amazon web services - Signature expired: is now earlier than error : InvalidSignatureException

Question

I am trying a small example with AWS API Gateway and IAM authorization. The AWS API Gateway generated the below Endpoint :

https://xyz1234.execute-api.us-east-2.amazonaws.com/Users/users

with POST action and no parameters.

Initially I had turned off the IAM for this POST Method and I verified results using Postman it works. Then I created a new IAM User and attached AmazonAPIGatewayInvokeFullAccess Policy to the user thereby giving permission to invoke any API's. Enabled the IAM for the POST Method.

I then went to Postman - and added Authorization with AccessKey, Secret Key, AWS Region as us-east-2 and Service Name as execute-api and tried to execute the Request but I got InvalidSignatureException Error with 403 as return code.

The body contains following message :

Signature expired: 20170517T062414Z is now earlier than 20170517T062840Z (20170517T063340Z - 5 min.)" 

What am I missing ?

Answer 1

A request signed with AWS sigV4 includes a timestamp for when the signature was created. Signatures are only valid for a short amount of time after they are created. (This limits the amount of time that a replay attack can be attempted.)

When the signature is validated the timestamp is compared to the current time. If this indicates that the signature was not created recently, then signature validation fails with the error message you mentioned.

A common cause of this is when the local clock on the host generating the signature is off by more than a couple of minutes.