Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SignatureDoesNotMatch error #602

Closed
thomaswitt opened this issue Jan 22, 2014 · 175 comments
Closed

SignatureDoesNotMatch error #602

thomaswitt opened this issue Jan 22, 2014 · 175 comments

Comments

@thomaswitt
Copy link

@thomaswitt thomaswitt commented Jan 22, 2014

I keep on getting a A client error (SignatureDoesNotMatch) occurred when calling the ListUsers operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

I set the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION.

@jamesls
Copy link
Member

@jamesls jamesls commented Jan 22, 2014

EDIT: If you are running into this issue, we'd appreciate your help in troubleshooting. I'm updating this comment for better visibility on troubleshooting steps.

Troubleshooting

The first step for troubleshooting this is to determine whether or not the issue is with the credentials themselves or with the CLI. To test this, try using these credentials in other AWS SDKs (javascript, ruby, java, etc). To help with this, I've created a test script that uses the AWS SDK for python and javascript which is available here: https://github.com/jamesls/aws-creds-test . After cloning, just run make install, make test. It will prompt you for credentials (similar to the CLI) and make an API call to sts.GetCallerIdentity.

/tmp $ mkdir /tmp/repro-cli-602
/tmp $ cd /tmp/repro-cli-602/
/tmp/repro-cli-602 $ git clone git://github.com/jamesls/aws-creds-test
Cloning into 'aws-creds-test'...
...
/tmp/repro-cli-602 $ cd aws-creds-test/
/tmp/repro-cli-602/aws-creds-test (master u=) $ make install
npm install
aws-js-cli@1.0.0 /private/tmp/repro-cli-602/aws-creds-test
├─┬ aws-sdk@2.45.0
...
pip install -r requirements.txt
Requirement already satisfied: botocore<2.0.0,>=1.5.0 in /usr/local/lib/python2.7/site-packages (from -r requirements.txt (line 1))
...



/tmp/repro-cli-602/aws-creds-test (master u=) $ make test
./test-creds.sh
Testing python...
Access Key:
Secret Access Key:
AKID   hash: 4e7c36343646e1fa7495092bffcd4b9b7dd00f2f5014a189ab81f326e6472a62
AKID length: 20

SAK    hash: 941a655993caccb1a1218883b97a88b6f41762c6d03902f1cdd1e2a5de5fd82e
SAK  length: 40
Successfuly made an AWS request with the provided credentials.

Testing javasript...
Access Key: ********************
Secret Access Key: ****************************************
AKID   hash: 4e7c36343646e1fa7495092bffcd4b9b7dd00f2f5014a189ab81f326e6472a62
AKID length: 20


SAK    hash: 941a655993caccb1a1218883b97a88b6f41762c6d03902f1cdd1e2a5de5fd82e
SAK  length: 40
Sucessfully made an AWS request with the provided credentials.

For people running into this issue, please run the test script and share the output.

This should give us better insight into where this issue is occurring:

  • If the above script passes for both python and javascript but is failing when using the CLI, likely a CLI issue.
  • If the script fails for python but passes for javascript, likely an issue with botocore (which the CLI uses).
  • If the above script fails for both python and javascript, likely an issue with the actual credentials.

Thanks in advance for anyone that can help us troubleshoot this issue. Let me know if there's any questions.

@thomaswitt
Copy link
Author

@thomaswitt thomaswitt commented Jan 23, 2014

This is how it looks like:

thomas@iMac:~ $ echo $AWS_ACCESS_KEY_ID
AKIAXXXXXXXXXXXXXXXX
thomas@iMac:~ $ echo $AWS_SECRET_ACCESS_KEY
abcaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+0
thomas@iMac:~ $ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
              env    AWS_ACCESS_KEY_ID
              env    AWS_SECRET_ACCESS_KEY
    region                eu-west-1              env    AWS_DEFAULT_REGION

@foscraig
Copy link
Contributor

@foscraig foscraig commented Apr 4, 2014

Any updates on this issue? I'm also encountering this error and my credentials file hasn't changed.

@squirvoid
Copy link

@squirvoid squirvoid commented Apr 28, 2014

I have a similar issue. Jenkins s3 plugin is able to put an object using my credentials, but the aws-cli is giving me the errors below.

aws s3 cp s3://my-bucket/folder/test.txt test.txt
A client error (Forbidden) occurred when calling the HeadObject operation: Forbidden Completed 1 part(s) with ... file(s) remaining

aws s3api get-object --bucket my-bucket --key folder/test.txt test.txt
A client error (SignatureDoesNotMatch) occurred when calling the GetObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

@JeremyShort
Copy link

@JeremyShort JeremyShort commented May 14, 2014

I am running into the same issue. If I make up a secret it gives me a different (AuthFailure) error.

[ec2-user@ip-127.0.0.1]]$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************AMKA              env    AWS_ACCESS_KEY_ID
secret_key     ****************jPU2              env    AWS_SECRET_ACCESS_KEY
    region                us-west-2              env    AWS_DEFAULT_REGION

This is pretty much stopping me completely. I can do some things with the ec2-blah-stuff utilities by specifying x509 certs but the help says that's deprecated so I don't want to depend on it. Any help troubleshooting or what ever would really be appreciated.

@jamesls
Copy link
Member

@jamesls jamesls commented May 14, 2014

The first step would be to ensure that your access/secret keys are actually valid. A few things to try:

  • Does these same access/secret key credentials work with other tools? (The java/javascript/ruby/python SDK?)
  • Do other commands besides "aws s3" work for you? Does "aws ec2 describe-instances" still generate auth errors?

@JeremyShort
Copy link

@JeremyShort JeremyShort commented May 15, 2014

They do not work with other tools (ec2-describe-instance for instance).

I think I have the appropriate rights since using the certs works. To make sure it's not a workstation thing I built an Amazon Linux instance and I'm using the awscli verison that comes with it but getting the same message.

@TeePaps
Copy link

@TeePaps TeePaps commented Jul 16, 2014

Also an issue for me. I'm using it in a docker container, built with the same Dockerfile.
It works fine when built on an EC2, but does not work when built locally on a coreos vagrant box.

@jamesls
Copy link
Member

@jamesls jamesls commented Jul 28, 2014

It looks like the issue is with the credentials themselves. I've double checked this, and I'm not able to repro this issue. Double check the credentials on the security credentials page. If someone can provide an exact set of steps that demonstrate the issue, I'd be happy to take another look.

@jamesls jamesls closed this Jul 28, 2014
@rvfn
Copy link

@rvfn rvfn commented Aug 1, 2014

Just had this happening to me and was a result of my system time being off by too much even though it did not report that. Ran ntpdate against pool.ntp.org and fixed this problem for me.

@anuraj-optimizely
Copy link

@anuraj-optimizely anuraj-optimizely commented Oct 14, 2014

If you are getting this error when cred are setup using env variable, try sudo

@rcosnita
Copy link

@rcosnita rcosnita commented Oct 24, 2014

If you are in a virtual machine make sure your host os time matches the guest os time. If this is not the case you will get into the error you described.

@j0ni
Copy link

@j0ni j0ni commented Nov 3, 2014

A very similar error occurs for me with good credentials, whilst listing a bucket which has a lot of keys in it. Here's the error:

A client error (SignatureDoesNotMatch) occurred when calling the ListObjects operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Here's my output from aws configure list

      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************4UNA shared-credentials-file
secret_key     ****************MNOG shared-credentials-file
    region                <not set>             None    None

Note that these credentials work fine with other aws invocations, and in fact this list op runs for a long time (more than an hour) before bailing with this error. I have a file with over 82,000 lines of output in it from the command which eventually failed.

@aub
Copy link

@aub aub commented Nov 14, 2014

I've been getting this issue, and if I just sleep my script for a second and try again then it goes through. It's almost like it's getting throttled and returning the wrong error or something.

@ansjob
Copy link

@ansjob ansjob commented Nov 18, 2014

I can report this issue too. Trying to upload a 11 GB file using aws cp foo s3://mybucket/foo/bar I get various errors like:

A client error (SignatureDoesNotMatch) occurred when calling the UploadPart operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

and

Max retries exceeded with url: /***REDACTED***?partNumber=196&uploadId=B2viwGFF4Lmq5itbs8ipqwBExx0BWGRm3gkG_D5EYTiU8uEO_tmUT.d.i7BcgPnP5npZa.OW7yMfJ3ZhhLJD61zP7EVv.5.ZftCJQbKNdkEBeijGBqWlrxz4vMx3B05Q (Caused by <class 'socket.gaierror'>: [Errno -2] Name or service not known)

I've checked that my system time is correct. I also noticed considerable slowness (on the level of http requests timing out) on the same system while uploading, so this being a throttling issue does sound reasonable. It also works fine to upload small files with the same credentials, and using the web console from the same machine, so this does appear to be a aws-cli problem.

@ranrub
Copy link

@ranrub ranrub commented Nov 19, 2014

This happened to me with too with aws-cli 1.5.5, updating aws-cli to 1.6.2 solved it.

@ansjob
Copy link

@ansjob ansjob commented Nov 19, 2014

Happens to me with 1.6.2

@ye
Copy link

@ye ye commented Nov 25, 2014

This happened to me today. This is new to me. Been using awl-cli for a few months no problem and no change to the credentials AFAIK.

$ aws configure --profile ye list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                       ye           manual    --profile
access_key     ****************ERMQ shared-credentials-file    
secret_key     ****************E8Id shared-credentials-file    
    region                us-east-1      config-file    ~/.aws/config

@jamesls
Copy link
Member

@jamesls jamesls commented Nov 25, 2014

I believe this issue is now fixed via boto/botocore#388, and will be available in the next AWS CLI release.

@ye
Copy link

@ye ye commented Nov 25, 2014

@jamesls confirmed fixed on awscli version 1.6.4. I was using 1.5.4. Thanks!

@wolfeidau
Copy link

@wolfeidau wolfeidau commented Dec 2, 2014

I am getting this issue on a fresh ubuntu system.

A client error (SignatureDoesNotMatch) occurred when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Installed aws-cli via pip

$ pip list
ansible (1.5.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.6.5)
bcdoc (0.12.2)
botocore (0.76.0)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.11)
html5lib (0.999)
httplib2 (0.8)
Jinja2 (2.7.2)
jmespath (0.5.0)
jsonpatch (1.3)
jsonpointer (1.0)
Landscape-Client (14.01)
MarkupSafe (0.18)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
Pillow (2.3.0)
pip (1.5.4)
prettytable (0.7.2)
pyasn1 (0.1.7)
pycrypto (2.6.1)
pycurl (7.19.3)
Pygments (1.6)
pyinotify (0.9.4)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5)
python-dateutil (2.3)
python-debian (0.1.21-nmu2ubuntu2)
PyYAML (3.10)
requests (2.2.1)
roman (2.0.0)
rsa (3.1.2)
setuptools (3.3)
six (1.5.2)
Sphinx (1.2.2)
ssh-import-id (3.21)
Twisted-Core (13.2.0)
urllib3 (1.7.1)
wsgiref (0.1.2)
zope.interface (4.0.5)

Any ideas on how to fix it?

@aub
Copy link

@aub aub commented Dec 2, 2014

My solution was to sleep for a few seconds and then try it again, but it
sounds like there may be an update to the tool that fixes it as well.

On Tue, Dec 2, 2014 at 3:38 AM, Mark Wolfe notifications@github.com wrote:

I am getting this issue on a fresh ubuntu system.

A client error (SignatureDoesNotMatch) occurred when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Installed aws-cli via pip

$ pip list
ansible (1.5.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.6.5)
bcdoc (0.12.2)
botocore (0.76.0)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.11)
html5lib (0.999)
httplib2 (0.8)
Jinja2 (2.7.2)
jmespath (0.5.0)
jsonpatch (1.3)
jsonpointer (1.0)
Landscape-Client (14.01)
MarkupSafe (0.18)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
Pillow (2.3.0)
pip (1.5.4)
prettytable (0.7.2)
pyasn1 (0.1.7)
pycrypto (2.6.1)
pycurl (7.19.3)
Pygments (1.6)
pyinotify (0.9.4)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5)
python-dateutil (2.3)
python-debian (0.1.21-nmu2ubuntu2)
PyYAML (3.10)
requests (2.2.1)
roman (2.0.0)
rsa (3.1.2)
setuptools (3.3)
six (1.5.2)
Sphinx (1.2.2)
ssh-import-id (3.21)
Twisted-Core (13.2.0)
urllib3 (1.7.1)
wsgiref (0.1.2)
zope.interface (4.0.5)

Any ideas on how to fix it?


Reply to this email directly or view it on GitHub
#602 (comment).

@ye
Copy link

@ye ye commented Dec 3, 2014

@wolfeidau and yeah I spoke too soon. The locally pip installed awscli is giving the SignatureDoesNotMatch errors again. Yikes!

A client error (SignatureDoesNotMatch) occurred when calling the DeregisterInstancesFromLoadBalancer operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/

host:elasticloadbalancing.us-east-1.amazonaws.com
user-agent:aws-cli/1.6.5 Python/2.7.8 Darwin/13.4.0
x-amz-date:20141203T015747Z

host;user-agent;x-amz-date
1d9dafbf4bfa9b1225d91bdbf99d8645503484d174b9094e4c3af637e6664b5b'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20141203T015747Z
20141203/us-east-1/elasticloadbalancing/aws4_request
5a56d12a4920502f4124e37a92aad475c36edda93d9865871e6a4fe1e49045c3'

@jamesls
Copy link
Member

@jamesls jamesls commented Dec 3, 2014

Does this issue happen only when a request is retried? Or does this happen everytime you run the deregister-instances-from-load-balancer command?

@ye
Copy link

@ye ye commented Dec 3, 2014

@jamesls it happens everytime now :(

@j-gibbings
Copy link

@j-gibbings j-gibbings commented Jan 28, 2015

I know this issue is closed but wanted to share that you can see this error when running in a VM which hibernates. In such cases, the system clock doesn't consistently catch up if you're using Ubuntu. Just update the time to fix (i.e. sudo ntpdate -s time.nist.gov).

@include
Copy link

@include include commented Feb 18, 2015

hello, is there any final fix on this?

@gsterndale
Copy link

@gsterndale gsterndale commented Mar 11, 2015

+1

Using version 1.7.8 of the CLI I was seeing the same SignatureDoesNotMatch error when trying the following:
$ aws iam list-users

And getting an AuthFailure for this:
$ aws ec2 describe-security-groups

After deleting my keys and trying new ones, both commands work.

This is the old secret access key that may have been the cause of my problems, note the percent, plus and forward slash characters: H2J7/oT3Fib15SwFVB1s3EnTCmg+SC7wF7qoP+dw%

@johnjelinek
Copy link

@johnjelinek johnjelinek commented Mar 11, 2015

👍 @gsterndale. My access key with % in it didn't work. I had to generate new keys.

@HamdiAKRIMI
Copy link

@HamdiAKRIMI HamdiAKRIMI commented Nov 18, 2019

I'm in a virtual machine making the host Time&Region similar to the guest Time&Region solves the problem .

@switch120
Copy link

@switch120 switch120 commented Dec 4, 2019

Just wanted to chime in that this hit me today as well on a newly created key - and after lots of frustration, landed here and saw mention of a / in the key. Sure enough, that was the issue - new key without it works. Wtf?!

@Am1rr3zA
Copy link

@Am1rr3zA Am1rr3zA commented Dec 10, 2019

I can not believe this issue's opened in 2014 and still there is no fix for it, this bug forced me to make a new set of AWS credential for myself, I even tried to encode the '/' but it didn't work :(

@bizzarri
Copy link

@bizzarri bizzarri commented Dec 11, 2019

Eliminating the credential with the "/" fixed the issue for me. Thanks to everyone for pointing this out.

@penryu
Copy link

@penryu penryu commented Jan 16, 2020

Just hit this in 2020 now. Secret key has a '+'.

aws-cli — developed by aws project — fails with valid aws keys... for 6 years?

@joelparkerhenderson
Copy link

@joelparkerhenderson joelparkerhenderson commented Jan 17, 2020

Same problem in 2020 January. Secret key has a "/" slash character.

I generated a new credential set, using the AWS IAM console, and ensured that the secret key was all alphanumeric, no "/" no "+" and so on. I replaced my old secret key with the new secret key, in my ~/.aws/credentials file, then retried.

This solved it.

@columb1a
Copy link

@columb1a columb1a commented Jan 21, 2020

Same issue here on 2020. But I can not remove none alphanumeric characters as they are part of my credentials it self, and I'm not in control of that

@bizzarri
Copy link

@bizzarri bizzarri commented Jan 21, 2020

@billlyzhaoyh
Copy link

@billlyzhaoyh billlyzhaoyh commented Feb 27, 2020

I first ran into timeout issues and after updating my awscli ran into this issue. You thought 6 years is enough to make it work...

@jeff-ofobrukweta
Copy link

@jeff-ofobrukweta jeff-ofobrukweta commented Mar 2, 2020

am also having this deploying Vue.js app through gitlab to AWS S3 bucket can someone tell me what to do
msg:fatal error: An error occurred (SignatureDoesNotMatch) when calling the ListObjectsV2 operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

@MajorTal
Copy link

@MajorTal MajorTal commented Mar 20, 2020

I did not have any non-alphanumeric chars, but working with profiled did not work, for a single profile. I regenerated the credentials using the console and the new ones just worked.

@starndawn
Copy link

@starndawn starndawn commented Apr 6, 2020

Getting such errors as well today, and regenerating the credentials without special characters ('+' or '/') works for me.

@Ash-Mokhtar
Copy link

@Ash-Mokhtar Ash-Mokhtar commented Apr 6, 2020

I still have the same issue , but it happens suddenly, I work with Get and Put operations and one works, the other doesn't. and yes my secret key doesn't contain any special characters. any help? I first call getIntent (amazon lex models API) to retrieve the intents checksum, then call putIntent to update that that intent. Get method works (Not all the time) but put method appears the same issue of signature, while if I removed Get method API from code, Put method works 2 times out of three.

@FathyRida
Copy link

@FathyRida FathyRida commented Apr 12, 2020

I had this issue, I suggest you to generate new keys
and re-configure your aws profile

aws configure

AWS Access Key ID [****************QD5E]: AWS_ACCESS_KEY_ID
AWS Secret Access Key [****************ANjA]: AWS_SECRET_ACCESS_KEY
Default region name [eu-west-3]: AWS_REGION
Default output format [json]: OUTPUT_FORMAT

@maya-harel
Copy link

@maya-harel maya-harel commented May 9, 2020

Hi !

I am getting this same issue when using pre-signed URL returned to my client
The URL is generated in the server (for a limited time). The server is python and I don't see any error there, but the client is JS - only gets the URL and opens it. Part of the URL are generated credentials for this resource)

The error is on and off, so I think it is related to what is said here about special keys in the credentials, but since I am using credentials generated in the server - I cannot change them !

Any way to take care of this in the code ? parse the specials keys somehow ?

@Ash-Mokhtar
Copy link

@Ash-Mokhtar Ash-Mokhtar commented May 9, 2020

Hi !

I am getting this same issue when using pre-signed URL returned to my client
The URL is generated in the server (for a limited time). The server is python and I don't see any error there, but the client is JS - only gets the URL and opens it. Part of the URL are generated credentials for this resource)

The error is on and off, so I think it is related to what is said here about special keys in the credentials, but since I am using credentials generated in the server - I cannot change them !

Any way to take care of this in the code ? parse the specials keys somehow ?

@maya-harel you can change the credentials from IAM -> users select user you have created and re-generate the secret key security credentials tab.

also timing in code is really fatal, for each request you make in back-end, get the current time to use it in header to generate the signature.

@penryu
Copy link

@penryu penryu commented May 9, 2020

As an aside, there have been a lot of blind "regenerate your IAM credentials" suggestions to users who've explicitly said it's not an option for them.

This is not helpful to the users, and distracts from the fact that this is a known bug that continues to affect aws-cli users attempting to use valid IAM credentials.

@golharam
Copy link

@golharam golharam commented May 14, 2020

Running into this as well.
$ aws --version
aws-cli/1.16.300 Python/2.7.16 Linux/4.14.152-127.182.amzn2.x86_64 botocore/1.13.36

My keys are completely alpha-numeric, no special characters.

The keys work from the shell, however when used via Jenkins in a Makefile target, this error occurs. Not sure what is happening here.

@KeeonTabrizi
Copy link

@KeeonTabrizi KeeonTabrizi commented May 23, 2020

My secret key has both / and + in it. Running into this issue and have tried:

  • Trough aws-cli > aws iam get-user (using ~/.aws/credentials file)
  • boto3 (through python 3.6.8)
    • Hardcoded keys
    • Envirnoment Variable
    • Argument boto3.Session(profile_name=PROFILE) (which pulls from ~/.aws/credentials)

All of these result in the SignatureDoesNotMatch error.

I currently cannot regenerate the key.

What I don't understand is that I can use the S3 Protocol in Cyberduck (https://cyberduck.io/) and it works as expected. How could that be?

@clintonmedbery
Copy link

@clintonmedbery clintonmedbery commented May 28, 2020

This has to be one of the most frustrating bugs I have encountered and it's nuts that it hasn't been fixed. Getting a cred without a "+" worked for me in CircleCI.

@manel00
Copy link

@manel00 manel00 commented Jun 5, 2020

Is it still crashing? facing the same problem, wow i cannot be possible...

@rcmelendez
Copy link

@rcmelendez rcmelendez commented Jun 10, 2020

Yes, it is frustrating. My secret key that had a + didn't work in a Jenkins pipeline, but when I generated a new one, which only had a few of /, worked fine.

@georgesamy
Copy link

@georgesamy georgesamy commented Jun 11, 2020

I had this issue on package installed version of awscli on Ubuntu 16.04. I fixed it by installing awscli as a python pip package.
For instructions, follow this link under section Installing AWS CLI using Python PIP

@dipen-1337lab
Copy link

@dipen-1337lab dipen-1337lab commented Jun 16, 2020

Issue Encountered

  1. Encountered the InvalidSignatureException error after regenerating the Access Key
  2. Partial Error log is as provided below.

$ python SetupAWS.py list_things
Traceback (most recent call last):
File "SetupAWS.py", line 222, in
list_things()
File "SetupAWS.py", line 182, in list_things
things = client.list_things()['things']
File "c:\Program Files (x86)\Python38-32\lib\site-packages\botocore-1.16.6-py3.8.egg\botocore\client.py", line 316, in _api_call
return self._make_api_call(operation_name, kwargs)
File "c:\Program Files (x86)\Python38-32\lib\site-packages\botocore-1.16.6-py3.8.egg\botocore\client.py", line 626, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidSignatureException) when calling the ListThings operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Root Cause Analysis

  1. As suggested by many in their comments above, the presence of "+" in my Secret Access Key was resulting in the above error.

Resolution

  1. Generated new Access Key as an IAM User and verified that the new Secret Access Key does not contain a "+" within the string.
  2. Ran the aws configure command and provided the new values.
  3. Ran the python SetupAWS.py list_things command, which successfully listed my thing, as shown below,

$ python SetupAWS.py list_things
[{'thingName': 'myThingName', 'thingArn': 'myThingArn', 'attributes': {}, 'version': 1}]

@kdaily
Copy link
Member

@kdaily kdaily commented Jun 24, 2020

This issue has been open for six years, and I thank you for your patience, persistence, and the information you have provided. A few underlying causes have been identified through your comments (#602 (comment)) and compiled into the Command Line User Guide Troubleshooting Errors chapter. These causes include clock skew and some operating systems mishandling keys with special characters.

I attempted to reproduce this using a number of different environments. I used Ubuntu 16.04, Ubuntu 18.04, and Amazon Linux 2, with Python 3.6.8 and 3.8.3. While many commenters used Python 2, I did not attempt to reproduce since it is no longer supported. I used the latest v1 aws-cli (1.18.80 at the time of writing) as well as an older version (1.11.78) referenced in this issue. I used the script provided (#602 (comment)) by @jamesls that creates new credential pairs until it encounters one with special characters and let them run for up to an hour each. I did not have any occurrences of a SignatureDoesNotMatch error. I received occasional AuthFailure errors on the describe-instances command, but a retry of the command with the same credentials succeeds.

The large number of comments makes it difficult for new users coming to this issue to find requests from our developer team for troubleshooting suggestions. To assist our team and the community in determining a cause of this error, I am closing this issue and creating a specific GitHub issue template that includes guidance and comment requirements for users encountering this error.

If you encounter this error, please head over to the issues tab, click the “New Issue” button, and use the template for a SignatureDoesNotMatch error report (or use the link below).

Due to the variation of user environments where this error occurs, please file a separate issue instead of commenting on an existing one.

Click here to file a SignatureDoesNotMatch error report

@kdaily kdaily closed this Jun 24, 2020
@aws aws locked and limited conversation to collaborators Jun 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet