New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SignatureDoesNotMatch error #602

Open
thomaswitt opened this Issue Jan 22, 2014 · 125 comments

Comments

Projects
None yet
@thomaswitt

thomaswitt commented Jan 22, 2014

I keep on getting a A client error (SignatureDoesNotMatch) occurred when calling the ListUsers operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

I set the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION.

@jamesls

This comment has been minimized.

Show comment
Hide comment
@jamesls

jamesls Jan 22, 2014

Member

EDIT: If you are running into this issue, we'd appreciate your help in troubleshooting. I'm updating this comment for better visibility on troubleshooting steps.

Troubleshooting

The first step for troubleshooting this is to determine whether or not the issue is with the credentials themselves or with the CLI. To test this, try using these credentials in other AWS SDKs (javascript, ruby, java, etc). To help with this, I've created a test script that uses the AWS SDK for python and javascript which is available here: https://github.com/jamesls/aws-creds-test . After cloning, just run make install, make test. It will prompt you for credentials (similar to the CLI) and make an API call to sts.GetCallerIdentity.

/tmp $ mkdir /tmp/repro-cli-602
/tmp $ cd /tmp/repro-cli-602/
/tmp/repro-cli-602 $ git clone git://github.com/jamesls/aws-creds-test
Cloning into 'aws-creds-test'...
...
/tmp/repro-cli-602 $ cd aws-creds-test/
/tmp/repro-cli-602/aws-creds-test (master u=) $ make install
npm install
aws-js-cli@1.0.0 /private/tmp/repro-cli-602/aws-creds-test
├─┬ aws-sdk@2.45.0
...
pip install -r requirements.txt
Requirement already satisfied: botocore<2.0.0,>=1.5.0 in /usr/local/lib/python2.7/site-packages (from -r requirements.txt (line 1))
...



/tmp/repro-cli-602/aws-creds-test (master u=) $ make test
./test-creds.sh
Testing python...
Access Key:
Secret Access Key:
AKID   hash: 4e7c36343646e1fa7495092bffcd4b9b7dd00f2f5014a189ab81f326e6472a62
AKID length: 20

SAK    hash: 941a655993caccb1a1218883b97a88b6f41762c6d03902f1cdd1e2a5de5fd82e
SAK  length: 40
Successfuly made an AWS request with the provided credentials.

Testing javasript...
Access Key: ********************
Secret Access Key: ****************************************
AKID   hash: 4e7c36343646e1fa7495092bffcd4b9b7dd00f2f5014a189ab81f326e6472a62
AKID length: 20


SAK    hash: 941a655993caccb1a1218883b97a88b6f41762c6d03902f1cdd1e2a5de5fd82e
SAK  length: 40
Sucessfully made an AWS request with the provided credentials.

For people running into this issue, please run the test script and share the output.

This should give us better insight into where this issue is occurring:

  • If the above script passes for both python and javascript but is failing when using the CLI, likely a CLI issue.
  • If the script fails for python but passes for javascript, likely an issue with botocore (which the CLI uses).
  • If the above script fails for both python and javascript, likely an issue with the actual credentials.

Thanks in advance for anyone that can help us troubleshoot this issue. Let me know if there's any questions.

Member

jamesls commented Jan 22, 2014

EDIT: If you are running into this issue, we'd appreciate your help in troubleshooting. I'm updating this comment for better visibility on troubleshooting steps.

Troubleshooting

The first step for troubleshooting this is to determine whether or not the issue is with the credentials themselves or with the CLI. To test this, try using these credentials in other AWS SDKs (javascript, ruby, java, etc). To help with this, I've created a test script that uses the AWS SDK for python and javascript which is available here: https://github.com/jamesls/aws-creds-test . After cloning, just run make install, make test. It will prompt you for credentials (similar to the CLI) and make an API call to sts.GetCallerIdentity.

/tmp $ mkdir /tmp/repro-cli-602
/tmp $ cd /tmp/repro-cli-602/
/tmp/repro-cli-602 $ git clone git://github.com/jamesls/aws-creds-test
Cloning into 'aws-creds-test'...
...
/tmp/repro-cli-602 $ cd aws-creds-test/
/tmp/repro-cli-602/aws-creds-test (master u=) $ make install
npm install
aws-js-cli@1.0.0 /private/tmp/repro-cli-602/aws-creds-test
├─┬ aws-sdk@2.45.0
...
pip install -r requirements.txt
Requirement already satisfied: botocore<2.0.0,>=1.5.0 in /usr/local/lib/python2.7/site-packages (from -r requirements.txt (line 1))
...



/tmp/repro-cli-602/aws-creds-test (master u=) $ make test
./test-creds.sh
Testing python...
Access Key:
Secret Access Key:
AKID   hash: 4e7c36343646e1fa7495092bffcd4b9b7dd00f2f5014a189ab81f326e6472a62
AKID length: 20

SAK    hash: 941a655993caccb1a1218883b97a88b6f41762c6d03902f1cdd1e2a5de5fd82e
SAK  length: 40
Successfuly made an AWS request with the provided credentials.

Testing javasript...
Access Key: ********************
Secret Access Key: ****************************************
AKID   hash: 4e7c36343646e1fa7495092bffcd4b9b7dd00f2f5014a189ab81f326e6472a62
AKID length: 20


SAK    hash: 941a655993caccb1a1218883b97a88b6f41762c6d03902f1cdd1e2a5de5fd82e
SAK  length: 40
Sucessfully made an AWS request with the provided credentials.

For people running into this issue, please run the test script and share the output.

This should give us better insight into where this issue is occurring:

  • If the above script passes for both python and javascript but is failing when using the CLI, likely a CLI issue.
  • If the script fails for python but passes for javascript, likely an issue with botocore (which the CLI uses).
  • If the above script fails for both python and javascript, likely an issue with the actual credentials.

Thanks in advance for anyone that can help us troubleshoot this issue. Let me know if there's any questions.

@thomaswitt

This comment has been minimized.

Show comment
Hide comment
@thomaswitt

thomaswitt Jan 23, 2014

This is how it looks like:

thomas@iMac:~ $ echo $AWS_ACCESS_KEY_ID
AKIAXXXXXXXXXXXXXXXX
thomas@iMac:~ $ echo $AWS_SECRET_ACCESS_KEY
abcaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+0
thomas@iMac:~ $ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
              env    AWS_ACCESS_KEY_ID
              env    AWS_SECRET_ACCESS_KEY
    region                eu-west-1              env    AWS_DEFAULT_REGION

thomaswitt commented Jan 23, 2014

This is how it looks like:

thomas@iMac:~ $ echo $AWS_ACCESS_KEY_ID
AKIAXXXXXXXXXXXXXXXX
thomas@iMac:~ $ echo $AWS_SECRET_ACCESS_KEY
abcaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+0
thomas@iMac:~ $ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
              env    AWS_ACCESS_KEY_ID
              env    AWS_SECRET_ACCESS_KEY
    region                eu-west-1              env    AWS_DEFAULT_REGION
@foscraig

This comment has been minimized.

Show comment
Hide comment
@foscraig

foscraig Apr 4, 2014

Contributor

Any updates on this issue? I'm also encountering this error and my credentials file hasn't changed.

Contributor

foscraig commented Apr 4, 2014

Any updates on this issue? I'm also encountering this error and my credentials file hasn't changed.

@squirvoid

This comment has been minimized.

Show comment
Hide comment
@squirvoid

squirvoid Apr 28, 2014

I have a similar issue. Jenkins s3 plugin is able to put an object using my credentials, but the aws-cli is giving me the errors below.

aws s3 cp s3://my-bucket/folder/test.txt test.txt
A client error (Forbidden) occurred when calling the HeadObject operation: Forbidden Completed 1 part(s) with ... file(s) remaining

aws s3api get-object --bucket my-bucket --key folder/test.txt test.txt
A client error (SignatureDoesNotMatch) occurred when calling the GetObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

squirvoid commented Apr 28, 2014

I have a similar issue. Jenkins s3 plugin is able to put an object using my credentials, but the aws-cli is giving me the errors below.

aws s3 cp s3://my-bucket/folder/test.txt test.txt
A client error (Forbidden) occurred when calling the HeadObject operation: Forbidden Completed 1 part(s) with ... file(s) remaining

aws s3api get-object --bucket my-bucket --key folder/test.txt test.txt
A client error (SignatureDoesNotMatch) occurred when calling the GetObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.
@JeremyShort

This comment has been minimized.

Show comment
Hide comment
@JeremyShort

JeremyShort May 14, 2014

I am running into the same issue. If I make up a secret it gives me a different (AuthFailure) error.

[ec2-user@ip-127.0.0.1]]$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************AMKA              env    AWS_ACCESS_KEY_ID
secret_key     ****************jPU2              env    AWS_SECRET_ACCESS_KEY
    region                us-west-2              env    AWS_DEFAULT_REGION

This is pretty much stopping me completely. I can do some things with the ec2-blah-stuff utilities by specifying x509 certs but the help says that's deprecated so I don't want to depend on it. Any help troubleshooting or what ever would really be appreciated.

JeremyShort commented May 14, 2014

I am running into the same issue. If I make up a secret it gives me a different (AuthFailure) error.

[ec2-user@ip-127.0.0.1]]$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************AMKA              env    AWS_ACCESS_KEY_ID
secret_key     ****************jPU2              env    AWS_SECRET_ACCESS_KEY
    region                us-west-2              env    AWS_DEFAULT_REGION

This is pretty much stopping me completely. I can do some things with the ec2-blah-stuff utilities by specifying x509 certs but the help says that's deprecated so I don't want to depend on it. Any help troubleshooting or what ever would really be appreciated.

@jamesls

This comment has been minimized.

Show comment
Hide comment
@jamesls

jamesls May 14, 2014

Member

The first step would be to ensure that your access/secret keys are actually valid. A few things to try:

  • Does these same access/secret key credentials work with other tools? (The java/javascript/ruby/python SDK?)
  • Do other commands besides "aws s3" work for you? Does "aws ec2 describe-instances" still generate auth errors?
Member

jamesls commented May 14, 2014

The first step would be to ensure that your access/secret keys are actually valid. A few things to try:

  • Does these same access/secret key credentials work with other tools? (The java/javascript/ruby/python SDK?)
  • Do other commands besides "aws s3" work for you? Does "aws ec2 describe-instances" still generate auth errors?
@JeremyShort

This comment has been minimized.

Show comment
Hide comment
@JeremyShort

JeremyShort May 15, 2014

They do not work with other tools (ec2-describe-instance for instance).

I think I have the appropriate rights since using the certs works. To make sure it's not a workstation thing I built an Amazon Linux instance and I'm using the awscli verison that comes with it but getting the same message.

JeremyShort commented May 15, 2014

They do not work with other tools (ec2-describe-instance for instance).

I think I have the appropriate rights since using the certs works. To make sure it's not a workstation thing I built an Amazon Linux instance and I'm using the awscli verison that comes with it but getting the same message.

@TeePaps

This comment has been minimized.

Show comment
Hide comment
@TeePaps

TeePaps Jul 16, 2014

Also an issue for me. I'm using it in a docker container, built with the same Dockerfile.
It works fine when built on an EC2, but does not work when built locally on a coreos vagrant box.

TeePaps commented Jul 16, 2014

Also an issue for me. I'm using it in a docker container, built with the same Dockerfile.
It works fine when built on an EC2, but does not work when built locally on a coreos vagrant box.

@jamesls

This comment has been minimized.

Show comment
Hide comment
@jamesls

jamesls Jul 28, 2014

Member

It looks like the issue is with the credentials themselves. I've double checked this, and I'm not able to repro this issue. Double check the credentials on the security credentials page. If someone can provide an exact set of steps that demonstrate the issue, I'd be happy to take another look.

Member

jamesls commented Jul 28, 2014

It looks like the issue is with the credentials themselves. I've double checked this, and I'm not able to repro this issue. Double check the credentials on the security credentials page. If someone can provide an exact set of steps that demonstrate the issue, I'd be happy to take another look.

@jamesls jamesls closed this Jul 28, 2014

@rvfn

This comment has been minimized.

Show comment
Hide comment
@rvfn

rvfn Aug 1, 2014

Just had this happening to me and was a result of my system time being off by too much even though it did not report that. Ran ntpdate against pool.ntp.org and fixed this problem for me.

rvfn commented Aug 1, 2014

Just had this happening to me and was a result of my system time being off by too much even though it did not report that. Ran ntpdate against pool.ntp.org and fixed this problem for me.

@anuraj-optimizely

This comment has been minimized.

Show comment
Hide comment
@anuraj-optimizely

anuraj-optimizely Oct 14, 2014

If you are getting this error when cred are setup using env variable, try sudo

anuraj-optimizely commented Oct 14, 2014

If you are getting this error when cred are setup using env variable, try sudo

@rcosnita

This comment has been minimized.

Show comment
Hide comment
@rcosnita

rcosnita Oct 24, 2014

If you are in a virtual machine make sure your host os time matches the guest os time. If this is not the case you will get into the error you described.

rcosnita commented Oct 24, 2014

If you are in a virtual machine make sure your host os time matches the guest os time. If this is not the case you will get into the error you described.

@j0ni

This comment has been minimized.

Show comment
Hide comment
@j0ni

j0ni Nov 3, 2014

A very similar error occurs for me with good credentials, whilst listing a bucket which has a lot of keys in it. Here's the error:

A client error (SignatureDoesNotMatch) occurred when calling the ListObjects operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Here's my output from aws configure list

      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************4UNA shared-credentials-file
secret_key     ****************MNOG shared-credentials-file
    region                <not set>             None    None

Note that these credentials work fine with other aws invocations, and in fact this list op runs for a long time (more than an hour) before bailing with this error. I have a file with over 82,000 lines of output in it from the command which eventually failed.

j0ni commented Nov 3, 2014

A very similar error occurs for me with good credentials, whilst listing a bucket which has a lot of keys in it. Here's the error:

A client error (SignatureDoesNotMatch) occurred when calling the ListObjects operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Here's my output from aws configure list

      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************4UNA shared-credentials-file
secret_key     ****************MNOG shared-credentials-file
    region                <not set>             None    None

Note that these credentials work fine with other aws invocations, and in fact this list op runs for a long time (more than an hour) before bailing with this error. I have a file with over 82,000 lines of output in it from the command which eventually failed.

@aub

This comment has been minimized.

Show comment
Hide comment
@aub

aub Nov 14, 2014

I've been getting this issue, and if I just sleep my script for a second and try again then it goes through. It's almost like it's getting throttled and returning the wrong error or something.

aub commented Nov 14, 2014

I've been getting this issue, and if I just sleep my script for a second and try again then it goes through. It's almost like it's getting throttled and returning the wrong error or something.

@ansjob

This comment has been minimized.

Show comment
Hide comment
@ansjob

ansjob Nov 18, 2014

I can report this issue too. Trying to upload a 11 GB file using aws cp foo s3://mybucket/foo/bar I get various errors like:

A client error (SignatureDoesNotMatch) occurred when calling the UploadPart operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

and

Max retries exceeded with url: /***REDACTED***?partNumber=196&uploadId=B2viwGFF4Lmq5itbs8ipqwBExx0BWGRm3gkG_D5EYTiU8uEO_tmUT.d.i7BcgPnP5npZa.OW7yMfJ3ZhhLJD61zP7EVv.5.ZftCJQbKNdkEBeijGBqWlrxz4vMx3B05Q (Caused by <class 'socket.gaierror'>: [Errno -2] Name or service not known)

I've checked that my system time is correct. I also noticed considerable slowness (on the level of http requests timing out) on the same system while uploading, so this being a throttling issue does sound reasonable. It also works fine to upload small files with the same credentials, and using the web console from the same machine, so this does appear to be a aws-cli problem.

ansjob commented Nov 18, 2014

I can report this issue too. Trying to upload a 11 GB file using aws cp foo s3://mybucket/foo/bar I get various errors like:

A client error (SignatureDoesNotMatch) occurred when calling the UploadPart operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

and

Max retries exceeded with url: /***REDACTED***?partNumber=196&uploadId=B2viwGFF4Lmq5itbs8ipqwBExx0BWGRm3gkG_D5EYTiU8uEO_tmUT.d.i7BcgPnP5npZa.OW7yMfJ3ZhhLJD61zP7EVv.5.ZftCJQbKNdkEBeijGBqWlrxz4vMx3B05Q (Caused by <class 'socket.gaierror'>: [Errno -2] Name or service not known)

I've checked that my system time is correct. I also noticed considerable slowness (on the level of http requests timing out) on the same system while uploading, so this being a throttling issue does sound reasonable. It also works fine to upload small files with the same credentials, and using the web console from the same machine, so this does appear to be a aws-cli problem.

@ranrub

This comment has been minimized.

Show comment
Hide comment
@ranrub

ranrub Nov 19, 2014

This happened to me with too with aws-cli 1.5.5, updating aws-cli to 1.6.2 solved it.

ranrub commented Nov 19, 2014

This happened to me with too with aws-cli 1.5.5, updating aws-cli to 1.6.2 solved it.

@ansjob

This comment has been minimized.

Show comment
Hide comment
@ansjob

ansjob Nov 19, 2014

Happens to me with 1.6.2

ansjob commented Nov 19, 2014

Happens to me with 1.6.2

@ye

This comment has been minimized.

Show comment
Hide comment
@ye

ye Nov 25, 2014

This happened to me today. This is new to me. Been using awl-cli for a few months no problem and no change to the credentials AFAIK.

$ aws configure --profile ye list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                       ye           manual    --profile
access_key     ****************ERMQ shared-credentials-file    
secret_key     ****************E8Id shared-credentials-file    
    region                us-east-1      config-file    ~/.aws/config

ye commented Nov 25, 2014

This happened to me today. This is new to me. Been using awl-cli for a few months no problem and no change to the credentials AFAIK.

$ aws configure --profile ye list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                       ye           manual    --profile
access_key     ****************ERMQ shared-credentials-file    
secret_key     ****************E8Id shared-credentials-file    
    region                us-east-1      config-file    ~/.aws/config
@jamesls

This comment has been minimized.

Show comment
Hide comment
@jamesls

jamesls Nov 25, 2014

Member

I believe this issue is now fixed via boto/botocore#388, and will be available in the next AWS CLI release.

Member

jamesls commented Nov 25, 2014

I believe this issue is now fixed via boto/botocore#388, and will be available in the next AWS CLI release.

@ye

This comment has been minimized.

Show comment
Hide comment
@ye

ye Nov 25, 2014

@jamesls confirmed fixed on awscli version 1.6.4. I was using 1.5.4. Thanks!

ye commented Nov 25, 2014

@jamesls confirmed fixed on awscli version 1.6.4. I was using 1.5.4. Thanks!

@wolfeidau

This comment has been minimized.

Show comment
Hide comment
@wolfeidau

wolfeidau Dec 2, 2014

I am getting this issue on a fresh ubuntu system.

A client error (SignatureDoesNotMatch) occurred when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Installed aws-cli via pip

$ pip list
ansible (1.5.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.6.5)
bcdoc (0.12.2)
botocore (0.76.0)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.11)
html5lib (0.999)
httplib2 (0.8)
Jinja2 (2.7.2)
jmespath (0.5.0)
jsonpatch (1.3)
jsonpointer (1.0)
Landscape-Client (14.01)
MarkupSafe (0.18)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
Pillow (2.3.0)
pip (1.5.4)
prettytable (0.7.2)
pyasn1 (0.1.7)
pycrypto (2.6.1)
pycurl (7.19.3)
Pygments (1.6)
pyinotify (0.9.4)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5)
python-dateutil (2.3)
python-debian (0.1.21-nmu2ubuntu2)
PyYAML (3.10)
requests (2.2.1)
roman (2.0.0)
rsa (3.1.2)
setuptools (3.3)
six (1.5.2)
Sphinx (1.2.2)
ssh-import-id (3.21)
Twisted-Core (13.2.0)
urllib3 (1.7.1)
wsgiref (0.1.2)
zope.interface (4.0.5)

Any ideas on how to fix it?

wolfeidau commented Dec 2, 2014

I am getting this issue on a fresh ubuntu system.

A client error (SignatureDoesNotMatch) occurred when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Installed aws-cli via pip

$ pip list
ansible (1.5.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.6.5)
bcdoc (0.12.2)
botocore (0.76.0)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.11)
html5lib (0.999)
httplib2 (0.8)
Jinja2 (2.7.2)
jmespath (0.5.0)
jsonpatch (1.3)
jsonpointer (1.0)
Landscape-Client (14.01)
MarkupSafe (0.18)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
Pillow (2.3.0)
pip (1.5.4)
prettytable (0.7.2)
pyasn1 (0.1.7)
pycrypto (2.6.1)
pycurl (7.19.3)
Pygments (1.6)
pyinotify (0.9.4)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5)
python-dateutil (2.3)
python-debian (0.1.21-nmu2ubuntu2)
PyYAML (3.10)
requests (2.2.1)
roman (2.0.0)
rsa (3.1.2)
setuptools (3.3)
six (1.5.2)
Sphinx (1.2.2)
ssh-import-id (3.21)
Twisted-Core (13.2.0)
urllib3 (1.7.1)
wsgiref (0.1.2)
zope.interface (4.0.5)

Any ideas on how to fix it?

@aub

This comment has been minimized.

Show comment
Hide comment
@aub

aub Dec 2, 2014

My solution was to sleep for a few seconds and then try it again, but it
sounds like there may be an update to the tool that fixes it as well.

On Tue, Dec 2, 2014 at 3:38 AM, Mark Wolfe notifications@github.com wrote:

I am getting this issue on a fresh ubuntu system.

A client error (SignatureDoesNotMatch) occurred when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Installed aws-cli via pip

$ pip list
ansible (1.5.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.6.5)
bcdoc (0.12.2)
botocore (0.76.0)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.11)
html5lib (0.999)
httplib2 (0.8)
Jinja2 (2.7.2)
jmespath (0.5.0)
jsonpatch (1.3)
jsonpointer (1.0)
Landscape-Client (14.01)
MarkupSafe (0.18)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
Pillow (2.3.0)
pip (1.5.4)
prettytable (0.7.2)
pyasn1 (0.1.7)
pycrypto (2.6.1)
pycurl (7.19.3)
Pygments (1.6)
pyinotify (0.9.4)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5)
python-dateutil (2.3)
python-debian (0.1.21-nmu2ubuntu2)
PyYAML (3.10)
requests (2.2.1)
roman (2.0.0)
rsa (3.1.2)
setuptools (3.3)
six (1.5.2)
Sphinx (1.2.2)
ssh-import-id (3.21)
Twisted-Core (13.2.0)
urllib3 (1.7.1)
wsgiref (0.1.2)
zope.interface (4.0.5)

Any ideas on how to fix it?


Reply to this email directly or view it on GitHub
#602 (comment).

aub commented Dec 2, 2014

My solution was to sleep for a few seconds and then try it again, but it
sounds like there may be an update to the tool that fixes it as well.

On Tue, Dec 2, 2014 at 3:38 AM, Mark Wolfe notifications@github.com wrote:

I am getting this issue on a fresh ubuntu system.

A client error (SignatureDoesNotMatch) occurred when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Installed aws-cli via pip

$ pip list
ansible (1.5.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.6.5)
bcdoc (0.12.2)
botocore (0.76.0)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.11)
html5lib (0.999)
httplib2 (0.8)
Jinja2 (2.7.2)
jmespath (0.5.0)
jsonpatch (1.3)
jsonpointer (1.0)
Landscape-Client (14.01)
MarkupSafe (0.18)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
Pillow (2.3.0)
pip (1.5.4)
prettytable (0.7.2)
pyasn1 (0.1.7)
pycrypto (2.6.1)
pycurl (7.19.3)
Pygments (1.6)
pyinotify (0.9.4)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5)
python-dateutil (2.3)
python-debian (0.1.21-nmu2ubuntu2)
PyYAML (3.10)
requests (2.2.1)
roman (2.0.0)
rsa (3.1.2)
setuptools (3.3)
six (1.5.2)
Sphinx (1.2.2)
ssh-import-id (3.21)
Twisted-Core (13.2.0)
urllib3 (1.7.1)
wsgiref (0.1.2)
zope.interface (4.0.5)

Any ideas on how to fix it?


Reply to this email directly or view it on GitHub
#602 (comment).

@ye

This comment has been minimized.

Show comment
Hide comment
@ye

ye Dec 3, 2014

@wolfeidau and yeah I spoke too soon. The locally pip installed awscli is giving the SignatureDoesNotMatch errors again. Yikes!

A client error (SignatureDoesNotMatch) occurred when calling the DeregisterInstancesFromLoadBalancer operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/

host:elasticloadbalancing.us-east-1.amazonaws.com
user-agent:aws-cli/1.6.5 Python/2.7.8 Darwin/13.4.0
x-amz-date:20141203T015747Z

host;user-agent;x-amz-date
1d9dafbf4bfa9b1225d91bdbf99d8645503484d174b9094e4c3af637e6664b5b'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20141203T015747Z
20141203/us-east-1/elasticloadbalancing/aws4_request
5a56d12a4920502f4124e37a92aad475c36edda93d9865871e6a4fe1e49045c3'

ye commented Dec 3, 2014

@wolfeidau and yeah I spoke too soon. The locally pip installed awscli is giving the SignatureDoesNotMatch errors again. Yikes!

A client error (SignatureDoesNotMatch) occurred when calling the DeregisterInstancesFromLoadBalancer operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/

host:elasticloadbalancing.us-east-1.amazonaws.com
user-agent:aws-cli/1.6.5 Python/2.7.8 Darwin/13.4.0
x-amz-date:20141203T015747Z

host;user-agent;x-amz-date
1d9dafbf4bfa9b1225d91bdbf99d8645503484d174b9094e4c3af637e6664b5b'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20141203T015747Z
20141203/us-east-1/elasticloadbalancing/aws4_request
5a56d12a4920502f4124e37a92aad475c36edda93d9865871e6a4fe1e49045c3'
@jamesls

This comment has been minimized.

Show comment
Hide comment
@jamesls

jamesls Dec 3, 2014

Member

Does this issue happen only when a request is retried? Or does this happen everytime you run the deregister-instances-from-load-balancer command?

Member

jamesls commented Dec 3, 2014

Does this issue happen only when a request is retried? Or does this happen everytime you run the deregister-instances-from-load-balancer command?

@ye

This comment has been minimized.

Show comment
Hide comment
@ye

ye Dec 3, 2014

@jamesls it happens everytime now :(

ye commented Dec 3, 2014

@jamesls it happens everytime now :(

@Clepher

This comment has been minimized.

Show comment
Hide comment
@Clepher

Clepher Jan 28, 2015

I know this issue is closed but wanted to share that you can see this error when running in a VM which hibernates. In such cases, the system clock doesn't consistently catch up if you're using Ubuntu. Just update the time to fix (i.e. sudo ntpdate -s time.nist.gov).

Clepher commented Jan 28, 2015

I know this issue is closed but wanted to share that you can see this error when running in a VM which hibernates. In such cases, the system clock doesn't consistently catch up if you're using Ubuntu. Just update the time to fix (i.e. sudo ntpdate -s time.nist.gov).

@include

This comment has been minimized.

Show comment
Hide comment
@include

include Feb 18, 2015

hello, is there any final fix on this?

include commented Feb 18, 2015

hello, is there any final fix on this?

@gsterndale

This comment has been minimized.

Show comment
Hide comment
@gsterndale

gsterndale Mar 11, 2015

+1

Using version 1.7.8 of the CLI I was seeing the same SignatureDoesNotMatch error when trying the following:
$ aws iam list-users

And getting an AuthFailure for this:
$ aws ec2 describe-security-groups

After deleting my keys and trying new ones, both commands work.

This is the old secret access key that may have been the cause of my problems, note the percent, plus and forward slash characters: H2J7/oT3Fib15SwFVB1s3EnTCmg+SC7wF7qoP+dw%

gsterndale commented Mar 11, 2015

+1

Using version 1.7.8 of the CLI I was seeing the same SignatureDoesNotMatch error when trying the following:
$ aws iam list-users

And getting an AuthFailure for this:
$ aws ec2 describe-security-groups

After deleting my keys and trying new ones, both commands work.

This is the old secret access key that may have been the cause of my problems, note the percent, plus and forward slash characters: H2J7/oT3Fib15SwFVB1s3EnTCmg+SC7wF7qoP+dw%

@johnjelinek

This comment has been minimized.

Show comment
Hide comment
@johnjelinek

johnjelinek Mar 11, 2015

👍 @gsterndale. My access key with % in it didn't work. I had to generate new keys.

johnjelinek commented Mar 11, 2015

👍 @gsterndale. My access key with % in it didn't work. I had to generate new keys.

@hellais

This comment has been minimized.

Show comment
Hide comment
@hellais

hellais May 25, 2015

I have also experienced this issue multiple times. Every time regenerating the key until I got one without any special character in it (in particular I was having issues with the + sign in the secret) fixed it.

hellais commented May 25, 2015

I have also experienced this issue multiple times. Every time regenerating the key until I got one without any special character in it (in particular I was having issues with the + sign in the secret) fixed it.

@mikeatlas

This comment has been minimized.

Show comment
Hide comment
@mikeatlas

mikeatlas Jun 8, 2015

Truthfully all of my signing key problems melted away when I switched from running the command on an ubuntu machine instead of a local mac homebrew installation.

mikeatlas commented Jun 8, 2015

Truthfully all of my signing key problems melted away when I switched from running the command on an ubuntu machine instead of a local mac homebrew installation.

@nimalhot84

This comment has been minimized.

Show comment
Hide comment
@nimalhot84

nimalhot84 Aug 9, 2015

I am very new to AWS , faced this issuse right away on node js

              ^

SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the s
vice documentation for details.

The Canonical String for this request should have been
'POST
/

host:email.us-west-2.amazonaws.com
x-amz-content-sha256:89cdc817a829111278fbed35aacc694db71669f3845874beaecaf00ff2be1a39
x-amz-date:20150809T053346Z

host;x-amz-content-sha256;x-amz-date
89cdc817a829111278fbed35aacc694db71669f3845874beaecaf00ff2be1a39'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20150809T053346Z
20150809/us-west-2/ses/aws4_request
0b908b0248bae550b814b37629a418707742416377816b5a5e78e1897b72293e'

nimalhot84 commented Aug 9, 2015

I am very new to AWS , faced this issuse right away on node js

              ^

SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the s
vice documentation for details.

The Canonical String for this request should have been
'POST
/

host:email.us-west-2.amazonaws.com
x-amz-content-sha256:89cdc817a829111278fbed35aacc694db71669f3845874beaecaf00ff2be1a39
x-amz-date:20150809T053346Z

host;x-amz-content-sha256;x-amz-date
89cdc817a829111278fbed35aacc694db71669f3845874beaecaf00ff2be1a39'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20150809T053346Z
20150809/us-west-2/ses/aws4_request
0b908b0248bae550b814b37629a418707742416377816b5a5e78e1897b72293e'

@mcobzarenco

This comment has been minimized.

Show comment
Hide comment
@mcobzarenco

mcobzarenco Sep 22, 2015

+1

I am having this problem for all aws s3 commands (awscli 1.8.6 on ubuntu 14.04 LTS).
Are there any known solutions? I tried deleting my credentials file and run aws configure, rebooting, reinstalling awscli.

mcobzarenco commented Sep 22, 2015

+1

I am having this problem for all aws s3 commands (awscli 1.8.6 on ubuntu 14.04 LTS).
Are there any known solutions? I tried deleting my credentials file and run aws configure, rebooting, reinstalling awscli.

@gsterndale

This comment has been minimized.

Show comment
Hide comment
@gsterndale

gsterndale Sep 22, 2015

@mcobzarenco, have you tried new keys?

gsterndale commented Sep 22, 2015

@mcobzarenco, have you tried new keys?

@mcobzarenco

This comment has been minimized.

Show comment
Hide comment
@mcobzarenco

mcobzarenco Sep 23, 2015

@gsterndale I saw the comment above about having slashes in old keys, but that's not the case and my keys were recently generated (in June 2015). I only have this problem on AWS Ubuntu 14.04 LTS. On my laptop (14.04) awscli (same version) works fine.

mcobzarenco commented Sep 23, 2015

@gsterndale I saw the comment above about having slashes in old keys, but that's not the case and my keys were recently generated (in June 2015). I only have this problem on AWS Ubuntu 14.04 LTS. On my laptop (14.04) awscli (same version) works fine.

@gsterndale

This comment has been minimized.

Show comment
Hide comment
@gsterndale

gsterndale Sep 23, 2015

@mcobzarenco I don't think it's the age of the keys, rather the special characters in them. When I originally created keys, they happened to have percent, plus and forward slash characters. While debugging the issue I tried deleting and creating new keys. These new ones luckily did not have any of these characters and they work.

gsterndale commented Sep 23, 2015

@mcobzarenco I don't think it's the age of the keys, rather the special characters in them. When I originally created keys, they happened to have percent, plus and forward slash characters. While debugging the issue I tried deleting and creating new keys. These new ones luckily did not have any of these characters and they work.

@stebl

This comment has been minimized.

Show comment
Hide comment
@stebl

stebl Oct 2, 2015

just ran into this problem on ubuntu. When I entered the keys via cli, it stored them in ~/.aws/config, but stripped away the '+' character. Manually editing the file to add the '+' allowed me to connect.

stebl commented Oct 2, 2015

just ran into this problem on ubuntu. When I entered the keys via cli, it stored them in ~/.aws/config, but stripped away the '+' character. Manually editing the file to add the '+' allowed me to connect.

@mcobzarenco

This comment has been minimized.

Show comment
Hide comment
@mcobzarenco

mcobzarenco Oct 2, 2015

@gsterndale Thanks for the tip, I can confirm that generating a new key that doesn't contain + worked for me as well. @stebl's solution is nice if it's inconvenient to replace the keys.

mcobzarenco commented Oct 2, 2015

@gsterndale Thanks for the tip, I can confirm that generating a new key that doesn't contain + worked for me as well. @stebl's solution is nice if it's inconvenient to replace the keys.

@LewisLebentz

This comment has been minimized.

Show comment
Hide comment
@LewisLebentz

LewisLebentz May 12, 2017

I raised a support ticket to AWS yesterday, and today it appears to be resolved

I've tested multiple times and + and / both now seem to work? I can no longer reproduce this bug.

LewisLebentz commented May 12, 2017

I raised a support ticket to AWS yesterday, and today it appears to be resolved

I've tested multiple times and + and / both now seem to work? I can no longer reproduce this bug.

@bonescs

This comment has been minimized.

Show comment
Hide comment
@bonescs

bonescs May 15, 2017

I had the same issue on my Pi.
With the newest awscli (aws-cli/1.11.85 Python/3.4.2 Linux/4.9.24-v7+ botocore/1.5.48) I still had the issue:

root@pi:~# aws s3 ls s3://
An error occurred (SignatureDoesNotMatch) when calling the ListBuckets operation: The request signature we calculated does not match the signature you provided.
Check your Secret Access Key and signing method. For more information, see REST Authentication and SOAP Authentication for details.

Even with a secret key that had no special characters (+ or /) the access didn't work. The time was always in sync, unfortunately this wasn't the issue either.

In the ".aws/config" file I added a valid region (just for testing..) and suddenly it worked. Since I'm using compatible s3 storage (not s3 from Amazon)

[default]
aws_secret_access_key = MYKEY
aws_access_key_id = MYID
region = us-east-1 <-- there was a "dummy" value before.

As it looks, the region must have a "correct" value. When I change it back to something different like "dummyvalue" I get the same error as mentioned above.
Now with the value "us-east-1" it works!
Hope this helps someone.

bonescs commented May 15, 2017

I had the same issue on my Pi.
With the newest awscli (aws-cli/1.11.85 Python/3.4.2 Linux/4.9.24-v7+ botocore/1.5.48) I still had the issue:

root@pi:~# aws s3 ls s3://
An error occurred (SignatureDoesNotMatch) when calling the ListBuckets operation: The request signature we calculated does not match the signature you provided.
Check your Secret Access Key and signing method. For more information, see REST Authentication and SOAP Authentication for details.

Even with a secret key that had no special characters (+ or /) the access didn't work. The time was always in sync, unfortunately this wasn't the issue either.

In the ".aws/config" file I added a valid region (just for testing..) and suddenly it worked. Since I'm using compatible s3 storage (not s3 from Amazon)

[default]
aws_secret_access_key = MYKEY
aws_access_key_id = MYID
region = us-east-1 <-- there was a "dummy" value before.

As it looks, the region must have a "correct" value. When I change it back to something different like "dummyvalue" I get the same error as mentioned above.
Now with the value "us-east-1" it works!
Hope this helps someone.

@eikenb

This comment has been minimized.

Show comment
Hide comment
@eikenb

eikenb Jun 7, 2017

I just ran into this as well. Also seems to be an issue with a '+' in the secret key. If I have the creds in environment variables I get the error. If I put them in the ~/.aws/credentials file (by editing by hand) I don't get the error.

[edit] Just noticed the environment variables were in a file formatted for dos (ff=dos in vim). It was this because I had just taken the .csv file as downloaded and edited it to change the entries into environment variables. When I re-formatted the file into 'ff=unix' I no longer got the error. The only difference between the 2 is the line return, dos uses "CR-NL" while unix is just "NL". My guess is that it was actually that "CR" character that was the problem.

eikenb commented Jun 7, 2017

I just ran into this as well. Also seems to be an issue with a '+' in the secret key. If I have the creds in environment variables I get the error. If I put them in the ~/.aws/credentials file (by editing by hand) I don't get the error.

[edit] Just noticed the environment variables were in a file formatted for dos (ff=dos in vim). It was this because I had just taken the .csv file as downloaded and edited it to change the entries into environment variables. When I re-formatted the file into 'ff=unix' I no longer got the error. The only difference between the 2 is the line return, dos uses "CR-NL" while unix is just "NL". My guess is that it was actually that "CR" character that was the problem.

@existeundelta

This comment has been minimized.

Show comment
Hide comment
@existeundelta

existeundelta Jun 13, 2017

me too, and also confirm the "+" issue

existeundelta commented Jun 13, 2017

me too, and also confirm the "+" issue

@tylerjharden

This comment has been minimized.

Show comment
Hide comment
@tylerjharden

tylerjharden Jun 20, 2017

If you run into this when using Docker for Mac, simply restarting Docker will fix the system time discrepancy.

tylerjharden commented Jun 20, 2017

If you run into this when using Docker for Mac, simply restarting Docker will fix the system time discrepancy.

@derchrisuk

This comment has been minimized.

Show comment
Hide comment
@derchrisuk

derchrisuk Jun 21, 2017

I was facing the same problem.
Checked the secret, and it had +/ in it.
Had to create a new id pair without a special character to get it to work

derchrisuk commented Jun 21, 2017

I was facing the same problem.
Checked the secret, and it had +/ in it.
Had to create a new id pair without a special character to get it to work

@boutell

This comment has been minimized.

Show comment
Hide comment
@boutell

boutell Jun 29, 2017

Creating new keypairs until I got one with no special characters resolved it for me too; special characters (specifically +) simply do not work in ~/.aws/credentials.

boutell commented Jun 29, 2017

Creating new keypairs until I got one with no special characters resolved it for me too; special characters (specifically +) simply do not work in ~/.aws/credentials.

@Checkroth

This comment has been minimized.

Show comment
Hide comment
@Checkroth

Checkroth Jul 25, 2017

Generated key without special characters (specifically + ) fixed the issue for me too.

Formatting file as per @eikenb 's comment does the trick as well.

Checkroth commented Jul 25, 2017

Generated key without special characters (specifically + ) fixed the issue for me too.

Formatting file as per @eikenb 's comment does the trick as well.

@KumarAtwindsorinfosys

This comment has been minimized.

Show comment
Hide comment
@KumarAtwindsorinfosys

KumarAtwindsorinfosys Jul 27, 2017

Deleting the Key and creating new one worked for me.

KumarAtwindsorinfosys commented Jul 27, 2017

Deleting the Key and creating new one worked for me.

@zgr024

This comment has been minimized.

Show comment
Hide comment
@zgr024

zgr024 Aug 4, 2017

Just received this error. Updated system time which appeared to be more than 6 minutes off GMT. Fixed the issue immediately.

zgr024 commented Aug 4, 2017

Just received this error. Updated system time which appeared to be more than 6 minutes off GMT. Fixed the issue immediately.

@love8587

This comment has been minimized.

Show comment
Hide comment
@love8587

love8587 Aug 8, 2017

It was so strange and tricky for me.
I struggled with this problem and I was trying many times to resolve it.
At the moment It suddenly worked! I was surprised so I made new bucket but it didn't work. Because I had done nothing except changing code, I just waited for hours. Finally, it worked well although I did nothing. I can't believe it...

love8587 commented Aug 8, 2017

It was so strange and tricky for me.
I struggled with this problem and I was trying many times to resolve it.
At the moment It suddenly worked! I was surprised so I made new bucket but it didn't work. Because I had done nothing except changing code, I just waited for hours. Finally, it worked well although I did nothing. I can't believe it...

@Boggin

This comment has been minimized.

Show comment
Hide comment
@Boggin

Boggin Aug 15, 2017

Using aws configure in a bash shell on Windows 7 I found I had two aws_secret_access_key lines in my .aws/credentials and the second line was where I'd mis-typed a load of rubbish. Deleted the second line and it all worked.

Boggin commented Aug 15, 2017

Using aws configure in a bash shell on Windows 7 I found I had two aws_secret_access_key lines in my .aws/credentials and the second line was where I'd mis-typed a load of rubbish. Deleted the second line and it all worked.

@codingthat

This comment has been minimized.

Show comment
Hide comment
@codingthat

codingthat Sep 18, 2017

aws-cli/1.11.119 Python/2.7.12 Linux/4.4.0-53-generic botocore/1.5.82

Seeing this problem on Linux Mint here, with no + in my key or secret.

Output from the test script:

/aws-creds-test $ make test
./test-creds.sh
Testing python...
Access Key: 
Secret Access Key: 
AKID   hash: 36b0df669bfc2fa232f31ada2b40e8f58ec152b0afee875f28b21e32e2d59a30
AKID length: 20

SAK    hash: 02b21158d3ab7d2691ceef468951c3b3551704a8eea19ad4a8f59c7be38378f6
SAK  length: 40
Error making AWS request: An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Testing javasript...
Access Key: ********************
Secret Access Key: ****************************************
AKID   hash: 36b0df669bfc2fa232f31ada2b40e8f58ec152b0afee875f28b21e32e2d59a30
AKID length: 20


SAK    hash: 02b21158d3ab7d2691ceef468951c3b3551704a8eea19ad4a8f59c7be38378f6
SAK  length: 40
Error making AWS request
{ SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
    at Request.extractError (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/protocol/query.js:47:29)
    at Request.callListeners (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
  message: 'The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.',
  code: 'SignatureDoesNotMatch',
  time: 2017-09-18T20:33:23.951Z,
  requestId: '9e62c6c2-9cb0-11e7-9856-a5fd5c3e417d',
  statusCode: 403,
  retryable: false,
  retryDelay: 60.66602455065775 }
Makefile:6: recipe for target 'test' failed
make: *** [test] Error 1

codingthat commented Sep 18, 2017

aws-cli/1.11.119 Python/2.7.12 Linux/4.4.0-53-generic botocore/1.5.82

Seeing this problem on Linux Mint here, with no + in my key or secret.

Output from the test script:

/aws-creds-test $ make test
./test-creds.sh
Testing python...
Access Key: 
Secret Access Key: 
AKID   hash: 36b0df669bfc2fa232f31ada2b40e8f58ec152b0afee875f28b21e32e2d59a30
AKID length: 20

SAK    hash: 02b21158d3ab7d2691ceef468951c3b3551704a8eea19ad4a8f59c7be38378f6
SAK  length: 40
Error making AWS request: An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Testing javasript...
Access Key: ********************
Secret Access Key: ****************************************
AKID   hash: 36b0df669bfc2fa232f31ada2b40e8f58ec152b0afee875f28b21e32e2d59a30
AKID length: 20


SAK    hash: 02b21158d3ab7d2691ceef468951c3b3551704a8eea19ad4a8f59c7be38378f6
SAK  length: 40
Error making AWS request
{ SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
    at Request.extractError (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/protocol/query.js:47:29)
    at Request.callListeners (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
  message: 'The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.',
  code: 'SignatureDoesNotMatch',
  time: 2017-09-18T20:33:23.951Z,
  requestId: '9e62c6c2-9cb0-11e7-9856-a5fd5c3e417d',
  statusCode: 403,
  retryable: false,
  retryDelay: 60.66602455065775 }
Makefile:6: recipe for target 'test' failed
make: *** [test] Error 1
@codingthat

This comment has been minimized.

Show comment
Hide comment
@codingthat

codingthat Sep 18, 2017

After upgrading awscli to aws-cli/1.11.154 Python/2.7.12 Linux/4.4.0-53-generic botocore/1.7.12:

$ make test
./test-creds.sh
Testing python...
Access Key: 
Secret Access Key: 
AKID   hash: 0cdf83ac8cf800ca46738682ff5a0ab35d94891a568fc6fd9115ecf13dcce542
AKID length: 20

SAK    hash: 7ae856b46f3d5cd23b94f60765adbeb13215f6c226a2953ab93eed9e26d51694
SAK  length: 40
Error making AWS request: An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Testing javasript...
Access Key: ********************
Secret Access Key: ****************************************
AKID   hash: 0cdf83ac8cf800ca46738682ff5a0ab35d94891a568fc6fd9115ecf13dcce542
AKID length: 20


SAK    hash: 7ae856b46f3d5cd23b94f60765adbeb13215f6c226a2953ab93eed9e26d51694
SAK  length: 40
Error making AWS request
{ SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
    at Request.extractError (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/protocol/query.js:47:29)
    at Request.callListeners (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
  message: 'The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.',
  code: 'SignatureDoesNotMatch',
  time: 2017-09-18T20:43:21.662Z,
  requestId: '02ab939a-9cb2-11e7-a1f3-87975b0dbd52',
  statusCode: 403,
  retryable: false,
  retryDelay: 86.52138921193912 }
Makefile:6: recipe for target 'test' failed
make: *** [test] Error 1

codingthat commented Sep 18, 2017

After upgrading awscli to aws-cli/1.11.154 Python/2.7.12 Linux/4.4.0-53-generic botocore/1.7.12:

$ make test
./test-creds.sh
Testing python...
Access Key: 
Secret Access Key: 
AKID   hash: 0cdf83ac8cf800ca46738682ff5a0ab35d94891a568fc6fd9115ecf13dcce542
AKID length: 20

SAK    hash: 7ae856b46f3d5cd23b94f60765adbeb13215f6c226a2953ab93eed9e26d51694
SAK  length: 40
Error making AWS request: An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Testing javasript...
Access Key: ********************
Secret Access Key: ****************************************
AKID   hash: 0cdf83ac8cf800ca46738682ff5a0ab35d94891a568fc6fd9115ecf13dcce542
AKID length: 20


SAK    hash: 7ae856b46f3d5cd23b94f60765adbeb13215f6c226a2953ab93eed9e26d51694
SAK  length: 40
Error making AWS request
{ SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
    at Request.extractError (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/protocol/query.js:47:29)
    at Request.callListeners (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/home/kev/projects/external/aws-creds-test/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
  message: 'The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.',
  code: 'SignatureDoesNotMatch',
  time: 2017-09-18T20:43:21.662Z,
  requestId: '02ab939a-9cb2-11e7-a1f3-87975b0dbd52',
  statusCode: 403,
  retryable: false,
  retryDelay: 86.52138921193912 }
Makefile:6: recipe for target 'test' failed
make: *** [test] Error 1
@DanAbbz92

This comment has been minimized.

Show comment
Hide comment
@DanAbbz92

DanAbbz92 Oct 4, 2017

I just recreated my keys - My new one still contains a '+', but now able to use the cli

Could be as easy as that

DanAbbz92 commented Oct 4, 2017

I just recreated my keys - My new one still contains a '+', but now able to use the cli

Could be as easy as that

@codingthat

This comment has been minimized.

Show comment
Hide comment
@codingthat

codingthat Oct 4, 2017

@DanAbbz92 indeed, I happened to find the same solution around now. No idea why the old keys never worked, but the new ones were fine using the same process.

codingthat commented Oct 4, 2017

@DanAbbz92 indeed, I happened to find the same solution around now. No idea why the old keys never worked, but the new ones were fine using the same process.

@WMcKibbin

This comment has been minimized.

Show comment
Hide comment
@WMcKibbin

WMcKibbin Oct 20, 2017

I had a ^V in my Secret key from a bad paste attempt. It may be prudent to put a stronger warning on checking for bad characters in the keys. Will prevent further unneeded escalations.

WMcKibbin commented Oct 20, 2017

I had a ^V in my Secret key from a bad paste attempt. It may be prudent to put a stronger warning on checking for bad characters in the keys. Will prevent further unneeded escalations.

@kulkarnij

This comment has been minimized.

Show comment
Hide comment
@kulkarnij

kulkarnij Oct 26, 2017

This issue was reported in 2014. Today is Oct 26, 2017. I encountered this issue, my secret had a "+" in it. I created a new key and put it in ~/.aws/configure
Come on Amazon, do you ever plan to fix this bug*???

kulkarnij commented Oct 26, 2017

This issue was reported in 2014. Today is Oct 26, 2017. I encountered this issue, my secret had a "+" in it. I created a new key and put it in ~/.aws/configure
Come on Amazon, do you ever plan to fix this bug*???

@robinske

This comment has been minimized.

Show comment
Hide comment
@robinske

robinske Oct 28, 2017

I encountered this issue today after installing the cli and running aws configure. My keys had no special characters in them but the following did fix my problem:

  • rm -r ~/.aws/
  • recreated the .aws folder and the credentials file and added the credentials back in manually

tl;dr turning it off and on again worked for me ¯_(ツ)_/¯

robinske commented Oct 28, 2017

I encountered this issue today after installing the cli and running aws configure. My keys had no special characters in them but the following did fix my problem:

  • rm -r ~/.aws/
  • recreated the .aws folder and the credentials file and added the credentials back in manually

tl;dr turning it off and on again worked for me ¯_(ツ)_/¯

@asmaier

This comment has been minimized.

Show comment
Hide comment
@asmaier

asmaier Nov 7, 2017

For people using Hadoop ending up here: A related bug has been fixed for Hadoop 2.8.0:
"s3:" URLs break when Secret Key contains a slash, even if encoded

asmaier commented Nov 7, 2017

For people using Hadoop ending up here: A related bug has been fixed for Hadoop 2.8.0:
"s3:" URLs break when Secret Key contains a slash, even if encoded

@bayaro

This comment has been minimized.

Show comment
Hide comment
@bayaro

bayaro Jan 29, 2018

Hi, today I have caught the same issue.
The box had wrong time on it. After updating time all is working.

bayaro commented Jan 29, 2018

Hi, today I have caught the same issue.
The box had wrong time on it. After updating time all is working.

@EdouardMYOB

This comment has been minimized.

Show comment
Hide comment
@EdouardMYOB

EdouardMYOB Feb 1, 2018

Adding another "me too"

I had a Secret key that had two '+' characters in it, and that worked from my .aws/credentials file on my Windows VM (when used by a .NET application), but when I installed awscli from brew on my MacBook Pro, and copied the .aws files across (testing for file encodings, end-of-line formats etc) it failed with SignatureDoesNotMatch.

I tried recreating the credentials until I got a secret key without any non alphanumerics, and now it works from the awscli on my Mac. Copying those credentials back to my Windows machine and running the .NET application, that still works.

I didn't make any changes to the time on either machine (The Mac was using NTP already, and the Windows VM looks likes it's running about 12 minutes behind the actual time)

I installed awscli with: brew install awscli

and aws --version returns: aws-cli/1.14.30 Python/3.6.4 Darwin/16.7.0 botocore/1.8.34

EdouardMYOB commented Feb 1, 2018

Adding another "me too"

I had a Secret key that had two '+' characters in it, and that worked from my .aws/credentials file on my Windows VM (when used by a .NET application), but when I installed awscli from brew on my MacBook Pro, and copied the .aws files across (testing for file encodings, end-of-line formats etc) it failed with SignatureDoesNotMatch.

I tried recreating the credentials until I got a secret key without any non alphanumerics, and now it works from the awscli on my Mac. Copying those credentials back to my Windows machine and running the .NET application, that still works.

I didn't make any changes to the time on either machine (The Mac was using NTP already, and the Windows VM looks likes it's running about 12 minutes behind the actual time)

I installed awscli with: brew install awscli

and aws --version returns: aws-cli/1.14.30 Python/3.6.4 Darwin/16.7.0 botocore/1.8.34

@stephenfeather

This comment has been minimized.

Show comment
Hide comment
@stephenfeather

stephenfeather Feb 1, 2018

Well, I pushed code to lambdas this afternoon (2018-02-01 15:48 EST with lambda in us-east-1).
Now at 6pm, I'm getting signature errors on every system in the office.
Looking back through this thread: my times are correct, nothing has changed, credentials are under a year old, have been working since the day they were established, using homebrew version aws-cli/1.14.30 Python/3.6.4 Darwin/17.4.0 botocore/1.8.34 (did try a downgrade to a 1.14.2x version, no love)

This is some malarky

stephenfeather commented Feb 1, 2018

Well, I pushed code to lambdas this afternoon (2018-02-01 15:48 EST with lambda in us-east-1).
Now at 6pm, I'm getting signature errors on every system in the office.
Looking back through this thread: my times are correct, nothing has changed, credentials are under a year old, have been working since the day they were established, using homebrew version aws-cli/1.14.30 Python/3.6.4 Darwin/17.4.0 botocore/1.8.34 (did try a downgrade to a 1.14.2x version, no love)

This is some malarky

@FedericoBiccheddu

This comment has been minimized.

Show comment
Hide comment
@FedericoBiccheddu

FedericoBiccheddu Feb 5, 2018

Having the same issue and solved genereting new keys without any special characters (like /, + and so on).

Thanks to @hellais for the input!

FedericoBiccheddu commented Feb 5, 2018

Having the same issue and solved genereting new keys without any special characters (like /, + and so on).

Thanks to @hellais for the input!

@oreofeolurin

This comment has been minimized.

Show comment
Hide comment
@oreofeolurin

oreofeolurin Mar 1, 2018

Just had the same issue, solved it by correcting my laptops clock. Apparently i was behind time.

oreofeolurin commented Mar 1, 2018

Just had the same issue, solved it by correcting my laptops clock. Apparently i was behind time.

@ezrataylor

This comment has been minimized.

Show comment
Hide comment
@ezrataylor

ezrataylor Mar 5, 2018

I just experienced this issue and it appears that my ntp client was 10 minutes behind. I did a ntpdate and all is now fixed.

ezrataylor commented Mar 5, 2018

I just experienced this issue and it appears that my ntp client was 10 minutes behind. I did a ntpdate and all is now fixed.

@JohnVonNeumann

This comment has been minimized.

Show comment
Hide comment
@JohnVonNeumann

JohnVonNeumann Mar 14, 2018

I can confirm that recreating my access keys until I got one without special characters in it, worked. What a ridiculous bug, wow.

Seeing as this is such a long running issue, would it not be intelligent to update the error messaging to give users a link to a potential fix, like rebuilding your keys? Instead of something which makes out that the issue is far more complex than "yeah we error out when your keys have special chars in them, sorry!".

JohnVonNeumann commented Mar 14, 2018

I can confirm that recreating my access keys until I got one without special characters in it, worked. What a ridiculous bug, wow.

Seeing as this is such a long running issue, would it not be intelligent to update the error messaging to give users a link to a potential fix, like rebuilding your keys? Instead of something which makes out that the issue is far more complex than "yeah we error out when your keys have special chars in them, sorry!".

@siluri

This comment has been minimized.

Show comment
Hide comment
@siluri

siluri Mar 18, 2018

same issue hear:

Versions:

aws-cli/1.14.58 Python/2.7.10 Darwin/17.4.0 botocore/1.9.11

Command:

aws s3 ls
got following error:
Unknown Signature Version: s3v3.

no solution:

i updated my cloak and i generate a Secret without any special Character

update - fixed by following

aws configure set default.s3.signature_version s3v4

siluri commented Mar 18, 2018

same issue hear:

Versions:

aws-cli/1.14.58 Python/2.7.10 Darwin/17.4.0 botocore/1.9.11

Command:

aws s3 ls
got following error:
Unknown Signature Version: s3v3.

no solution:

i updated my cloak and i generate a Secret without any special Character

update - fixed by following

aws configure set default.s3.signature_version s3v4

@stefano-lupo

This comment has been minimized.

Show comment
Hide comment
@stefano-lupo

stefano-lupo Apr 3, 2018

Yeah this is still a problem - my secret key ended with a + character and no fix I found worked. Regenerated new keys with no + at the end of the secret key and it worked fine.

How on earth is this still an issue?

stefano-lupo commented Apr 3, 2018

Yeah this is still a problem - my secret key ended with a + character and no fix I found worked. Regenerated new keys with no + at the end of the secret key and it worked fine.

How on earth is this still an issue?

@madept

This comment has been minimized.

Show comment
Hide comment
@madept

madept Apr 18, 2018

An error occurred (SignatureDoesNotMatch) when calling the CreateMultipartUpload operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.
please help.

madept commented Apr 18, 2018

An error occurred (SignatureDoesNotMatch) when calling the CreateMultipartUpload operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.
please help.

@tomwojcik

This comment has been minimized.

Show comment
Hide comment
@tomwojcik

tomwojcik May 10, 2018

My secret starts with + sign and I didn't even know there's this issue until today. I use boto3 python to access my s3. It doesn't work when I pass credentials as raw strings but works fine if I load it from config.ini as a variable using configparser.RawConfigParser(). Of course, generating a new secret without + sign at the end or at the beginning will solve this issue too.

Nonetheless, if this (for some reason) can't be fixed maybe change the exception message to something like "we don't allow + sign, generate a new one if you want to access it the way you do".

tomwojcik commented May 10, 2018

My secret starts with + sign and I didn't even know there's this issue until today. I use boto3 python to access my s3. It doesn't work when I pass credentials as raw strings but works fine if I load it from config.ini as a variable using configparser.RawConfigParser(). Of course, generating a new secret without + sign at the end or at the beginning will solve this issue too.

Nonetheless, if this (for some reason) can't be fixed maybe change the exception message to something like "we don't allow + sign, generate a new one if you want to access it the way you do".

@mpierini

This comment has been minimized.

Show comment
Hide comment
@mpierini

mpierini May 11, 2018

I am using aws cli on osx and I also had a secret that appeared to not be correct. My original one had a + and an = in it and I received the SignatureDoesNotMatch error when attempting to cp files to s3. I regenerated keys and my new secret is now an alphanumeric string. Just adding another confirmation that regeneration works. 😌

mpierini commented May 11, 2018

I am using aws cli on osx and I also had a secret that appeared to not be correct. My original one had a + and an = in it and I received the SignatureDoesNotMatch error when attempting to cp files to s3. I regenerated keys and my new secret is now an alphanumeric string. Just adding another confirmation that regeneration works. 😌

@shawnsmithdev

This comment has been minimized.

Show comment
Hide comment
@shawnsmithdev

shawnsmithdev May 31, 2018

In the hope this might provide insight, this problem (not handling + in secret keys) exposes itself with this version on RHEL5

aws-cli/1.15.25 Python/3.4.7 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.10.25

but does not occur with this version on Ubuntu

aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-121-generic botocore/1.4.70

shawnsmithdev commented May 31, 2018

In the hope this might provide insight, this problem (not handling + in secret keys) exposes itself with this version on RHEL5

aws-cli/1.15.25 Python/3.4.7 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.10.25

but does not occur with this version on Ubuntu

aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-121-generic botocore/1.4.70

@dsyahrizal

This comment has been minimized.

Show comment
Hide comment
@dsyahrizal

dsyahrizal Jun 12, 2018

Started Jan 2014 and now June 2018, over 4 years and I had the same problem with SignatureDoesNotMatch error. The solution for me was the same as all the majority solutions here, get a new Secret Key without any special character as for my former key has a colon :, tried the time syncing, but not working for me. I'm using WSL.

aws-cli/1.15.27 Python/3.6.5 Linux/4.4.0-17134-Microsoft botocore/1.10.27

dsyahrizal commented Jun 12, 2018

Started Jan 2014 and now June 2018, over 4 years and I had the same problem with SignatureDoesNotMatch error. The solution for me was the same as all the majority solutions here, get a new Secret Key without any special character as for my former key has a colon :, tried the time syncing, but not working for me. I'm using WSL.

aws-cli/1.15.27 Python/3.6.5 Linux/4.4.0-17134-Microsoft botocore/1.10.27

@tropicalm

This comment has been minimized.

Show comment
Hide comment
@tropicalm

tropicalm Jun 18, 2018

Just updating what @gchiu said in April 2017: it is still the case in June 2018 that secrets that have the slash (/) character in them may make the PHP client not work (PHP 7 on Windows 10 in my case), returning the signatures do not match error. In this situation, just generate another pair of keys that is safer.

tropicalm commented Jun 18, 2018

Just updating what @gchiu said in April 2017: it is still the case in June 2018 that secrets that have the slash (/) character in them may make the PHP client not work (PHP 7 on Windows 10 in my case), returning the signatures do not match error. In this situation, just generate another pair of keys that is safer.

@moanany moanany referenced this issue Sep 11, 2018

Open

any one help? #39

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment