"Signature not yet current" in test environment

0

In an AWS test environment, our testers frequently need to change the date/time on instances as part of their test suites. Unfortunately, this appears to break Session Manager authentication. The SSM agent generates errors such as:

2021-05-27 18:58:54 ERROR {HandleAwsError @ awserr.go.49} {ssm-agent-worker} {HealthCheck} error when calling AWS APIs. error details - InvalidSignatureException: Signature not yet current: 20210527T175854Z is still later than 20210430T180355Z (20210430T175855Z + 5 min.)
status code: 400, request id: caaa36f2-c644-4c91-b461-0dbd8a51774e

In the above case, the (Windows 10) instance's clock was set to a future date. Is there any configuration option that would allow us to bypass date-based checks during authentication? Presumably this is an SSL certificate issue.

I note from the AWS SDK that certain authentication options allow for a maximum clock drift of five minutes. Does this apply here?

In short: is there any way to keep Session Manager available despite changes to the system clock?

Asked 3 years ago, 2393 views
3 Answers
0
Accepted Answer

This is not supported in Session Manager (as it also makes AWS API calls).

Thanks.

AWS
Answered 3 years ago
0

Hi @RobPomeroy,

SSM Agent uses AWS Go SDK, so the behavior you are seeing is expected.

Some more information here as well:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html#configure_ntp
"If you use the AWS CLI or an AWS SDK to make requests from your instance, these tools sign requests on your behalf. If your instance's date and time are not set correctly, the date in the signature may not match the date of the request, and AWS rejects the request."

AWS
Answered 3 years ago
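
The timestamps in the rejection message quoted in the question are enough to measure how far an instance's clock has drifted from the service's. The following is an added example, not part of the original thread or of SSM Agent: it parses that message (and, going beyond the case in the thread, the "Signature expired" form returned when the clock is behind) and reports the skew. The function name, the reading of the parenthesised timestamp as the service's clock, and the second sample line are assumptions made here.

```python
import re
from datetime import datetime, timedelta, timezone

# Both request-signature time-window rejections share one layout:
#   Signature not yet current: <signed> is still later than <limit> (<server> + N min.)
#   Signature expired: <signed> is now earlier than <limit> (<server> - N min.)
SKEW_RE = re.compile(
    r"Signature (?:not yet current|expired): "
    r"(?P<signed>\d{8}T\d{6}Z) is (?:still later|now earlier) than "
    r"(?P<limit>\d{8}T\d{6}Z) "
    r"\((?P<server>\d{8}T\d{6}Z) [+-] (?P<minutes>\d+) min\.\)"
)

# Error text copied from the question on this page.
PAGE_LINE = (
    "InvalidSignatureException: Signature not yet current: 20210527T175854Z "
    "is still later than 20210430T180355Z (20210430T175855Z + 5 min.)"
)
# Constructed sample (not from the page): instance clock set into the past.
CONSTRUCTED_EXPIRED = (
    "InvalidSignatureException: Signature expired: 20210401T120000Z "
    "is now earlier than 20210430T115500Z (20210430T120000Z - 5 min.)"
)


def _ts(value):
    """Parse the compact ISO 8601 UTC timestamp used in the message."""
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_skew(line):
    """Return skew details for a signature time rejection, else None."""
    m = SKEW_RE.search(line)
    if m is None:
        return None
    # Assumption: the timestamp in parentheses is the service's own clock.
    skew = _ts(m["signed"]) - _ts(m["server"])
    tolerance = timedelta(minutes=int(m["minutes"]))
    return {
        "direction": "ahead" if skew > timedelta(0) else "behind",
        "skew_seconds": int(skew.total_seconds()),
        "tolerance_seconds": int(tolerance.total_seconds()),
        "within_tolerance": abs(skew) <= tolerance,
    }


if __name__ == "__main__":
    for sample in (PAGE_LINE, CONSTRUCTED_EXPIRED, "unrelated log line"):
        print(parse_skew(sample))
```

For the line from the question, the instance clock is one second short of 27 days ahead of the service, against a tolerance of 300 seconds.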
0

Right, that's what I feared. So my question remains: is there any way to keep Session Manager available despite changes to the system clock?

(I think I know the answer!)

Answered 3 years ago
