Signature expired: is now earlier than error : InvalidSignatureException
B

23

86

I am trying a small example with AWS API Gateway and IAM authorization. The AWS API Gateway generated the below Endpoint :

https://xyz1234.execute-api.us-east-2.amazonaws.com/Users/users

with POST action and no parameters.

Initially I had turned off IAM for this POST method, and I verified using Postman that it works. Then I created a new IAM user and attached the AmazonAPIGatewayInvokeFullAccess policy to the user, thereby giving permission to invoke any APIs. I then enabled IAM for the POST method.

I then went to Postman - and added Authorization with AccessKey, Secret Key, AWS Region as us-east-2 and Service Name as execute-api and tried to execute the Request but I got InvalidSignatureException Error with 403 as return code.

The body contains the following message:

Signature expired: 20170517T062414Z is now earlier than 20170517T062840Z (20170517T063340Z - 5 min.)" 

What am I missing ?


Benumb answered 17/5, 2017 at 6:42 Comment(4)
Did you set the clock and time zone properly on the machine where you generated the signature? - Recti
Thank you @Michael-sqlbot - by mistake the time was set manually on the machine and was not set to the standard time. - Benumb
Something with your machine time. I had this problem when I used Docker: the time in the Docker container was in the past, and I had to restart the Docker service. - Elis
For anybody who's using Windows 11 with WSL2: Windows often can't sync the time. Clicking Sync Time in Settings helps to fix the time zone but never helped me to fix the topic issue. Usually I just restart the machine and it's gone. - Coil
M
88

A request signed with AWS SigV4 includes a timestamp for when the signature was created. Signatures are only valid for a short amount of time after they are created. (This limits the amount of time that a replay attack can be attempted.)

When the signature is validated the timestamp is compared to the current time. If this indicates that the signature was not created recently, then signature validation fails with the error message you mentioned.

If you get this in a Docker container on Windows that uses WSL, then it may help to fix the WSL time by running wsl -d docker-desktop -e /sbin/hwclock -s in PowerShell. You can verify this is the case beforehand by logging into the container, typing date in the terminal and comparing it with your host machine time.

A common cause of this is when the local clock on the host generating the signature is off by more than a couple of minutes.

Mammary answered 17/5, 2017 at 19:57 Comment(1)
Or your problem is date/time, like mine. Then: timedatectl set-timezone America/<your_zone> && timedatectl --adjust-system-clock. If that doesn't work, try installing chrony and enabling the service. - Treulich
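The timestamp comparison described in the answer above can be read straight off the error body. This added example (not part of the original answers; function names are hypothetical) parses the message quoted in the question and reports how old the signature looked to the server and how far outside the window it fell.

```javascript
// Added example: explains a SigV4 "Signature expired" error body.
// The message layout is taken from the error quoted in the question.
const EXPIRED_RE =
  /Signature expired: (\d{8}T\d{6}Z) is now earlier than (\d{8}T\d{6}Z) \((\d{8}T\d{6}Z) - (\d+) min\.\)/;

// Convert a basic ISO 8601 timestamp (YYYYMMDDTHHMMSSZ) to epoch milliseconds.
function amzDateToMs(s) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(s);
  if (!m) throw new Error(`not an amz date: ${s}`);
  const [y, mo, d, h, mi, sec] = m.slice(1).map(Number);
  return Date.UTC(y, mo - 1, d, h, mi, sec);
}

// Returns null when the text is not a signature-expiry error.
function explainSignatureExpired(message) {
  const m = EXPIRED_RE.exec(message);
  if (!m) return null;
  const signedAt = amzDateToMs(m[1]);         // timestamp inside the request
  const earliestAccepted = amzDateToMs(m[2]); // server time minus the window
  const serverNow = amzDateToMs(m[3]);        // server clock at validation
  const windowMin = Number(m[4]);
  // Sanity check: the lower bound must equal server time minus the window.
  if (serverNow - earliestAccepted !== windowMin * 60000) {
    throw new Error('inconsistent message: bound != server time - window');
  }
  return {
    signedAt: m[1],
    serverNow: m[3],
    windowMin,
    // Age of the signature as the server saw it (clock skew plus transit time).
    signatureAgeSec: (serverNow - signedAt) / 1000,
    // How far the timestamp fell outside the accepted window.
    pastWindowSec: (earliestAccepted - signedAt) / 1000,
  };
}

// The exact error body from the question.
const sample =
  'Signature expired: 20170517T062414Z is now earlier than ' +
  '20170517T062840Z (20170517T063340Z - 5 min.)';
console.log(explainSignatureExpired(sample));
```

A signature age of several minutes on a request that was sent immediately points at the signing host's clock rather than at credentials or policy.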
T
69

You need to synchronize your machine's local clock with NTP.

For example, on an Ubuntu machine:

sudo ntpdate pool.ntp.org

System time goes out of sync quite often. You need to keep them in sync periodically.

You can run a daily CRON job to keep your system time in sync as mentioned at this link: Periodically synchronize time in Linux

Create a bash script called ntpdate to sync the time and put the below into it:

#!/bin/sh
# sync server time
/usr/sbin/ntpdate pool.ntp.org >> /tmp/ntpdate.log

You can place this script anywhere you like and then set up a cron job. I will be putting it into the daily cron directory so that it runs once every day. So my ntpdate script is now in /etc/cron.daily/ntpdate and it will run every day.

Make this script executable

chmod +x /etc/cron.daily/ntpdate

Test it by running the script once and look for some output in /tmp/ntpdate.log

/etc/cron.daily/ntpdate

In your log file you should see something like

26 Aug 12:19:06 ntpdate[2191]: adjust time server 206.108.0.131 offset 0.272120 sec
Thundershower answered 17/5, 2017 at 20:54 Comment(3)
Thanks for sharing that @Yeshodhan. A guess - I have set my MacBook's time to Auto Set Date and Time - I believe this will take care of synchronization? - Benumb
This is very likely to happen if you are on a VM, especially using Vagrant and if you leverage the suspend command frequently. Just a note from personal experience. - Cerda
I want to add to this because I ran into this issue running WSL2 on Windows 11. I checked the clock synchronization and found that my desktop could not reach the NTP server, even when I manually attempted to run a sync. In my case, the tried and true method of turning it off and on again was the solution. - Sushi
W
33

Faced a similar issue when I used the timedatectl command to change the datetime of the underlying machine. The explanations given by MikeD & others are really informative for fixing the issue.

sudo apt install ntp
sudo apt install ntpdate
sudo ntpdate ntp.ubuntu.com

After synchronizing the time with the correct current datetime, this issue will be resolved.

Wilsey answered 12/6, 2019 at 7:18 Comment(1)
Is this tool just plain removed in Ubuntu 20? - Cottager
L
15

For me, the issue happened while using WSL. The date in WSL was out of sync. The solution was to run the command wsl --shutdown and restart docker.

Ligula answered 3/5, 2021 at 16:5 Comment(1)
Nailed it! For clarification for anyone else who does this, run wsl --shutdown in PowerShell, and once it finishes shutting down Docker will pop up a notification saying it needs to restart. WSL will automatically restart somehow during this process. - Patricide
H
14

Had this problem on Windows. The current time got out of sync after a power outage. Solved it by: Setting -> date and time -> Sync now.


Haemolysis answered 15/5, 2022 at 8:35 Comment(1)
Working solution for Windows, thanks. - Lecia
P
8

If you are on an AWS EC2 Ubuntu server and somehow not able to fix the time with NTP:

sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"

Source: https://askubuntu.com/a/655528

Phore answered 9/1, 2021 at 21:14 Comment(1)
Wow, the most Linux independent solution, that does not require unique tools (e.g. ntpdate is no longer available in RHEL8). - Selfless
I
7

This one command did the trick

sudo ntpdate pool.ntp.org
Infuriate answered 8/10, 2019 at 2:47 Comment(0)
M
7

Make sure your PC's clock is set correctly. I faced the same issue and then realized my clock wasn't showing the right time due to some reason. As soon as I corrected the time, it started working fine again! Hope this helped.

Masqat answered 10/8, 2020 at 19:32 Comment(1)
Thanks (and welcome to Stack Overflow!). In my case I was using a VM (WSL2) which had become out of sync with the host; fixing the time on the VM (either manually or by just restarting it) resolved the error. - Audsley
T
5

I was also facing this issue. I added

correctClockSkew: true

and the issue was fixed for me.

const nodemailer = require('nodemailer');
const ses = require('nodemailer-ses-transport');

// '**' marks values redacted by the poster
let transporter = nodemailer.createTransport(ses({
    correctClockSkew: true,
    accessKeyId: '**',
    secretAccessKey: '**',
    region: '**'
}));
Tybalt answered 11/6, 2018 at 9:31 Comment(0)
P
3

I have tried all the solutions related to time sync, but nothing worked. What I did was set the correctClockSkew option to true while creating a service client. This solved my problem.

For instance:

let dynamodb = new AWS.DynamoDB({correctClockSkew: true});

Hope this will sort out.

Reference: https://github.com/aws/aws-sdk-js/issues/527

Ptolemaist answered 16/9, 2021 at 6:23 Comment(0)
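The two answers above rely on the SDK's correctClockSkew option. The sketch below is an added illustration of the general idea (after a signature-expiry 403, learn the offset from the server's Date header and retry once with a corrected timestamp); it is not the AWS SDK's code, SkewCorrectedClock, makeFakeService and sendWithSkewRetry are hypothetical names, and the service is simulated in-process.

```javascript
// Added illustration of client-side skew correction; not the AWS SDK's code.
const WINDOW_MS = 5 * 60 * 1000; // the "5 min." window from the question's error

// Format epoch milliseconds as an X-Amz-Date value (YYYYMMDDTHHMMSSZ).
const toAmzDate = (ms) => new Date(ms).toISOString().replace(/[-:]|\.\d{3}/g, '');

class SkewCorrectedClock {
  constructor(localNow = Date.now) { this.localNow = localNow; this.offsetMs = 0; }
  // Learn the offset between server and local time from a Date response header.
  observe(dateHeader) {
    const serverMs = Date.parse(dateHeader);
    if (Number.isNaN(serverMs)) return false; // missing or unparseable header
    this.offsetMs = serverMs - this.localNow();
    return true;
  }
  isSkewed() { return Math.abs(this.offsetMs) >= WINDOW_MS; }
  signingTime() { return toAmzDate(this.localNow() + this.offsetMs); }
}

// Constructed stand-in for the service: rejects timestamps older than the window.
function makeFakeService(serverNow) {
  return (amzDate) => {
    // Fixed-width UTC timestamps order correctly as plain strings.
    const ok = amzDate >= toAmzDate(serverNow() - WINDOW_MS);
    return { status: ok ? 200 : 403,
             code: ok ? null : 'InvalidSignatureException',
             date: new Date(serverNow()).toUTCString() };
  };
}

// Send once; on a signature 403 caused by real skew, correct and retry once.
function sendWithSkewRetry(send, clock) {
  let res = send(clock.signingTime());
  let retried = false;
  if (res.status === 403 && res.code === 'InvalidSignatureException' &&
      clock.observe(res.date) && clock.isSkewed()) {
    retried = true;
    res = send(clock.signingTime());
  }
  return { status: res.status, retried, offsetMs: clock.offsetMs };
}

// Constructed scenario using the two times from the question's error message.
const LOCAL_MS = Date.UTC(2017, 4, 17, 6, 24, 14);  // client clock, 9m26s behind
const SERVER_MS = Date.UTC(2017, 4, 17, 6, 33, 40); // true time at the service
function demo() {
  return sendWithSkewRetry(makeFakeService(() => SERVER_MS),
                           new SkewCorrectedClock(() => LOCAL_MS));
}
console.log(demo());
```

Skew correction only repairs the signing timestamp; TLS certificate validation and log timestamps on the host still depend on the real clock, so the clock itself should still be fixed.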
R
2

I was facing the same issue: when I log in to my AWS account and try to create a dataset in DataBrew, you get this kind of error there. I have a Windows machine. What I did was sync the Windows date and time. It sorted out my issue. Go to Settings -> Date and time -> Sync. Please refer to this image for your information.

[Image: settings]

Rapping answered 14/5, 2023 at 9:38 Comment(0)
C
1

For those who face this issue while running Lambda functions (that use other AWS services like DynamoDB) locally with sam local invoke: The time in docker container, used by sam, may not be in sync with host. Restarting your docker on host (Docker Desktop on Windows) should resolve this issue.

Cadent answered 4/6, 2020 at 18:31 Comment(0)
D
1

Complementing what @miked-at-aws posted about AWS SigV4, there are at least 2 main possible root causes for the clock skew:

  1. Your CPU is overloaded (reaching 99% usage, or on EC2 instances with CPU limits that run out of CPU credits).

Why would this generate the time skew? Because between the moment the Amazon SDK creates the timestamp and the moment the request is sent, there normally shouldn't be more than just a few nano- or microseconds, but if your CPU is overwhelmed it may take several seconds or even minutes in some cases to process. So for this root cause you will experience not 100% of events lost but just some x% that may not be too big.

  2. The second root cause is that your machine clock just isn't adjusted. In that case probably 100% of your events are being lost, and you just have to make sure that your machine clock is being set and adjusted correctly.
Dorothy answered 30/9, 2020 at 1:59 Comment(0)
G
1

I was making AWS API requests from a VM on my local machine. I checked the date was correct and was syncing, but I was still getting the error above. I halted and re-upped my VM and the error went away. I never figured out the exact cause, but "turning it off and back on again" fixed it.

Goebbels answered 17/11, 2020 at 4:4 Comment(0)
A
1

I faced same issue in WSL. I'm able to fix this by restarting WSL.

wsl --shutdown

Antione answered 25/7, 2023 at 12:41 Comment(0)
S
0

I have faced this same problem while fetching video from Amazon Kinesis to my local website. So, in order to solve this problem, I installed chrony on my computer. chrony solved my problem. You can see the Amazon chrony installation instructions at the following link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html

Slicer answered 11/8, 2019 at 6:55 Comment(0)
H
0

What worked for me was to change the time on my computer. I am in the UK so I put it forward one hour to put on a European time zone. Then it worked. This is not the best fix but it worked for me to move forward. I set the timezone to eu-west-2 which is London so I am not sure why it only worked when I put the time on my computer forward an hour. I need to look into that.

Hanse answered 1/11, 2021 at 12:45 Comment(0)
P
0

Just try to update the system date and time, as they might be outdated. Synchronize your clock and reload your console. This worked for me.

Pennyroyal answered 28/6, 2022 at 5:16 Comment(0)
H
0

I faced similar issues. But the error occurred because of some of my mistakes in codes - Instead of using any react-aws package/node-modules, I was creating each and every value like credential scope, signed headers, signature key/signing key, authorization header, etc, from scratch using Crypto.HmacSHA256() method in a function named axiosConfig().

So what went wrong, I was generating amz_date out of the axiosConfig() function in the same file i.e. when an API call is made, the signature token was generated based on an old time when amz_date was created. So if the time difference between the creation of amz_date and the signature token is more than 5 minutes, the InvalidSignatureException error is thrown. So, declaring amz_date within axiosConfig() fixed my code.

Codes with error -

export const axiosConfig = (request_parameters: string) => {

// token/key generation codes
}
  let amz_date = getAmzDate(new Date().toISOString());

The correct form of code -

export const axiosConfig = (request_parameters: string) => {

// token/key generation codes
  let amz_date = getAmzDate(new Date().toISOString());

}

Hollingsworth answered 31/1, 2023 at 5:47 Comment(2)
As it's currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. - Clubhaul
If you have a new question, please ask it by clicking the Ask Question button. Include a link to this question if it helps provide context. - From Review - Hamitic
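The bug described in the answer above, reproduced with a simulated clock so it runs instantly. This is an added example, not the answer's code; makeClock, makeStaleSigner, makeFreshSigner and accepted are hypothetical names, and the client and server share one correct clock to show that time sync alone does not fix a timestamp captured too early.

```javascript
// Added example: a timestamp captured once at load time versus once per request.
const WINDOW_MS = 5 * 60 * 1000; // the "5 min." window from the question's error

// Format epoch milliseconds as an X-Amz-Date value (YYYYMMDDTHHMMSSZ).
const toAmzDate = (ms) => new Date(ms).toISOString().replace(/[-:]|\.\d{3}/g, '');

// Injected clock so the example can advance time without sleeping.
function makeClock(startMs) {
  let t = startMs;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

// Buggy pattern: amz_date is evaluated once, outside the per-request function.
function makeStaleSigner(clock) {
  const amzDate = toAmzDate(clock.now()); // frozen at "module load"
  return () => ({ 'X-Amz-Date': amzDate });
}

// Fixed pattern: amz_date is evaluated inside the per-request function.
function makeFreshSigner(clock) {
  return () => ({ 'X-Amz-Date': toAmzDate(clock.now()) });
}

// Server-side check: reject timestamps older than the window.
// Fixed-width UTC timestamps order correctly as plain strings.
function accepted(headers, serverNowMs) {
  return headers['X-Amz-Date'] >= toAmzDate(serverNowMs - WINDOW_MS);
}

// Issue a request at 0, 4 and 6 minutes after load with both signers.
function demo() {
  const clock = makeClock(Date.UTC(2023, 0, 31, 5, 0, 0)); // constructed start time
  const stale = makeStaleSigner(clock);
  const fresh = makeFreshSigner(clock);
  const results = [];
  let elapsed = 0;
  for (const minutes of [0, 4, 6]) {
    clock.advance((minutes - elapsed) * 60000);
    elapsed = minutes;
    results.push({
      minutes,
      stale: accepted(stale(), clock.now()),
      fresh: accepted(fresh(), clock.now()),
    });
  }
  return results;
}
console.log(demo());
```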
A
0

Faced this issue twice so far. The date and time of the Linux machine was the issue in both cases.

Check your system's date with the following command in Linux:

date

In case of any lag, update the time using this command (use the current timestamp):

sudo date --set="Sat Jul 15 13:35:10 IST 2023"
Anybody answered 15/7, 2023 at 8:38 Comment(0)
S
0

If you are using any system like Windows or Linux to log in to your AWS account, first you have to check the system date, time and also region. Set the proper date and time. This is enough to resolve this problem.

Surcharge answered 11/5 at 12:48 Comment(0)
M
0

For me this happened on the AWS Console in Chrome on macOS, because the time was surprisingly off. Apple wanted me to take some user-account-related action, and evidently all Apple services (including the Apple time server) weren't responding. Once I took the action and disabled then re-enabled automatic time sync, the time on the machine got corrected automatically.

Fun part: I was thinking ohh wow there's time to evening (LOL)

Murrell answered 27/5 at 20:17 Comment(0)
P
0

This command will fix the issue in Ubuntu or WSL Ubuntu:

sudo ntpdate pool.ntp.org
Pound answered 14/6 at 7:53 Comment(0)
