Solve - SignatureDoesNotMatch Error in AWS CLI

avatar

Borislav Hadzhiev

Mon Sep 20 20212 min read

banner

Photo by Austin Schmid

Table of Contents #

  1. Solving SignatureDoesNotMatch Error in AWS CLI
  2. Verify your Credentials Are Correct
  3. Verify your Secret Key Doesn't Contain Special Characters
  4. Sync OS time if in Virtual Machine

Solving SignatureDoesNotMatch Error in AWS CLI #

There are 3 main reasons the SignatureDoesNotMatch occurs in AWS CLI:

  • Your secret access key or access key id are incorrect
  • Your auto-generated secret access key contains special characters (e.g. % , /, or + characters) that cause the error, try to create a new key pair
  • You are in a virtual machine and there is a discrepancy between the host's OS time and the guest's OS time

signature does not match error

Verify your Credentials Are Correct #

To solve the "Request signature we calculated does not match the signature you provided" error we must first verify the configured secret access key and access key id are correct.

If you have configured the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, they have higher precedence than the values you've stored in your credentials file.

To print the environment variables, run the commands that correspond to your operating system:

shell
# Linux and macOS echo $AWS_ACCESS_KEY_ID echo $AWS_SECRET_ACCESS_KEY # on Windows with CMD echo %AWS_ACCESS_KEY_ID% echo %AWS_SECRET_ACCESS_KEY% # on Windows with PowerShell echo $Env:AWS_ACCESS_KEY_ID echo $Env:AWS_SECRET_ACCESS_KEY

If the environment variables are not set, verify the values of your aws_access_key_id and aws_secret_access_key variables in your credentials file.

The credentials file is located at ~/.aws/credentials on Linux and macOS and at C:\Users\USERNAME\.aws\credentials on Windows.

The syntax of the credentials file should look like:

credentials
[default] aws_access_key_id=YOUR_ACCESS_KEY_ID aws_secret_access_key=YOUR_SECRET_ACCESS_KEY [admin] aws_access_key_id=YOUR_ACCESS_KEY_ID aws_secret_access_key=YOUR_SECRET_ACCESS_KEY
Make sure you don't enclose the value of your aws_access_key_id or aws_secret_access_key in single, nor double quotes.

Verify your Secret Key Doesn't Contain Special Characters #

Once you're sure that the values of your access key and secret access key are correct, verify whether your secret access key contains any of the following characters: %, /, +.

If your secret key contains one of these characters, the solution is to generate a new credentials key pair.

Open your IAM console and click on the user. In the Security Credentials tab, click on the Create Access key button and update your configuration to use the newly generated credentials.

create access key

After you generate the key, run the aws configure command or update your environment variables to the new keys.

Sync OS time if in Virtual Machine #

The SignatureDoesNotMatch error commonly happens if you're in a virtual machine and the host's OS time does not match the guest's OS time.

If you're in an ubuntu virtual machine restart the timedatectl service unit to update the time to the current time:

shell
sudo systemctl restart systemd-timesyncd.service

To verify the time was updated successfully, check the logs:

shell
journalctl -xe | tail

Further Reading #

Join my newsletter

I'll send you 1 email a week with links to all of the articles I've written that week

Buy Me A Coffee