Recurring SignatureDoesNotMatch client error

[DrStrangepork]

I am running into this error consistently (roughly 40% of the time) whenever I run any aws command:

A client error (SignatureDoesNotMatch) occurred when calling the UpdateStack operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/

host:cloudformation.us-west-2.amazonaws.com
user-agent:aws-cli/1.5.4 Python/2.7.5 Linux/3.10.0-123.9.3.el7.x86_64
x-amz-date:20141110T221804Z

host;user-agent;x-amz-date
9702b61843b3b8ec870e23798ad8dbf07724933d525b65e56f4d37aeb87be274'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20141110T221804Z
20141110/us-west-2/cloudformation/aws4_request
2a1f3882a9b688b83c95f30981cde22d7f6a66b240537f0f855cfc01071c40e3'

Every time this happens, I immediately run the command again, and it works every time. I have even reproduced this error by running <aws command>; <same exact aws command> with the former failing and latter succeeding with <1s between commands.

Here is the output from aws configure list:

      Name                    Value             Type    Location
      ----                    -----             ----    --------
  profile                <not set>             None    None
access_key     ****************N5OA      config-file
secret_key     ****************w7FE      config-file
    region                us-east-1              env    AWS_DEFAULT_REGION

And the time delta between my guest VM and my host is <1s. Any ideas?

[DrStrangepork]

I am running aws-cli/1.5.4. I noticed a SignatureDoesNotMatch bug closed with 1.6.0, so I'll upgrade and try my problem again.

[cuky23]

I have a working aws-cli/1.2.0 Python/2.7.3 Linux/3.2.0-52-virtual, however post an upgrade on one of the hosts to aws-cli/1.6.0 Python/2.7.3 Linux/3.2.0-52-virtual

aws ec2 describe-instances fails with AuthFailure. very interested in finding a solution to this one.

when I revert the version backwards. everything works again. so I guess 1.6.0 still has the bug
:(

[cuky23]

pip install awscli==1.4.4 : seems to be last stable version, that works for me.

[jamesls]

I believe these issues should be fixed with the 1.6.0 release of the AWS CLI. Let us know if you're still seeing issues.

[DrStrangepork]

I have run several aws commands since upgrading to 1.6.0, and I have not been able to repro my earlier errors. I will consider this ticket closed and will reopen if I run into further issues.

[DrStrangepork]

Tried to remove label response-needed, but I can't. Re-closing

[DrStrangepork]

Nope, I am still getting this error consistently, as well as this error when performing aws ec2 describe-images:

A client error (AuthFailure) occurred when calling the DescribeImages operation: AWS was not able to validate the provided access credentials

Here is an example of something I've run today (after upgrading to aws-cli 1.6.0):

$ aws --region us-west-2 cloudformation create-stack --stack-name stackname --template-body file:///earth/rkasten/stack.json --capabilities CAPABILITY_IAM

A client error (SignatureDoesNotMatch) occurred when calling the CreateStack operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/

host:cloudformation.us-west-2.amazonaws.com
user-agent:aws-cli/1.6.0 Python/2.7.5 Linux/3.10.0-123.9.3.el7.x86_64
x-amz-date:20141112T215527Z

host;user-agent;x-amz-date
72b75f54b8c9c0c4dff4dd1ea9fdcd1ce2818fa024c8808fc2bb6f7e1bbb24de'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20141112T215527Z
20141112/us-west-2/cloudformation/aws4_request
61256d4ff4b7ae15ff5826563902a17bbbc59b15d9dafe81cafaaf85c4c39d81'

[cuky23]

I have stayed with the 1.4.4 release. is it possible that the version of 1.6 on pypy is broken? Once my deadline around the current script I am writting is over , I am willing to re-test 1.6

[jamesls]

There was another issue causing these failed requests as well. I'm working on a fix now.

[jamesls]

This issue has now been fixed (boto/botocore#379) and will be available in the next AWS CLI release. Thanks again for reporting.

[howardroark]

I am using version 1.7.23 and this issue of intermittent auth failure is occurring for me. Has the fix been included in this release?

Actually for me it is...

A client error (AuthFailure) occurred when calling the AnyCommand operation: AWS was not able to validate the provided access credentials

It sort of seems to start happening and carries on for a while and then stops again.

[Nevon]

I'm on 1.7.43 and this is consistently failing for me, using credentials that I have verified to work.

➜  ~  aws --version
aws-cli/1.7.43 Python/2.7.6 Darwin/14.4.0
➜  ~  aws s3 cp --acl public-read ./hello.txt s3://my-bucket/foo/
upload failed: ./hello.txt to s3://my-bucket/foo/hello.txt A client error (SignatureDoesNotMatch) occurred when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

➜  ~  aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************JG4A shared-credentials-file
secret_key     ****************PdD% shared-credentials-file
    region                eu-west-1      config-file    ~/.aws/config

[jamesls]

Could you share:

1. Do other "aws s3" commands succeed for you?
2. Do other non-s3 commands work? e.g aws iam list-users?

[Nevon]

Do other "aws s3" commands succeed for you?

Nope. Same thing. For example:

➜  ~  aws s3 ls

A client error (SignatureDoesNotMatch) occurred when calling the ListBuckets operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Do other non-s3 commands work?

➜  ~  aws iam list-users

A client error (SignatureDoesNotMatch) occurred when calling the ListUsers operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/

host:iam.amazonaws.com
user-agent:aws-cli/1.7.43 Python/2.7.6 Darwin/14.4.0
x-amz-date:20150814T085358Z

host;user-agent;x-amz-date
b6359072c78d70ebee1e81adcbab4f01bf2c23245fa365ef83fe8f1f955085e2'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20150814T085358Z
20150814/us-east-1/iam/aws4_request
04c520f8d29cb653e89fc4fdc57e07296fd4c2571940c8b5da83bca959427632'

[jamesls]

Interesting. And when you say you've verified these credentials work, do you mean that you've used other tools/SDKs with these same credentials and they work for you?

[Nevon]

These are shared credentials that are working for other people.

EDIT: Ugghhh. I'm afraid it was an ID10T error. I'm not sure if it was a vim slipup or what, but a trailing character had managed to sneak its way into my config. Everything worked fine once I recreated the credentials file.

[gaganpa2020]

My aws-cli version is 1.9.9 & still i'm getting same error :-

[10:02:46][Step 3/7] A client error (SignatureDoesNotMatch) occurred when calling the CreateStack operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
[10:02:46][Step 3/7]
[10:02:46][Step 3/7] The Canonical String for this request should have been
[10:02:46][Step 3/7] 'POST
[10:02:46][Step 3/7] /
[10:02:46][Step 3/7]
[10:02:46][Step 3/7] host:cloudformation.amazonaws.com
[10:02:46][Step 3/7] user-agent:aws-cli/1.9.9 Python/2.6.6 Linux/2.6.32-431.29.2.el6.x86_64 botocore/1.3.9
[10:02:46][Step 3/7] x-amz-date:20160224T100245Z
[10:02:46][Step 3/7]
[10:02:46][Step 3/7] host;user-agent;x-amz-date
[10:02:46][Step 3/7]
[10:02:46][Step 3/7] The String-to-Sign should have been

Please suggest.

[ameya-s]

Check if your system clock is inline with the region defined for the instance.