EDIT: If you are running into this issue, we'd appreciate your help in troubleshooting. I'm updating this comment for better visibility on troubleshooting steps.

Troubleshooting

The first step for troubleshooting this is to determine whether or not the issue is with the credentials themselves or with the CLI. To test this, try using these credentials in other AWS SDKs (javascript, ruby, java, etc). To help with this, I've created a test script that uses the AWS SDK for python and javascript which is available here: https://github.com/jamesls/aws-creds-test . After cloning, just run make install, make test. It will prompt you for credentials (similar to the CLI) and make an API call to sts.GetCallerIdentity.

/tmp $ mkdir /tmp/repro-cli-602
/tmp $ cd /tmp/repro-cli-602/
/tmp/repro-cli-602 $ git clone git://github.com/jamesls/aws-creds-test
Cloning into 'aws-creds-test'...
...
/tmp/repro-cli-602 $ cd aws-creds-test/
/tmp/repro-cli-602/aws-creds-test (master u=) $ make install
npm install
aws-js-cli@1.0.0 /private/tmp/repro-cli-602/aws-creds-test
├─┬ aws-sdk@2.45.0
...
pip install -r requirements.txt
Requirement already satisfied: botocore<2.0.0,>=1.5.0 in /usr/local/lib/python2.7/site-packages (from -r requirements.txt (line 1))
...



/tmp/repro-cli-602/aws-creds-test (master u=) $ make test
./test-creds.sh
Testing python...
Access Key:
Secret Access Key:
AKID   hash: 4e7c36343646e1fa7495092bffcd4b9b7dd00f2f5014a189ab81f326e6472a62
AKID length: 20

SAK    hash: 941a655993caccb1a1218883b97a88b6f41762c6d03902f1cdd1e2a5de5fd82e
SAK  length: 40
Successfuly made an AWS request with the provided credentials.

Testing javasript...
Access Key: ********************
Secret Access Key: ****************************************
AKID   hash: 4e7c36343646e1fa7495092bffcd4b9b7dd00f2f5014a189ab81f326e6472a62
AKID length: 20


SAK    hash: 941a655993caccb1a1218883b97a88b6f41762c6d03902f1cdd1e2a5de5fd82e
SAK  length: 40
Sucessfully made an AWS request with the provided credentials.

For people running into this issue, please run the test script and share the output.

This should give us better insight into where this issue is occurring:

• If the above script passes for both python and javascript but is failing when using the CLI, likely a CLI issue.
• If the script fails for python but passes for javascript, likely an issue with botocore (which the CLI uses).
• If the above script fails for both python and javascript, likely an issue with the actual credentials.

Thanks in advance for anyone that can help us troubleshoot this issue. Let me know if there's any questions.

This is how it looks like:

thomas@iMac:~ $ echo $AWS_ACCESS_KEY_ID
AKIAXXXXXXXXXXXXXXXX
thomas@iMac:~ $ echo $AWS_SECRET_ACCESS_KEY
abcaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+0
thomas@iMac:~ $ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
              env    AWS_ACCESS_KEY_ID
              env    AWS_SECRET_ACCESS_KEY
    region                eu-west-1              env    AWS_DEFAULT_REGION

Any updates on this issue? I'm also encountering this error and my credentials file hasn't changed.

I have a similar issue. Jenkins s3 plugin is able to put an object using my credentials, but the aws-cli is giving me the errors below.

aws s3 cp s3://my-bucket/folder/test.txt test.txt
A client error (Forbidden) occurred when calling the HeadObject operation: Forbidden Completed 1 part(s) with ... file(s) remaining

aws s3api get-object --bucket my-bucket --key folder/test.txt test.txt
A client error (SignatureDoesNotMatch) occurred when calling the GetObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

I am running into the same issue. If I make up a secret it gives me a different (AuthFailure) error.

[ec2-user@ip-127.0.0.1]]$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************AMKA              env    AWS_ACCESS_KEY_ID
secret_key     ****************jPU2              env    AWS_SECRET_ACCESS_KEY
    region                us-west-2              env    AWS_DEFAULT_REGION

This is pretty much stopping me completely. I can do some things with the ec2-blah-stuff utilities by specifying x509 certs but the help says that's deprecated so I don't want to depend on it. Any help troubleshooting or what ever would really be appreciated.

The first step would be to ensure that your access/secret keys are actually valid. A few things to try:

• Does these same access/secret key credentials work with other tools? (The java/javascript/ruby/python SDK?)
• Do other commands besides "aws s3" work for you? Does "aws ec2 describe-instances" still generate auth errors?

They do not work with other tools (ec2-describe-instance for instance).

I think I have the appropriate rights since using the certs works. To make sure it's not a workstation thing I built an Amazon Linux instance and I'm using the awscli verison that comes with it but getting the same message.

Also an issue for me. I'm using it in a docker container, built with the same Dockerfile.
It works fine when built on an EC2, but does not work when built locally on a coreos vagrant box.

It looks like the issue is with the credentials themselves. I've double checked this, and I'm not able to repro this issue. Double check the credentials on the security credentials page. If someone can provide an exact set of steps that demonstrate the issue, I'd be happy to take another look.

Just had this happening to me and was a result of my system time being off by too much even though it did not report that. Ran ntpdate against pool.ntp.org and fixed this problem for me.

If you are getting this error when cred are setup using env variable, try sudo

If you are in a virtual machine make sure your host os time matches the guest os time. If this is not the case you will get into the error you described.

A very similar error occurs for me with good credentials, whilst listing a bucket which has a lot of keys in it. Here's the error:

A client error (SignatureDoesNotMatch) occurred when calling the ListObjects operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Here's my output from aws configure list

      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************4UNA shared-credentials-file
secret_key     ****************MNOG shared-credentials-file
    region                <not set>             None    None

Note that these credentials work fine with other aws invocations, and in fact this list op runs for a long time (more than an hour) before bailing with this error. I have a file with over 82,000 lines of output in it from the command which eventually failed.

I've been getting this issue, and if I just sleep my script for a second and try again then it goes through. It's almost like it's getting throttled and returning the wrong error or something.

I can report this issue too. Trying to upload a 11 GB file using aws cp foo s3://mybucket/foo/bar I get various errors like:

A client error (SignatureDoesNotMatch) occurred when calling the UploadPart operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

and

Max retries exceeded with url: /***REDACTED***?partNumber=196&uploadId=B2viwGFF4Lmq5itbs8ipqwBExx0BWGRm3gkG_D5EYTiU8uEO_tmUT.d.i7BcgPnP5npZa.OW7yMfJ3ZhhLJD61zP7EVv.5.ZftCJQbKNdkEBeijGBqWlrxz4vMx3B05Q (Caused by <class 'socket.gaierror'>: [Errno -2] Name or service not known)

I've checked that my system time is correct. I also noticed considerable slowness (on the level of http requests timing out) on the same system while uploading, so this being a throttling issue does sound reasonable. It also works fine to upload small files with the same credentials, and using the web console from the same machine, so this does appear to be a aws-cli problem.

This happened to me with too with aws-cli 1.5.5, updating aws-cli to 1.6.2 solved it.

Happens to me with 1.6.2

This happened to me today. This is new to me. Been using awl-cli for a few months no problem and no change to the credentials AFAIK.

$ aws configure --profile ye list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                       ye           manual    --profile
access_key     ****************ERMQ shared-credentials-file    
secret_key     ****************E8Id shared-credentials-file    
    region                us-east-1      config-file    ~/.aws/config

I believe this issue is now fixed via boto/botocore#388, and will be available in the next AWS CLI release.

@jamesls confirmed fixed on awscli version 1.6.4. I was using 1.5.4. Thanks!

I am getting this issue on a fresh ubuntu system.

A client error (SignatureDoesNotMatch) occurred when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Installed aws-cli via pip

$ pip list
ansible (1.5.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.6.5)
bcdoc (0.12.2)
botocore (0.76.0)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.11)
html5lib (0.999)
httplib2 (0.8)
Jinja2 (2.7.2)
jmespath (0.5.0)
jsonpatch (1.3)
jsonpointer (1.0)
Landscape-Client (14.01)
MarkupSafe (0.18)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
Pillow (2.3.0)
pip (1.5.4)
prettytable (0.7.2)
pyasn1 (0.1.7)
pycrypto (2.6.1)
pycurl (7.19.3)
Pygments (1.6)
pyinotify (0.9.4)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5)
python-dateutil (2.3)
python-debian (0.1.21-nmu2ubuntu2)
PyYAML (3.10)
requests (2.2.1)
roman (2.0.0)
rsa (3.1.2)
setuptools (3.3)
six (1.5.2)
Sphinx (1.2.2)
ssh-import-id (3.21)
Twisted-Core (13.2.0)
urllib3 (1.7.1)
wsgiref (0.1.2)
zope.interface (4.0.5)

Any ideas on how to fix it?

My solution was to sleep for a few seconds and then try it again, but it
sounds like there may be an update to the tool that fixes it as well.

On Tue, Dec 2, 2014 at 3:38 AM, Mark Wolfe notifications@github.com wrote:

I am getting this issue on a fresh ubuntu system.

A client error (SignatureDoesNotMatch) occurred when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Installed aws-cli via pip

$ pip list
ansible (1.5.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.6.5)
bcdoc (0.12.2)
botocore (0.76.0)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.11)
html5lib (0.999)
httplib2 (0.8)
Jinja2 (2.7.2)
jmespath (0.5.0)
jsonpatch (1.3)
jsonpointer (1.0)
Landscape-Client (14.01)
MarkupSafe (0.18)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
Pillow (2.3.0)
pip (1.5.4)
prettytable (0.7.2)
pyasn1 (0.1.7)
pycrypto (2.6.1)
pycurl (7.19.3)
Pygments (1.6)
pyinotify (0.9.4)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5)
python-dateutil (2.3)
python-debian (0.1.21-nmu2ubuntu2)
PyYAML (3.10)
requests (2.2.1)
roman (2.0.0)
rsa (3.1.2)
setuptools (3.3)
six (1.5.2)
Sphinx (1.2.2)
ssh-import-id (3.21)
Twisted-Core (13.2.0)
urllib3 (1.7.1)
wsgiref (0.1.2)
zope.interface (4.0.5)

Any ideas on how to fix it?

—
Reply to this email directly or view it on GitHub
#602 (comment).

@wolfeidau and yeah I spoke too soon. The locally pip installed awscli is giving the SignatureDoesNotMatch errors again. Yikes!

A client error (SignatureDoesNotMatch) occurred when calling the DeregisterInstancesFromLoadBalancer operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/

host:elasticloadbalancing.us-east-1.amazonaws.com
user-agent:aws-cli/1.6.5 Python/2.7.8 Darwin/13.4.0
x-amz-date:20141203T015747Z

host;user-agent;x-amz-date
1d9dafbf4bfa9b1225d91bdbf99d8645503484d174b9094e4c3af637e6664b5b'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20141203T015747Z
20141203/us-east-1/elasticloadbalancing/aws4_request
5a56d12a4920502f4124e37a92aad475c36edda93d9865871e6a4fe1e49045c3'

Does this issue happen only when a request is retried? Or does this happen everytime you run the deregister-instances-from-load-balancer command?

@jamesls it happens everytime now :(

I know this issue is closed but wanted to share that you can see this error when running in a VM which hibernates. In such cases, the system clock doesn't consistently catch up if you're using Ubuntu. Just update the time to fix (i.e. sudo ntpdate -s time.nist.gov).

hello, is there any final fix on this?

+1

Using version 1.7.8 of the CLI I was seeing the same SignatureDoesNotMatch error when trying the following:
$ aws iam list-users

And getting an AuthFailure for this:
$ aws ec2 describe-security-groups

After deleting my keys and trying new ones, both commands work.

This is the old secret access key that may have been the cause of my problems, note the percent, plus and forward slash characters: H2J7/oT3Fib15SwFVB1s3EnTCmg+SC7wF7qoP+dw%

👍 @gsterndale. My access key with % in it didn't work. I had to generate new keys.

I'm in a virtual machine making the host Time&Region similar to the guest Time&Region solves the problem .

Just wanted to chime in that this hit me today as well on a newly created key - and after lots of frustration, landed here and saw mention of a / in the key. Sure enough, that was the issue - new key without it works. Wtf?!

I can not believe this issue's opened in 2014 and still there is no fix for it, this bug forced me to make a new set of AWS credential for myself, I even tried to encode the '/' but it didn't work :(

Eliminating the credential with the "/" fixed the issue for me. Thanks to everyone for pointing this out.

Just hit this in 2020 now. Secret key has a '+'.

aws-cli — developed by aws project — fails with valid aws keys... for 6 years?

Same problem in 2020 January. Secret key has a "/" slash character.

I generated a new credential set, using the AWS IAM console, and ensured that the secret key was all alphanumeric, no "/" no "+" and so on. I replaced my old secret key with the new secret key, in my ~/.aws/credentials file, then retried.

This solved it.

Same issue here on 2020. But I can not remove none alphanumeric characters as they are part of my credentials it self, and I'm not in control of that

I first ran into timeout issues and after updating my awscli ran into this issue. You thought 6 years is enough to make it work...

am also having this deploying Vue.js app through gitlab to AWS S3 bucket can someone tell me what to do
msg:fatal error: An error occurred (SignatureDoesNotMatch) when calling the ListObjectsV2 operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

I did not have any non-alphanumeric chars, but working with profiled did not work, for a single profile. I regenerated the credentials using the console and the new ones just worked.

Getting such errors as well today, and regenerating the credentials without special characters ('+' or '/') works for me.

I still have the same issue , but it happens suddenly, I work with Get and Put operations and one works, the other doesn't. and yes my secret key doesn't contain any special characters. any help? I first call getIntent (amazon lex models API) to retrieve the intents checksum, then call putIntent to update that that intent. Get method works (Not all the time) but put method appears the same issue of signature, while if I removed Get method API from code, Put method works 2 times out of three.

I had this issue, I suggest you to generate new keys
and re-configure your aws profile

aws configure

AWS Access Key ID [****************QD5E]: AWS_ACCESS_KEY_ID
AWS Secret Access Key [****************ANjA]: AWS_SECRET_ACCESS_KEY
Default region name [eu-west-3]: AWS_REGION
Default output format [json]: OUTPUT_FORMAT

Hi !

I am getting this same issue when using pre-signed URL returned to my client
The URL is generated in the server (for a limited time). The server is python and I don't see any error there, but the client is JS - only gets the URL and opens it. Part of the URL are generated credentials for this resource)

The error is on and off, so I think it is related to what is said here about special keys in the credentials, but since I am using credentials generated in the server - I cannot change them !

Any way to take care of this in the code ? parse the specials keys somehow ?

Hi !

I am getting this same issue when using pre-signed URL returned to my client
The URL is generated in the server (for a limited time). The server is python and I don't see any error there, but the client is JS - only gets the URL and opens it. Part of the URL are generated credentials for this resource)

The error is on and off, so I think it is related to what is said here about special keys in the credentials, but since I am using credentials generated in the server - I cannot change them !

Any way to take care of this in the code ? parse the specials keys somehow ?

@maya-harel you can change the credentials from IAM -> users select user you have created and re-generate the secret key security credentials tab.

also timing in code is really fatal, for each request you make in back-end, get the current time to use it in header to generate the signature.

As an aside, there have been a lot of blind "regenerate your IAM credentials" suggestions to users who've explicitly said it's not an option for them.

This is not helpful to the users, and distracts from the fact that this is a known bug that continues to affect aws-cli users attempting to use valid IAM credentials.

Running into this as well.
$ aws --version
aws-cli/1.16.300 Python/2.7.16 Linux/4.14.152-127.182.amzn2.x86_64 botocore/1.13.36

My keys are completely alpha-numeric, no special characters.

The keys work from the shell, however when used via Jenkins in a Makefile target, this error occurs. Not sure what is happening here.

My secret key has both / and + in it. Running into this issue and have tried:

• Trough aws-cli > aws iam get-user (using ~/.aws/credentials file)
• boto3 (through python 3.6.8)
  • Hardcoded keys
  • Envirnoment Variable
  • Argument boto3.Session(profile_name=PROFILE) (which pulls from ~/.aws/credentials)

All of these result in the SignatureDoesNotMatch error.

I currently cannot regenerate the key.

What I don't understand is that I can use the S3 Protocol in Cyberduck (https://cyberduck.io/) and it works as expected. How could that be?

This has to be one of the most frustrating bugs I have encountered and it's nuts that it hasn't been fixed. Getting a cred without a "+" worked for me in CircleCI.

Is it still crashing? facing the same problem, wow i cannot be possible...

Yes, it is frustrating. My secret key that had a + didn't work in a Jenkins pipeline, but when I generated a new one, which only had a few of /, worked fine.

I had this issue on package installed version of awscli on Ubuntu 16.04. I fixed it by installing awscli as a python pip package.
For instructions, follow this link under section Installing AWS CLI using Python PIP

Issue Encountered

1. Encountered the InvalidSignatureException error after regenerating the Access Key
2. Partial Error log is as provided below.

$ python SetupAWS.py list_things
Traceback (most recent call last):
File "SetupAWS.py", line 222, in
list_things()
File "SetupAWS.py", line 182, in list_things
things = client.list_things()['things']
File "c:\Program Files (x86)\Python38-32\lib\site-packages\botocore-1.16.6-py3.8.egg\botocore\client.py", line 316, in _api_call
return self._make_api_call(operation_name, kwargs)
File "c:\Program Files (x86)\Python38-32\lib\site-packages\botocore-1.16.6-py3.8.egg\botocore\client.py", line 626, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidSignatureException) when calling the ListThings operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Root Cause Analysis

1. As suggested by many in their comments above, the presence of "+" in my Secret Access Key was resulting in the above error.

Resolution

1. Generated new Access Key as an IAM User and verified that the new Secret Access Key does not contain a "+" within the string.
2. Ran the aws configure command and provided the new values.
3. Ran the python SetupAWS.py list_things command, which successfully listed my thing, as shown below,

$ python SetupAWS.py list_things
[{'thingName': 'myThingName', 'thingArn': 'myThingArn', 'attributes': {}, 'version': 1}]

This issue has been open for six years, and I thank you for your patience, persistence, and the information you have provided. A few underlying causes have been identified through your comments (#602 (comment)) and compiled into the Command Line User Guide Troubleshooting Errors chapter. These causes include clock skew and some operating systems mishandling keys with special characters.

I attempted to reproduce this using a number of different environments. I used Ubuntu 16.04, Ubuntu 18.04, and Amazon Linux 2, with Python 3.6.8 and 3.8.3. While many commenters used Python 2, I did not attempt to reproduce since it is no longer supported. I used the latest v1 aws-cli (1.18.80 at the time of writing) as well as an older version (1.11.78) referenced in this issue. I used the script provided (#602 (comment)) by @jamesls that creates new credential pairs until it encounters one with special characters and let them run for up to an hour each. I did not have any occurrences of a SignatureDoesNotMatch error. I received occasional AuthFailure errors on the describe-instances command, but a retry of the command with the same credentials succeeds.

The large number of comments makes it difficult for new users coming to this issue to find requests from our developer team for troubleshooting suggestions. To assist our team and the community in determining a cause of this error, I am closing this issue.

Due to the variation of user environments where this error occurs, please file a separate issue instead of commenting on an existing one.