AWS API: InvalidSignatureException: Signature Expired Error

Karuppiah NatarajanKaruppiah Natarajan
2 min read

If you ever see AWS API saying something like -

{"message":"Signature expired: 20240522T115159Z is now earlier than 20240522T120519Z (20240522T121019Z - 5 min.)"}

And notice the response header mentioning

'x-amzn-ErrorType': 'InvalidSignatureException'

And the response code being 403, then you can probably start looking at the date and time of your system

In my case, somehow, my MacOS Date and Time was wrong, and hence this error occurred when I was using the AWS Python CLI aws, which gave this error, like this -

$ aws eks list-clusters

An error occurred (InvalidSignatureException) when calling the ListClusters operation: Signature expired: 20240522T115547Z is now earlier than 20240522T120908Z (20240522T121408Z - 5 min.)

To see more verbose logs, use --verbose or --debug, whatever is relevant for the AWS CLI command and you will see that this error message is coming from the AWS API itself :) - the InvalidSignatureException comes from the x-amzn-ErrorType HTTP response header's value and the message Signature expired: 20240522T115547Z is now earlier than 20240522T120908Z (20240522T121408Z - 5 min.) comes from the HTTP response body of the AWS API HTTP request

I initially thought the issue is due to something else - say my VPN, which has some different time etc. I don't know what time the VPN has etc, it's probably right or wrong, but what matter is - what MY system's Date and Time is, the system that I use to make the AWS API call - more like, the system that I use to create the Signature which I use in the AWS API call. And I believe the Signature needs Date and Time as input. I haven't personally created the AWS Signature using the AWS Access Key ID and AWS Secret Access Key, so I can't comment much on it, but it's clear that if the Date and Time input for the Signature is wrong, then the AWS API gives the error that the Signature is invalid by saying InvalidSignatureException and saying Signature expired and in our case, I think the AWS API is okay with a Signature which has Date and Time 5 minutes prior to the actual current Date and Time - I'm assuming this is some leeway for Date and Time that can be a bit wrong or to be able to use Old Signatures? I'm not sure. But if the Date and Time is too old, like in this case, it's older than 5 minutes of the actual current Date and Time, and that's not okay by the AWS API, so, it gives error

0
Subscribe to my newsletter

Read articles from Karuppiah Natarajan directly inside your inbox. Subscribe to the newsletter, and don't miss out.

AWSaws cliawscli aws cli v2

Written by

Karuppiah Natarajan
Karuppiah Natarajan

I like learning new stuff - anything, including technology. I love tinkering with new tools, systems and services, especially open source projects