SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details #86

Closed
pilani opened this Issue Mar 28, 2013 · 17 comments
@pilani

I am using aws-sdk for node.js and making an API call to copyImage method using EC2 client from Singapore region to Tokyo.
I have a about 26 AMIs that I need to copy so I have written a program and am initiating the copy process parallely for all.
while copying i am getting this error" SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details" for some AMI's.
Suppose i run my program 3 times then its not necessary that this error will come for same AMI(source region) every run.
Its coming randomly for some Images and for some its succeeding.
Please revert back on this issue.

@lsegal

Can you provide more information about the intermittent failures? It's hard to reproduce this specific issue. If you can reproduce this and print the results of

 console.log(this.httpResponse)

and

console.log(this.request.httpRequest)

That would be helpful.

For example:

ec2.client.copyImage(params, function (err, data) {
  if (err) {
    console.log("Got error:", err.message);
    console.log("Request:");
    console.log(this.request.httpRequest);
    console.log("Response:");
    console.log(this.httpResponse);
  }
  // ...
});
@pilani
Request:
{ method: 'POST',
  path: '/',
  headers: 
   { 'User-Agent': 'aws-sdk-nodejs/v0.9.7-pre.8 linux/v0.8.17',
     'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8',
     'Content-Length': 228 },
  body: 'AWSAccessKeyId=*something*&Action=DescribeSecurityGroups&Signature=WVNJG7aKN3fBd%2FFIivanvr3jRkZSrXiD6GWKfrMCAwI%3D&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2013-04-11T07%3A11%3A00.620Z&Version=2013-02-01',
  endpoint: 
   { protocol: 'https:',
     slashes: true,
     host: 'ec2.us-east-1.amazonaws.com',
     hostname: 'ec2.us-east-1.amazonaws.com',
     href: 'https://ec2.us-east-1.amazonaws.com/',
     pathname: '/',
     path: '/',
     port: 443,
     constructor: { [Function: Endpoint] __super__: [Function: Object] } },
  region: 'us-east-1',
  params: 
   { params: 
      [ [Object],
        [Object],
        [Object],
        [Object],
        [Object],
        [Object],
        [Object] ] } }
Response:
{ statusCode: 403,
  headers: 
   { 'transfer-encoding': 'chunked',
     date: 'Thu, 11 Apr 2013 07:11:02 GMT',
     server: 'AmazonEC2' },
  body: <Buffer 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 52 65 73 70 6f 6e 73 65 3e 3c 45 ...> }
@lsegal

It looks like the request is being sent to the us-east-1 endpoint, which from your description is not what you are trying to do. Are you providing the correct region to either the global config or EC2 object?

If so, perhaps this is an issue only on retries, which could explain the "randomness". Adding a console.log line for this.retryCount (or even just this) would help to show if this was triggered by a retry or not.

@pagameba

I'm getting this error (SignatureDoesNotMatch) with s3 getBucketTagging using v0.9.8-pre.9 installed via npm.

var aws = require('aws-sdk');

aws.config.loadFromPath(path.join('.', 'aws-credentials.json'));
aws.config.update({region: 'us-east-1'});
s3 = new aws.S3();

s3.client.getBucketTagging({
  Bucket: '<bucket-name>'
}, function(err, data) {
  if (err) {
    return console.log('Error getting bucket tagging: ' + JSON.stringify(err));
  }
  console.log(JSON.stringify(data));
});

output:

Error getting bucket tagging: {"message":"The request signature we calculated does not match the signature you provided. Check your key and signing method.","code":"SignatureDoesNotMatch","name":"SignatureDoesNotMatch","statusCode":403,"retryable":false}

Using the same s3 client, other operations (at least listBuckets) do work.

Any help would be appreciated. I'm trying to set up cost allocation billing and I want to add a standard set of tags to all our assets and doing so by hand would be ... tedious :)

@lsegal

Closed by #107

@lsegal lsegal closed this Apr 30, 2013
@laser

@pilani - It's been a long while since you posted this question, but, I ran into a similar issue.

Essentially, the library I was using to generate the Signature query string parameter wasn't escaping spaces. So, every so often a value would be generated that contained a space - and I'd see a 403. Ensuring proper encoding of URI query string parameter-values did the trick.

Erin

CC @lsegal

@krilnon

In case this helps anyone: I was getting this same signature failure, but the mistake I was making was including an extra HTTPS header (Content-type) which is apparently used to calculate the signature.

Frustrating to track down, for sure, but ultimately my fault.

@bedney

I fought with this error for 2 days, until I generated a new set of keys for my account, after which everything worked magically. Note that my old keys were very old (from 2006). A nice error message of Expired Keys or Obsolete keys or something would have been very helpful here. I realize that this is probably not something that can be detected by the JS library, but maybe a request upstream to add this to AWS in general would be in order here...

@TKBurner TKBurner referenced this issue in fastlane/fastlane Apr 27, 2016
Closed

setupSnapshot() Causing AWS Failure #4366

2 of 2 tasks complete
@erdogankaya
erdogankaya commented Jun 15, 2016 edited

i try to create bucket

var http = require('http')
var crypto = require("crypto")

var isoDate =new Date();
var sc = crypto.createHmac('sha1', "my-key").update(new Buffer("PUT\n\n\n"+isoDate+"\n/erka", 'utf-8')).digest('base64');
var options = {
port:80,
hostname: "s3.kaya.pvt",
headers:{
Host: "erka.s3.kaya.pvt",
Authorization: 'AWS our-id:'+sc,
Date: new Date(),
"Content-Length": 0,
},

}

callback = function(response) {
var str = '';
response.on('data', function (chunk) {
console.log("-------------");
str += chunk;
console.log(chunk.toString());
});
response.on('end', function () {
console.log("**********");
console.log(str);
});
}
http.request(options, callback).end();

this return

<?xml version="1.0" encoding="UTF-8"?>SignatureDoesNotMatchThe request signature we calculated does not match the signature you provided. Check your AWS secret access key and signing method.erka/

where is problem? anyone can help?

@chrisradek
Amazon Web Services member

@erdogankaya
It doesn't appear as though you're using the AWS SDK. It exposes an operation to create an s3 bucket:
http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#createBucket-property

Please take a look at our getting started guide for information on how to configure and use the SDK:
http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/node-intro.html

@erdogankaya
erdogankaya commented Jun 15, 2016 edited

@chrisradek
we use our s3 . Dont use amazon s3. so i cant use aws-sdk. i try to http protocol for create bucket. but its said signature fault. Can u help?

@filipegmiranda

I am having the same issue, but it looks like in the GET (I am trying to retrieve the file)

Problem accessing S3. Status 403, code SignatureDoesNotMatch, message 'SignatureDoesNotMatch'
Original xml:
Some(SignatureDoesNotMatchThe request signature we calculated does not match the signature you provided. Check your key and signing method.AKIAI3DOSLNJC4YGPZSQAWS4-HMAC-SHA256
20160627T212133Z
20160627/eu-west-1/s3/aws4_request
f8795580f6de5742706adab4ca6c89f8bfa9565b1e0c837a54297a2dcd8114df0dd99e84f2424d8d46dcff6119a9e34fa049489106149214caefe0fc1bd2d21341 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 31 36 30 36 32 37 54 32 31 32 31 33 33 5a 0a 32 30 31 36 30 36 32 37 2f 65 75 2d 77 65 73 74 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 66 38 37 39 35 35 38 30 66 36 64 65 35 37 34 32 37 30 36 61 64 61 62 34 63 61 36 63 38 39 66 38 62 66 61 39 35 36 35 62 31 65 30 63 38 33 37 61 35 34 32 39 37 61 32 64 63 64 38 31 31 34 64 66GET
/test%C2%ADtest%C2%ADtest%C2%ADfilipe/1234.jpg

What can I do?

@LiuJoyceC

Hi @filipegmiranda
Can you provide the relevant code you are running to provide more context? What SignatureVersion are you using, and are you specifying the correct region for your bucket? Are you using the AWS SDK, and if so, what version? Are you using Amazon S3, or a third party S3 clone?

@filipegmiranda

Hi @LiuJoyceC

I am using play-s3 - it is a Scala Library that is suppose to work fine with Play Framework.

Here is my complete stack:

  • Scala
  • Play Framework 2.5

I am trying to retrieve a file from my Bucket, my credentials are fine. And yes, I am providing the region, which is the correct one:

Here are my properties in application.conf:

aws.accessKeyId="AAAA" // Not the real one
aws.secretKey="AAAA" //NOt the real one
aws.bucket="filipe-bucket"
s3.region="eu-west-1"

I have just posted a question with all of this information also in StackOverFlow:

http://stackoverflow.com/questions/38063684/signaturedoesnotmatch-in-s3-using-play-s3-and-play-framework-2-5-scala

My next step is to give up on this library, which appear to be really nice and try to do with the Java SDK from Amazon directly.

Take a look: https://github.com/Kaliber/play-s3/

@LiuJoyceC

Hi @filipegmiranda
Since you are getting a signature mismatch error, can you provide the signature version you are using (v2 or v4)? What version of the AWS SDK are you using? How are you instantiating the S3 service object? What options are you passing in to the S3 constructor when you instantiate it?
Note that the endpoints configured on an S3 service object is determined when you instantiate it, so changing the region on it later (s3.region = "eu-west-1") won't correct the endpoint to the right region. You'll need to pass in the region as an option to the S3 constructor when instantiating it. The latest version of the SDK supports redirecting the endpoint to the right region for Amazon S3 but is not able to override custom endpoints if you are using a 3rd party S3 clone.

@filipegmiranda
filipegmiranda commented Jun 28, 2016 edited

Hi @LiuJoyceC

I am using v4, I actually don't know which version of the SDK, since I am using using

play-s3, I don't think it even uses SDK behind the scenes.

:)

https://github.com/Kaliber/play-s3

I will try to use the official AWS client

@parthrao

Regenerating keys worked for me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment