AKID   hash: 0cdf83ac8cf800ca46738682ff5a0ab35d94891a568fc6fd9115ecf13dcce542
AKID length: 20

SAK    hash: 7ae856b46f3d5cd23b94f60765adbeb13215f6c226a2953ab93eed9e26d51694
SAK  length: 40
Error making AWS request
{ SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
    at Request.extractError (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/protocol/query.js:47:29)
    at Request.callListeners (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
  message: 'The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.',
  code: 'SignatureDoesNotMatch',
  time: 2017-09-18T20:43:21.662Z,
  requestId: '02ab939a-9cb2-11e7-a1f3-87975b0dbd52',
  statusCode: 403,
  retryable: false,
  retryDelay: 86.52138921193912 }
Makefile:6: recipe for target 'test' failed
make: *** [test] Error 1

DanAbbz92 commented 7 years ago

I just recreated my keys - My new one still contains a '+', but now able to use the cli

Could be as easy as that

codingthat commented 7 years ago

@DanAbbz92 indeed, I happened to find the same solution around now. No idea why the old keys never worked, but the new ones were fine using the same process.

WMcKibbin commented 7 years ago

I had a ^V in my Secret key from a bad paste attempt. It may be prudent to put a stronger warning on checking for bad characters in the keys. Will prevent further unneeded escalations.

kulkarnij commented 7 years ago

This issue was reported in 2014. Today is Oct 26, 2017. I encountered this issue, my secret had a "+" in it. I created a new key and put it in ~/.aws/configure. Come on Amazon, do you ever plan to fix this **bug**???

robinske commented 7 years ago

I encountered this issue today after installing the cli and running aws configure. My keys had no special characters in them but the following did fix my problem:

tl;dr turning it off and on again worked for me ¯_(ツ)_/¯

asmaier commented 7 years ago

For people using Hadoop ending up here: A related bug has been fixed for Hadoop 2.8.0: "s3:" URLs break when Secret Key contains a slash, even if encoded

bayaro commented 6 years ago

Hi, today I have caught the same issue. The box had the wrong time on it. After updating the time all is working.

EdouardMYOB commented 6 years ago

Adding another "me too"

I had a Secret key that had two '+' characters in it, and that worked from my .aws/credentials file on my Windows VM (when used by a .NET application), but when I installed awscli from brew on my MacBook Pro, and copied the .aws files across (testing for file encodings, end-of-line formats etc) it failed with SignatureDoesNotMatch.

I tried recreating the credentials until I got a secret key without any non alphanumerics, and now it works from the awscli on my Mac. Copying those credentials back to my Windows machine and running the .NET application, that still works.

I didn't make any changes to the time on either machine (the Mac was using NTP already, and the Windows VM looks like it's running about 12 minutes behind the actual time).

I installed awscli with: brew install awscli

and aws --version returns: aws-cli/1.14.30 Python/3.6.4 Darwin/16.7.0 botocore/1.8.34

stephenfeather commented 6 years ago

Well, I pushed code to lambdas this afternoon (2018-02-01 15:48 EST with lambda in us-east-1).
Now at 6pm, I'm getting signature errors on every system in the office. Looking back through this thread: my times are correct, nothing has changed, credentials are under a year old, have been working since the day they were established, using homebrew version aws-cli/1.14.30 Python/3.6.4 Darwin/17.4.0 botocore/1.8.34 (did try a downgrade to a 1.14.2x version, no love)

This is some malarkey

FedericoBiccheddu commented 6 years ago

Having the same issue and solved it by generating new keys without any special characters (like /, + and so on).

Thanks to @hellais for the input!

oreofeolurin commented 6 years ago

Just had the same issue, solved it by correcting my laptop's clock. Apparently I was behind time.

ezrataylor commented 6 years ago

I just experienced this issue and it appears that my ntp client was 10 minutes behind. I did a ntpdate and all is now fixed.

JohnVonNeumann commented 6 years ago

I can confirm that recreating my access keys until I got one without special characters in it, worked. What a ridiculous bug, wow.

Seeing as this is such a long running issue, would it not be intelligent to update the error messaging to give users a link to a potential fix, like rebuilding your keys? Instead of something which makes out that the issue is far more complex than "yeah we error out when your keys have special chars in them, sorry!".

siluri commented 6 years ago

Same issue here:

Versions:

aws-cli/1.14.58 Python/2.7.10 Darwin/17.4.0 botocore/1.9.11

Command:

aws s3 ls got following error: Unknown Signature Version: s3v3.

no solution:

I updated my clock and I generated a secret without any special character

update - fixed by following

aws configure set default.s3.signature_version s3v4

stefano-lupo commented 6 years ago

Yeah this is still a problem - my secret key ended with a + character and no fix I found worked. Regenerated new keys with no + at the end of the secret key and it worked fine.

How on earth is this still an issue?

madept commented 6 years ago

An error occurred (SignatureDoesNotMatch) when calling the CreateMultipartUpload operation: The request signature we calculated does not match the signature you provided. Check your key and signing method. Please help.

tomwojcik commented 6 years ago

My secret starts with + sign and I didn't even know there's this issue until today. I use boto3 python to access my s3. It doesn't work when I pass credentials as raw strings but works fine if I load it from config.ini as a variable using configparser.RawConfigParser(). Of course, generating a new secret without + sign at the end or at the beginning will solve this issue too.

Nonetheless, if this (for some reason) can't be fixed maybe change the exception message to something like "we don't allow + sign, generate a new one if you want to access it the way you do".

mpierini commented 6 years ago

I am using aws cli on osx and I also had a secret that appeared to not be correct. My original one had a + and an = in it and I received the SignatureDoesNotMatch error when attempting to cp files to s3. I regenerated keys and my new secret is now an alphanumeric string. Just adding another confirmation that regeneration works. :relieved:

shawnsmithdev commented 6 years ago

In the hope this might provide insight, this problem (not handling + in secret keys) exposes itself with this version on RHEL5

aws-cli/1.15.25 Python/3.4.7 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.10.25

but does not occur with this version on Ubuntu

aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-121-generic botocore/1.4.70

dsyahrizal commented 6 years ago

Started Jan 2014 and now June 2018, over 4 years and I had the same problem with SignatureDoesNotMatch error. The solution for me was the same as all the majority solutions here, get a new Secret Key without any special character as for my former key has a colon :, tried the time syncing, but not working for me. I'm using WSL.

aws-cli/1.15.27 Python/3.6.5 Linux/4.4.0-17134-Microsoft botocore/1.10.27

ghost commented 6 years ago

Just updating what @gchiu said in April 2017: it is still the case in June 2018 that secrets that have the slash (/) character in them may make the PHP client not work (PHP 7 on Windows 10 in my case), returning the signatures do not match error. In this situation, just generate another pair of keys that is safer.

krish7919 commented 6 years ago

I was flummoxed by this for about 30 mins.

Followed this issue and checked the local time, etc. - all was good.

In desperation, nuked the ~/.aws/credentials file and logged in again (essentially recreating the file) and voila, just works.

Wonder why does it throw this error at all!

EDIT: Doesn't seem to be related to the secret key in my case; they were all mostly simple strings.

jaredkove commented 6 years ago

+1 on this issue, my key started with an =. Regenerated a key that only had a / in it and all was well. Tried encasing the key in " marks, but to no avail.

Not something I would expect to see from the AWS CLI.

costash1 commented 6 years ago

Adding to the same problem here, I cannot believe that the / in my key would have caused this. Thanks for the time wasted!

mikearnett commented 6 years ago

I had this problem. I believe it was a result of initially installing the aws cli as the root user. The resolution seemed to be uninstalling the aws cli, deleting both the .aws folder in the current user's home folder as well as in the root folder, and then running 'aws configure' again as the current user.

LJvdBerg commented 6 years ago

I experienced this problem when running a bash script using a systemd timer on Ubuntu. When manually running the script with my user, everything worked fine. However, the timer would keep on throwing the (SignatureDoesNotMatch) error. I then noticed that the (SignatureDoesNotMatch) was produced for any aws command running as root and that 'aws configure' did not save new values being provided.

To resolve the problem I logged in as root 'su -i', changed to 'cd ~/.aws/' and removed the configuration with 'sudo rm -r credentials', ran 'aws configure' again and this time the new values were saved. From there everything worked again as expected!

villasenor commented 5 years ago

Can confirm that this issue still exists on aws-cli/1.15.4 Python/2.7.15rc1 Linux/4.15.0-42-generic botocore/1.12.8.

An error occurred (SignatureDoesNotMatch) when calling the <whatever> operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

And turns out there was a + in my secret. I regenerated and everything is fine now. When can we expect a fix for this @jamesls? Or is there anything I can do to help?

hsheikha1429 commented 5 years ago

Faced the same on my aws cli because the secret key contained a + (as described above). After regenerating a new key (as I saw from delmartechdude's comment above), the issue has been solved.

LufoX11 commented 5 years ago

My two cents. It was giving me this error because I was trying to upload content to s3 with accelerated transfers this way (it used to work in the past): --endpoint-url http://imaat.s3-accelerate.amazonaws.com (--endpoint-url http://<bucket-name>.s3-accelerate.amazonaws.com) as specified in acceleration endpoint properties.

Following instructions in official docs: https://docs.aws.amazon.com/es_es/AmazonS3/latest/dev/transfer-acceleration-examples.html I replaced that last part with: --endpoint-url http://s3-accelerate.amazonaws.com and ran the command aws configure set s3.addressing_style virtual to build the hostname dynamically. Check: https://docs.aws.amazon.com/cli/latest/topic/s3-config.html#addressing-style

I don't know why, but now it works. My bucket name ("imaat") doesn't have any special character which may lead to DNS failures, but it failed for some reason with latest cli updates.

dave-miles commented 5 years ago

Adding a profile via text edit and got this failure. Updating the profile access id and secret via an aws config set and it worked. This is for a secret with '+' in it and aws-cli/1.16.23 Python/2.7.15 Windows/10 botocore/1.12.13

scrufee commented 5 years ago

@dave-miles You're on to something, thank you for commenting! I'm expanding on your finding below:

I ran into this issue with some docker images. Originally I was using an ADD in the dockerfile to add the ~/.aws/credentials file into the container.

If we did this, we would run into the SignatureDoesNotMatch error when trying to download from s3.

I removed the ADD line in the dockerfile, rebuilt and launched a new docker container. In this new container, I manually ran aws configure set aws_access_key_id <access key id goes here> and aws configure set aws_secret_access_key <secret access key goes here> This was the first time entering the credentials information in this container (I.E. the container was a "fresh" centos image).

After using the aws configure set commands, I was able to successfully download from s3.

For anyone using this with a dockerfile, you could use RUN statements in the dockerfile to run the two commands or you could use an ADD statement to push a script to your docker container:

#!/bin/sh

aws configure set aws_access_key_id access-key-id-goes-here
aws configure set aws_secret_access_key secret-access-key-goes-here

erickrawczyk commented 5 years ago

I had the same problem as @villasenor - a + in the secret key would cause the error when configuring the awscli using env vars in docker. Rotating the keys fixed the issue.

tomchiverton commented 5 years ago

Ditto here, but there are no special chars in the access key or secret key. Regenerated a new set for the same IAM user, and the new ones can list buckets, old ones can not.

This occurred with both AWS cli and Java SDK calls. Suggesting the fault is not in the clients...

Both sets are still live. If anyone at Amazon wants more details please get in contact.

ElementalWarrior commented 5 years ago

My co-worker just encountered this too. I tried debugging by creating an access key until I got one with a + or / at the start. Wasn't able to repro though.

blbradley commented 5 years ago

I had a co-worker experience this. We determined that this occurs specifically on Ubuntu 18.04 with + or / in the secret key.

cuichenli commented 5 years ago

Got the same error today, currently using Windows 10. However, when I use the same access key on another laptop (mac), it works fine for me. Then I tried the access key within WSL, which is also fine. Not sure the reason, and there is no special character in the aws key.

lukelane124 commented 5 years ago

I'm having this error with one set of access keys and not the other. As mentioned in several other posts here my key has a '/' in it. To me this issue seems like a simple problem of either the server or the clients encoding/decoding using the RFC URI encoding standard and the other not using it. I plan to run these test scripts mentioned and attempt to reproduce errors.

Denubis commented 5 years ago

To other folks here, I ran into the error, but I had incorrect credentials cached in my ~/.aws folder. It looks there first and to environment variables second.

martin-bts commented 5 years ago

I am experiencing this on Windows 10 using Git Bash. It works just fine with Powershell. The Python invocation is obv different, but it's the same Python and Python module. I also have + and / in my key.

pjmorr commented 5 years ago

I just had this problem and for me, the fix was to remove the spaces. Example: instead of the default of:

[profilename]
aws_access_key_id = MYAWSACCESSKEYID
aws_secret_access_key = MYAWSSECRETACCESKEY

I changed it to:

[profilename]
aws_access_key_id=MYAWSACCESSKEYID
aws_secret_access_key=MYAWSSECRETACCESKEY

note the lack of spaces around the =. This fixed it for me and I have + and / in my key too btw.
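Several causes reported in this thread live in the credentials file itself (a second aws_secret_access_key line, a ^V left by a bad paste, quotes around the value, stale AWS_* environment variables), and they can be checked without ever printing the secret. The following is an added example, not code from any commenter or from aws-cli; lint_credentials, fingerprint and the sample file are constructed for illustration, and the 20/40 character lengths are an assumption taken from the test output earlier in the thread.

```python
import hashlib
import re

# Assumption: expected lengths come from the thread's test output (20 / 40).
EXPECTED_LEN = {"aws_access_key_id": 20, "aws_secret_access_key": 40}
ENV_NAME = {"aws_access_key_id": "AWS_ACCESS_KEY_ID",
            "aws_secret_access_key": "AWS_SECRET_ACCESS_KEY"}
LINE_RE = re.compile(r"^\s*([A-Za-z_]+)[ \t]*=(.*)$")


def fingerprint(value):
    """SHA-256 hex digest, so two copies can be compared without showing them."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def lint_credentials(text, env=None, env_profile="default"):
    """Return sorted (profile, key, problem) findings; values never appear."""
    env = env or {}
    findings, seen, profile = set(), set(), ""
    for raw in text.split("\n"):            # split on "\n" only: a stray "\r" stays visible
        stripped = raw.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            profile = stripped[1:-1].strip()
            continue
        m = LINE_RE.match(raw)
        if not m or m.group(1) not in EXPECTED_LEN:
            continue
        key, value = m.group(1), m.group(2)
        problems = []
        if (profile, key) in seen:
            problems.append("duplicate entry")
        seen.add((profile, key))
        if any(ord(c) < 32 or ord(c) == 127 for c in value):
            problems.append("control character")
        core = value.strip()                # spaces around "=" are not a finding
        if core.startswith(('"', "'")) or core.endswith(('"', "'")):
            problems.append("quoted value")
        if any(c.isspace() for c in core) or not core.isascii():
            problems.append("embedded whitespace or non-ASCII")
        if len(core) != EXPECTED_LEN[key]:
            problems.append("unexpected length %d" % len(core))
        env_value = env.get(ENV_NAME[key])
        if (profile == env_profile and env_value is not None
                and fingerprint(env_value) != fingerprint(core)):
            problems.append("differs from %s in the environment" % ENV_NAME[key])
        findings.update((profile, key, p) for p in problems)
    return sorted(findings)


# Constructed sample file; none of these values are real credentials.
SAMPLE = (
    "[default]\n"
    "aws_access_key_id = AKIAEXAMPLEEXAMPLE00\n"
    "aws_secret_access_key = " + "a" * 40 + "\n"
    "aws_secret_access_key = " + "a" * 20 + "\x16" + "b" * 20 + "\n"
    "[ci]\n"
    "aws_access_key_id=AKIAEXAMPLEEXAMPLE11\r\n"
    "aws_secret_access_key=\"" + "c" * 40 + "\"\n"
)

if __name__ == "__main__":
    for profile, key, problem in lint_credentials(SAMPLE):
        print("[%s] %s: %s" % (profile, key, problem))
```

To check a real file, pass its contents read in binary mode and decoded, together with `os.environ`, so that line endings and environment overrides are seen exactly as they are on disk and in the process.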

bisdavid commented 5 years ago

All, there are some awesome troubleshooting tips in here. I'm going to turn these into a page in the Troubleshooting section in the CLI Users Guide. Thanks for the contributions!

JonathanNathanson commented 5 years ago

Hi all,

I can see there are a lot of answers here, but for me it was the special characters in the AWS Secret Access Key. Mine started with "=+", but when I generated a new one without special chars from the web console it started working immediately.

I'm running awscli in a Zsh shell on Ubuntu on Windows:

jonathan@SurfaceBook ~ aws --version
aws-cli/1.16.216 Python/2.7.12 Linux/4.4.0-17134-Microsoft botocore/1.12.206

I hope this is helpful to others.

Thanks Jonathan

okarlsson commented 5 years ago

Just sunk 4 hours of debugging into this until I found this thread. I could use the s3 cli locally without any issues, but when running them in circleci I got this error: SignatureDoesNotMatch..

As others have suggested my secret access key contained a + character, and after generating a new key everything started to work.

Would almost have been impossible to debug without this thread

erikdao commented 5 years ago

Thanks @blbradley . It was exactly the problem that I had.

svjmandryk commented 5 years ago

had the same problem - the solution was to delete Windows environment variables with obsolete AWS credentials

Kit-Ok commented 5 years ago

I had the problem too on Python3 boto3. Mine starts with =/