Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SignatureDoesNotMatch error #602

Open
thomaswitt opened this issue Jan 22, 2014 · 140 comments

Comments

Projects
None yet
@thomaswitt
Copy link

commented Jan 22, 2014

I keep on getting a A client error (SignatureDoesNotMatch) occurred when calling the ListUsers operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

I set the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION.

@jamesls

This comment has been minimized.

Copy link
Member

commented Jan 22, 2014

EDIT: If you are running into this issue, we'd appreciate your help in troubleshooting. I'm updating this comment for better visibility on troubleshooting steps.

Troubleshooting

The first step for troubleshooting this is to determine whether or not the issue is with the credentials themselves or with the CLI. To test this, try using these credentials in other AWS SDKs (javascript, ruby, java, etc). To help with this, I've created a test script that uses the AWS SDK for python and javascript which is available here: https://github.com/jamesls/aws-creds-test . After cloning, just run make install, make test. It will prompt you for credentials (similar to the CLI) and make an API call to sts.GetCallerIdentity.

/tmp $ mkdir /tmp/repro-cli-602
/tmp $ cd /tmp/repro-cli-602/
/tmp/repro-cli-602 $ git clone git://github.com/jamesls/aws-creds-test
Cloning into 'aws-creds-test'...
...
/tmp/repro-cli-602 $ cd aws-creds-test/
/tmp/repro-cli-602/aws-creds-test (master u=) $ make install
npm install
aws-js-cli@1.0.0 /private/tmp/repro-cli-602/aws-creds-test
├─┬ aws-sdk@2.45.0
...
pip install -r requirements.txt
Requirement already satisfied: botocore<2.0.0,>=1.5.0 in /usr/local/lib/python2.7/site-packages (from -r requirements.txt (line 1))
...



/tmp/repro-cli-602/aws-creds-test (master u=) $ make test
./test-creds.sh
Testing python...
Access Key:
Secret Access Key:
AKID   hash: 4e7c36343646e1fa7495092bffcd4b9b7dd00f2f5014a189ab81f326e6472a62
AKID length: 20

SAK    hash: 941a655993caccb1a1218883b97a88b6f41762c6d03902f1cdd1e2a5de5fd82e
SAK  length: 40
Successfuly made an AWS request with the provided credentials.

Testing javasript...
Access Key: ********************
Secret Access Key: ****************************************
AKID   hash: 4e7c36343646e1fa7495092bffcd4b9b7dd00f2f5014a189ab81f326e6472a62
AKID length: 20


SAK    hash: 941a655993caccb1a1218883b97a88b6f41762c6d03902f1cdd1e2a5de5fd82e
SAK  length: 40
Sucessfully made an AWS request with the provided credentials.

For people running into this issue, please run the test script and share the output.

This should give us better insight into where this issue is occurring:

  • If the above script passes for both python and javascript but is failing when using the CLI, likely a CLI issue.
  • If the script fails for python but passes for javascript, likely an issue with botocore (which the CLI uses).
  • If the above script fails for both python and javascript, likely an issue with the actual credentials.

Thanks in advance for anyone that can help us troubleshoot this issue. Let me know if there's any questions.

@thomaswitt

This comment has been minimized.

Copy link
Author

commented Jan 23, 2014

This is how it looks like:

thomas@iMac:~ $ echo $AWS_ACCESS_KEY_ID
AKIAXXXXXXXXXXXXXXXX
thomas@iMac:~ $ echo $AWS_SECRET_ACCESS_KEY
abcaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+0
thomas@iMac:~ $ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
              env    AWS_ACCESS_KEY_ID
              env    AWS_SECRET_ACCESS_KEY
    region                eu-west-1              env    AWS_DEFAULT_REGION
@foscraig

This comment has been minimized.

Copy link
Contributor

commented Apr 4, 2014

Any updates on this issue? I'm also encountering this error and my credentials file hasn't changed.

@squirvoid

This comment has been minimized.

Copy link

commented Apr 28, 2014

I have a similar issue. Jenkins s3 plugin is able to put an object using my credentials, but the aws-cli is giving me the errors below.

aws s3 cp s3://my-bucket/folder/test.txt test.txt
A client error (Forbidden) occurred when calling the HeadObject operation: Forbidden Completed 1 part(s) with ... file(s) remaining

aws s3api get-object --bucket my-bucket --key folder/test.txt test.txt
A client error (SignatureDoesNotMatch) occurred when calling the GetObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.
@JeremyShort

This comment has been minimized.

Copy link

commented May 14, 2014

I am running into the same issue. If I make up a secret it gives me a different (AuthFailure) error.

[ec2-user@ip-127.0.0.1]]$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************AMKA              env    AWS_ACCESS_KEY_ID
secret_key     ****************jPU2              env    AWS_SECRET_ACCESS_KEY
    region                us-west-2              env    AWS_DEFAULT_REGION

This is pretty much stopping me completely. I can do some things with the ec2-blah-stuff utilities by specifying x509 certs but the help says that's deprecated so I don't want to depend on it. Any help troubleshooting or what ever would really be appreciated.

@jamesls

This comment has been minimized.

Copy link
Member

commented May 14, 2014

The first step would be to ensure that your access/secret keys are actually valid. A few things to try:

  • Does these same access/secret key credentials work with other tools? (The java/javascript/ruby/python SDK?)
  • Do other commands besides "aws s3" work for you? Does "aws ec2 describe-instances" still generate auth errors?
@JeremyShort

This comment has been minimized.

Copy link

commented May 15, 2014

They do not work with other tools (ec2-describe-instance for instance).

I think I have the appropriate rights since using the certs works. To make sure it's not a workstation thing I built an Amazon Linux instance and I'm using the awscli verison that comes with it but getting the same message.

@TeePaps

This comment has been minimized.

Copy link

commented Jul 16, 2014

Also an issue for me. I'm using it in a docker container, built with the same Dockerfile.
It works fine when built on an EC2, but does not work when built locally on a coreos vagrant box.

@jamesls

This comment has been minimized.

Copy link
Member

commented Jul 28, 2014

It looks like the issue is with the credentials themselves. I've double checked this, and I'm not able to repro this issue. Double check the credentials on the security credentials page. If someone can provide an exact set of steps that demonstrate the issue, I'd be happy to take another look.

@jamesls jamesls closed this Jul 28, 2014

@rvfn

This comment has been minimized.

Copy link

commented Aug 1, 2014

Just had this happening to me and was a result of my system time being off by too much even though it did not report that. Ran ntpdate against pool.ntp.org and fixed this problem for me.

@anuraj-optimizely

This comment has been minimized.

Copy link

commented Oct 14, 2014

If you are getting this error when cred are setup using env variable, try sudo

@rcosnita

This comment has been minimized.

Copy link

commented Oct 24, 2014

If you are in a virtual machine make sure your host os time matches the guest os time. If this is not the case you will get into the error you described.

@j0ni

This comment has been minimized.

Copy link

commented Nov 3, 2014

A very similar error occurs for me with good credentials, whilst listing a bucket which has a lot of keys in it. Here's the error:

A client error (SignatureDoesNotMatch) occurred when calling the ListObjects operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Here's my output from aws configure list

      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************4UNA shared-credentials-file
secret_key     ****************MNOG shared-credentials-file
    region                <not set>             None    None

Note that these credentials work fine with other aws invocations, and in fact this list op runs for a long time (more than an hour) before bailing with this error. I have a file with over 82,000 lines of output in it from the command which eventually failed.

@aub

This comment has been minimized.

Copy link

commented Nov 14, 2014

I've been getting this issue, and if I just sleep my script for a second and try again then it goes through. It's almost like it's getting throttled and returning the wrong error or something.

@ansjob

This comment has been minimized.

Copy link

commented Nov 18, 2014

I can report this issue too. Trying to upload a 11 GB file using aws cp foo s3://mybucket/foo/bar I get various errors like:

A client error (SignatureDoesNotMatch) occurred when calling the UploadPart operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

and

Max retries exceeded with url: /***REDACTED***?partNumber=196&uploadId=B2viwGFF4Lmq5itbs8ipqwBExx0BWGRm3gkG_D5EYTiU8uEO_tmUT.d.i7BcgPnP5npZa.OW7yMfJ3ZhhLJD61zP7EVv.5.ZftCJQbKNdkEBeijGBqWlrxz4vMx3B05Q (Caused by <class 'socket.gaierror'>: [Errno -2] Name or service not known)

I've checked that my system time is correct. I also noticed considerable slowness (on the level of http requests timing out) on the same system while uploading, so this being a throttling issue does sound reasonable. It also works fine to upload small files with the same credentials, and using the web console from the same machine, so this does appear to be a aws-cli problem.

@ranrub

This comment has been minimized.

Copy link

commented Nov 19, 2014

This happened to me with too with aws-cli 1.5.5, updating aws-cli to 1.6.2 solved it.

@ansjob

This comment has been minimized.

Copy link

commented Nov 19, 2014

Happens to me with 1.6.2

@ye

This comment has been minimized.

Copy link

commented Nov 25, 2014

This happened to me today. This is new to me. Been using awl-cli for a few months no problem and no change to the credentials AFAIK.

$ aws configure --profile ye list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                       ye           manual    --profile
access_key     ****************ERMQ shared-credentials-file    
secret_key     ****************E8Id shared-credentials-file    
    region                us-east-1      config-file    ~/.aws/config
@jamesls

This comment has been minimized.

Copy link
Member

commented Nov 25, 2014

I believe this issue is now fixed via boto/botocore#388, and will be available in the next AWS CLI release.

@ye

This comment has been minimized.

Copy link

commented Nov 25, 2014

@jamesls confirmed fixed on awscli version 1.6.4. I was using 1.5.4. Thanks!

@wolfeidau

This comment has been minimized.

Copy link

commented Dec 2, 2014

I am getting this issue on a fresh ubuntu system.

A client error (SignatureDoesNotMatch) occurred when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Installed aws-cli via pip

$ pip list
ansible (1.5.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.6.5)
bcdoc (0.12.2)
botocore (0.76.0)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.11)
html5lib (0.999)
httplib2 (0.8)
Jinja2 (2.7.2)
jmespath (0.5.0)
jsonpatch (1.3)
jsonpointer (1.0)
Landscape-Client (14.01)
MarkupSafe (0.18)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
Pillow (2.3.0)
pip (1.5.4)
prettytable (0.7.2)
pyasn1 (0.1.7)
pycrypto (2.6.1)
pycurl (7.19.3)
Pygments (1.6)
pyinotify (0.9.4)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5)
python-dateutil (2.3)
python-debian (0.1.21-nmu2ubuntu2)
PyYAML (3.10)
requests (2.2.1)
roman (2.0.0)
rsa (3.1.2)
setuptools (3.3)
six (1.5.2)
Sphinx (1.2.2)
ssh-import-id (3.21)
Twisted-Core (13.2.0)
urllib3 (1.7.1)
wsgiref (0.1.2)
zope.interface (4.0.5)

Any ideas on how to fix it?

@aub

This comment has been minimized.

Copy link

commented Dec 2, 2014

My solution was to sleep for a few seconds and then try it again, but it
sounds like there may be an update to the tool that fixes it as well.

On Tue, Dec 2, 2014 at 3:38 AM, Mark Wolfe notifications@github.com wrote:

I am getting this issue on a fresh ubuntu system.

A client error (SignatureDoesNotMatch) occurred when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Installed aws-cli via pip

$ pip list
ansible (1.5.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.6.5)
bcdoc (0.12.2)
botocore (0.76.0)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.11)
html5lib (0.999)
httplib2 (0.8)
Jinja2 (2.7.2)
jmespath (0.5.0)
jsonpatch (1.3)
jsonpointer (1.0)
Landscape-Client (14.01)
MarkupSafe (0.18)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
Pillow (2.3.0)
pip (1.5.4)
prettytable (0.7.2)
pyasn1 (0.1.7)
pycrypto (2.6.1)
pycurl (7.19.3)
Pygments (1.6)
pyinotify (0.9.4)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5)
python-dateutil (2.3)
python-debian (0.1.21-nmu2ubuntu2)
PyYAML (3.10)
requests (2.2.1)
roman (2.0.0)
rsa (3.1.2)
setuptools (3.3)
six (1.5.2)
Sphinx (1.2.2)
ssh-import-id (3.21)
Twisted-Core (13.2.0)
urllib3 (1.7.1)
wsgiref (0.1.2)
zope.interface (4.0.5)

Any ideas on how to fix it?


Reply to this email directly or view it on GitHub
#602 (comment).

@ye

This comment has been minimized.

Copy link

commented Dec 3, 2014

@wolfeidau and yeah I spoke too soon. The locally pip installed awscli is giving the SignatureDoesNotMatch errors again. Yikes!

A client error (SignatureDoesNotMatch) occurred when calling the DeregisterInstancesFromLoadBalancer operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/

host:elasticloadbalancing.us-east-1.amazonaws.com
user-agent:aws-cli/1.6.5 Python/2.7.8 Darwin/13.4.0
x-amz-date:20141203T015747Z

host;user-agent;x-amz-date
1d9dafbf4bfa9b1225d91bdbf99d8645503484d174b9094e4c3af637e6664b5b'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20141203T015747Z
20141203/us-east-1/elasticloadbalancing/aws4_request
5a56d12a4920502f4124e37a92aad475c36edda93d9865871e6a4fe1e49045c3'
@jamesls

This comment has been minimized.

Copy link
Member

commented Dec 3, 2014

Does this issue happen only when a request is retried? Or does this happen everytime you run the deregister-instances-from-load-balancer command?

@ye

This comment has been minimized.

Copy link

commented Dec 3, 2014

@jamesls it happens everytime now :(

@Clepher

This comment has been minimized.

Copy link

commented Jan 28, 2015

I know this issue is closed but wanted to share that you can see this error when running in a VM which hibernates. In such cases, the system clock doesn't consistently catch up if you're using Ubuntu. Just update the time to fix (i.e. sudo ntpdate -s time.nist.gov).

@include

This comment has been minimized.

Copy link

commented Feb 18, 2015

hello, is there any final fix on this?

@gsterndale

This comment has been minimized.

Copy link

commented Mar 11, 2015

+1

Using version 1.7.8 of the CLI I was seeing the same SignatureDoesNotMatch error when trying the following:
$ aws iam list-users

And getting an AuthFailure for this:
$ aws ec2 describe-security-groups

After deleting my keys and trying new ones, both commands work.

This is the old secret access key that may have been the cause of my problems, note the percent, plus and forward slash characters: H2J7/oT3Fib15SwFVB1s3EnTCmg+SC7wF7qoP+dw%

@johnjelinek

This comment has been minimized.

Copy link

commented Mar 11, 2015

👍 @gsterndale. My access key with % in it didn't work. I had to generate new keys.

@oreofeolurin

This comment has been minimized.

Copy link

commented Mar 1, 2018

Just had the same issue, solved it by correcting my laptops clock. Apparently i was behind time.

@ezrataylor

This comment has been minimized.

Copy link

commented Mar 5, 2018

I just experienced this issue and it appears that my ntp client was 10 minutes behind. I did a ntpdate and all is now fixed.

@JohnVonNeumann

This comment has been minimized.

Copy link

commented Mar 14, 2018

I can confirm that recreating my access keys until I got one without special characters in it, worked. What a ridiculous bug, wow.

Seeing as this is such a long running issue, would it not be intelligent to update the error messaging to give users a link to a potential fix, like rebuilding your keys? Instead of something which makes out that the issue is far more complex than "yeah we error out when your keys have special chars in them, sorry!".

@siluri

This comment has been minimized.

Copy link

commented Mar 18, 2018

same issue hear:

Versions:

aws-cli/1.14.58 Python/2.7.10 Darwin/17.4.0 botocore/1.9.11

Command:

aws s3 ls
got following error:
Unknown Signature Version: s3v3.

no solution:

i updated my cloak and i generate a Secret without any special Character

update - fixed by following

aws configure set default.s3.signature_version s3v4

@stefano-lupo

This comment has been minimized.

Copy link

commented Apr 3, 2018

Yeah this is still a problem - my secret key ended with a + character and no fix I found worked. Regenerated new keys with no + at the end of the secret key and it worked fine.

How on earth is this still an issue?

@madept

This comment has been minimized.

Copy link

commented Apr 18, 2018

An error occurred (SignatureDoesNotMatch) when calling the CreateMultipartUpload operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.
please help.

@tomwojcik

This comment has been minimized.

Copy link

commented May 10, 2018

My secret starts with + sign and I didn't even know there's this issue until today. I use boto3 python to access my s3. It doesn't work when I pass credentials as raw strings but works fine if I load it from config.ini as a variable using configparser.RawConfigParser(). Of course, generating a new secret without + sign at the end or at the beginning will solve this issue too.

Nonetheless, if this (for some reason) can't be fixed maybe change the exception message to something like "we don't allow + sign, generate a new one if you want to access it the way you do".

@mpierini

This comment has been minimized.

Copy link

commented May 11, 2018

I am using aws cli on osx and I also had a secret that appeared to not be correct. My original one had a + and an = in it and I received the SignatureDoesNotMatch error when attempting to cp files to s3. I regenerated keys and my new secret is now an alphanumeric string. Just adding another confirmation that regeneration works. 😌

@shawnsmithdev

This comment has been minimized.

Copy link

commented May 31, 2018

In the hope this might provide insight, this problem (not handling + in secret keys) exposes itself with this version on RHEL5

aws-cli/1.15.25 Python/3.4.7 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.10.25

but does not occur with this version on Ubuntu

aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-121-generic botocore/1.4.70

@dsyahrizal

This comment has been minimized.

Copy link

commented Jun 12, 2018

Started Jan 2014 and now June 2018, over 4 years and I had the same problem with SignatureDoesNotMatch error. The solution for me was the same as all the majority solutions here, get a new Secret Key without any special character as for my former key has a colon :, tried the time syncing, but not working for me. I'm using WSL.

aws-cli/1.15.27 Python/3.6.5 Linux/4.4.0-17134-Microsoft botocore/1.10.27

@ghost

This comment has been minimized.

Copy link

commented Jun 18, 2018

Just updating what @gchiu said in April 2017: it is still the case in June 2018 that secrets that have the slash (/) character in them may make the PHP client not work (PHP 7 on Windows 10 in my case), returning the signatures do not match error. In this situation, just generate another pair of keys that is safer.

@moanany moanany referenced this issue Sep 11, 2018

Open

any one help? #39

@krish7919

This comment has been minimized.

Copy link

commented Sep 21, 2018

I was flummoxed by this for about 30 mins.

Followed this issue and checked the local time, etc. - all was good.

In desperation, nuked the ~/.aws/credentials file and logged in again (essentially recreating the file) and voila, just works.

Wonder why does it throw this error at all!

EDIT:
Doesn't seem to be related to the secret key in my case; they were all mostly simple strings.

@wheatleyjj

This comment has been minimized.

Copy link

commented Oct 1, 2018

+1 on this issue, my key started with an =. Regenerated a key that only had a / in it and all was well. Tried encasing the key in " marks, but to no avail.

Not something I would expect to see from the AWS CLI.

@costash1

This comment has been minimized.

Copy link

commented Oct 20, 2018

Adding to the same problem here, I cannot believe that the / in my key would have caused this. Thanks for the time wasted!

@mikearnett

This comment has been minimized.

Copy link

commented Oct 25, 2018

I had this problem. I believe it was a result of initially installing the aws cli as the root user. The resolution seemed to be uninstalling the aws cli, deleting both the .aws folder in the current user's home folder as well as in the root folder, and then running 'aws configure' again as the current user.

@LJvdBerg

This comment has been minimized.

Copy link

commented Oct 31, 2018

I experienced this problem when running a bash script using a systemd timer on Ubuntu. When manually running the script with my user, everything worked fine. However, the timer would keep on throwing the (SignatureDoesNotMatch) error. I then noticed that the (SignatureDoesNotMatch) was produced for any aws command running as root and that 'aws configure' did not save new values being provided.

To resolve the problem I logged in as root 'su -i', changed to 'cd ~/.aws/' and removed the configuration with 'sudo rm -r credentials', ran 'aws configure' again and this time the new values was saved. From there everything worked again as expected!

@villasenor

This comment has been minimized.

Copy link

commented Dec 12, 2018

Can confirm that this issue still exists on aws-cli/1.15.4 Python/2.7.15rc1 Linux/4.15.0-42-generic botocore/1.12.8.

An error occurred (SignatureDoesNotMatch) when calling the <whatever> operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

And turns out there was a + in my secret. I regenerated and everything is fine now. When can we expect a fix for this @jamesls? Or is there anything I can do to help?

@hsheikha1429

This comment has been minimized.

Copy link

commented Dec 29, 2018

Faced the same on my aws cli because the secret key was containing + ...(as described by above) After regenerating a new key..(as I saw from delmartechdude comment above).... the issue been solved.

@shamank

This comment has been minimized.

Copy link

commented Jan 9, 2019

My two cents. It was giving me this error because I was trying to upload content to s3 with accelerated transfers this way (it used to work in the past): --endpoint-url http://imaat.s3-accelerate.amazonaws.com (--endpoint-url http://<bucket-name>.s3-accelerate.amazonaws.com) as specified in acceleration endpoint properties:
screenshot-s3 console aws amazon com-2019 01 09-17-58-00

Following instructions in official docs: https://docs.aws.amazon.com/es_es/AmazonS3/latest/dev/transfer-acceleration-examples.html I replaced that last part with: --endpoint-url http://s3-accelerate.amazonaws.com and run the command aws configure set s3.addressing_style virtual to build the hostname dinamically. Check: https://docs.aws.amazon.com/cli/latest/topic/s3-config.html#addressing-style

I don't know why, but now it works. My bucket name ("imaat") doesn't have any special character which may lead to DNS failures, but it failed for some reason with latest cli updates.

@dave-miles

This comment has been minimized.

Copy link

commented Jan 24, 2019

Adding a profile via text edit and got this failure. Updating the profile access id and secret via an aws config set and it worked. This is for a secret with '+' in it and aws-cli/1.16.23 Python/2.7.15 Windows/10 botocore/1.12.13

@PercussivesScruf

This comment has been minimized.

Copy link

commented Jan 25, 2019

@dave-miles You're on to something, thank you for commenting! I'm expanding on your finding below:

I ran into this issue with some docker images. Originally I was using an ADD in the dockerfile to add the ~/.aws/credentials file into the container.

If we did this, we would run into the SignatureDoesNotMatch error when trying to download from s3.

I removed the ADD line in the dockerfile, rebuilt and launched a new docker container. In this new container, I manually ran aws configure set aws_access_key_id <access key id goes here> and aws configure set aws_secret_access_key <secret access key goes here> This was the first time entering the credentials information in this container (I.E. the container was a "fresh" centos image).

After using the aws configure set commands, I was able to successfully download from s3.

For anyone using this with a dockerfile, you could use RUN statements in the dockerfile to run the two commands or you could use an ADD statement to push a script to your docker container:

#!/bin/sh

aws configure set aws_access_key_id access-key-id-goes-here
aws configure set aws_secret_access_key secret-access-key-goes-here

@erickrawczyk

This comment has been minimized.

Copy link

commented Feb 15, 2019

I had the same problem as @villasenor - a + in the secret key would cause the error when configuring the awscli using env vars in docker. rotating the keys fixed the issue .

@tomchiverton

This comment has been minimized.

Copy link

commented Feb 19, 2019

Ditto here, but there are no special chars in the access key or secret key.
Regenerated a new set for the same IAM user, and the new ones can list buckets, old ones can not.

This occurred with both AWS cli and Java SDK calls. Suggesting the fault is not in the clients...

Both sets are still live. If anyone at Amazon want's more details please get in contact.

@ElementalWarrior

This comment has been minimized.

Copy link

commented Feb 19, 2019

My co-worker just encountered this too. I tried debugging by creating an access key until I got one with a + or / at the start. Wasn't able to repro though.

@blbradley

This comment has been minimized.

Copy link

commented Mar 20, 2019

I had a co-worker experience this. We determined that this occurs specifically Ubuntu 18.04 with + or / in the secret key.

@cuichenli

This comment has been minimized.

Copy link

commented Mar 23, 2019

Got the same error today, currently using Windows 10. However, when I use the same access key on another laptop (mac), it works fine for me. Then I tried the access key within WSL, which is also fine. Not sure the reason, and there is no special character in the aws key.

fahall pushed a commit to tribalcrossing/aws-sdk-net that referenced this issue Apr 4, 2019

Disable chunked transfers to workaround iOS bug. Details below:
            // [RMS][copied by AH] from https://github.com/VISUAL-VOCAL/aws-sdk-net,
            // Force disable chunked transfers Work around this bug:
            // aws#820
            //
            // Also discussed at here:
            // https://answers.unity.com/questions/1450373/set-content-length-header-for-unitywebrequest-post.html
            // aws#835
            //
            // Might be related:
            // aws/aws-cli#602
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.